
Ruby Security Field Guide

In January 2013 a series of vulnerabilities was disclosed in Ruby on Rails, most notably CVE-2013-0156, in which the parameter parser handed attacker-supplied XML request bodies to YAML.load and so let an unauthenticated request instantiate arbitrary Ruby objects on the server. Because Rails powered a large share of the web, and because the flaws were exploitable remotely without credentials, they put lucrative targets within reach of any attacker.

These vulnerabilities abuse a feature that doubles as a common idiom: serializing and deserializing data in the YAML format. Psych, Ruby's YAML library, honours tags such as !ruby/object in the document it parses, so a YAML.load of attacker-controlled input lets the attacker instantiate objects of any loaded class and, with a suitable gadget chain, execute code. At the time, code paths that passed untrusted input to YAML.load existed in nearly all large, tested and trusted open-source Ruby projects.
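The mechanism above, as an added example that is not part of the guide or of any Rails code: the vulnerable idiom (a full YAML.load of a request body) next to the hardened one (YAML.safe_load), run over two constructed documents. The AuditLogger class, the sample documents and the helper names are assumptions made for the demonstration; the !ruby/object tag is the real Psych feature the 2013 Rails exploits relied on.

```ruby
require 'yaml'

# A class that exists in the application but was never meant to be built from
# user input (constructed for this example; it stands in for any gadget class).
class AuditLogger
  attr_reader :path

  def initialize(path = nil)
    @path = path
  end
end

# Constructed sample request bodies. The first is what a well-behaved client
# sends. The second carries a !ruby/object tag, the YAML feature that makes
# Psych instantiate a class of the attacker's choosing and populate its
# instance variables without ever calling initialize.
BENIGN_DOC  = "--- { name: prod, debug: false }\n"
HOSTILE_DOC = "--- !ruby/object:AuditLogger\npath: /etc/passwd\n"

# The vulnerable idiom: a full YAML.load of untrusted input. Psych 4 (Ruby 3.1+)
# renamed this behaviour to unsafe_load and made load safe by default, so use
# whichever spelling the running Ruby has for the legacy behaviour.
def legacy_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The hardened idiom: safe_load builds only scalars, arrays and hashes and
# raises Psych::DisallowedClass for any tag naming a class that was not
# explicitly permitted.
def hardened_load(doc)
  YAML.safe_load(doc)
end

# Run one loader over one document and report what came back without letting
# the exception escape: [class name of the result, nil] on success, or
# [nil, exception class name] when the loader refused the document.
def outcome(loader, doc)
  obj = method(loader).call(doc)
  [obj.class.name, nil]
rescue Psych::DisallowedClass => e
  [nil, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_DOC, HOSTILE_DOC].each do |doc|
    puts "document: #{doc.inspect}"
    puts "  legacy_load   -> #{outcome(:legacy_load, doc).inspect}"
    puts "  hardened_load -> #{outcome(:hardened_load, doc).inspect}"
  end
end
```

With the legacy loader the hostile document yields a live AuditLogger whose @path the attacker chose; with safe_load the same document is rejected before any object is built. Two practical caveats: safe_load also refuses symbols and aliases by default, which is why the benign sample uses plain string keys, and the `permitted_classes:` keyword for allowing specific classes exists only in Psych 3.1 and later (older releases take a positional whitelist array). Hardening the call site is necessary but not sufficient; the Rails fix also removed the parameter-parser code path that reached YAML.load in the first place.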

Few developers are aware of the risks.

Our RubySec Field Guide addresses recent Ruby vulnerability classes and their root causes. We demonstrate how to develop real-world exploits, present the patterns behind the vulnerabilities, and show readers the software engineering strategies that keep these bugs out of their own projects.

Readers learn:

  • The mechanics and root causes of past Rails vulnerabilities
  • Methods for mitigating the impact of deserialization flaws
  • Rootkit techniques for Rack-based applications via YAML deserialization
  • Mitigation techniques for YAML deserialization flaws
  • Defensive Ruby programming techniques
  • Advanced testing techniques, including mutation testing with Mutant

Help make the Internet more secure. Sharpen your skills with this self-paced field guide today.