Prevent JavaScript links by parsing URLs

If you have a website that allows users to submit URLs, one of the (many many) things people will try to do to break your site is to submit URLs that use the javascript: protocol (rather than the more expected http: or https:). This is almost never something that you want, since it allows users to submit essentially arbitrary code that other users will run on click in the context of your domain (same origin policy).

So how do you fix it?

First thought would be to try to check the protocol:

> safe_url = (url) => !url.match(/^javascript:/)
[Function: safe_url]

> safe_url('http://www.example.com')
true

> safe_url('javascript:alert(1)')
false

read more...


Forcing Secure Cookies Behind an ELB in Ruby/Rails

As part of general security good practices, you should always (whenever possible):

  • use HTTPS to serve all requests
  • serve redirects to upgrade HTTP requests to HTTPS
  • set session cookies to secure and http_only
  • enable HTTP Strict Transport Security (HSTS)

read more...


A Quick Look at RC4

In cryptography work, RC4 (Rivest Cipher 4) is well known as both one of the easiest to implement and fastest to run symmetric encryption algorithms. Unfortunately, over time there have been a number of attacks on RC4, both in poorly written protocols (such as in the case of WEP) or statistical attacks against the protocol itself.

Still, for how well it formed, it’s an amazingly simple algorithm, so I decided to try my hand at implementing it.

read more...