This talk was presented at THOTCON 0x6, Beacon and OWASP Chicago. Brandon Myers and I talk about our research on Ruby Gem security. We talk about RubyGem 101 basics, transport layer security risks, how to trojan a gem, and discuss how to bypass gem signing. We also discuss a research tool we created to demonstrate the exploitation and trojaning process. We also provide guidance on how developers and users can better protect themselves from such weaknesses.
Demonstration Video #1: Gem Install Request Hijacking
Demonstration Video #2: Trojaning a Gem in Transit
Demonstration Video #3: Bypassing Signed Gems (on MediumSecurity)