# Ruby on Rails

**Blogs / Articles / Writeups / Presentations:**

* <https://hackerone.com/reports/134321>
* [Airbnb - Ruby on Rails String Interpolation led to Remote Code Execution (buer.haus)](https://buer.haus/2017/03/13/airbnb-ruby-on-rails-string-interpolation-led-to-remote-code-execution/)
* <https://rhys.io/post/rce-in-ruby-using-mustache-templates>
* <https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/>
* <https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/>
* <https://t.co/XmASzMEMAb?amp=1>
* <https://edoverflow.com/2017/ruby-resolv-bug/>
* <https://www.slideshare.net/Railwaymen_org/ror-workshop-web-applications-hacking-ruby-on-rails-example>
* <https://twitter.com/_devalias/status/1194461246394753025>
* <https://blog.heroku.com/rails-asset-pipeline-vulnerability>

**Cheatsheet:**

* <https://github.com/brunofacca/zen-rails-security-checklist>
* <https://github.com/edwardqiu/awesome-rails-security>

**Labs:**

* <https://twitter.com/PentesterLab/status/1174476446376398848>
* <https://towardsdatascience.com/building-a-vulnerable-rails-application-for-learning-2a1de8cf98d5>

**Twitter Threads:**

* <https://twitter.com/orange_8361/status/817658441598574592>
* <https://twitter.com/chybeta/status/1106752671057395712>
* <https://twitter.com/_devalias/status/1173806552723050497>
* <https://twitter.com/_ayoubfathi_/status/1108341801193213952>
* <https://twitter.com/intigriti/status/1177178910397796353>
* <https://twitter.com/ph0rensic/status/1151640168417374208>
* <https://twitter.com/Wh11teW0lf/status/1062043483786149888>
* <https://twitter.com/search?q=CVE-2019-5418&src=typed_query>
* <https://twitter.com/s0md3v/status/1177183347887312897>
* <https://twitter.com/Wesecureapp_RD/status/1171726890857459712>
* [When auditing Ruby on Rails apps, always search for .js.erb view files. There is a stupid pattern called "Server-generated JavaScript Responses" which is a way to bypass SOP and inject content via JavaScript files (just like JSONP), which leads to XSSI.](https://twitter.com/lean0x2f/status/1205335920507006977)
* [CSRF using PUT or DELETE is possible in Ruby on Rails frameworks if you see a hidden field called \_method in the request (if it doesn't exist, try to add it). Set its value to PUT or DELETE and then submit a GET or POST request; it will override the HTTP verb and the attack succeeds.](https://twitter.com/secmind009/status/1205669730331373568)
* [API TIP: 4/31- Testing a Ruby on Rails App & noticed an HTTP parameter containing a URL? Developers sometimes use "Kernel#open" function to access URLs == Game Over. Just send a pipe as the first character and then a shell command (Command Injection by design)](https://twitter.com/traceableai/status/1213495503981305858)
* <https://twitter.com/m4ll0k2/status/1112119619396030466>
* <https://github.com/mpgn/CVE-2019-5418>
