Ruby on Rails – Auditing & Exploiting the Popular Web Framework
Presented by Recurity Labs
About the course
Each topic will be completed with practical hands-on exercises.
- Ruby crash course – A structured introduction to the specifics of the Ruby language. This section lays the necessary foundation for the rest of the training.
- Bug Classes in Ruby – Common generic bug classes as well as Ruby specific issues will be introduced by example.
- Introduction to Rails – A Ruby on Rails walk-through. On the way, the participants will learn the key features and usual as well as unusual patterns and techniques used in real-world applications.
- The Rails Framework itself – In this section of the training, the participants will gain insight into the Rails framework itself: how it is designed and where to find the implementation of each feature. Along with this, past vulnerabilities within the Rails framework will be explained and elaborated on.
- Real-world Apps hands-on – Day 1 closes with a hands-on session on various real-world applications.
- Rails Vulnerabilities – Day 2 will be all about Rails vulnerabilities. The common OWASP Top 10 style issues will be explained in Rails style and, of course, Rails-specific flaws will be introduced and exploited in hands-on sessions. Various payloads for successful exploitation, ranging from simple info leaks to a full-blown in-memory backdoor, will be introduced to the participants.
- Final Ruby on Rails Wargame – Day 2 closes with a Ruby on Rails wargame, where the participants can compete in hacking several Rails-based challenges and apply the skills learned over the past two days.
This training is meant for:
- Web App hackers – who want to audit/assess/break Ruby on Rails apps.
- Professional Pentesters – who’d like to find more subtle issues on RoR assessments.
- Ruby on Rails developers – who want to code more securely and get another point of view on RoR.
- Everyone else – who is interested in RoR security and exploitation.
Objectives and Outcomes
After the training the participants will be able to assess, audit and exploit Ruby on Rails applications. This includes knowledge about the inner workings of the framework itself as well as a set of decent payloads for practical demonstration of vulnerabilities.
The training will cover most of the basics needed in order to audit and assess Ruby on Rails applications. However, some intermediate programming skills in any language are required. Additionally, basic (web) application security skills are required for this training.
About the trainers
Joern Schneeweisz is a Security Consultant at Recurity Labs by day. As finding bugs for ~8 hours a day is not enough for him, he digs for bugs in Ruby on Rails apps in his spare time as well. As a result, he can look back on almost 5 years of bug hunting in both Ruby on Rails applications and the framework itself.
Florian Grunert finished his bachelor's degree at the University of Osnabrueck and joined Recurity Labs as a student trainee in 2013. He will assist Joern during the workshop.
Enroll in this training course
Training requires a separate registration from the AppSec USA conference. Registration for both conference and training offerings may be found here.