Ruby language features make the development process fast and simple. Rails provides a default RESTful interface with XML and JSON APIs, and has a very healthy library ecosystem. It is popular with developers for prototyping and rapid small-team application development, and is also used for large-scale applications.
Rails 2.x needs to escape text explicitly; Rails 3.x should escape everything by default. However, where a programmer wants to store or render unescaped input, this protection can be bypassed. Happens all the time.
Model.where(:name => params[:name]) can be made to bypass a query's where clause by sending an empty hash in params[:name]. This is a variant of CVE-2012-2660 and CVE-2012-2694. Solution: update to Rails 3.2.11, 3.1.10 or 3.0.19, or cast the parameter to a string. https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI
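As an added illustration (not code from the slides or from Rails itself), the following Ruby models the where-clause problem described above next to the "cast to string" fix. `naive_condition` is a simplified stand-in for an ORM that accepts whatever params[:name] parsed to; `safe_condition` only lets a scalar through. The request bodies and the two builders are constructed for this example.

```ruby
# Added example, not Rails' own code: a simplified model of how a structured
# value reaching where(:name => params[:name]) loses the condition, versus a
# builder that casts/validates to a string first (the slide's recommendation).

# Simplified model of the vulnerable behaviour: a Hash value is treated as a
# set of nested column conditions, so an empty Hash contributes nothing and
# the WHERE clause silently disappears; nil degrades to IS NULL.
def naive_condition(column, value)
  case value
  when Hash
    value.map { |k, v| "#{column}.#{k} = ?" }.join(" AND ")
  when nil
    "#{column} IS NULL"
  else
    "#{column} = ?"
  end
end

# Hardened builder: only String/Numeric input is accepted, everything else is
# rejected before a query is built. (String(value) would turn {} into "{}",
# which also matches nothing, but refusing bad input is clearer.)
def safe_condition(column, value)
  unless value.is_a?(String) || value.is_a?(Numeric)
    raise ArgumentError, "#{column} must be a scalar, got #{value.class}"
  end
  ["#{column} = ?", value.to_s]   # bind parameter, never interpolated
end

# Constructed request bodies and what a parser would yield for params[:name].
REQUESTS = {
  "name=alice"     => "alice",
  '{"name": {}}'   => {},
  '{"name": null}' => nil,
}

def demo
  REQUESTS.map do |body, parsed|
    safe = begin
      safe_condition("name", parsed).inspect
    rescue ArgumentError => e
      "rejected (#{e.message})"
    end
    [body, naive_condition("name", parsed), safe]
  end
end

demo.each { |body, naive, safe| puts "#{body.ljust(16)} naive=#{naive.inspect.ljust(16)} safe=#{safe}" } if $PROGRAM_NAME == __FILE__
```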
params (all of them) can create symbols and parse YAML. Basically remote code execution. Not SQLi itself, but it exacerbates other SQLi vulns through symbol manipulation. Solution: update to Rails 3.2.11, 3.1.10, 3.0.19 or 2.3.15, disable the XML / YAML interfaces, or disable those capabilities within XML parsing. https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ https://gist.github.com/4499206 - postmodern RCE
a bad week. We don't wish that on anyone. He in turn wants to thank these folks: “Ben Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville for reporting the issue to us and working with us to ensure the fixes worked.”
session. People put all kinds of things in the session. Sessions never expire and are easy to replay after logout. Open source apps sometimes use a public secret for signing cookies. Recommendations: use the database-backed session store and expire sessions. Update your secret and keep it secret.
we presented to ChicagoRuby on Rails Security. We were fortunate to receive a favorable response and lots of interesting follow-up conversations. On 2/13/2013 we have been invited back to do a Ruby “Hack Night” where we'll have folks run brakeman and fix security problems. We would LOVE to have you come help us!