Jeremy Walker iHiD

## show_output_xss.html
<h2>My First Blog Post</h2>
&lt;div id="content"&gt;
  <script>
  setInterval(function() {
    alert("I'm annoying!!!")
  }, 50)
  &lt;/script&gt;
</div>

## show_output.html
<h2>My First Blog Post</h2>
<div id="content">
  <script>
  setInterval(function() {
    alert("I'm annoying!!!")
  }, 50)
  </script>
</div>

## show.html.erb
<h2><%= @blog_post.title %></h2>
<div id="content"><%= @blog_post.content %></div>

## malicious.html
<script>
setInterval(function() {
    alert("I'm annoying!!!")
}, 50)
</script>

## gemfile_parser.rb
def self.create_from_gemfile_url ( url )
    return nil if url.nil?
    if url.match(/^https:\/\/github.com\//)
      url = url.gsub("https://github.com", "https://raw.github.com")
      url = url.gsub("/blob/", "/")
    end
    uri = URI.parse( url )
    http = Net::HTTP.new(uri.host, uri.port)
    if uri.port == 443
      http.use_ssl = true

## speaker.md

      
              2 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                iHiD
                / speaker.md
            
            
              Created
              June 12, 2012 15:41
                — forked from matiaskorhonen/speaker.md
            
              
                Frozen Rails Talk Proposal Template (http://2012.frozenrails.eu/)
              
          
    Jeremy Walker (iHiD)

Contact details


Email: jez.walker@gmail.com
Twitter: @iHiD
Website or Blog: http://www.ihid.co.uk
Company: Various :)

Speaker bio


## ProjectsController.rb
class ProjectsController < ApplicationController

  def index
    @project = current_user.projects.where('name LIKE ?', "#{params[:name]}%")
    #...
  end
end

## injection_opts.rb
# Use a hash
Project.where(:user_id => current_user.id)

# Use placeholders
Project.where("user_id = ?", current_user.id)

# Use bind variables
Project.where("user_id = :user_id", {:user_id => current_user.id})

## safe_sql.rb
@projects = Project.where(:user_id => current_user.id).
                    where('name LIKE ?', "#{params[:name]}%")

## vulnerable.sql
SELECT * FROM "projects"
WHERE user_id = 1
AND name LIKE '' OR created_at LIKE '%'
	<h2>My First Blog Post</h2>
	<div id="content">
	<script>
	setInterval(function() {
	alert("I'm annoying!!!")
	}, 50)
	</script>
	</div>
	<h2><%= @blog_post.title %></h2>
	<div id="content"><%= @blog_post.content %></div>
	def self.create_from_gemfile_url ( url )
	return nil if url.nil?
	if url.match(/^https:\/\/github.com\//)
	url = url.gsub("https://github.com", "https://raw.github.com")
	url = url.gsub("/blob/", "/")
	end
	uri = URI.parse( url )
	http = Net::HTTP.new(uri.host, uri.port)
	if uri.port == 443
	http.use_ssl = true
	class ProjectsController < ApplicationController

	def index
	@project = current_user.projects.where('name LIKE ?', "#{params[:name]}%")
	#...
	end
	end
	# Use a hash
	Project.where(:user_id => current_user.id)

	# Use placeholders
	Project.where("user_id = ?", current_user.id)

	# Use bind variables
	Project.where("user_id = :user_id", {:user_id => current_user.id})
	@projects = Project.where(:user_id => current_user.id).
	where('name LIKE ?', "#{params[:name]}%")
	SELECT * FROM "projects"
	WHERE user_id = 1
	AND name LIKE '' OR created_at LIKE '%'