Recent Posts

2013.12.10 by Steve Schwartz

Announcing Dynatable.js

We've been quietly building a jQuery plugin over the past couple years to help make tabular data more interactive. You might be familiar with existing plugins such as DataTables. But after extensive use, we finally made the decision that it wasn't for us.


2013.02.05 by Steve Schwartz

JSON-parsing YAML Vulnerability in Rails (and bonus patch for 2.2.x)

This exploit is similar to the XML vulnerability explained in our last post. This exploit, however, is in the JSON parsing of Rails 2.3.x and 3.0.x, due to the fact that the built-in JSON parser in those versions of Rails delegated a lot of its logic to the YAML parser. The exploit and official patches were announced here on the official RoR Security mailing list.


2013.01.10 by Steve Schwartz

Rails XML Parameter Vulnerability: Summary and Fixes

There's been a lot of commotion lately about the critical vulnerability in Rails (>= Rails 2). And with good reason. For technical details, you can see any number of write-ups, including the post on the Rails-core mailing list from Aaron Patterson, this post on Rapid7, and this discussion on Hacker News. There are also posts on the EngineYard blog and Heroku blog. In this article though, I'd like to 1) boil the issue down to its most basic principle, and 2) outline your options for fixing.


More Posts