2. Introductions
• Ken Johnson – CTO @nVisium
– Former LivingSocialite
– Develop heavily in Rails
– Railsgoat Co-Author
• Mike – Director of ProServ @nVisium
– Former LivingSocialite
– Isn’t here to defend himself, I can say what I want
– Paler than me
– Trendsetter of the “Skhaki”
3. Why?
• Why not?
• Lack of quality training available
• Assist all of you!
8. Model Layer – Mass Assignment
• Mass Assignment
– Not a huge issue in Rails 4… unless you instantiate models with data *outside* of the controller
– Rails 2 & 3 (don’t be ashamed, someone in this room is running 2.x) – Yes, very much a problem
– Audit for fun & profit
– Ready, set, hack!
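Added example (not from the deck or its authors) showing the Rails 4 caveat above in plain Ruby. `Params` is a hypothetical stand-in for `ActionController::Parameters`, and `User#assign_attributes` re-implements the single rule of `ActiveModel::ForbiddenAttributesProtection`: a parameter object that was never `permit`ted is refused, but an ordinary `Hash` is trusted without question, which is exactly why a model built from a raw JSON body or a job argument outside the controller is back to Rails 2/3 behaviour.

```ruby
# Hypothetical stand-in for ActionController::Parameters: a hash that knows
# whether permit was called on it.
class Params
  attr_reader :to_h

  def initialize(hash, permitted = false)
    @to_h = hash
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Keep only the named keys and mark the result as permitted.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    Params.new(@to_h.select { |k, _| allowed.include?(k.to_s) }, true)
  end

  def each(&block)
    @to_h.each(&block)
  end
end

class ForbiddenAttributesError < StandardError; end

class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end

  # Same rule as ActiveModel::ForbiddenAttributesProtection: refuse parameter
  # objects that were never permitted, trust plain hashes unconditionally.
  def assign_attributes(attrs)
    if attrs.respond_to?(:permitted?) && !attrs.permitted?
      raise ForbiddenAttributesError, "unpermitted parameters"
    end
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

# Controller path: strong parameters strip the admin flag.
def user_from_controller(raw_params)
  User.new(Params.new(raw_params).permit(:name, :email))
end

# Outside the controller (API client, background job): a plain Hash passes
# straight through, so the caller decides who becomes admin.
def user_from_plain_hash(raw_hash)
  User.new(raw_hash)
end

# Hardened version of the same path: pick the attributes explicitly.
def user_from_api_payload(raw_hash)
  User.new(raw_hash.slice("name", "email"))
end
```

`user_from_plain_hash` is the pattern to grep for during an audit: any `Model.new(...)`, `create(...)`, `update_attributes(...)` or `assign_attributes(...)` whose argument did not come through `params.require(...).permit(...)`.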
9. Model Layer – Hashing/Encryption
• Hashing vs. Encryption
• Strong hashing algorithms
• Strong encryption algorithms
• Rack::Utils.secure_compare vs. "=="
• Be careful how you re-use
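Added example (not from the deck) covering the three points on this slide with Ruby's `openssl` standard library: a salted, slow hash for passwords (one-way), authenticated encryption for data that must be read back (two-way), and a constant-time comparison. `secure_compare` below re-implements the byte-XOR loop that `Rack::Utils.secure_compare` uses rather than calling it, so the block runs without the rack gem; the iteration count and key are constructed values.

```ruby
require "openssl"
require "securerandom"

# Constant-time equality, same approach as Rack::Utils.secure_compare: every
# byte is visited regardless of where the first mismatch is, so timing does
# not leak how much of a token or digest the caller got right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  result = 0
  b.each_byte { |byte| result |= byte ^ left.shift }
  result.zero?
end

# Hashing: one-way. A fast digest (SHA-256 alone) is fine for integrity but
# not for passwords; PBKDF2 with a per-user salt slows brute force.
def hash_password(password, salt = SecureRandom.random_bytes(16), iterations = 100_000)
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                    length: 32, hash: "sha256")
  # Store everything needed to re-derive: iterations, salt, digest.
  [iterations, [salt].pack("m0"), [digest].pack("m0")].join("$")
end

def password_matches?(stored, candidate)
  iterations, salt_b64, digest_b64 = stored.split("$")
  expected = digest_b64.unpack1("m0")
  actual = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt_b64.unpack1("m0"),
                                    iterations: iterations.to_i,
                                    length: expected.bytesize, hash: "sha256")
  secure_compare(expected, actual)   # not expected == actual
end

# Encryption: two-way. AES-256-GCM returns a tag, so tampering is detected
# on decrypt instead of yielding silently corrupted plaintext.
def encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv          # fresh per message; never reuse with one key
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext]
end

def decrypt(key, iv, tag, ciphertext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil                            # bad tag, bad key or modified ciphertext
end
```

The re-use warning on the slide applies to both halves: one key should serve one purpose, and an IV must not be repeated under the same key (GCM in particular loses its integrity guarantee when that happens).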
10. Model Layer – SQL Injection
• ActiveRecord - Safe… well, sort of
• http://rails-sqli.org/
17. Logic Layer – Regexp
• Be careful with your Regular Expressions
• Subtle Logic Flaw (demo)
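Added example (not the speakers' demo, whose content the slide does not give) of the anchor flaw that is the usual Rails regex demonstration: in Ruby `^` and `$` match at line boundaries, so a validator written with them accepts any value that contains one matching line. Only `\A` and `\z` pin the whole string; `\Z` still tolerates a trailing newline. The payload string is constructed.

```ruby
# ^ and $ are line anchors in Ruby; \A and \z are string anchors.
LINE_ANCHORED   = /^https?:\/\/\S+$/
STRING_ANCHORED = /\Ahttps?:\/\/\S+\z/
BIG_Z_ANCHORED  = /\Ahttps?:\/\/\S+\Z/   # \Z permits one trailing newline

def matches?(pattern, value)
  !(value =~ pattern).nil?
end

# Constructed input: the first line is what a browser would execute inside an
# href, the second line is the only part the line-anchored pattern looks at.
def multiline_payload
  "javascript:alert(1)\nhttp://example.com"
end

# Returns which validators accept the payload.
def validate_url(value)
  {
    line_anchored:   matches?(LINE_ANCHORED, value),
    string_anchored: matches?(STRING_ANCHORED, value),
    big_z_anchored:  matches?(BIG_Z_ANCHORED, value)
  }
end
```

Rails 4 refuses `validates_format_of` patterns that use `^` or `$` without `multiline: true` for this reason; custom checks (`if value =~ /^.../`) in models and controllers are not covered by that guard and are worth grepping for.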
18. Logic Layer - CSRF
• Somewhat well known aspects
– Meta tag helper
– On by default
– protect_from_forgery filter
• Not so well known…
– `match` routes bypass
– Chain of execution is not halted
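Added example (not Rails code and not from the deck) modelling the two "not so well known" points in plain Ruby. `Request`, `route_accepts?` and `dispatch` are hypothetical stand-ins: a `match` route declared without `via:` answers every verb, and `protect_from_forgery` never verifies GET or HEAD, so a state-changing action reachable over GET is never checked at all; and when a request does fail verification, the Rails 3 default `handle_unverified_request` only resets the session and the action body still executes.

```ruby
require "securerandom"

# Hypothetical stand-in for a Rails request.
Request = Struct.new(:http_method, :params, :headers, :session)

# The check protect_from_forgery performs: GET and HEAD are never verified,
# every other verb must present the token that was issued in the session.
def verified_request?(req)
  return true if %w[GET HEAD].include?(req.http_method)
  sent = req.params["authenticity_token"] || req.headers["X-CSRF-Token"]
  # Production code compares these in constant time (Rack::Utils.secure_compare).
  !sent.nil? && sent == req.session["_csrf_token"]
end

# A route entry; `match "transfer"` with no :via behaves like via: nil (any verb).
def route_accepts?(route, http_method)
  route[:via].nil? || route[:via].include?(http_method)
end

# The action body being protected.
def transfer(req)
  { transferred: true, user_id: req.session["user_id"] }
end

# Route match, then forgery check, then action.
# :reset_session models the Rails 3 default: clear the session, keep going.
# :exception models protect_from_forgery with: :exception, which halts.
def dispatch(route, req, on_unverified: :reset_session)
  return { status: 404 } unless route_accepts?(route, req.http_method)
  unless verified_request?(req)
    case on_unverified
    when :reset_session then req.session.clear
    when :exception     then return { status: 422, error: "InvalidAuthenticityToken" }
    end
  end
  { status: 200 }.merge(transfer(req))
end

def logged_in_session
  { "user_id" => 42, "_csrf_token" => SecureRandom.hex(16) }
end
```

Two things follow for an audit: every `match` in `routes.rb` needs an explicit `via:` (or should be `post`/`get`), and `protect_from_forgery` should be `with: :exception` unless each action is written to behave safely with an empty session.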
19. Logic Layer – Session Handling
• Logout
– reset_session
– Clear session values
• Login
– reset_session
• before_filter(s)
– Take a whitelist approach
• Base access decisions off the current_user
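Added example (not from the deck) showing why `reset_session` belongs in both login and logout, using a hypothetical in-memory `SessionStore` in place of Rails' session store. Login without a reset keeps whatever session id the client arrived with, so an id an attacker already knows becomes an authenticated one (session fixation); logout that only deletes `user_id` leaves the id valid and the rest of the session data behind.

```ruby
require "securerandom"

# Hypothetical in-memory stand-in for a server-side session store.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Returns the session for an id, creating it if the id is unknown
  # (this is how a client-chosen id gets adopted).
  def fetch(id)
    @sessions[id] ||= {}
  end

  # reset_session: drop the old id and its data, start a fresh empty session.
  def reset(old_id)
    @sessions.delete(old_id)
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = {}
    new_id
  end

  def data_for(id)
    @sessions[id]
  end
end

# Vulnerable login: authenticates the id the client presented.
def login_without_reset(store, session_id, user_id)
  store.fetch(session_id)["user_id"] = user_id
  session_id
end

# Hardened login: reset_session first, then populate the new session.
def login_with_reset(store, session_id, user_id)
  new_id = store.reset(session_id)
  store.data_for(new_id)["user_id"] = user_id
  new_id
end

# Logout that only clears one value: id stays valid, other data survives.
def logout_partial(store, session_id)
  store.fetch(session_id).delete("user_id")
  session_id
end

# Logout with reset_session: nothing tied to the old id remains.
def logout_full(store, session_id)
  store.reset(session_id)
end

def current_user(store, session_id)
  data = store.data_for(session_id)
  data && data["user_id"]
end
```

The before_filter point on the slide pairs with this: require login for every action and `skip_before_filter` the few public ones, rather than listing protected actions and forgetting the next one that gets added.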
20. Logic Layer - Redirection
• redirect_to …. You scoundrel
• Why does this matter?
• URI.parse()
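Added example (not from the deck) of the `URI.parse` check the slide points at: `redirect_to params[:return_to]` sends the user wherever the parameter says, so the target is parsed and only a same-site relative path or an absolute URL whose host is on an allowlist is accepted; anything else falls back to a fixed path. `ALLOWED_HOSTS` and `safe_redirect_target` are hypothetical names; the hosts are constructed.

```ruby
require "uri"

ALLOWED_HOSTS = %w[example.com www.example.com].freeze

# Returns a redirect target that is safe to hand to redirect_to, or fallback.
def safe_redirect_target(target, fallback = "/")
  return fallback if target.nil? || target.empty?
  # Browsers treat "/\evil.com" like "//evil.com"; URI.parse rejects the
  # backslash, but refuse it explicitly rather than rely on that.
  return fallback if target.include?("\\")

  uri = URI.parse(target)

  if uri.scheme.nil? && uri.host.nil?
    # Relative: must be a path on this site. "//evil.com" never lands here
    # because URI.parse reads it as an authority and sets uri.host.
    return uri.path.start_with?("/") ? target : fallback
  end

  # Absolute: scheme and host are both checked. "http://example.com@evil.com"
  # parses with host "evil.com" (example.com is the userinfo), so it is refused.
  if %w[http https].include?(uri.scheme) && ALLOWED_HOSTS.include?(uri.host)
    target
  else
    fallback
  end
rescue URI::InvalidURIError
  fallback
end
```

Compare the host, not the string: `target.start_with?("http://example.com")` passes `http://example.com.evil.test`, and `target.include?("example.com")` passes almost anything.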