
module Dawn
  module Kb
    module OwaspRorCheatSheet

      # Knowledge-base check derived from the OWASP Ruby on Rails Cheat Sheet:
      # looks into the application's session_store.rb and reports when the
      # session store is not configured for a server-side backend.
      #
      # The check is a PatternMatchCheck run with negative_search enabled, so
      # (as the evidences text states) the finding is raised when none of the
      # listed attack_pattern strings appears in the file. Only the two exact
      # spellings below are recognised; a server-side store configured with a
      # different syntax is not matched and would presumably still be reported
      # (a false positive) — confirm against PatternMatchCheck before relying
      # on this for other store types.
      class SessionStoredInDatabase
        include PatternMatchCheck

        # Builds the check with its static metadata and hands it to
        # PatternMatchCheck#initialize via super.
        def initialize
          # Rationale shown to the user: cookie-based sessions never expire
          # server-side, which enables replay and exposes anything stored in them.
          message = "By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session."

          # Patterns whose presence marks a safe configuration; with
          # negative_search the finding fires when neither is present.
          safe_store_patterns = [
            "Application.config.session_store :active_record_store",
            "Rails.application.config.session_store ActionDispatch::Session::CacheStore"
          ]

          options = {
            name: "Owasp Ror CheatSheet: Session management",
            kind: Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
            applies: ["rails"],
            # Only this config file is inspected.
            glob: "session_store.rb",
            aux_links: ["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
            message: message,
            attack_pattern: safe_store_patterns,
            negative_search: true,
            # Commented-out lines in session_store.rb must not count as a match.
            avoid_comments: true,
            check_family: :owasp_ror_cheatsheet,
            severity: :info,
            evidences: ["In your session_store.rb file you are not using ActiveRecord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack."],
            mitigation: "Use ActiveRecord or the ORM you love most to handle your code session_store. Add \"Application.config.session_store :active_record_store\" to your session_store.rb file."
          }

          super(options)
          # @debug = true  # left disabled; enable locally when tracing this check
        end
      end
    end
  end
end
