Hi all

Currently I'm implementing an authorization system in my website. Because this is the first time I'm doing something like this, I'm a bit unsure how to handle hacking attempts: what should I display if someone tries to open a URL he is not allowed to open?

Scenario 1 - user is not logged in yet:
a) When the user tries to open an unknown route, in production a 404 website is shown.
b) When the user tries to open an existing route which needs a logged-in user, he is redirected to the login screen.

Scenario 2 - user is logged in:
a) When the user tries to open an unknown route, still a 404 website is shown.
b) (Now the interesting part) When the user tries to open an existing route but he is not allowed to (which could be a hacking attempt) - should there be an error message like "You are not allowed..." or should a 404 also be shown (but with a notification to the webmaster)? And in the second case, how can I show this 404 manually so it does not differ in any way from point a)?

Thanks for help
Josh
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Redirect them to a page they can look at.

Suppose this situation occurs: A search engine finds a post it cares about at http://example.com/forum/5/51. That post is deleted. A user searches, and is sent there. Would you rather have them see "you idiot! do you think you can haxor me!" or your opening page? :)

If you want to make the distinction between "possible hacking attempts" and "pages that don't exist" you can probably render :file in your controller, and directly render the 404 file. If you do this, be certain to set the 404 response code. However... would this break some web caches, since the 404 response might be cached? I don't know.

I'm comfortable in displaying a message like "You cannot edit this item" and redirecting them to the item's display page (if it's public) or to the list of items they can see, or to the home page, as appropriate. I do the same thing for "record not found" as "you cannot edit this item" in the redirect part. I just flash[:notice] them about their lack of permission too.

--Michael
On Wed, 24 Oct 2007 23:34:05 +0200, Joshua Muheim wrote:

> b) (Now the interesting part) When the user tries to open an existing
> route but he is not allowed to (which could be a hacking attempt) -
> should there be an error message like "You are not allowed..." or should
> also be shown a 404 (but with a notification to the webmaster)? And in
> the second case - how can I show this 404 manually so it does not differ
> in any way to the point a) ?

I generally prefer an error that doesn't indicate that there's something there worth digging into, so that'd probably be a 404. You don't want http://www.example.com/blog/non-existent-post to give a 404, while http://www.example.com/admin-panel/format-hard-drive gives a "You do not have permission to access this URL". That just screams "Find a hole and hack me!!"

On the other hand, you should think about whether you really want a webmaster notification or not. If you get the notification, what are you actually going to do about it?

I've worked on large systems that start out being incredibly paranoid about all their input, and any time they get an invalid message, they log it and possibly even page the NOC. (Error! Emergency! Attempted to fetch article 523 but it doesn't exist! It's missing! Go page the person who might be able to restore article 523 from backups!) That's useful to work out the bugs. And, eventually, you realize that there's a pattern to the few errors that remain; they always come from screen names like "133tHotGeek4u". And you deduce that hackers have found a way to send requests for arbitrary article numbers to your server. And that's when you turn it from a log message into a report statistic so you can see what percentage of your bandwidth budget is going toward hacker activity. And then you ignore it.

-- 
Jay Levitt                |
Boston, MA                | My character doesn't like it when they
Faster: jay at jay dot fm | cry or shout or hit.
http://www.jay.fm         |                        - Kristoffer
Thank you, that's useful information to me.

Anyway, how exactly can I send the 404 header?

    def show
      if !Article.exists?(params[:id])
        # What code goes here?
      end
    end

-- 
Posted via http://www.ruby-forum.com/.
stephen.celis-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-Oct-27 14:19 UTC
Re: What to display on hacking attempts?
Depends on how you want to send the 404 information, but you basically need to include ":status => 404"

Examples:

    render :layout => false, :status => 404

    send_file "#{RAILS_ROOT}/public/404.html", :type => 'text/html; charset=utf-8', :status => 404

On Oct 27, 6:33 am, Joshua Muheim <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:

> Thank you, that's useful information to me.
>
> Anyway, how exactly can I send the 404 header?
>
> def show
> if !Article.exists?(params[:id])
> # What codes goes here?
> end
> end
> --
> Posted via http://www.ruby-forum.com/.
stephen.celis-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:

> Depends on how you want to send the 404 information, but you basically
> need to include ":status => 404"
>
> Examples:
> render :layout => false, :status => 404
> send_file "#{RAILS_ROOT}/public/404.html", :type => 'text/html;
> charset=utf-8', :status => 404
>
> On Oct 27, 6:33 am, Joshua Muheim <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>

When using this code, Firefox shows me a "Save to..." dialog... :-/

-- 
Posted via http://www.ruby-forum.com/.
On Mon, 29 Oct 2007 00:04:15 +0100, Joshua Muheim wrote:

> When using this code, Firefox displays me a "Save to..." dialog... :-/

See? It's confused you so much you've stopped hacking. Works great, doesn't it?

-- 
Jay Levitt                |
Boston, MA                | My character doesn't like it when they
Faster: jay at jay dot fm | cry or shout or hit.
http://www.jay.fm         |                        - Kristoffer
Jay Levitt wrote:

> On Mon, 29 Oct 2007 00:04:15 +0100, Joshua Muheim wrote:
>
>> When using this code, Firefox displays me a "Save to..." dialog... :-/
>
> See? It's confused you so much you've stopped hacking. Works great,
> doesn't it?
>
> --
> Jay Levitt                |
> Boston, MA                | My character doesn't like it when they
> Faster: jay at jay dot fm | cry or shout or hit.
> http://www.jay.fm         |                        - Kristoffer

Hehe, funny guy =)

    render :file => "#{RAILS_ROOT}/public/404.html", :layout => false, :status => 404

Using this one it works great. :-)

-- 
Posted via http://www.ruby-forum.com/.
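As an added example that is not part of the thread (plain Ruby, no Rails; the route table, role names, user hashes and 404 body are all constructed stand-ins), this Rack-style handler implements the scheme the thread settles on: unknown routes and existing-but-forbidden routes return byte-identical 404 responses, an anonymous user on a protected route is redirected to /login, and denials are logged and counted internally as a statistic rather than turned into an alert.

```ruby
require 'logger'
require 'stringio'

# Constructed stand-in for the contents of public/404.html
NOT_FOUND_BODY = "<html><body><h1>404 Not Found</h1></body></html>\n".freeze
NOT_FOUND_HEADERS = { 'Content-Type' => 'text/html; charset=utf-8' }.freeze

# Constructed route table: path => role required to view it (hypothetical)
ROUTES = {
  '/articles/1'      => :public,
  '/articles/1/edit' => :member,
  '/admin'           => :admin,
}.freeze

class AuthorizingApp
  attr_reader :denied_count

  def initialize(log_io = StringIO.new)
    @log_io = log_io
    @log = Logger.new(log_io)
    @denied_count = 0
  end

  # user is nil when not logged in, otherwise a hash like { name:, role: }.
  # Returns a Rack-style [status, headers, body] triple.
  def call(path, user)
    required = ROUTES[path]
    return not_found if required.nil?                                   # 1a / 2a
    return [302, { 'Location' => '/login' }, []] if user.nil? && required != :public # 1b
    return ok(path) if allowed?(required, user)
    # 2b: the route exists but this user may not see it. Send exactly the
    # same bytes as the unknown-route case, and only record it internally.
    @denied_count += 1
    @log.warn("denied #{user[:name]} (#{user[:role]}) -> #{path}")
    not_found
  end

  def log_lines
    @log_io.string.lines.map(&:chomp)
  end

  private

  def allowed?(required, user)
    required == :public || (user && (user[:role] == :admin || user[:role] == required))
  end

  def ok(path)
    [200, { 'Content-Type' => 'text/html; charset=utf-8' }, ["<h1>#{path}</h1>"]]
  end

  def not_found
    [404, NOT_FOUND_HEADERS.dup, [NOT_FOUND_BODY]]
  end
end
```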