Rails 3.2.10 Exploit and Slow Read Attacks

Charlie Somerville and I presented a talk at the Melbourne RORO (Ruby on Rails Oceania) meetup regarding the recent Rails 3.2.10 security hole, as well as the Slow HTTP Read Attack and how it affects certain Rails stacks.

We decided to experiment with the structure of the talk by weaving in a narrative. We called it “chendo’s 11”, parodying Ocean’s Eleven. The story follows us planning and executing a revenge heist against a fictitious illegal gambling website called “Casino King On Line”.

The slow read portion of the talk was based on our experience of encountering the slow read attack in the wild in late 2011 — although the bit about it being used for a distraction as part of the heist isn’t quite true to life.