13 Sep '13, 10pm

@Strabd

So to inject arbitrary SQL, you need to tamper with the cookie, which requires the HMAC key. The HMAC key is the so-called session secret. As the name implies, it is supposed to be secret. Rails generates a random 512-bit secret upon project creation. This is why most Rails apps that are running Authlogic are not exploitable: the attacker does not know the secret. Open source Rails apps, however, can form a problem. Many of them come with a default session secret, but the user never customizes them, so all those instances end up using the same HMAC key, making them very easily exploitable. Of course, in this case the operator has to worry about more than just SQL injection. If the HMAC key is known, then anybody can send fake credentials to the app.

Full article: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vul...
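An added illustration of the point in the comment above (not code from Authlogic, Rails, or the linked article): a minimal signed cookie in the style of the Rails cookie store, with a verifier that only accepts cookies produced under the same secret, plus a deployment check that flags secrets which are too short to be generated ones or still equal a placeholder. The JSON serialization, the `PLACEHOLDERS` list and the 64-byte threshold are assumptions made for this example.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Example only, not Authlogic or Rails code. Payload is Base64 of the session
# (serialized as JSON here, an assumption); signature is HMAC-SHA1 over that
# payload, joined by "--". Only the secret stands between a client and a forged
# session, which is why one secret shared across installs is the problem.
SEP = '--'.freeze

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

def sign_cookie(secret, session)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}#{SEP}#{hmac_hex(secret, data)}"
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash on a valid signature, nil on any mismatch or
# malformed input. Only a holder of the same secret can pass this check.
def verify_cookie(secret, cookie)
  data, sig = cookie.to_s.split(SEP, 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_equal?(hmac_hex(secret, data), sig)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# Rails generates a random 512-bit (64-byte) secret per project; do the same.
def generate_session_secret
  SecureRandom.hex(64)
end

# Deployment check: flag a secret shorter than a generated one (under 64
# bytes) or one that still equals a config-template placeholder.
# PLACEHOLDERS is a constructed list for this example, not any app's default.
PLACEHOLDERS = ['changeme', 'replace-me-with-a-real-secret'].freeze

def weak_secret?(secret)
  secret.nil? || secret.bytesize < 64 || PLACEHOLDERS.include?(secret)
end
```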
