Going AUTH the Rails on a Crazy Train - Tomek Rabczak Jeff Jarmoc Derbycon 2015 (Hacking Illustrated Series InfoSec Tutorial Videos)


Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security-related conventions for developers, keeping them safe from vulnerabilities such as SQL Injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track, and it is up to the developers to keep themselves safe. In this talk, we take a look at patterns that we've seen across some of the largest Rails applications on the internet and cover common pitfalls that you, as a security researcher and/or developer, can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.

Tomek is an Application Security Consultant at NCC Group with experience in secure web application development, security tool research and development, code review, and penetration testing. Over the past 2 years, he has looked at and assessed the security of some of the largest Ruby on Rails applications on the internet with great success. Tomek has recently been credited with the disclosure of 3 Rails-related CVEs (CVE-2015-3225, CVE-2015-3227, and CVE-2015-4619). Jeff is a Senior Application Security Consultant at NCC Group who has contributed code to the Brakeman Rails Security Scanning tool. He's perhaps best known in the Rails community for his whitepaper *The Anatomy of a Rails Vulnerability*, in which he deeply explored remote code execution impacts of a "directory traversal" vulnerability in Rails. He's also contributed several Rails-related attack modules to the Metasploit Framework. Recently, he has assisted the Rails team in review of security patches and advisories. Jeff has previously presented at Derbycon 1.0, Blackhat USA, Blackhat EU, Defcon, Thotcon, and others.

@sigdroid
@jjarmoc

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast