Wednesday, May 20 • 09:00 - 17:00
Ruby on Rails – Auditing & Exploiting the Popular Web Framework (Day 2)

Day 1


  • Introduction

  • Ruby crash course – A structured introduction to the specifics of the Ruby language. This section lays the necessary foundation for the rest of the training.

  • Bug Classes in Ruby – Common generic bug classes as well as Ruby specific issues will be introduced by example.

  • Introduction to Rails – A Ruby on Rails walk-through. On the way, the participants will learn the key features and usual as well as unusual patterns and techniques used in real-world applications.

  • The Rails Framework itself – In this section of the training, the participants will gain insight into the Rails framework itself: how it is designed and where to look for the implementation of a given feature. Along with this, past vulnerabilities within the Rails framework will be explained and elaborated on.

  • Real-world Apps hands-on – Day 1 closes with hands-on exercises on various real-world applications.


Day 2


  • Rails Vulnerabilities – Day 2 will be all about Rails vulnerabilities. The common OWASP Top 10 style issues will be explained in Rails terms and, of course, Rails-specific flaws will be introduced and exploited in hands-on sessions. Various payloads for successful exploitation, ranging from simple info leaks to a full-blown in-memory backdoor, will be introduced to the participants.

  • Final Ruby on Rails Wargame – Day 2 closes with a Ruby on Rails wargame, where the participants can compete in hacking several Rails-based challenges and apply the skills learned over the past two days.


This training is meant for:


  • Web App hackers – who want to audit/assess/break Ruby on Rails apps.

  • Professional Pentesters – who’d like to find more subtle issues on RoR assessments.

  • Ruby on Rails developers – who want to code more securely and get another point of view on RoR.

  • Everyone else – who is interested in RoR security and exploitation.


Objectives and Outcomes

After the training the participants will be able to assess, audit and exploit Ruby on Rails applications. This includes knowledge about the inner workings of the framework itself as well as a set of decent payloads for practical demonstration of vulnerabilities.

Required Skills

The training will cover most of the basics needed in order to audit and assess Ruby on Rails applications. However, intermediate programming skills in any language are required. Additionally, basic (web) application security skills are required for this training.

Speakers

Joern Schneeweisz

Recurity Labs GmbH
Joern Schneeweisz is a Security Consultant over at Recurity Labs by day. As finding bugs ~8 hrs a day is not enough for him, he digs for bugs in Ruby on Rails apps in his spare time as well. By that he can look back on almost 5 years of bug hunting in both Ruby on Rails applications...


Wednesday May 20, 2015 09:00 - 17:00 CEST
Room D401 Amsterdam RAI
