{"id":5884,"date":"2018-11-09T13:04:03","date_gmt":"2018-11-09T18:04:03","guid":{"rendered":"http:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/?p=5884"},"modified":"2018-11-09T13:04:03","modified_gmt":"2018-11-09T18:04:03","slug":"exploiting-the-ruby-programming-language","status":"publish","type":"post","link":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/2018\/11\/09\/exploiting-the-ruby-programming-language\/","title":{"rendered":"Exploiting the Ruby programming language"},"content":{"rendered":"<p>Serialization &#8211; turning an in-memory object into a storable, transmittable byte stream &#8211; happens to nearly everything we send or serve up. Always of concern is whether that stream has been *tampered with* before it is read back in (the familiar data-at-rest and data-in-transit concern). Insecure ~de-serialization~ ranks eighth (A8) in the <a href=\"https:\/\/github.com\/OWASP\/Top10\/blob\/master\/2017\/OWASP%20Top%2010-2017%20(en).pdf\">OWASP 2017 Top Ten<\/a>.<\/p>\n<p>Ruby is behind many web services&#8230;and some fun &#8220;administrative tools&#8221;&#8230;and we are studying it.<\/p>\n<p>The deep end of the article gets fairly technical (not as much as encryption theory, but ~code centered~).<\/p>\n<p>The short short version is that a deserializer such as Ruby&#8217;s Marshal.load rebuilds whatever object types the input names and runs their load hooks, and the ~auto load~ behavior of frameworks widens the set of classes a payload can name. A crafted serialized blob fed to such a service can therefore run code with the service&#8217;s privileges, or pull data out of it, without any other bug being present.<\/p>\n<p>Don&#8217;t copy\/paste anything you couldn&#8217;t have written yourself.<\/p>\n<p>https:\/\/www.elttam.com.au\/blog\/ruby-deserialization\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Serialization &#8211; turning an in-memory object into a storable, transmittable byte stream &#8211; happens to nearly everything we send or serve up. Always of concern is whether that stream has been *tampered with* before it is read back in (the familiar data-at-rest and data-in-transit concern). Insecure ~de-serialization~ ranks eighth (A8) in the OWASP 2017 Top Ten. Ruby [&hellip;]<\/p>\n","protected":false},"author":20410,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[717225],"tags":[],"class_list":{"0":"post-5884","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-week-12-it-security","7":"entry"},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/posts\/5884","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/users\/20410"}],"replies":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/comments?post=5884"}],"version-history":[{"count":1,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/posts\/5884\/revisions"}],"predecessor-version":[{"id":5886,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/posts\/5884\/revisions\/5886"}],"wp:attachment":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/media?parent=5884"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/categories?post=5884"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec001fall2018\/wp-json\/wp\/v2\/tags?post=5884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
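The mechanism the post summarizes, as an added Ruby example that is not part of the original post or of the elttam article it links: `Marshal.load` rebuilds whatever class the byte stream names and calls that class's `marshal_load` hook with attacker-chosen state, so any loaded class with a useful hook becomes a gadget. `SessionCache`, `craft_payload`, `vulnerable_load`, `safe_load_json`, `ALLOWED_KEYS`, `sign`, `secure_equal?` and `verified_marshal_load` are all hypothetical names for this demonstration, and the payload and key are constructed inline. The stand-in gadget only records the path it was handed; a real one would read a file or spawn a process at that point.

```ruby
require 'json'
require 'openssl'

# Constructed stand-in for a deserialization gadget: any class whose
# marshal_load hook does work when Marshal.load rebuilds an instance.
# (Hypothetical class for this example; not from the post or the article.)
class SessionCache
  @loaded_paths = []

  class << self
    attr_reader :loaded_paths
  end

  attr_reader :path

  def initialize(path)
    @path = path
  end

  def marshal_dump
    [@path]
  end

  # Runs inside Marshal.load with state taken from the untrusted stream.
  # A real gadget would do something like File.read or Kernel#system here.
  def marshal_load(fields)
    @path = fields[0]
    self.class.loaded_paths << @path
  end
end

# What a client can submit: a Marshal stream that names a class the service
# already has loaded. Building it needs no access to the server at all.
def craft_payload(path)
  Marshal.dump(SessionCache.new(path))
end

# Vulnerable: rebuilds whatever object graph the client described.
def vulnerable_load(bytes)
  Marshal.load(bytes)
end

# Fix 1: accept a data-only format and copy out only the fields you expect.
# JSON.parse (unlike JSON.load) does not honour json_class additions by
# default, so the input cannot name a class to instantiate.
ALLOWED_KEYS = %w[user_id locale].freeze

def safe_load_json(text)
  data = JSON.parse(text)
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)
  data.slice(*ALLOWED_KEYS)
end

# Fix 2: if a Marshal blob really must round-trip through the client (for
# example a server-issued cookie), authenticate it with an HMAC and refuse
# to deserialize anything whose tag does not verify.
def sign(bytes, key)
  OpenSSL::HMAC.hexdigest('SHA256', key, bytes)
end

# Constant-time comparison so the tag check itself does not leak the tag.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verified_marshal_load(bytes, tag, key)
  raise SecurityError, 'bad signature, refusing to deserialize' unless secure_equal?(tag, sign(bytes, key))
  Marshal.load(bytes)
end

if $PROGRAM_NAME == __FILE__
  payload = craft_payload('/etc/passwd') # constructed attacker input
  vulnerable_load(payload)
  puts "gadget ran with: #{SessionCache.loaded_paths.inspect}"
  puts safe_load_json('{"user_id":7,"locale":"en","role":"admin"}').inspect
end
```

The JSON path is the default to reach for: the parser can only produce hashes, arrays, strings and numbers, and the allowlist drops anything the client added. The HMAC path is only appropriate when the server is the sole origin of the blob; it stops tampering and forgery, but if an attacker ever learns the key, or if any code path calls `Marshal.load` on unsigned input, the gadget problem returns in full.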