TIOBE Index News (April 2024): PHP’s Popularity Declining
The top three programming languages – C++, C and Python – remain the same, while Fortran rises. Continue reading TIOBE Index News (April 2024): PHP’s Popularity Declining
I was trying to brute force a random number generated by the Ruby method rand, which generates a random float between 0.0 and 1.0, excluding 1.0.
So, for example, I have this code:
Time.now.to_s.split(//).sort_by {rand}.join
This produce… Continue reading brute forcing a pseudoRandom number Generator
I am using the following line of code to create a reset password code that is sent to the user in her/his email. When I scan my Ruby code with Brakeman, this line of code is caught and described as vulnerable.
This is the line of cod… Continue reading exploiting the scenario and how to generate a secure reset password token
I was trying to exploit the constantize method in Ruby for remote code execution. For example, I have this line of code:
@mygroups = params[:group][:type].constantize.new(params[:group])
And in the request I sent the following payload:
group%… Continue reading ruby on rails constantize exploitation
If an attacker can obtain the value of secret_key_base in rails 6, can he achieve RCE through that, similar to https://www.exploit-db.com/exploits/27527 (applicable to rails 2-4)?
I am building an API with Rails (API-only). Security is very important to me. I have 2 questions.
1) I am keeping the user's id in session[:authID]; is it safe to use it like this?
2) Do I need CSRF protection for API-only? I'm using Next.js for clien… Continue reading Rails API Session Security and CSRF
Let’s say I have two environments: https://qa.example.com and https://example.com. In QA, I want to allow access to something insecure, like a special route that allows logging in without a password.
What are the security concerns of check… Continue reading In Ruby, can request.host be trusted to differentiate between a staging environment and production?
I’m curious to check what could be some possibly secure and recommended ways through which I could send a password as part of a GET request in rails? Just to be explicit, we’re using HTTPS in general.
High level overview of the use case: O… Continue reading How to send a password securely as part of a GET request in rails?
I was trying to figure out whether this issue has ever been fixed in Rails, but my searches yielded nothing.
A vulnerable application will either contain columns named identically to their table, or have column names which conflict with jo… Continue reading Was rails issue ever fixed – Unsafe Query Risk in Active Record?
I am working on a challenge that involves getting code execution on a Ruby application hosted on Nginx. One of the ruby controllers seems to have been using unsanitized user input as part of the send() method which leads to arbitrary code … Continue reading Command substitution for code execution via Ruby’s send() method