Comments on: RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence

By: Week 36 in Review – 2009 | Infosec Events

Week 36 in Review – 2009 | Infosec Events — Thu, 11 Feb 2010 10:42:19 +0000

[...] RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence – techcrunchit.com Today came news that an XSS vulnerability had been found in the RubyOnRails development framework. [...]

By: Basecamp Review

Basecamp Review — Wed, 20 Jan 2010 19:12:01 +0000

As a ruby developer and user of both Twitter and basecamp I appreciate you bringing this to our attention.

By: WHAZUP – iPhone MMS, Android Market, Opera 10, Snow Leopard, Wetoku

WHAZUP – iPhone MMS, Android Market, Opera 10, Snow Leopard, Wetoku — Mon, 07 Sep 2009 20:48:52 +0000

[...] Ruby On Rails XSS Vulnerability discovered Brian Masterbrook discovered a vulnerability on the uber-famous Ruby On Rails framework. The vulnerability impacted Twitter, Basecamp and the many applications written using Ruby On Rails. [...]

By: Tyler

Tyler — Sun, 06 Sep 2009 10:22:40 +0000

4 days later and still no correction. Keep it classy.

By: Nikolay Kolev

Nikolay Kolev — Sat, 05 Sep 2009 23:02:34 +0000

Twitter’s front end is very simple. Probably it has more JavaScript nowadays than Ruby code – it’s not a big effort to port it to Scala’s lift, for example, and standardize entirely on one technology.

Now, on the funny side… Ruby is being developed in Japan and historically has been having issues with Unicode that is designed to solve problems with non-English locales.

By: Elton

Elton — Sat, 05 Sep 2009 13:52:40 +0000

Some more insight into Twitter’s architecture.

John Adams, “Fixing Twitter: Improving the Performance and Scalability…”

http://velocityconference.blip.tv/file/2300327/

By: Paolo

Paolo — Sat, 05 Sep 2009 07:06:25 +0000

Depending on what application server you use you might have experienced XSS vulnerabilities with Java too. For example, this is one dating back to last July http://sunsolve.sun.com/search/document.do?assetkey=1-66-259588-1 on Sun Java System Web Server 6.1.
This one is of April, applying to Struts http://www.ca.com/us/securityadvisor/vulninfo/Vuln.aspx?ID=37269
Googling a little will find many more.

By: pffft

pffft — Sat, 05 Sep 2009 05:04:14 +0000

I wonder why I never had these problems… Oh that’s right. I use java

By: sponge j

sponge j — Sat, 05 Sep 2009 02:00:52 +0000

It is cute, techcrunch giving advice on development. Add this one, don’t take development advice from techcrunch.

Anyone using RoR is foolish. Anyone sensible from that community bailed long ago. Funny you mention the disinterest of the basecamp guys, since they are “the” RoR guys. They mainly care about cash and ego.

Last bit of advice, techcrunch, you should bail on your RoR systems, future fail comming for you.

By: Brock Batsell

Brock Batsell — Fri, 04 Sep 2009 16:44:51 +0000

Nik:

Care to explain why, after being informed 8+ hours ago that your last paragraph is completely factually incorrect, and seeming to acknowledge that fact, the piece still stands uncorrected? That’s absolutely insane. The Rails security release doesn’t even remotely say what you claim it does; simple reading comprehension would have disclosed that.

By: marcus

marcus — Fri, 04 Sep 2009 16:03:35 +0000

Yes, classic case of ‘who you know’. Ping a guy you know on the security team at Twitter = response. Put in a support ticket like any other person = crickets.

By: oops

oops — Fri, 04 Sep 2009 15:36:44 +0000

almost as buggy as Omnidrive!

By: Saravanan

Saravanan — Fri, 04 Sep 2009 15:20:52 +0000

and this vulnerability did not affect IE 8 thanks to its built-in XSS filter says Arstechnica
http://arstechnica.com/security/news/2009/09/ruby-on-rails-vulnerability-affects-twitter-ie8-immune.ars

By: Pete Austin

Pete Austin — Fri, 04 Sep 2009 13:26:13 +0000

People don’t only use Western European languages.

