Questions tagged [ruby]
51 questions
11
votes
2 answers
Why would you need a salt for AES-CBS when IV is already randomly generated and stored with the encrypted data?
I was looking at this code and came across these comments which says encrypting without a salt is insecure. Why would it be insecure when you are already using a random IV for each value? I think the comment might be incorrect, but it is a popular…
Chloe
- 1,668
- 3
- 15
- 30
11
votes
2 answers
What unique risks does MVC model binding bring to a website? What additional vigilance is needed?
From what I understand, "model binding" is where a website based on ASP.NET MVC or Ruby on Rails (there are others...) takes parameters in HTTP's GET statement and passes them as variables to code within the site.
Since GitHub (a popular FOSS site…
makerofthings7
- 50,090
- 54
- 250
- 536
10
votes
3 answers
What simple security considerations can I / should I make for a read-only API?
Right now I'm setting up an API, to be consumed on the client-side to set up a directory site. I'm wondering what extra steps I need to take just to prevent people from gaining write access to the data.
Some notes:
The API / database has no private…
Anders H
- 209
- 1
- 3
7
votes
3 answers
ruby on rails pentesting web applications
I am currently testing a RoR web application, but I am honestly at a bit of a loss, I have never gone up against a RoR application before and I was wondering if there were any specific tools I could use to attack this RoR site (I have full…
TheHidden
- 4,265
- 3
- 21
- 40
6
votes
1 answer
Password security when connecting to ldap with rails application
How do you store a username/password securely in a rails app when using it for many ldap searches?
The connection in the app requires
ldap_bind_authenticate(Net::LDAP.new, username, password)
each time a search is made, and the credentials of the…
essefbx
- 172
- 12
6
votes
2 answers
What risks are involved with installing gems from rubygems.org? Are alternatives safer?
Normally, when installing a Ruby gem, I'd ask my system admin to do
sudo gem install gemname
However, there was recently a security breach with the source of gems, http://rubygems.org , and I'm wondering how safe this is, and whether alternatives…
Andrew Grimm
- 2,100
- 2
- 20
- 27
6
votes
1 answer
Ruby Devise salt exposed
The remember_user_token cookie token generated by the Ruby Devise authentication component reveals part of a bcrypt salted credential when decoded.
For…
user1330734
- 389
- 7
- 16
6
votes
2 answers
How does the Meterpreter load modules?
I've been using the Meterpreter for some time and I'm still quite new to it and one of the questions I have is how it's module loading works.
Correct me if I'm wrong as I'm still learning how to use Metasploit, but to the best of my knowledge I know…
eclipse
- 83
- 4
5
votes
2 answers
Ruby resources for Penetration testing/testers and ethical hackers
I'm wondering if there is a place where I can find up-to-date information regarding ethical hacking with Ruby. I do find lot of Python information, which is OK, but I have 4 years of experience coding Ruby for DevOps/Sysadmin/networking related…
cfernandezlinux
- 281
- 4
- 15
5
votes
2 answers
Why does OpenSSL not include AES-256-GCM?
I'm trying to implement AES-256-GCM in Ruby.
Ruby's OpenSSL wrapper library and aead library both clearly seem to believe that OpenSSL itself supports this.
However, neither 0.9.8r (which I had installed) nor 1.0.1c (which I updated to w/ macports)…
Sai
- 259
- 1
- 3
- 7
5
votes
8 answers
How should I securely generate random passwords when importing new users?
I need to generate random passwords when importing new users from an external source. I'm currently doing it by taking a random assortment of 8 lowercase/uppercase letters, and numbers. I am also using Ruby's rand as a PRNG. Is this…
123
- 235
- 1
- 6
- 13
5
votes
2 answers
Could the bcrypt-ruby binding be vulnerable?
While developing a Ruby on Rails application using a commonly used authentication library named devise, I noticed from the prefix $2a$ of the produced password hashes in the application database that it's using a bcrypt variant.
I read up about…
aef
- 267
- 1
- 10
4
votes
1 answer
Does Apple maintain the security of the built-in Ruby?
Does Apple maintain the security of the Ruby implementation that comes by default in OS X?
I recently heard about CVE-2013-4073, but when I ran "Software Update..." on my OS X Lion box, it didn't update Ruby. Also, I've never noticed a Software…
Andrew Grimm
- 2,100
- 2
- 20
- 27
4
votes
2 answers
Can anybody recommend any gems for checking security vulnerabilities?
I want to check one of my RoR projects for security vulnerabilities.
So can anybody recommend any gems for my needs?
egoholic
- 75
- 4
3
votes
0 answers
Is Marshal.load safe for Marsha.dumped data
I want to serialize and deserialize models that contain user input. Marshal is a serialization library built into Ruby.
By design, ::load can deserialize almost any class loaded into the Ruby process. In many cases this can lead to remote code…
Qaz
- 185
- 6