Ruby

Common Ruby Security Issues

Rails

Scan with Brakeman:

>>> brakeman --ensure-latest -p `pwd` -o ~/Test_Output.txt
Loading scanner...
Processing application in /opt/Projects/tiramisu
Processing gems...
[Notice] Detected Rails 3 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Processing initializers...
Processing libs...
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckCookieSerialization
 - CheckCreateWith
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFileDisclosure
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckHeaderDoS
 - CheckI18nXSS
 - CheckJRubyXML
 - CheckJSONEncoding
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRegexDoS
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
 - CheckResponseSplitting
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionManipulation
 - CheckSessionSettings
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSprocketsPathTraversal
 - CheckSQL
 - CheckSQLCVEs
 - CheckSSLVerify
 - CheckStripTags
 - CheckSymbolDoSCVE
 - CheckTranslateBug
 - CheckUnsafeReflection
 - CheckValidationRegex
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...
Report saved in '/home/bridings/Test_Output.txt'

Execution After Redirect

  • Since there is no return after the redirect_to, the rest of the action still executes and the Topic is updated even for a non-admin user (redirect_to only sets the response; it does not stop the method).

Overview of Execution After Redirect Web Application Vulnerabilities

class TopicsController < ApplicationController
  def update
    @topic = Topic.find(params[:id])
    unless current_user.is_admin?
      redirect_to "/"        # no return here: execution continues below
    end
    # reached for every user, admin or not
    if @topic.update_attributes(params[:topic])
      flash[:notice] = "Topic updated!"
    end
  end
end
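Added example (not code from the original page): a Rails-free simulation of the bug above, with the vulnerable action beside the fixed one. Topic, User and FakeController are assumed stand-ins for the Rails pieces; like Rails, the stand-in redirect_to only records the target and does not halt the action.

```ruby
# Added example, not from the original page: a Rails-free simulation of the EAR
# bug in TopicsController#update. Topic, User and FakeController are stand-ins.

# Stand-in for the ActiveRecord model: update_attributes writes and returns true.
class Topic
  attr_accessor :title
  def initialize(title); @title = title; end
  def update_attributes(attrs); @title = attrs[:title]; true; end
end

# Stand-in for the signed-in user.
User = Struct.new(:admin) { def is_admin?; admin; end }
# Stand-in for the controller base class.
class FakeController
  attr_reader :redirected_to, :flash, :current_user
  def initialize(current_user, topic)
    @current_user, @topic, @flash = current_user, topic, {}
  end
  def redirect_to(path)   # sets the response only; the action keeps running
    @redirected_to = path
  end
end

# Vulnerable: nothing stops the action after redirect_to, so a non-admin's
# update is still applied even though the browser is sent to "/".
class VulnerableTopicsController < FakeController
  def update(params)
    redirect_to "/" unless current_user.is_admin?
    flash[:notice] = "Topic updated!" if @topic.update_attributes(params[:topic])
  end
end

# Fixed: return right after the redirect so the update never runs for non-admins.
class FixedTopicsController < FakeController
  def update(params)
    unless current_user.is_admin?
      redirect_to "/"
      return
    end
    flash[:notice] = "Topic updated!" if @topic.update_attributes(params[:topic])
  end
end

# Runs one update request and reports the resulting state for comparison.
def run_update(controller_class, admin:)
  topic = Topic.new("original")
  ctrl = controller_class.new(User.new(admin), topic)
  ctrl.update(topic: { title: "edited" })
  { title: topic.title, redirected_to: ctrl.redirected_to, notice: ctrl.flash[:notice] }
end
```

Running run_update against both controllers as a non-admin shows the vulnerable one changing the title despite the redirect, while the fixed one leaves it untouched.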