Collaborate Disseminate
Our rails application has a feature where admin can from trigger sending verify email to users that haven’t been verified yet but not to verified ones.
However, it was pointed out that by intercepting this PUT request and m… Continue reading How to prevent an user from tampering a request using Burp
I am performing White Box testing on Rails application with static code analyzing tools like brakeman, I came across an instance where the developer is loading images using file.open.
file = File.open(“#{Rails.root}/app/asse… Continue reading Rails File.open(#{Rails.root}) is vulnerable to LFI?
Are there risks associated with using gsub on user input? Can it be used for regular expression DoS?
Continue reading Is it safe to pass user input through rails gsub?
I am able to inject javascript:alert `1` or javascript:alert(1) into the href field of the rails app and it is getting executed as JavaScript. Html encoding is already implemented but it doesnt encode brackets and back quotes… Continue reading How to fix XSS in rails
I have a project that requires users to submit a photo of a driver’s license as proof of identity. This image just needs to be seen once by an administrator, and has no use after their id is verified.
This project uses AWS … Continue reading is there any need to encrypt sensitive images in a database?
I need to use a Single Page Application (React, Ember, Angular, I don’t care) with Rails CSRF protection mechanism.
I’m wondering if I need to create a token evey time in the ApplicationController like this:
class Applicati… Continue reading Single Page Application and CSRF Token generated every time
The remember_user_token cookie token generated by the Ruby Devise authentication component reveals part of a bcrypt salted credential when decoded.
For example:
remember_user_token=W1sxNF0sIiQyYSQxMSRtSHhGeWd3VkFNdzdxd3VmU… Continue reading Ruby Devise salt exposed
I checked my rails project with a brakeman, and received warning.
Potentially dangerous key allowed for mass assignment:
params.require(:inspector_id)
class ReportsController < ApplicationController
…
def rep… Continue reading How to transfer the `id` more securely in Rails project?
I have a brand new Rails api based application, where i need to implement authorization.
Overall Architecture:
React frontend -> Rails API layer -> Rails model/server layer
While exploring different approaches, I h… Continue reading Where should the authorization logic go in an api based application?
I work for a healthcare company that emphasizes security, due to the sensitivity of the data that we work with. Recently, we’ve been doing a lot of auditing (internal and external) of our current “stack” to ensure that we’re … Continue reading Plain text Rails environment variables and security