[Owasp-austin] Any one else in Austin interested in Ruby on Rails Vulns/Security?

Matthew Franz mdfranz at gmail.com
Sat Aug 12 12:15:01 EDT 2006


I think it would be cool if the first (or one of the first)
sustained/systematic (meaning at least 45 minutes worth of slides)
treatment on the topic would be presented at an Austin OWASP meeting!

I started tracking issues about 6 weeks ago on
http://www.threatmind.net/secwiki/RailsVulns and of course with last
week's posts to bugtraq/webappsec and the generally poor response (but
not surprising having seen similar responses from commercial product
vendors when they get "hit" the first time) from the rails team there
is likely to be more attention from independent researchers.

Some quick ideas off the top of my head:

- analysis of the implementation flaws (requires doing some "syn diffs")
- look at architectural/design for attack surface issues, how they do
sessions, etc.

If you haven't heard about this:

The Denim folks down in SA have been blogging on this
http://denimgroup.typepad.com/
as the always interesting Matasano crew talks about it here
http://www.matasano.com/log/416/alert-vulnerability-in-web-20-upgrade-immediately-to-web-201/

Anyone game? I'm hoping to team with someone that has better knowledge
of all that "MVC stuff".

It would be cool if we presented this at the September meeting.

- mdf

-- 
Matthew Franz
http://www.threatmind.net
