Parameter pollution with JSON
Nice approach for circumventing input validation for JSON: Parameter Pollution with JSON.
Be sure to have your input validation handle this kind of injection attack.
Choosing a good web password
Most web applications depend on user name/password combinations in order to authorize user access. Hence one of the biggest security problems on the World Wide Web is weak passwords. Users choose easy-to-guess passwords because they are easy to remember. In this article some hints are given which should help choosing a good [...]
Run Javascript, Run!
We’re pretty much a Mac shop here at imedo and, as our application is built using Ruby on Rails, it’s safe to say that we are legally obliged to use TextMate for all our editing needs.
One of the features I love about TextMate, catered for in most bundles, is the ability to execute [...]
Smusher is crushing your images
Another short tip, because I really like the smusher gem!
First install it:
gem install smusher
Then crush your images automatically using the PunyPng service, which is currently delivering the best results in terms of file size:
smusher * --service PunyPng
PDF2PNG – PDF Thumbnail Generator Script
If you need to generate thumbnails of the first pages of a lot of PDF documents, you can use this tiny Ruby script:
http://bit.ly/8T0B1a
I also included smusher support to crush the PNGs after they have been created. Just gem install smusher and uncomment the smusher command.
Enjoy!
Is your web server up-to-date?
Here is an interesting article about the search engine Shodan, which is designed to find web servers instead of web pages. This means that one can, e.g., search for a particular web server version in one country.
Finding vulnerable web servers with Shodan is as easy as using Google. Hence in combination with the Metasploit exploit [...]
Secure coding with Ruby on Rails 7: Cross-site request forgery (CSRF)
Although already discovered in 1988 by Norm Hardy, cross-site request forgery (CSRF) has been the shooting star of web attacks in 2008. As a result it has become one of the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors.
The idea behind CSRF is that an attacker sends a malicious request to the target application using [...]
Matching elements on complex web pages with Webrat 2
In the first part of this article it was shown how to use CSS selectors for matching elements on complex web pages. But selectors are not the only way of matching HTML elements; Webrat also supports matching via XPath.
XPath matchers can be combined with CSS-selector matchers. This is really useful if not, for example, the [...]
Secure coding with Ruby on Rails 6: TLS
The transmission of sensitive information in cleartext is number six on the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. Sending data without encryption becomes a security issue when nobody but the receiver is supposed to be able to read the included information and the data is sent over an open network like the [...]
How to troubleshoot Problems in Server Setups, Rails Apps or any other Config or Code Problem
This post might be interesting for all people who are faced with strange problems like this: “Yesterday it worked. Now it’s broken” or “It works on my machine (and it does not in production)”.
I’m sure that all programmers and sysadmins have had an incident like this in their lives. I’ve had a lot of these [...]
