websecurity@lists.webappsec.org

The Web Security Mailing List


Ruby vulnerable project needed

Joshua Lang
Thu, Apr 14, 2011 11:42 PM

Hello security people,

I'm in the process of learning Ruby's vulnerabilities, and was wondering how
to advance.

One thing I really want is a "Ruby-Webgoat" :) - any project (set of
projects?) that has many vulnerabilities (either well-documented, which is
much preferable), or even something non-documented. I mean all the standard
things - XSS, SQL Injection, XSRF... whatever can be found in Ruby.

Also, if there are any other good resources for vulnerabilities in Ruby, and
mainly for Ruby-specific vulnerabilities (are there any of these?), I'd be
more than happy to get the relevant links (list of potential programming
vulnerabilities, how-to, small examples...)

Thanks a lot in advance,
~josh~

Stephan Wehner
Sat, Apr 30, 2011 12:01 AM

On Thu, Apr 14, 2011 at 4:42 PM, Joshua Lang <joshulang@gmail.com> wrote:

> Hello security people,
>
> I'm in the process of learning Ruby's vulnerabilities, and was wondering how
> to advance.
>
> One thing I really want is a "Ruby-Webgoat" :) - any project (set of
> projects?) that has many vulnerabilities (either well-documented, which is
> much preferable), or even something non-documented. I mean all the standard
> things - XSS, SQL Injection, XSRF... whatever can be found in Ruby.

This Ruby-on-Rails project is pretty ambitious, and probably
worthwhile to support with respect to closing security holes:

https://github.com/diaspora/diaspora

An article about its security appeared this week at
http://cacm.acm.org/magazines/2011/5/107701-weapons-of-mass-assignment
I think it doesn't reflect the current state of the code,
security-wise, not sure.

Stephan

> Also, if there are any other good resources for vulnerabilities in Ruby, and
> mainly for Ruby-specific vulnerabilities (are there any of these?), I'd be
> more than happy to get the relevant links (list of potential programming
> vulnerabilities, how-to, small examples...)
>
> Thanks a lot in advance,
> ~josh~
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

--
Stephan Wehner
-> http://stephan.sugarmotor.org (blog and homepage)
-> http://loggingit.com
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- http://blog.stephansmap.org
-> http://twitter.com/stephanwehner / @stephanwehner
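The "mass assignment" class of bug that the CACM article linked above takes its title from is one of the few genuinely Ruby/Rails-flavoured issues a learner will meet, so here it is reduced to plain Ruby as an added example. This is not code from Diaspora, Rails or either post; the User class, the permitted-attribute list and the request parameters are all constructed for illustration. The vulnerable form turns every key in the request into a setter call, so a client who adds admin=true to a profile-update form promotes itself; the hardened form only writes a fixed whitelist and rejects anything else.

```ruby
# Added example: mass assignment in plain Ruby (no Rails), vulnerable form
# beside a whitelisted form. All names and sample params are constructed.

# Simulated parsed request bodies (what a web framework hands the controller).
ATTACKER_PARAMS = { "name" => "mallory", "email" => "m@example.test", "admin" => "true" }.freeze
HONEST_PARAMS   = { "name" => "alice",   "email" => "a@example.test" }.freeze

class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false # the privilege a client must never be able to set for itself
  end
end

# Vulnerable: any key the client sends that matches a setter gets written,
# including "admin". This is the shape of classic Rails update_attributes(params[:user]).
class VulnerableUser < User
  def assign_attributes(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Hardened: an explicit whitelist of client-writable attributes (the idea behind
# attr_accessible / strong parameters). Unknown or protected keys are rejected
# loudly rather than silently dropped, so the attempt shows up in logs.
class SafeUser < User
  PERMITTED = %w[name email].freeze

  class UnpermittedAttribute < StandardError; end

  def assign_attributes(params)
    unpermitted = params.keys.map(&:to_s) - PERMITTED
    raise UnpermittedAttribute, "rejected: #{unpermitted.join(', ')}" unless unpermitted.empty?

    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Drives one model class with one request and reports the outcome:
#   :escalated  - the client ended up with admin set
#   :rejected   - the request was refused for carrying unpermitted keys
#   :ok         - the request was applied without touching admin
def outcome(klass, params)
  user = klass.new
  begin
    user.assign_attributes(params)
  rescue SafeUser::UnpermittedAttribute
    return :rejected
  end
  user.admin ? :escalated : :ok
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, attacker params: #{outcome(VulnerableUser, ATTACKER_PARAMS)}"
  puts "safe,       attacker params: #{outcome(SafeUser, ATTACKER_PARAMS)}"
  puts "safe,       honest params:   #{outcome(SafeUser, HONEST_PARAMS)}"
end
```

Note that the vulnerable version does check respond_to?, so it is not "unrestricted" in the naive sense; the bug is that responding to a setter is not the same as being safe for a client to set. The fix is a positive list of client-writable fields, decided per form or per role, not a blacklist of dangerous ones.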