Ruby on Rails security

How to Counter Common Security Problems While Building Web Applications in Ruby on Rails

Web hackers are present all over the planet!

Not only do they try to plant vulnerabilities through their dubious apps, they also try to cheat you out of your money or assets by tracking your personal data and other information that is intrinsic to you.

  • Malicious code and phishing attacks are nowadays commonly delivered through pay-per-click (PPC) advertising: you accidentally click on an attractive but harmless-looking ad or promotion inside an app and end up with a host of problems.
  • Ruby on Rails is a highly robust platform that is widely used for mobile app development and is under constant upgrading, but it too has a few vulnerabilities. The workarounds below let you bypass them and will save you from encountering malicious bugs within your app.

Some of the possible security problems and their possible workarounds are mentioned below:

1) Session Fixation

Normally an attacker would have to steal a user's session id; with session fixation, the attacker instead fixes a session id that is already known to them onto the user's browser.

  • This attack forces the user's browser to use this id when accessing the web app built upon Ruby on Rails.
  • How this happens is that the attacker first creates a valid session id for himself: he loads the login page of the web app and takes the session id from the cookie in the response. He then keeps this session alive by accessing the app periodically so that it does not expire.
  • By injecting malicious JavaScript into the app via an XSS flaw, the attacker infects the page and plants the fixed session id in the user's browser.
  • Once the user authenticates, the same session becomes valid for both the attacker and the user. This is highly dangerous, since it gives two people authority over one account in a secure web app.


  • The workaround is to use the Restful Authentication plugin for user id management and to add reset_session to the SessionsController#create action, which removes all values from the session and creates new ones on every login.
  • Saving user-specific properties in the session and verifying them on every request also helps: if the information does not match, the user can be denied access and the remote IP address blocked.
  • Bear in mind that proxy addresses keep changing, so an address-based block only works for a limited time; an attacker whose address no longer matches will not be able to use the application for long.
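The login flow described above, as an added example that is not part of the original post: a minimal in-memory model in plain Ruby (no Rails needed) of what reset_session in SessionsController#create achieves, plus a user-agent check as one instance of "saving user-specific properties in the session and verifying them". The SessionStore class and its create, login and fetch methods are assumptions made for this illustration.

```ruby
# Added example: plain-Ruby model of the session-fixation defence.
# SessionStore / create / login / fetch are names assumed for this illustration;
# in a Rails app the equivalent is reset_session inside SessionsController#create.
require "securerandom"

class SessionStore
  def initialize
    @sessions = {}   # session id => { user_id:, user_agent: }
  end

  # Equivalent of Rails issuing a fresh, anonymous session on a first visit.
  def create(user_agent:)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user_id: nil, user_agent: user_agent }
    sid
  end

  # Login handler: instead of attaching the user to whatever session id the
  # browser presented (possibly one an attacker fixed), discard that id and
  # issue a brand-new one. This is what reset_session does for you in Rails.
  def login(presented_sid, user_id:, user_agent:)
    @sessions.delete(presented_sid)
    new_sid = SecureRandom.hex(16)
    @sessions[new_sid] = { user_id: user_id, user_agent: user_agent }
    new_sid
  end

  # Per-request lookup: the session must exist and the user-agent saved at
  # login must still match, otherwise the request is treated as unauthenticated.
  def fetch(sid, user_agent:)
    data = @sessions[sid]
    return nil if data.nil?
    return nil if data[:user_agent] != user_agent
    data
  end
end

# Walk through the scenario from the text with constructed browser strings.
def session_fixation_demo
  store = SessionStore.new
  fixed_sid = store.create(user_agent: "AttackerBrowser/1.0")   # id the attacker already knows

  # The victim logs in while their browser presents the fixed id.
  victim_sid = store.login(fixed_sid, user_id: 42, user_agent: "VictimBrowser/2.0")

  {
    rotated: victim_sid != fixed_sid,                                                   # new id issued at login
    fixed_id_dead: store.fetch(fixed_sid, user_agent: "AttackerBrowser/1.0").nil?,       # old id no longer valid
    victim_ok: store.fetch(victim_sid, user_agent: "VictimBrowser/2.0")&.fetch(:user_id) == 42,
    ua_mismatch_blocked: store.fetch(victim_sid, user_agent: "AttackerBrowser/1.0").nil?  # property check
  }
end

if __FILE__ == $0
  p session_fixation_demo
end
```

The important line is the delete in login: the id the attacker planted never becomes an authenticated session, so keeping it alive with periodic requests gains nothing.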

2) Session Expiry

Sessions that never expire extend the window for attacks that use cross-site request forgery (CSRF), session fixation and session hijacking. This is a serious vulnerability and affects cookie-level session management.


  • One option is to set an expiry time-stamp on the cookie that carries the session id. Cookies stored in the web browser can be edited by the client, however, so expiring sessions on the server via a time-out method is safer. Use this code:

Call Session.sweep("10 minutes") to expire all sessions that were last used more than 10 minutes ago.

class Session < ActiveRecord::Base
  # Remove sessions not touched for the given period. Accepts a Duration
  # (1.hour) or a string such as "10 minutes".
  def self.sweep(time = 1.hour)
    if time.is_a?(String)
      time = time.split.inject { |count, unit| count.to_i.send(unit) }
    end

    # Parameterised where clause instead of interpolating the timestamp into
    # raw SQL; delete_all with a conditions string was removed in Rails 5.1.
    where("updated_at < ?", time.ago).delete_all
  end
end



  • If an attacker keeps a session alive forever by using it periodically, add a created_at column to the sessions table. Sessions older than a fixed age can then be deleted regardless of activity by replacing the delete line with:

    # Idle for longer than `time`, or created more than two days ago, whichever comes first.
    where("updated_at < ? OR created_at < ?", time.ago, 2.days.ago).delete_all
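To show the two cut-offs working together without a database, here is an added example (not the post's or Rails' own code) that re-implements the sweep logic in plain Ruby: the "10 minutes" string parsing, the idle cut-off on updated_at, and the absolute-age cut-off on created_at that catches a session an attacker keeps touching. SessionTable, parse_duration and the sample rows are assumptions constructed for this illustration.

```ruby
# Added example: in-memory model of Session.sweep with both cut-offs.
# SessionTable and parse_duration are names assumed for this illustration.

# Parse "10 minutes" / "2 hours" / "3 days" into seconds. Rails gets this from
# ActiveSupport (10.minutes); here it is done by hand so the file runs alone.
UNIT_SECONDS = { "second" => 1, "minute" => 60, "hour" => 3600, "day" => 86_400 }.freeze

def parse_duration(spec)
  return spec if spec.is_a?(Numeric)
  count, unit = spec.to_s.split
  seconds = UNIT_SECONDS[unit.to_s.sub(/s\z/, "")]
  raise ArgumentError, "unknown duration #{spec.inspect}" if count.nil? || seconds.nil?
  Integer(count) * seconds
end

class SessionTable
  Row = Struct.new(:id, :created_at, :updated_at)

  def initialize
    @rows = []
  end

  def insert(id, created_at:, updated_at:)
    @rows << Row.new(id, created_at, updated_at)
  end

  def ids
    @rows.map(&:id)
  end

  # Delete sessions idle for longer than idle_for, and (regardless of activity)
  # sessions whose absolute age exceeds max_age. The second condition is what
  # defeats an attacker who keeps a fixed session alive by touching it regularly.
  def sweep(idle_for: "1 hour", max_age: "2 days", now: Time.now)
    idle_cutoff = now - parse_duration(idle_for)
    age_cutoff  = now - parse_duration(max_age)
    before = @rows.size
    @rows.reject! { |r| r.updated_at < idle_cutoff || r.created_at < age_cutoff }
    before - @rows.size   # rows removed, like delete_all's return value
  end
end

def sweep_demo
  now = Time.utc(2024, 1, 10, 12, 0, 0)   # constructed fixed clock for a repeatable run
  t = SessionTable.new
  t.insert("fresh",  created_at: now - 300,          updated_at: now - 60)    # young and active
  t.insert("idle",   created_at: now - 3600,         updated_at: now - 1200)  # untouched for 20 minutes
  t.insert("zombie", created_at: now - 3 * 86_400,   updated_at: now - 30)    # kept alive for 3 days
  removed = t.sweep(idle_for: "10 minutes", max_age: "2 days", now: now)
  [removed, t.ids]
end

if __FILE__ == $0
  p sweep_demo   # => [2, ["fresh"]]
end
```

The "zombie" row is the case the post warns about: its updated_at is recent because someone keeps hitting the app, and only the created_at condition removes it.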

3) Self-contained XSS

  • Self-contained XSS uses the data: protocol to display its payload directly in a browser such as Firefox or Opera, without the script ever being served by your site. The payload can be hidden behind malicious content such as GIF images and harmful links embedded in pictures, to trap a user into clicking infected HTML, JavaScript or image links.
  • The protocol used is: data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
  • It relies on redirection: the user is sent to potentially malicious sites and feeds that steal cookies and account information.


  • This data URL is a classic Base64 encoding of JavaScript that displays a simple message box; an attacker uses the same trick by getting your app to redirect users to a URL of their choosing. A simple solution is to never redirect to a complete URL, or any part of one, supplied by the user, which protects your web app from this attack.
  • Installing a pop-up and ad blocker also helps to further strengthen an app's usability.
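One way to enforce the "never redirect to a user-supplied URL" rule, as an added example (not the post's or Rails' own code): a small allow-list check built on Ruby's URI library that accepts only local paths or absolute http(s) URLs on your own hosts, and rejects data:, javascript:, protocol-relative and foreign-host targets. safe_redirect_target?, redirect_target and the TRUSTED_HOSTS list are assumptions made for this illustration; in a Rails app you would run the value through this check before passing it to redirect_to.

```ruby
# Added example: allow-list validation of redirect targets.
# safe_redirect_target?, redirect_target and TRUSTED_HOSTS are assumed names.
require "uri"

TRUSTED_HOSTS = ["example.com", "www.example.com"].freeze   # constructed for the example

# True only for a plain relative path ("/account") or an absolute http(s) URL
# whose host is in the allow-list. Everything else is rejected: data: and
# javascript: schemes, protocol-relative "//evil.test", foreign hosts,
# "user@host" tricks and malformed input.
def safe_redirect_target?(target, trusted_hosts: TRUSTED_HOSTS)
  t = target.to_s.strip
  return false if t.empty?
  uri = URI.parse(t)
  if uri.scheme.nil?
    # Relative reference: must start with a single "/" and carry no host part.
    uri.host.nil? && t.start_with?("/") && !t.start_with?("//")
  else
    %w[http https].include?(uri.scheme.downcase) &&
      trusted_hosts.include?(uri.host.to_s.downcase)
  end
rescue URI::InvalidURIError
  false   # unparsable input is never a valid redirect target
end

# What a controller would call: the checked value, or a safe fallback path.
def redirect_target(param, fallback: "/")
  safe_redirect_target?(param) ? param.to_s.strip : fallback
end

if __FILE__ == $0
  [
    "/account/settings",
    "https://www.example.com/orders",
    "data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K",   # the data URL from the text
    "//evil.test/phish",
    "http://example.com@evil.test/"
  ].each { |t| puts "#{safe_redirect_target?(t) ? 'allow ' : 'reject'} #{t}" }
end
```

Note that the check is an allow-list, not a block-list of bad schemes: a new scheme or encoding trick is rejected by default rather than slipping through.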

By applying these workarounds you not only protect your web app from potential threats, you also iron out common coding mistakes, which improves your app's usability and users' preference for it. After all, every user likes their login to be private and secure. That is what web security is all about.