maciejb2k/ruby-on-rails-security
Ruby on Rails Security


📄 Download the original Master’s thesis in Computer Science (Polish): Thesis.docx

🌍 The thesis was originally written in Polish as part of my M.Sc. studies in Computer Science (following a B.Eng.). This repository contains the English translation, adapted to be developer-friendly.


This repository is part of my master’s thesis in Computer Science at the University of Rzeszów. The thesis itself serves both as academic research and as a practical developer’s guide to security in Ruby on Rails applications, structured around the OWASP Top 10 (2021).

The project is organized as a monorepo containing a series of small Rails applications, each of which demonstrates a specific security vulnerability.

Each application illustrates the vulnerability in practice — showing how it can be exploited, what the consequences are, and then how to implement a secure fix along with recommended protection techniques and best practices.


Covered Vulnerabilities (OWASP Top 10:2021)

Most examples are built using Ruby on Rails 7.2 and Ruby 3.3.5.

3.1 A01:2021 - Broken Access Control

| Vulnerability | Description | Example App Link |
|---|---|---|
| Mass Assignment | | GitHub |
| Insecure Direct Object References (IDOR) | | GitHub |
| Local File Inclusion (LFI) | | GitHub |
| Object Level Authorization (OLA) | | GitHub |
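As an added illustration of the first entry in this table (this is not code from the repository's example apps, which are full Rails applications), the snippet below reproduces mass assignment in plain Ruby with no Rails dependency. The `User` class and its `admin` column are assumptions standing in for an ActiveRecord model, and `permit` is a minimal stand-in for `ActionController::Parameters#permit`; the request body is constructed for the example.

```ruby
# Added example, not part of the repository: mass assignment in plain Ruby.
# A controller that does `User.new(params[:user])` lets the client write ANY
# attribute, including privileged ones. Strong parameters fix this with an
# allow-list of the fields a form is actually meant to set.

# Toy model standing in for an ActiveRecord::Base subclass (assumption: the
# real table has `name`/`email` strings and an `admin` boolean).
class User
  ATTRS = %i[name email admin].freeze
  attr_reader(*ATTRS)

  def initialize(attrs = {})
    @name = @email = nil
    @admin = false
    attrs.each do |key, value|
      key = key.to_sym
      raise ArgumentError, "unknown attribute #{key}" unless ATTRS.include?(key)
      instance_variable_set("@#{key}", value)
    end
  end
end

# Minimal stand-in for ActionController::Parameters#permit: keeps only the
# allowed keys and silently drops everything else the client submitted.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Constructed request body: the attacker adds `admin` to an ordinary sign-up form.
SIGNUP_PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => true }.freeze

# Vulnerable: every submitted key is written straight to the model.
def create_user_vulnerable(params)
  User.new(params)
end

# Fixed: only the allow-listed fields reach the model; `admin` is dropped.
def create_user_fixed(params)
  User.new(permit(params, :name, :email))
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable admin=#{create_user_vulnerable(SIGNUP_PARAMS).admin}" # true
  puts "fixed      admin=#{create_user_fixed(SIGNUP_PARAMS).admin}"      # false
end
```

The point to carry back to Rails: the allow-list belongs in the controller (`params.require(:user).permit(:name, :email)`), and privileged attributes such as `admin` should never appear in a permit list that is reachable from a self-service form.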

3.2 A02:2021 - Cryptographic Failures

| Vulnerability | Description | Example App Link |
|---|---|---|
| Weak Encoding for Password | | GitHub |
| Use of Hard-Coded Cryptographic Key | | GitHub |
| Cleartext Transmission of Sensitive Information | | GitHub |

3.3 A03:2021 - Injection

| Vulnerability | Description | Example App Link |
|---|---|---|
| Remote Code Execution (RCE) | | GitHub |
| Cross-Site Scripting (XSS) | | GitHub |
| Cross-Site Request Forgery (CSRF) | | GitHub |
| SQL Injection (SQLi) | | GitHub |

3.4 A04:2021 - Insecure Design

| Vulnerability | Description | Example App Link |
|---|---|---|
| Open Redirect | | GitHub |
| Regex Denial of Service (ReDoS) | | GitHub |
| Login Rate Limiting | | GitHub |
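As an added illustration of the Open Redirect entry above (this is not code from the repository's example apps), the snippet below shows the unsafe pattern of echoing a client-supplied `return_to` parameter into a redirect, next to a validator that only accepts a path on the application's own origin. The helper names and the fallback path are assumptions; the sample inputs are constructed for the example and use only Ruby's standard `uri` library.

```ruby
require "uri"

# Added example, not part of the repository: post-login redirect validation.
# `redirect_to params[:return_to]` sends the browser wherever the link that
# brought the user here says, which is what makes phishing via a trusted
# domain work. The safe version accepts only an absolute path on this origin.

# Vulnerable: the client's value becomes the Location header unchanged.
def redirect_target_vulnerable(return_to)
  return_to
end

# Safe: returns a same-origin path, or `fallback` when the input is anything else.
def safe_redirect_target(return_to, fallback: "/")
  return fallback if return_to.nil? || return_to.empty?
  # "//evil.example" and "///evil.example" are scheme-relative URLs to browsers,
  # and "/\evil.example" is normalised to one by several of them.
  return fallback if return_to.start_with?("//") || return_to.include?("\\")

  uri = URI.parse(return_to)
  # A scheme, host or userinfo means the target is not a path on our origin
  # (this also rejects "javascript:" and "data:" targets).
  return fallback if uri.scheme || uri.host || uri.userinfo

  path = uri.path.to_s
  # Require an absolute path ("/account"); "evil.example" or "../x" parse as
  # relative paths and are rejected here.
  return fallback unless path.start_with?("/")

  result = path
  result += "?#{uri.query}" if uri.query
  result
rescue URI::InvalidURIError
  # Control characters, spaces, etc. never reach the Location header.
  fallback
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs.
  ["/account?tab=security", "//evil.example/phish", "https://evil.example/",
   "javascript:alert(1)", "/\\evil.example", "evil.example"].each do |input|
    puts "#{input.inspect} -> #{safe_redirect_target(input).inspect}"
  end
end
```

In a Rails 7 application the framework side of this is `config.action_controller.raise_on_open_redirects` (enabled in the 7.0 framework defaults), which makes `redirect_to` raise `ActionController::Redirecting::UnsafeRedirect` for another host unless `allow_other_host: true` is passed; `url_from(params[:return_to])` returns the URL only when it is on the current host and `nil` otherwise. The validator above is the same check done explicitly, so the behaviour is visible in the test rather than depending on a configuration flag.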

3.5 A05:2021 - Security Misconfiguration

| Vulnerability | Description | Example App Link |
|---|---|---|
| Token / Cookie Misconfiguration | | GitHub |
| XML External Entity (XXE) | | GitHub |
| Forced TLS / HSTS | | GitHub |
| Debug Mode | | GitHub |

3.7 A09:2021 - Security Logging and Monitoring Failures

| Vulnerability | Description | Example App Link |
|---|---|---|
| Enable Logging | | GitHub |
| Logging Sensitive Information | | GitHub |
| No Log to User | | GitHub |

3.8 A10:2021 - Server-Side Request Forgery

| Vulnerability | Description | Example App Link |
|---|---|---|
| Server-Side Request Forgery | | GitHub |

Creating a New Rails Application

To simplify the process of adding new Rails apps, the script create-rails-app.sh automates the setup. It handles project initialization, gem installation, database reset & seeding, Docker container configuration, and server startup.

To create a new Rails app, run:

chmod +x create-rails-app.sh
./create-rails-app.sh

Then enter the new project and start the Rails server:

cd <project-name>
docker compose up -d --remove-orphans

Rebuild containers if needed:

docker compose down
docker compose up -d --remove-orphans --build

Access the Rails app container:

cd <project-name>
docker compose exec -it app bash

Access PostgreSQL shell:

cd <project-name>
docker compose exec -it db psql -U postgres

Restart the application (the startup sequence resets and re-seeds the database, so any data you entered is lost):

docker compose restart

Stop containers:

docker compose down

About

OWASP Top 10 vulnerabilities demonstrated in Rails applications
