Application Security

Exploiting Unsafe Reflection in Ruby/Rails Applications

There is a class of vulnerabilities known as Unsafe Reflection [1] that has not been discussed much in the Ruby/Rails community, despite being closely related to the recent deserialization vulnerabilities found in Rails. Unsafe Reflection vulnerabilities via constant creation typically occur in Ruby when the Module#const_get method is called with user-controlled data. The Rails framework expands the…

Which topics should an AppSec Training Contemplate?

Webinar - What changes for AppSec Flow with the union of forces between Conviso and N-Stalker

Application Security

Ruby on Rails SQL Injection (CVE-2012-2695)

We found a SQL Injection vulnerability in Ruby on Rails that affected all versions and reported it to the Rails security team. On the 12th of June, they released an advisory [1], patches and new versions that fix it. This vulnerability was also independently reported by other researchers. These new patches actually fixed two variants of the CVE-2012-2661 case, which we will cover later. First…