overview

Web frameworks were born to help programmers develop web applications quickly and conveniently. The frameworks provide a number of libraries or functions that programmers can use for specific tasks without having to execute code from scratch. Frameworks also often provide some functionality with built-in vulnerability defense mechanisms. For example, Ruby on Rails provides a number of database query functions that can combat SQL injection. Or Ruby on Rails application forms will be generated random tokens to resist CSRF error if we call the form’s csrf_token while creating the form.

However, if the framework does not already provide functions and is resistant to security holes, we will be completely safe when developing the application. The above is only true when the programmer uses it correctly according to the developer’s instructions and uses it safely. To better understand this issue, we will follow the examples of the errors presented below.

Security guides

Injection

The vulnerability occurs when a Rails application fails to validate user-supplied input.

Example

SQL Injection

Below is an example of incorrect use of database access functions leading to SQL Injection vulnerabilities:

The above code has an SQL Injection error in both parameters: params[:state] and params