
Jason Yeo

Jason is a software engineer at Veracode working on SourceClear's Agent team.

Posts by Jason Yeo
  • Rails_admin Vulnerability Disclosure

    A few days ago, I found a CSRF vulnerability in rails_admin. rails_admin is a Ruby gem that generates administrative interfaces for your models automatically. Interestingly, this vulnerability is similar in nature to the one I found in administrate, a similar gem. Additionally, past Ruby gems affected in a similar fashion can be explored at this link. Teardown: After a change introduced by this…


  • TLS Verification in Ruby Client Libraries

    A week ago, a couple of security researchers warned about unverified TLS certificates in the SSL libraries of some programming languages. You may read more at their blog. In summary, they found that none of the languages they tested check whether a certificate has been revoked, and that languages like Python and PHP do not verify certificates at all in some cases. That is, if you are using Python or PHP to make HTTPS requests, you…

  • Rails Engines: Magic or Curse?

    Most Rails applications use a number of gems, and some of those gems are Rails engines. Devise, Shoppe and RailsAdmin are examples of engines. The simple definition of an engine is a mini Rails application: when you include an engine in your Rails application, you are actually including an application in your application. Unlike gems that provide simple library code like Faker or…

  • Administrate Vulnerability Disclosure

    Last week, I found a CSRF vulnerability in the Administrate gem. The controllers that the gem generates do not enforce CSRF protection. As we saw in the previous post, the CSRF protection mechanism in Rails can fail you if you are not careful to keep your callbacks idempotent, so that session state is not memoized before the token check runs. In addition, as Rails developers we don't simply work with our own…

  • When Rails' protect_from_forgery Fails

    Cross-site request forgery (CSRF) protection has been around in the form of protect_from_forgery since Rails 2, but it is also one of the most misunderstood features in the Rails community. To many Rails developers the protection seems like magic, so the details of how it works are treated as a black box. In this blog post, I will open up the black box and show how, in some situations…
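The failure mode that the "Administrate Vulnerability Disclosure" and "When Rails' protect_from_forgery Fails" teasers above describe, as an added example that is not code from either post or from Rails: a stripped-down model of a controller callback chain in which a callback memoizes the current user from the real session before the token check runs, beside the idempotent version that reads the session each time. The controller and method names, the `:null_session`-style behaviour of replacing the session with an empty hash, and the sessions and parameters are all constructed for this illustration.

```ruby
require "securerandom"

# A stripped-down model of a Rails controller's before_action chain, written
# for this page. It is not Rails: the only behaviour kept is that callbacks
# run in declaration order and that a failed token check swaps in an empty
# session (what protect_from_forgery with: :null_session does) instead of
# aborting the request.
class ModelController
  def self.callbacks
    @callbacks ||= []
  end

  def self.before_action(name, prepend: false)
    prepend ? callbacks.unshift(name) : callbacks.push(name)
  end

  # Appends the check unless asked to prepend it, so callbacks declared
  # earlier in the class run before it.
  def self.protect_from_forgery(prepend: false)
    before_action(:verify_authenticity_token, prepend: prepend)
  end

  attr_reader :session, :params

  def initialize(session, params)
    @session = session
    @params = params
  end

  # Runs every callback in order, then the action. Returns the action's result.
  def process
    self.class.callbacks.each { |cb| send(cb) }
    transfer
  end

  def verify_authenticity_token
    return if params[:authenticity_token] == session[:csrf_token]
    @session = {} # null session: nothing looked up from here on finds a user
  end

  # The state-changing action. Returns the user it acted for, nil if none.
  def transfer
    current_user
  end
end

# Vulnerable: the callback memoizes the user from the real session before the
# token is checked, so nulling the session afterwards changes nothing.
class VulnerableTransfersController < ModelController
  before_action :load_current_user
  protect_from_forgery

  def load_current_user
    current_user
  end

  def current_user
    @current_user ||= session[:user_id]
  end
end

# Hardened: same callback order, but current_user is idempotent and reads the
# session every time it is asked, so after the check it sees the null session.
# (Running the check first, protect_from_forgery prepend: true, also closes it.)
class SafeTransfersController < ModelController
  before_action :load_current_user
  protect_from_forgery

  def load_current_user
    current_user
  end

  def current_user
    session[:user_id]
  end
end

# A cross-site POST (constructed): the browser attaches the victim's session,
# but the attacker cannot know the token, so the form carries a wrong one.
def forged_request(controller)
  session = { user_id: "alice", csrf_token: SecureRandom.hex(16) }
  controller.new(session, { authenticity_token: "guess" }).process
end

# A request from the application's own form, carrying the right token.
def legitimate_request(controller)
  token = SecureRandom.hex(16)
  controller.new({ user_id: "alice", csrf_token: token }, { authenticity_token: token }).process
end
```

`forged_request(VulnerableTransfersController)` still returns `"alice"`, because the memoized user survives the session reset; the same forged request against `SafeTransfersController` returns `nil`, and legitimate requests succeed against both.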
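What "verifying the certificate" has to mean for a Ruby HTTPS client, as discussed in the "TLS Verification in Ruby Client Libraries" teaser above: an added example, not code from that post. It builds a throwaway CA, a server certificate and a same-named impostor in memory (constructed at run time, no real keys), then checks both the chain against an explicit trust store and the hostname against the certificate's subjectAltName, and shows a `Net::HTTP` object configured with `VERIFY_PEER` and that store. The host name `api.example.test` and the helper names are assumptions; nothing here opens a network connection.

```ruby
require "openssl"
require "net/http"

# Build a certificate in memory. All keys and certificates here are
# constructed throwaway test data generated at run time, not real ones.
def make_cert(subject, key, serial:, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}", false))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# A trust store holding only the CAs we choose to trust.
def trust_store(cas)
  store = OpenSSL::X509::Store.new
  cas.each { |c| store.add_cert(c) }
  store
end

# Two checks, both required: (1) the chain ends at a trusted CA and
# (2) the certificate is for the host we meant to reach. Skipping either
# one leaves a man-in-the-middle possible.
def verify_server_cert(leaf, trusted_cas, hostname)
  chain_ok = trust_store(trusted_cas).verify(leaf)
  name_ok  = OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  chain_ok && name_ok
end

# A Net::HTTP client configured the safe way: VERIFY_PEER (never VERIFY_NONE)
# plus an explicit trust store. With verify_mode other than VERIFY_NONE,
# Net::HTTP also checks the peer certificate against the host name after
# the handshake. Constructing the object does not connect.
def verified_client(host, cas)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = trust_store(cas)
  http
end

CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = make_cert("/CN=Constructed Test CA", CA_KEY, serial: 1, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert("/CN=api.example.test", SERVER_KEY, serial: 2,
                        issuer: CA_CERT, issuer_key: CA_KEY, san: "api.example.test")
ROGUE_KEY   = OpenSSL::PKey::RSA.new(2048)
# An impostor with the right name but no path to a trusted CA.
ROGUE_CERT  = make_cert("/CN=api.example.test", ROGUE_KEY, serial: 3, san: "api.example.test")

if __FILE__ == $PROGRAM_NAME
  puts verify_server_cert(SERVER_CERT, [CA_CERT], "api.example.test")  # true
  puts verify_server_cert(ROGUE_CERT,  [CA_CERT], "api.example.test")  # false: untrusted chain
  puts verify_server_cert(SERVER_CERT, [CA_CERT], "evil.example.test") # false: hostname mismatch
end
```

The rogue certificate fails on the chain check even though its name is right, and the genuine certificate fails when presented for a different host; a client that sets `VERIFY_NONE` skips both checks and accepts either.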
