[WEB SECURITY] Ruby vulnerable project needed

Stephan Wehner stephanwehner at gmail.com
Fri Apr 29 20:01:34 EDT 2011


On Thu, Apr 14, 2011 at 4:42 PM, Joshua Lang <joshulang at gmail.com> wrote:
> Hello security people,
>
> I'm in the process of learning Ruby's vulnerabilities, and was wondering how
> to advance.
>
> One thing I really want is a "Ruby-Webgoat" :) - any project (set of
> projects?) that has many vulnerabilities (either well-documented, which is
> much preferable), or even something non-documented. I mean all the standard
> things - XSS, SQL Injection, XSRF... whatever can be found in Ruby.
>

This Ruby-on-Rails project is pretty ambitious, and probably
worthwhile to support with respect to closing security holes:

https://github.com/diaspora/diaspora

An article about its security appeared this week at
http://cacm.acm.org/magazines/2011/5/107701-weapons-of-mass-assignment
I think it doesn't reflect the current state of the code,
security-wise, not sure.

Stephan

> Also, if there are any other good resources for vulnerabilities in Ruby, and
> mainly for Ruby-specific vulnerabilities (are there any of these?), I'd be
> more than happy to get the relevant links (list of potential programming
> vulnerabilities, how-to, small examples...)
>
> Thanks a lot in advance,
> ~josh~
> _______________________________________________
> The Web Security Mailing List
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org



-- 
Stephan Wehner

-> http://stephan.sugarmotor.org (blog and homepage)
-> http://loggingit.com
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- http://blog.stephansmap.org
-> http://twitter.com/stephanwehner / @stephanwehner
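As an added illustration (not part of the thread and not Diaspora's code), here is the mass-assignment pattern the linked CACM article is about, reduced to plain Ruby so it runs without Rails: a model that copies every submitted key beside one that only copies a whitelist. The `User` class and the sample request hash are constructed for this example.

```ruby
# Constructed sample request body: a signup form to which the client appended
# an extra field it was never shown. (Illustration only.)
SIGNUP_PARAMS = {
  "name"  => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

class User
  attr_reader :name, :email, :admin

  # Attributes the form is meant to set; the Rails-side analogue is
  # attr_accessible / strong parameters.
  PERMITTED = %w[name email].freeze

  def initialize
    @admin = false
  end

  # Vulnerable style: every key in the request becomes a model attribute,
  # so a client-supplied "admin" silently flips the privilege flag.
  def assign_all(params)
    params.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Hardened style: only whitelisted keys are copied. Rejected keys are
  # returned so the caller can log them, which is also the detection signal.
  def assign_permitted(params)
    rejected = []
    params.each do |key, value|
      if PERMITTED.include?(key.to_s)
        instance_variable_set("@#{key}", value)
      else
        rejected << key.to_s
      end
    end
    rejected
  end
end
```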



