Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Tuesday, May 19 • 09:00 - 17:00
Ruby on Rails – Auditing & Exploiting the Popular Web Framework (Day 1)

Sign up or log in to save this to your schedule and see who's attending!

Day 1


  • Introduction

  • Ruby crash course – Structured introduction into the Ruby language specifics. This section will set the necessary basis for the rest of the training.

  • Bug Classes in Ruby – Common generic bug classes as well as Ruby specific issues will be introduced by example.

  • Introduction to Rails – A Ruby on Rails walk-through. On the way, the participants will learn the key features and usual as well as unusual patterns and techniques used in real-world applications.

  • The Rails Framework itself – In this section of the training, the participants will get an insight on the Rails framework itself, how it is designed and where to look for which feature implementation. Along with this, past vulnerabilities within the Rails framework will be explained and elaborated.

  • Real-world Apps hands-on – Day 1 closes with a hands-on on various real world applications.


Day 2


  • Rails Vulnerabilities – Day 2 will be all about Rails vulnerabilities. The common OWASP Top 10 style issues will be explained in Rails style and, of course, Rails specific flaws will be introduced and exploited in hands-on sessions. Various payloads for successful exploitation ranging from simple info leaks to a fully blown in-memory backdoor will be introduced to the participants.

  • Final Ruby on Rails Wargame – Day 2 closes with a Ruby on Rails wargame, where the participants can compete in hacking several Rails based challenges and use the skills learned the past two days.


This training is meant for:


  • Web App hackers – who want to audit/assess/break Ruby on Rails apps.

  • Professional Pentesters – who’d like to find more subtle issues on RoR assessments.

  • Ruby on Rails developers – who want to code more securely and get another point of view on RoR.

  • Everyone else – who is interested in RoR security and exploitation.


Objectives and Outcomes

After the training the participants will be able to assess, audit and exploit Ruby on Rails applications. This includes knowledge about the inner workings of the framework itself as well as a set of decent payloads for practical demonstration of vulnerabilities.

Required Skills

The training will cover most of the basics needed in order to audit and assess Ruby on Rails applications. However some intermediate programming skills in any language are required. Additionally basic (web) application security skills are required for this training.

Speakers
JS

Joern Schneeweisz

Recurity Labs GmbH
Joern Schneeweisz is a Security Consultant over at Recurity Labs by day. As findings bugs ~ 8hrs a day is not enough for him, he digs for bugs in Ruby on Rails apps in his spare time as well. By that he can look back to almost 5 years of bug hunting in both Ruby on Rails applications and the framework itself. | | Talk to me about everything which is Ruby on Rails Security related of course. | Other topics of interest are: Web... Read More →


Tuesday May 19, 2015 09:00 - 17:00
Room D401 Amsterdam RAI