Ruby Snippet #03

This challenge covers the review of a snippet of code written in Ruby.

PRO Tier · Easy · < 1 Hr. · 583

In this Code Review Snippet challenge, you are provided with a Ruby on Rails application containing a potential security vulnerability. The challenge begins with the users_controller.rb file, where a user is fetched based on an id parameter. That parameter is converted to an integer before it reaches the query, which prevents SQL injection, so this part of the code is secure.

The vulnerability lies instead in the show.html.erb view file. There, the user's website URL is placed directly into a link's href without any validation or sanitization of its scheme. Because a URL value can carry a script-executing scheme (for example a javascript: URL), a user can inject JavaScript through their own website field, which other users then run by clicking the link: a cross-site scripting (XSS) vulnerability. Note that Rails' default output escaping does not help here, because the value is a syntactically valid attribute and is never treated as markup. The challenge emphasizes the importance of securing user-provided data, especially when it is used to generate HTML content.
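The usual fix for this class of bug is to treat the website field as an untrusted URL and allow only http and https before it ever becomes an href. The snippet below is an added example written for this write-up, not the challenge's own application code; the helper names (`safe_website_url`, `website_link_html`) and the sample values are assumptions, and it uses only Ruby's standard `uri` and `erb` libraries so it runs outside Rails.

```ruby
# Added example (not the PentesterLab challenge code): validate a user-supplied
# "website" value as an absolute http(s) URL before rendering it as a link.
require 'uri'
require 'erb'

ALLOWED_SCHEMES = %w[http https].freeze

# Returns the URL as a string when +raw+ is an absolute http(s) URL with a host,
# otherwise nil. Values that fail to parse (leading whitespace, quotes, angle
# brackets, control characters) are rejected rather than "cleaned up", because
# browsers are far more lenient than the parser and will happily run what a
# strip-and-retry scheme lets through.
def safe_website_url(raw)
  return nil if raw.nil?
  uri = URI.parse(raw.to_s)
  return nil unless uri.scheme && ALLOWED_SCHEMES.include?(uri.scheme.downcase)
  return nil if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Builds the anchor the view should emit. The href is scheme-checked first and
# then HTML-escaped, so neither a javascript: URL nor an attribute-breaking
# quote can reach the rendered page.
def website_link_html(raw)
  url = safe_website_url(raw)
  if url
    escaped = ERB::Util.html_escape(url)
    %(<a href="#{escaped}" rel="noopener noreferrer">#{escaped}</a>)
  else
    # Fall back to inert, escaped text: the bad value stays visible to the
    # profile owner but is not clickable for anyone.
    ERB::Util.html_escape(raw.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs covering the accept and reject paths.
  ['https://example.com/~alice', 'JavaScript:alert(1)', ' javascript:alert(1)',
   'data:text/html;base64,AAAA', '//evil.example/', 'example.com'].each do |v|
    puts "#{v.inspect} => #{website_link_html(v)}"
  end
end
```

In a Rails view the same idea is `<%= link_to user.website, safe_website_url(user.website) %>` guarded by a nil check, or better still, run `safe_website_url` as a model validation so a bad scheme is rejected at save time and the view never has to decide. Bare hostnames such as `example.com` are rejected here on purpose; if you want to accept them, normalize by prepending `https://` at save time rather than in the view.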
