
Gem Shop: A Vulnerable Rails 8 App for Security Education

submitted by
Style Pass
2025-01-08 01:00:03

Gem Shop is an intentionally vulnerable Ruby on Rails 8 project for security education, with examples of SQL injection, cross-site scripting (XSS), broken access control, and more. The application is a simple e-commerce site where users can shop for gemstones. Most people are familiar with online shopping today, so starting from this familiar base, students can learn how security issues occur in a Rails codebase. The project is open source and hosted on the Paraxial.io GitHub.

Many web developers are interested in security, and there are numerous resources online for learning about vulnerabilities in web applications, XSS for example. When teaching this subject I’ve found hands-on labs to be the most effective way for students to understand the material. If a student is experienced with Ruby on Rails, and the lab exercise is a Rails project, they can focus on understanding the security concept (XSS, CSRF, etc.) instead of deciphering a web framework they are not familiar with.

Gem Shop is not the first vulnerable Rails project: OWASP Rails Goat was started 12 years ago, with releases up to Rails 6. Rails Goat is a fantastic project from the highly accomplished team at OWASP. With Gem Shop, I hope to continue the mission of helping Rails developers learn about security, through examples in Rails 8 and beyond, so that their own projects are safe.
