Questions tagged [ruby]

51 questions
11 votes, 2 answers

Why would you need a salt for AES-CBC when the IV is already randomly generated and stored with the encrypted data?

I was looking at this code and came across these comments which says encrypting without a salt is insecure. Why would it be insecure when you are already using a random IV for each value? I think the comment might be incorrect, but it is a popular…
Chloe
11 votes, 2 answers

What unique risks does MVC model binding bring to a website? What additional vigilance is needed?

From what I understand, "model binding" is where a website based on ASP.NET MVC or Ruby on Rails (there are others...) takes parameters in HTTP's GET statement and passes them as variables to code within the site. Since GitHub (a popular FOSS site…
makerofthings7
10 votes, 3 answers

What simple security considerations can I / should I make for a read-only API?

Right now I'm setting up an API, to be consumed on the client-side to set up a directory site. I'm wondering what extra steps I need to take just to prevent people from gaining write access to the data. Some notes: The API / database has no private…
Anders H
7 votes, 3 answers

Ruby on Rails pentesting web applications

I am currently testing a RoR web application, but I am honestly at a bit of a loss. I have never gone up against a RoR application before and I was wondering if there were any specific tools I could use to attack this RoR site (I have full…
TheHidden
6 votes, 1 answer

Password security when connecting to LDAP with a Rails application

How do you store a username/password securely in a Rails app when using it for many LDAP searches? The connection in the app requires ldap_bind_authenticate(Net::LDAP.new, username, password) each time a search is made, and the credentials of the…
essefbx
6 votes, 2 answers

What risks are involved with installing gems from rubygems.org? Are alternatives safer?

Normally, when installing a Ruby gem, I'd ask my system admin to do sudo gem install gemname. However, there was recently a security breach with the source of gems, http://rubygems.org , and I'm wondering how safe this is, and whether alternatives…
Andrew Grimm
6 votes, 1 answer

Ruby Devise salt exposed

The remember_user_token cookie token generated by the Ruby Devise authentication component reveals part of a bcrypt salted credential when decoded. For…
user1330734
6 votes, 2 answers

How does the Meterpreter load modules?

I've been using the Meterpreter for some time and I'm still quite new to it, and one of the questions I have is how its module loading works. Correct me if I'm wrong as I'm still learning how to use Metasploit, but to the best of my knowledge I know…
eclipse
5 votes, 2 answers

Ruby resources for penetration testing/testers and ethical hackers

I'm wondering if there is a place where I can find up-to-date information regarding ethical hacking with Ruby. I do find a lot of Python information, which is OK, but I have 4 years of experience coding Ruby for DevOps/Sysadmin/networking related…
cfernandezlinux
5 votes, 2 answers

Why does OpenSSL not include AES-256-GCM?

I'm trying to implement AES-256-GCM in Ruby. Ruby's OpenSSL wrapper library and aead library both clearly seem to believe that OpenSSL itself supports this. However, neither 0.9.8r (which I had installed) nor 1.0.1c (which I updated to w/ macports)…
Sai
5 votes, 8 answers

How should I securely generate random passwords when importing new users?

I need to generate random passwords when importing new users from an external source. I'm currently doing it by taking a random assortment of 8 lowercase/uppercase letters, and numbers. I am also using Ruby's rand as a PRNG. Is this…
123
5 votes, 2 answers

Could the bcrypt-ruby binding be vulnerable?

While developing a Ruby on Rails application using a commonly used authentication library named devise, I noticed from the prefix $2a$ of the produced password hashes in the application database that it's using a bcrypt variant. I read up about…
aef
4 votes, 1 answer

Does Apple maintain the security of the built-in Ruby?

Does Apple maintain the security of the Ruby implementation that comes by default in OS X? I recently heard about CVE-2013-4073, but when I ran "Software Update..." on my OS X Lion box, it didn't update Ruby. Also, I've never noticed a Software…
Andrew Grimm
4 votes, 2 answers

Can anybody recommend any gems for checking security vulnerabilities?

I want to check one of my RoR projects for security vulnerabilities. So can anybody recommend any gems for my needs?
egoholic
3 votes, 0 answers

Is Marshal.load safe for Marshal.dumped data?

I want to serialize and deserialize models that contain user input. Marshal is a serialization library built into Ruby. By design, ::load can deserialize almost any class loaded into the Ruby process. In many cases this can lead to remote code…
Qaz