
Re: Pentesting RoR

Subject: Re: Pentesting RoR
Date: Fri, 27 Jul 2007 11:26:04 +0200
Well, Ruby on Rails is just another web application framework,
so you should treat it like a normal webapp pentest.

Metasploit is written in Ruby and the web interface is made with Rails, but I
don't think that this would help you in any way when it comes to testing a
Rails application (most exploits in Metasploit are not for
web applications, and as far as I know there is none that targets Ruby on
Rails. Also, you will test the application of your customer, which means
that you should find new flaws and not just the ones everyone knows).

At the moment I'm playing around with Rails, so I can tell
you some things that might be interesting for you:

1. Rails has an 'anti-XSS' function (the "h()" function), however the
developer of the application must use it. You, the pentester, have to check
all parameters for possible XSS issues (like in any other web application).

2. The way a normal Rails URL looks:
http://foo.bar/controller/action/parameter

The controller is a class and the action is a method of the controller
class. So search for controllers like admin. If you find it, you can try to
find methods which are not declared as private (an error by the developer), for
example
http://foo.bar/admin/deleteuser/1
(I don't know if this really works, I will try when I have some time.)

3. Rails uses different environments (development, test, production).
Normally, each has a separate database with separate data to play around with.
One big difference is that you get detailed Ruby exception messages in the
development environment, so check if they forgot to switch it.

The Rails framework had some security issues (I think there was a DoS
vulnerability and an XSS flaw in some older versions). Take a look at
the different security mailing lists.

Just work a little bit with Rails and look at the tutorials on the Rails site
(it's not difficult and not as stressful as your first J2EE application).

Also, you can check out some real-world Rails applications, for example
Radiant (www.radiantcms.org) or the web interface of Metasploit. This will
help you get a feeling for how a Rails application works.

Another good starting point for Rails security may be the Ruby on Rails
Security Blog
http://www.rorsecurity.info/

Hope that helps

Hans Martin

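The two points above about the h() helper and about public controller methods becoming URL-reachable actions, as an added example that is not part of the original post and is not Rails code. It uses only Ruby's standard library: Rails' h() delegates to ERB::Util.html_escape, which is called directly here, and the AdminController class, the CONTROLLERS table and the dispatch function are a hypothetical stand-in for Rails routing, written only to show the rule that public methods are routable and private ones are not.

```ruby
require 'erb'

# --- Point 1: output escaping ---------------------------------------------
# Rails' h() is ERB::Util.html_escape. The framework provides it, but the
# developer has to call it on every user-controlled value echoed into HTML.
# Both renderers below stand in for a view template (hypothetical helpers).
def render_greeting_unescaped(name)
  "<p>Hello, #{name}</p>"                          # reflects the parameter verbatim
end

def render_greeting_escaped(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}</p>"   # what h(name) does in a view
end

# --- Point 2: routing and public controller methods -----------------------
# Toy controller (hypothetical, not a Rails class). In Rails any public
# instance method of a controller is an action; private ones are not routable.
class AdminController
  def index
    'admin index'
  end

  # Meant to be internal, but left public, so /admin/deleteuser/<id> reaches it.
  def deleteuser(id)
    "would delete user #{id}"
  end

  private

  # Correctly private: a request for /admin/audit/1 must not get here.
  def audit(id)
    "audit #{id}"
  end
end

CONTROLLERS = { 'admin' => AdminController }.freeze

class RoutingError < StandardError; end

# Lists what a URL can reach on a controller: the check to run in a code
# review to spot helpers that should have been placed below `private`.
def routable_actions(klass)
  klass.public_instance_methods(false).map(&:to_s).sort
end

# Minimal stand-in for /controller/action/parameter dispatch (not Rails' router).
def dispatch(path)
  _, controller_name, action, param = path.split('/', 4)
  klass = CONTROLLERS.fetch(controller_name) do
    raise RoutingError, "no controller #{controller_name.inspect}"
  end
  unless routable_actions(klass).include?(action.to_s)
    raise RoutingError, "no public action #{action.inspect} on #{controller_name}"
  end
  action_method = klass.new.method(action)
  action_method.arity.zero? ? action_method.call : action_method.call(param)
end

if __FILE__ == $PROGRAM_NAME
  payload = '<script>alert(1)</script>'   # constructed sample input
  puts render_greeting_unescaped(payload)  # reflected as-is
  puts render_greeting_escaped(payload)    # &lt;script&gt;...
  puts routable_actions(AdminController).inspect
  puts dispatch('/admin/deleteuser/1')
  begin
    dispatch('/admin/audit/1')
  rescue RoutingError => e
    puts "blocked: #{e.message}"
  end
end
```

Running routable_actions against each controller class is the quick way to confirm, from the code side, that only the intended methods are exposed; the escaped renderer shows that the fix for the reflected parameter is a single call the developer has to remember, which is why every echoed parameter still has to be checked.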

-----Original Message-----
From: Mister Dookie [mailto:misterdookie@gmail.com]
Sent: Monday, 16 July 2007 22:02
To: security-basics@securityfocus.com
Subject: Pentesting RoR

So a client is setting up a webapp written in Ruby on Rails with a
MySQL backend.

I do not have much experience with Ruby exploits or SQL injection against
Ruby.

Can some list members give me some insight or point me in the right
direction? I know the new Metasploit is written using Ruby. Does that
make it a better pentest platform (just one of the tools) for me?
Thanks! Regards, John
