13 Apr '13, 9pm

Rails SQL injection vulnerability: hold your horses, here are the facts

So to inject arbitrary SQL, you need to tamper with the cookie, which requires the HMAC key. The HMAC key is the so-called session secret. As the name implies, it is supposed to be secret. Rails generates a random 512-bit secret upon project creation. This is why most Rails apps running Authlogic are not exploitable: the attacker does not know the secret. Open source Rails apps, however, can be a problem. Many of them ship with a default session secret that users never customize, so all those instances end up using the same HMAC key, making them very easily exploitable. Of course, in this case the operator has to worry about more than just SQL injection: if the HMAC key is known, anybody can send fake credentials to the app.

Full article: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vul...
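Added here as an illustration, not code from the Phusion article or from Rails itself: a minimal Ruby stand-in for the signed session cookie the excerpt describes. It shows that the HMAC over the payload is the only thing gating tampering, and that replacing a shared default secret with a fresh 512-bit one rejects every cookie signed under the old key. The cookie layout, the class and method names, and the sample payload values are assumptions for the example.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Minimal stand-in for a Rails-style signed cookie (added example, not Rails code):
# cookie = base64(payload) + "--" + hex(HMAC-SHA1(session_secret, base64(payload))).
# The session secret is the only thing that stops a client from minting its own cookie.
class SignedCookie
  def initialize(secret)
    @secret = secret
  end

  # JSON rather than Marshal, so nothing is instantiated from an unverified blob.
  def sign(value)
    data = [JSON.generate(value)].pack('m0')
    "#{data}--#{digest(data)}"
  end

  # Returns the decoded value only when the MAC matches; nil for anything else.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    JSON.parse(data.unpack1('m0'))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), @secret, data)
  end

  # Constant-time comparison so the MAC check does not leak which byte mismatched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# What an operator of an open-source app should do: replace the shipped default
# secret with a fresh 512-bit one (hypothetical helper). Every cookie signed under
# the old secret is then rejected, so a key known to the whole world buys nothing.
def rotate_secret(cookie_signed_under_old)
  fresh = SecureRandom.hex(64) # 64 random bytes = 512 bits, as Rails generates at project creation
  { new_secret: fresh, old_cookie_still_valid: !SignedCookie.new(fresh).verify(cookie_signed_under_old).nil? }
end
```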
