Questions tagged [ruby]
51 questions
3
votes
0 answers
How does the Ruby on Rails CSRF Protection Work?
I am not sure I completely understand how Ruby on Rails handles CSRF protection.
My understanding was that a token is generated and embedded in the HTML markup as a meta tag, and at the same time encrypted in the session cookie. When performing a…
daniel f.
- 281
- 1
- 6
3
votes
3 answers
Plain text Rails environment variables and security
I work for a healthcare company that emphasizes security, due to the sensitivity of the data that we work with. Recently, we've been doing a lot of auditing (internal and external) of our current "stack" to ensure that we're compliant with various…
RonMexico
- 31
- 1
3
votes
1 answer
Possibility of SQLI in the following request?
I was testing a web application which is written in Ruby, Rails framework, when I stumbled on the following request which was sent. I modified the request and now it displays part of an SQL query. I am not familiar with SQL in Ruby, so…
Dhayalan Pro
- 131
- 2
2
votes
1 answer
Can we join a table in this Ruby on Rails Direct Object Reference?
I am trying to inject a RoR application... I have found a nice command which will allow me to delete things unchecked...but the problem is that it's not a problem, it's a very minor point; to make it a problem, is there any way I can inject a command to…
TheHidden
- 4,265
- 3
- 21
- 40
2
votes
1 answer
How does CVE-2013-4287 make Rubygems any more vulnerable?
I've recently heard about CVE-2013-4287, which can cause denial of service due to CPU consumption.
But earlier this year, I attended Hacking with Gems which showed all kinds of weird and wonderful things a hacker could do with a malicious gem.
If a…
Andrew Grimm
- 2,100
- 2
- 20
- 27
2
votes
1 answer
How to verify Ruby on Rails projects are at current patch levels?
I've got a few Ruby on Rails systems running Ubuntu 14.04LTS. The Ubuntu version of supported Ruby is 1.9.1 but the developers use a Gemfile and Bundler which (AFAIK) installs Ruby (and gems) out-of-band from the OS updates to allow different…
Server Fault
- 233
- 1
- 7
2
votes
0 answers
Arp Spoofing detection with Ruby
I am planning to develop a Ruby script that detects ARP spoofing attacks on a local network, I have a few questions about it. There are three scenarios I am taking into consideration:
First idea as always is a basic idea.
If ARP poisoning is…
Fatih Altuntaş
- 121
- 1
2
votes
0 answers
What is the purpose of OpenSSL::X509::ExtensionFactory
Why does the Ruby standard library suggest creating a factory and only then adding extensions to a certificate?
```ruby
ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = our_cert
ef.issuer_certificate =…
```
srghma
- 203
- 2
- 7
2
votes
1 answer
Restriction to ui panel on BeEF+Bettercap generates error login
I'm not sure if I discovered a possible bug. I already reported it to Bettercap's staff on Bettercap's GitHub but as you can see on that link, it seems the problem is not on Bettercap's side. Maybe it is a BeEF bug or I am missing something...…
OscarAkaElvis
- 5,185
- 3
- 17
- 48
2
votes
1 answer
Is Ruby's SQL Injection protection enough to warrant not using additional security measures?
In my experience, SQL Injection is always a threat. If bad actors don't penetrate via SQL, they get enough data to launch bruteforces via MBASentry or do privilege escalation via scripts. However, I browse e-mercenary sites like…
El Chapo Gluzman
- 123
- 5
2
votes
0 answers
Token based authentication: Why invalidate the token after each request?
I use the gem devise_token_auth while developing an API for a mobile app.
Authors claim that:
Tokens should be invalidated after each request to the API.
This behavior is enabled by default.
Can someone explain why?
The perfect answer will…
rdupz
- 131
- 1
2
votes
1 answer
AES encryption between Java and Ruby: what is the default mode and padding for AES in Java?
I'm writing a Ruby app that needs to create some encryption that our Java app needs to be able to decrypt. For this I have done some research, and I have this Java code now:
```java
Cipher cipher = Cipher.getInstance("AES");
```
While the doc says the…
cfernandezlinux
- 281
- 4
- 15
1
vote
1 answer
Implement GPG Verification (Bitcoin-OTC)
I'm looking to implement a "Verify with Bitcoin-OTC" feature for my web app. The general idea is the user would prove he owns a particular account on the external site Bitcoin-OTC and my app would accept/deny him based on his rating there.
Here's…
Maros
- 113
- 6
1
vote
1 answer
Checking if current user exists before executing code
In one of my controllers I have this method:
```ruby
def method_name
  if current_user
    @model = Model.find(params[:id])
    if @model.destroy
      flash.alert = 'Model deleted successfully'
      redirect_to models_path
    end
  end
```
…
Stefanos.Ioannou
- 111
- 1
- 6
1
vote
2 answers
What is an XML round trip vulnerability?
I keep hearing about the XML round trip vulnerability in version 3.2.4 of the Ruby package REXML. I looked into it myself, of course, and it seems to have something to do with parsing an XML document, then putting it back into XML again, and it…
Alex V
- 190
- 6