24C3 - 1.01

24th Chaos Communication Congress
Volldampf voraus!

Speakers
Jonathan Weiss
Schedule
Day Day 4 (2007-12-30)
Room Saal 2
Start time 14:00
Duration 01:00
Info
ID 2252
Event type lecture
Track Hacking
Language en
Feedback

Ruby on Rails Security

This talk will focus on the security of the Ruby on Rails Web Framework. Some dos and don’ts will be presented along with security Best Practices for common attacks like session fixation, XSS, SQL injection, and deployment weaknesses.

Even though Ruby on Rails introduces a lot of best practices to the developer, it is still quite easy for an imprudent programmer to forget that every web application is a potential target. Web application attacks like Cross Site Scripting or Cross Site Request Forgery are very popular these days and every Rails developer should have an idea about the different possibilities that his application presents to an attacker.

This talk will cover most of the common web application vulnerabilities like Cross Site Scripting and Cross Site Request Forgery, SQL and Code injection, and deployment security and how they apply to Rails. Further Ruby on Rails specific issues like Rails plugin security, JavaScript/Ajax security, and Rails configuration will be examined and best practices introduced.