Serialization, breaking down what you see into movable, storable chunks, happens to everything we send or serve up. Always of concern is whether it has been *tampered with* (the same worry behind all the talk of data at rest and data in transit). Insecure deserialization ranks eighth (A8) in the OWASP 2017 Top Ten.
Ruby is behind many web services, and some fun “administrative tools”, and we are studying it.
The deep end of the article gets fairly technical (not as much as encryption theory, but code-centered).
The short, short version: Ruby's `Marshal.load` instantiates whatever classes the byte stream names and runs their load hooks, so an application that deserializes input an attacker controls (a cookie, a cache entry, a queued job) lets the attacker pick which code runs. The article shows that classes already loaded in a stock Ruby 2.x process (the RubyGems classes) can be chained into arbitrary command execution, with no application-specific gadget needed. The fixes are the usual ones: never `Marshal.load` untrusted bytes, authenticate anything you must deserialize, and prefer a format that cannot name a class at all.
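To make the mechanism concrete, here is an added example (mine, not code from this post or from the elttam article). `AuditHook` is a constructed stand-in for a gadget: a class whose `marshal_load` hook merely records what it received, instead of executing a command as the real chain does. The key and the session payloads are demo values. The block shows the vulnerable pattern beside two hardened ones: an HMAC-authenticated blob that is only deserialized after the tag verifies, and a JSON session that cannot instantiate classes at all.

```ruby
require 'openssl'
require 'json'

# Observable side channel so the hook's effect can be checked without running
# anything harmful.
SIDE_EFFECTS = []

# Constructed stand-in for a gadget class. Any class already loaded in the
# process with a marshal_load hook is reachable from attacker-controlled bytes;
# the linked article's chain reaches command execution through RubyGems classes.
class AuditHook
  def initialize(note = nil)
    @note = note
  end

  def marshal_dump
    @note
  end

  # Marshal.load calls this with data taken straight from the byte stream.
  # initialize is never run; the stream, not the app, chose this class.
  def marshal_load(note)
    @note = note
    SIDE_EFFECTS << "marshal_load ran with #{note.inspect}"
  end
end

# Vulnerable pattern: untrusted bytes go straight into Marshal.load.
def load_session_insecure(blob)
  Marshal.load(blob)
end

# Constant-time byte comparison so a forged tag cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened pattern 1: authenticate before deserializing. Only blobs this
# server signed with its secret key ever reach Marshal.load.
def sign_blob(blob, key)
  OpenSSL::HMAC.digest('SHA256', key, blob) + blob
end

def verify_and_load(signed, key)
  return nil if signed.nil? || signed.bytesize < 32
  tag  = signed.byteslice(0, 32)
  blob = signed.byteslice(32, signed.bytesize - 32)
  expected = OpenSSL::HMAC.digest('SHA256', key, blob)
  return nil unless secure_equal?(tag, expected)
  Marshal.load(blob)
end

# Hardened pattern 2: a format that cannot name a class. JSON.parse with its
# default create_additions: false yields only Hash/Array/String/Numeric/bool/nil.
# Restrict the shape further to a flat Hash.
def parse_session_json(str)
  data = JSON.parse(str)
  data.is_a?(Hash) ? data : nil
rescue JSON::ParserError
  nil
end

if $PROGRAM_NAME == __FILE__
  key = 'demo-key'                              # demo secret, not a real key
  payload = Marshal.dump(AuditHook.new('evil')) # stands in for attacker bytes
  load_session_insecure(payload)
  puts "insecure load: #{SIDE_EFFECTS.last}"
  puts "unsigned payload through verify_and_load: #{verify_and_load(payload, key).inspect}"
  signed = sign_blob(Marshal.dump({ 'user' => 'alice' }), key)
  puts "signed session: #{verify_and_load(signed, key).inspect}"
  puts "json session: #{parse_session_json('{"user":"alice"}').inspect}"
end
```

Signing only helps if the key never leaves the server; a leaked or guessable key turns pattern 1 back into pattern 0, which is why the JSON route is the better default for anything that crosses a trust boundary.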
Don’t copy/paste anything you couldn’t have written yourself.
https://www.elttam.com.au/blog/ruby-deserialization/