Rails Derailed

Duration: full day

Abstract

Scale is the word of the day and thanks to Rails, small shops can build apps for big business with bigger, tastier data! More and more, these minnows chip away at the role traditionally reserved for nobody-ever-got-fired-for-buying-IBMs, and as they acquire customers who actually bother to test things, we need to pretend to understand it.

Unlike PHP shops' artistic splash of SQLi in the log-in form, or Enterprise's XML Engineering Experts, Rails sometimes carves a development path as tight as a light beam in a 10.5 µm fibre. Thanks to these "guidelines", pentests for Rails apps too often turn up a wash of HTTP Server headers, your-password-policy-ignores-the-NZISM-suggestions, Burp-says-there's-XSS-in-your-JSON-response rubbish. Where's the fun in that?

Never fear though, it's time for Rails to claim its fair share of bugs! Solder a battery to the red signal lamp, we're going to stop this train.

This is targeted at pentesters and security professionals with existing experience testing web applications, and is not a course on secure development practices. We assume that you can already find security flaws in web applications, but want to test Rails apps more effectively. Practical exercises will be involved, so bring a Windows/Mac/Linux laptop with working WiFi (if such a thing exists).