Published on January 26, 2016 by John Poulin
Tl;dr: If your application uses dynamic render paths (e.g. render params[:id]), then you are vulnerable to remote code execution via local file inclusion. Update to the latest version of Rails, or refactor your controllers.
In this blog post we will be demonstrating the exploitation of a flaw in the Ruby on Rails framework that allows attackers to remotely execute code in certain circumstances.
Published on December 21, 2015 by Ernie Miller
We've all been there. You're using some library or framework that's saving you SO MUCH TIME... until you run into that one little thing it does wrong. Whether "wrong" means buggy or just "different than the way I would do it," you're now faced with a choice: do you override behavior or do you live with it? Sometimes the obvious choice can have unintended consequences.
Published on December 7, 2015 by Ryan Reid
In this adventure we will discuss some of the security features available and potential issues within the Flask micro-framework with respect to Server-Side Template Injection, Cross-Site Scripting, and HTML attribute injection attacks, a subset of XSS. If you've never had the pleasure of working with Flask, you're in for a treat. Flask is a lightweight Python framework that provides a simple yet powerful and extensible structure (it is Python after all).
Published on November 11, 2015 by John Poulin
Published on October 21, 2015 by Ken Johnson
Three years ago, Jack (our CEO) and I sat at a local coffee shop and contemplated what was next for nVisium. We wanted to have a meaningful impact on our clients' security programs. We wanted to equip our clients with services that made sure their security programs mitigated risk and demonstrated value.
Published on October 13, 2015 by Jonn Callahan
Implementing secure file uploads is something a lot of developers struggle with. Not because they're bad developers, but because of how difficult it can be to do correctly. This post is going to cover a few different methods for handling this common functionality and the possible pitfalls that come with each. Sample code snippets leveraging Python+Flask for each implementation are also provided. Additionally, there is a general checklist at the end which should help developers bring their apps up to a decent security level.