By: Jonathan Cohen

Jonathan Cohen — Fri, 04 Sep 2009 12:12:35 +0000

Ryanair would probably charge you $20 for the privilege of submitting a security report to them.

By: Rob Knight

Rob Knight — Fri, 04 Sep 2009 12:00:50 +0000

It’s still a bad argument. Developers always have to assume that the code they’re building on top of is secure. RoR is just one layer in a stack that includes Rails, a web server, a database server, the Linux OS and possibly all kinds of other software/hardware for load balancing, caching, proxying and so on. Yet nobody would suggest that it’s wrong to run a web app on Linux unless you understand exactly how it works. In fact, we generally measure technical progress by the number of things a person can do without having to understand exactly how they work.

RoR is widely adopted, both commercially and non-commercially, tested by many people in many circumstances, and provides security comparable with any other web framework, and substantially more security than the default ‘no framework’ option. It has flaws, just like the rest of the stack will have flaws, but fixing them is the responsibility of whoever maintains that level of the stack, not the people who use it.

By: itsnotvalid

itsnotvalid — Fri, 04 Sep 2009 11:59:35 +0000

It is so true that white-listing is the real correct way on handling taunted data. Block everything, then open up things that get needed. Even if it would become too clumsy, it is just what developers have to live with.

By: RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence

RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence — Fri, 04 Sep 2009 10:35:50 +0000

[...] By Techcrunch [...]

By: nik

nik — Fri, 04 Sep 2009 10:13:26 +0000

its about understanding the framework and what it does – not read howto + copy + paste

By: nik

nik — Fri, 04 Sep 2009 10:11:45 +0000

“your gonna be ok!” :)

By: Peter Smith

Peter Smith — Fri, 04 Sep 2009 09:48:02 +0000

not sure why Twitter gets off the hook. they took days to respond. didn’t respond. and then only responded when a security employee was contacted directly. is that supposed to inspire confidence?

By: Steve

Steve — Fri, 04 Sep 2009 09:36:46 +0000

A framework makes development a heck of a lot easier, and saves an incredible amount of time.

Thousands of people use off-the-shelf identikit Wordpress installs and noone ever complains, yet someone goes off on their own to code their own site+application using a base framework that merely undertakes the most menial of tasks, and you complain that they’re not “real developers”.
Why reinvent the wheel?

I also *highly* doubt that a single developer or small development team would be able to code something more secure that RoR first time (unless they were actively focusing on the security issue).
Every platform has security issues, we can only ever delay hackers, never stop them.

By: Paolo

Paolo — Fri, 04 Sep 2009 09:24:15 +0000

Nik, thanks for the info. I just patched a server of mine waiting for the official release.

By: Paolo

Paolo — Fri, 04 Sep 2009 09:22:07 +0000

They started using Scala for some background jobs and liked it.

This is an interview to the Twitter team
http://www.artima.com/scalazine/articles/twitter_on_scala.html

Quoting from that article: “We find Ruby and Scala are very complementary. We use Ruby, actually specifically Rails, for things that it is very strong at. All the front end stuff that it does very well. [...] our plan for the long run is to move more and more of our architecture into Scala. The vast majority of our traffic is API requests, and we want most of those to be served by Scala, either at an edge cache layer or a web application layer. Hopefully by the end of 2009 the majority of users’ interactions with Twitter are going to be Scala-powered. ”

Don’t know at which point they are now but it seems to me that the front end (that is, the HTML pages) will be served by Ruby on Rails for the time being.

By: nik

nik — Fri, 04 Sep 2009 09:20:43 +0000

there are some frameworks that will give you a set of functions where you can allow certain classes of input (eg. A-Za-z0-9, all alpha-num plus some punctuation, some html tags etc.) these can come in handy. key is everything off by default and then whitelist. i have a list of regexp’s here i should post at some point – been using it for years.