The final project (undertaken during the last 2 weeks) of the Makers Academy course. The aim of this project was to gain an understanding of cyber security. A simple web app (a basic Twitter clone) was developed with a test-driven approach, using few libraries and no frameworks. Employing a 'from the ground up' approach created various challenges which led to the need for a custom-built HTML/Ruby templating engine, ORM, HTTP server/middleware and hashing algorithm. This was done to bypass the security features that well-developed libraries/frameworks provide by default, allowing the app to be used as an environment in which to discover, exploit and document various security vulnerabilities. This knowledge was then used to develop suitable countermeasures.
ruby v2.4.1
get latest version here:
PostgreSQL v10.1
get here:
Mozilla Firefox (for Capybara tests)
get latest version here:
Getting the repo:
$ git clone
$ cd Making-a-secure-web-app
Configuring environment:
$ gem install bundler
$ ruby db-reset.rb
$ bundle install
Running app:
$ ruby server.db
-> then visit
Links to flow diagrams: request/response cycle, control flow diagram
Tested in RSpec with Capybara using Selenium WebDriver. 100% test coverage (measured by SimpleCov).
Test suite consists of:
- regression tests (for known vulnerabilities)
- unit tests
- feature tests
All tests used to expose vulnerabilities are not run as part of the suite but are stored in the spec/hacks folder.
Running tests:
$ rspec
A few sites that gave us insight into well-known hacking techniques.