19 Mar '17, 10pm

#infosec #hackin…

@nahamsec and I discovered a Cross-Site Scripting vulnerability a few months ago related to Rails typecasting request variables into JSON. This caused the output to be JSON formatted, and the JSON indexes would avoid XSS encoding. We decided to run with this concept and explore the rest of the website to see if we could identify other vulnerabilities using the same method. Along the way we discovered an interesting output from the /api/v1/listings/[id]/update API request. This led us to find a Remote Code Execution vulnerability on Airbnb due to Ruby on Rails string interpolation.

Full article: https://buer.haus/2017/03/13/airbnb-ruby-on-rails-string-...

Tweets

How @nahamsec and I got Remote Code Execution o...

buer.haus 13 Mar '17, 5pm

Lead Ruby on Rails Engineer - REMOTE! - Salt La...

jobs.utah.gov 24 Mar '17, 2pm

You can email your cover letter and resume directly to the employer for this job. You can attach saved resumes and upload ...

GitHub Code Execution Bug Fetches $18,000 Bounty:

threatpost.com 17 Mar '17, 2pm

GitHub recently awarded $18,000 to a researcher after he came across a bug in its GitHub Enterprise management console tha...

ruby on rails by ollycruze2

freelancer.com 19 Mar '17, 3pm

drag drop tree ajax mysql asp rails ruby

Remote Ruby on Rails Developer #Columbia #South...

hea-employment.com 15 Mar '17, 1am

Our Government Client is seeking an experienced Information Ruby on Rails Developer for a 12 Month plus contract position ...

Ruby on Rails Code Camp (Student Edition) #even...

mice.easybranches.com 17 Mar '17, 10am

Ruby on Rails Code Camp (Students Edition) is a whole day workshop in partnership with Ruby Users Group Philippines (PhRUG...