Gem Shop: A Vulnerable Rails 8 App for Security Education
10-Jan-2025
Gem Shop is an intentionally vulnerable Ruby on Rails 8 project for security education, with examples of SQL injection, cross-site scripting (XSS), broken access control, and more. The application is a simple e-commerce site where users can shop for gemstones. Most people are familiar with online shopping today, so starting from this base, students can learn how security issues occur in a Rails codebase. The project is open source and hosted on the Paraxial.io GitHub.
Many web developers are interested in security, and there are numerous resources online for learning about vulnerabilities in web applications, for example, XSS. When teaching this subject, I’ve found hands-on labs to be the most effective way for students to understand the material. If a student is experienced with Ruby on Rails, and the lab exercise is a Rails project, they can focus more on understanding the security concept (XSS, CSRF, etc.) instead of deciphering a web framework they are not familiar with.