科技回声

A tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

Attacking Ruby on Rails applications (2016)

131 points by bryan_cooper over 5 years ago

6 comments

atom_enger over 5 years ago

I remember reading this when I was the sole Infrastructure Engineer for Reverb.com. I knew we were being attacked and I knew we had issues but I didn't have any idea where to start. This article sparked my interest in Cyber Security and helped me find a bug in the website that allowed me to set the CEO's credit card as a primary card on my account in production. That was an amazing day.

All I had to do was modify a post parameter in flight and the backend would accept it. Turns out this is what is known as an "unscoped find". More info here: https://brakemanscanner.org/docs/warning_types/unscoped_find/

Thanks to the author of the article for inspiring me to dig in the rails codebase and find vulnerable patterns that I could exploit. Thankfully I was able to pivot into a cyber security focused career and I credit this article for starting me down that path.

Rails has a few things going for it that other languages and frameworks don't but it still lets you shoot yourself in the foot if you're not careful. I ended up writing a blog article about preventing XSS in rails as a direct inspiration from the OPs article: https://product.reverb.com/stay-safe-while-using-html-safe-in-rails-9e368836fac1?gi=9bcb3cdf5726

Just because this article is old doesn't mean it's not useful. Thanks for posting!
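The "unscoped find" atom_enger describes, shown as an added example in plain Ruby rather than as code from the article, from Reverb or from the Brakeman docs: the request's card id is looked up either across the whole table (vulnerable) or only within the caller's own cards (hardened). The model names, the in-memory table and the two handlers are constructed for this illustration, and the repository methods stand in for `CreditCard.find(id)` and `current_user.credit_cards.find(id)` respectively.

```ruby
# Added example, not code from the article or from Reverb: an "unscoped find"
# (an IDOR pattern) modelled with plain Ruby so it runs without Rails. The
# names CreditCard, User, CreditCardRepo and the two handlers are constructed.

class RecordNotFound < StandardError; end

# Minimal stand-ins for ActiveRecord models.
CreditCard = Struct.new(:id, :owner_id, :last4)
User       = Struct.new(:id, :name, :primary_card_id)

# Constructed sample table: user 100 owns card 1, user 200 (the CEO) owns card 2.
CARDS = [
  CreditCard.new(1, 100, "4242"),
  CreditCard.new(2, 200, "9999"),
].freeze

module CreditCardRepo
  # Unscoped lookup, the equivalent of CreditCard.find(id): any card in the
  # table matches, regardless of who owns it.
  def self.find(id)
    CARDS.find { |c| c.id == id } or raise RecordNotFound, "card #{id}"
  end

  # Scoped lookup, the equivalent of current_user.credit_cards.find(id):
  # a card belonging to someone else is indistinguishable from a missing one.
  def self.find_for(user, id)
    CARDS.find { |c| c.id == id && c.owner_id == user.id } or
      raise RecordNotFound, "card #{id} for user #{user.id}"
  end
end

# Parse the request parameter strictly; non-numeric input is rejected rather
# than coerced (Integer(..., exception: false) needs Ruby >= 2.6).
def card_id_from(params)
  Integer(params["card_id"].to_s, exception: false)
end

# Vulnerable handler: trusts params["card_id"] as long as the row exists, so a
# parameter edited in flight selects any card in the table.
def set_primary_card_unscoped(current_user, params)
  id = card_id_from(params) or return :bad_request
  card = CreditCardRepo.find(id)
  current_user.primary_card_id = card.id
  :ok
rescue RecordNotFound
  :not_found
end

# Hardened handler: the lookup is scoped to the caller's own cards, so a
# tampered id yields a 404-style result instead of another user's card.
def set_primary_card_scoped(current_user, params)
  id = card_id_from(params) or return :bad_request
  card = CreditCardRepo.find_for(current_user, id)
  current_user.primary_card_id = card.id
  :ok
rescue RecordNotFound
  :not_found
end

if __FILE__ == $PROGRAM_NAME
  user = User.new(100, "alice", nil)
  tampered = { "card_id" => "2" } # the client's form carried 1; the request was edited
  puts "unscoped: #{set_primary_card_unscoped(user, tampered)} -> primary=#{user.primary_card_id.inspect}"
  user.primary_card_id = nil
  puts "scoped:   #{set_primary_card_scoped(user, tampered)} -> primary=#{user.primary_card_id.inspect}"
end
```

The scoped version is what the Brakeman warning asks for: build the query from `current_user` (or another authorization scope) rather than from the bare model, so ownership is enforced by the lookup itself instead of by a check that is easy to forget.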
dwheeler over 5 years ago

If you're using Ruby on Rails, you should be using a static code analyzer to look for vulnerabilities. Please take a look at Railroader, an OSS tool I maintain that does this (and contributors are wanted!): https://railroader.org/

I recommend that you also use a web application scanner like OWASP ZAP and something to scan your dependencies for known vulnerabilities (e.g., bundle audit or GitHub's scanner).

That is in addition to normal software development tools like a style checker (like Rubocop) and a test suite with good coverage (e.g., minitest).

If you develop software, it's going to get attacked. There are some pretty straightforward ways to help resist attacks, but you have to use them.
peteforde over 5 years ago

I suppose this is good, since this document was written for Rails 3 and Ruby 1.x; the author mentions that most of the attack vectors stopped working by Rails 4.1.

We're now well into Rails 6 and Ruby 2.x is in its last year before 3.x rolls out. So far the sky hasn't fallen.
hajimuz over 5 years ago

I like the format of this post very much. Plain text yet clean and navigable. Is there any tool for this?
rmoriz over 5 years ago
This is from 2016
gargarplex over 5 years ago

I figure, if you ever want to attack a Rails app (white hat on), go through the CVE list and try every vulnerability. There have been so many with exploit codes and it's dubious that every single service is patched.