Michael Lubas, 2025-01-07
Gem Shop is an intentionally vulnerable Ruby on Rails 8 project for security education, with examples of SQL injection, cross-site scripting (XSS), broken access control, and more. The application is a simple e-commerce site where users can shop for gemstones. Most people are familiar with online shopping today, so starting from this base students can learn how security issues occur in a Rails codebase. The project is open source and hosted on the Paraxial.io GitHub.
Many web developers are interested in security, and there are numerous resources online for learning about vulnerabilities in web applications, for example XSS. When teaching this subject I’ve found hands-on labs to be the most effective way for students to understand the material. If a student is experienced with Ruby on Rails, and the lab exercise is a Rails project, they can focus more on understanding the security concept (XSS, CSRF, etc.) instead of deciphering a web framework they are not familiar with.
Gem Shop is not the first vulnerable Rails project. OWASP Rails Goat was started 12 years ago, with releases up to Rails 6. Rails Goat is a fantastic project from the highly accomplished team at OWASP. With Gem Shop, I hope to continue the mission of helping Rails developers learn about security, so that they can keep their own projects safe, through examples in Rails 8 and beyond.
Cybersecurity has become a critical field, and web developers are very much part of the ecosystem. Consider the 2017 Equifax data breach, where an American credit bureau was hacked and the personal information of over 150 million people was stolen. This was due to a vulnerability in Apache Struts, a web framework for Java, similar to Rails. Web applications written in Rails are often critical infrastructure, from banking to medical portals. Every developer needs to be aware of security risks.
The initial version of Gem Shop is live on GitHub now. Please star the repo, download the project, poke around to find the security problems, and share your feedback on the issue tracker. Pull requests for new vulnerabilities and features are welcome.
Paraxial.io stops data breaches by helping developers ship secure applications. Get a demo or start for free.