Hello security people,
I'm in the process of learning Ruby's vulnerabilities, and was wondering how
to advance.
One thing I really want is a "Ruby-Webgoat" :) - any project (set of
projects?) that has many vulnerabilities (either well-documented, which is
much preferable), or even something non-documented. I mean all the standard
things - XSS, SQL Injection, XSRF... whatever can be found in Ruby.
Also, if there are any other good resources for vulnerabilities in Ruby, and
mainly for Ruby-specific vulnerabilities (are there any of these?), I'd be
more than happy to get the relevant links (list of potential programming
vulnerabilities, how-to, small examples...)
Thanks a lot in advance,
~josh~
On Thu, Apr 14, 2011 at 4:42 PM, Joshua Lang joshulang@gmail.com wrote:
> Hello security people,
> I'm in the process of learning Ruby's vulnerabilities, and was wondering how
> to advance.
> One thing I really want is a "Ruby-Webgoat" :) - any project (set of
> projects?) that has many vulnerabilities (either well-documented, which is
> much preferable), or even something non-documented. I mean all the standard
> things - XSS, SQL Injection, XSRF... whatever can be found in Ruby.

This Ruby-on-Rails project is pretty ambitious, and probably
worthwhile to support with respect to closing security holes:
https://github.com/diaspora/diaspora
An article about its security appeared this week at
http://cacm.acm.org/magazines/2011/5/107701-weapons-of-mass-assignment
I think it doesn't reflect the current state of the code,
security-wise, not sure.
Stephan

> Also, if there are any other good resources for vulnerabilities in Ruby, and
> mainly for Ruby-specific vulnerabilities (are there any of these?), I'd be
> more than happy to get the relevant links (list of potential programming
> vulnerabilities, how-to, small examples...)
> Thanks a lot in advance,
> ~josh~
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
--
Stephan Wehner
-> http://stephan.sugarmotor.org (blog and homepage)
-> http://loggingit.com
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- http://blog.stephansmap.org
-> http://twitter.com/stephanwehner / @stephanwehner
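Added example, not part of the thread above and not code from Diaspora or Rails: a framework-free illustration of the "mass assignment" bug class that the linked CACM article discusses, with the vulnerable copy-everything pattern beside an allowlist version. The `Account` class, its `PERMITTED` list and the `TAMPERED_PARAMS` request hash are all constructed for this demo.

```ruby
# A toy record with a privileged attribute that request input must never set.
class Account
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Vulnerable pattern: copy every key of the incoming hash onto the object.
  # This is the shape of Model.new(params[:account]) in a framework that does
  # not restrict which attributes a request may assign.
  def assign_all(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end

  # Hardened pattern: only keys on an explicit allowlist are copied; every
  # other key is dropped and returned so the caller can log the attempt.
  PERMITTED = %w[name email].freeze

  def assign_permitted(attrs)
    rejected = []
    attrs.each do |k, v|
      if PERMITTED.include?(k.to_s)
        public_send("#{k}=", v)
      else
        rejected << k.to_s
      end
    end
    rejected
  end
end

# Constructed request body: a signup form carrying one extra field that the
# server never intended a client to control.
TAMPERED_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.com",
  "admin" => true
}.freeze

# Returns the account built by the vulnerable path (admin ends up true).
def vulnerable_signup(params = TAMPERED_PARAMS)
  Account.new.assign_all(params)
end

# Returns [account, dropped_keys] built by the hardened path (admin stays false).
def hardened_signup(params = TAMPERED_PARAMS)
  acct = Account.new
  dropped = acct.assign_permitted(params)
  [acct, dropped]
end

if __FILE__ == $PROGRAM_NAME
  puts "assign_all       -> admin=#{vulnerable_signup.admin}"
  acct, dropped = hardened_signup
  puts "assign_permitted -> admin=#{acct.admin}, dropped=#{dropped.inspect}"
end
```

Run it with `ruby mass_assignment.rb`; the rejected-key list returned by `assign_permitted` is the hook a defender wants, since a request that keeps trying to set `admin` is worth an alert rather than a silent drop.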