YAML seems to be getting a bad rap lately, and I’m not surprised. YAML was used as the attack vector to execute arbitrary code in a Rails process and was even used to steal secrets from rubygems.org. Let’s try to dissect the attack vector used, and see how YAML fits into the picture.

The Metasploit Exploit

First, let’s cover the most widely known vector. We (the Rails Security Team) have had report