[WEB SECURITY] Ruby vulnerable project needed

MustLive mustlive at websecurity.com.ua
Fri Apr 29 16:55:29 EDT 2011

Hello Josh!

Concerning your learning of Ruby's vulnerabilities, I can suggest that you
look at web applications written in Ruby (popular or not so popular) and find
holes in real web apps. With this you'll gain experience in finding holes in
web applications written in Ruby, and you can also inform the developers
about them and so help them improve the security of their web applications.

> One thing I really want is a "Ruby-Webgoat" :) - any project (set of
> projects?) that has many vulnerabilities

It is better to work with real web applications. I already described my
position concerning synthetic software in 2009 on the WASC Mailing List. Or,
if you can't find such web apps, or there are other reasons for not testing on
localhost, then you can search for vulnerabilities at real sites on Ruby, i.e.
search for holes in Ruby web apps in a real environment. I discussed the
legality of such research in the same above-mentioned discussion in 2009 on
this list. Based on my two posts on this subject I've written my article
"Hacking of web sites, security researches, disclosure and legislation".

So without a doubt you'll find web applications on Ruby to check for
vulnerabilities ;-). For all of those which can be found in Ruby (and that's a
lot of WASC TC v.2.0).

Best wishes & regards,
Administrator of Websecurity web site

Joshua Lang joshulang at gmail.com
Thu Apr 14 19:42:08 EDT 2011

> Hello security people,
> I'm in the process of learning Ruby's vulnerabilities, and was wondering how
> to advance.
> One thing I really want is a "Ruby-Webgoat" :) - any project (set of
> projects?) that has many vulnerabilities (either well-documented, which is
> much preferable), or even something non-documented. I mean all the standard
> things - XSS, SQL Injection, XSRF... whatever can be found in Ruby.
> Also, if there are any other good resources for vulnerabilities in Ruby, and
> mainly for Ruby-specific vulnerabilities (are there any of these?), I'd be
> more than happy to get the relevant links (list of potential programming
> vulnerabilities, how-to, small examples...)
> Thanks a lot in advance,
> ~josh~
