Security Basics mailing list archives

Re: Pentesting RoR


From: Martin Muench <mmuench () it-sec de>
Date: Fri, 27 Jul 2007 11:26:04 +0200

Well, Ruby on Rails is just another web application framework,
so you should treat it like a normal webapp pentest.

Metasploit is written in Ruby and the web interface is made with Rails, but I
don't think that this would help you in any way when it comes to testing a
Rails application (most exploits in Metasploit are not for
web applications, and as far as I know there is none that targets Ruby on
Rails. Also, you will test the application of your customer, which means
that you should find new flaws and not just the ones everyone knows).

At the moment I'm playing around with Rails, so I can tell
you some things that might be interesting for you:

1. Rails has an 'anti-XSS' function (the "h()" function), however the
developer of the application must use it. You, the pentester, have to check
all parameters for possible XSS issues (like in any other web application).

2. The way a normal Rails URL looks:
http://foo.bar/controller/action/parameter

The controller is a class and the action is a method of the controller
class. So search for controllers like admin. If you find it, you can try to
find methods which are not declared as private (an error by the developer), for
example
http://foo.bar/admin/deleteuser/1
(I don't know if this really works, I will try when I have some time.)

3. Rails uses different environments (development, test, production).
Normally, each has a separate database with separate data to play around with.
One big difference is that you get detailed Ruby exception messages in the
development environment, so check if they forgot to switch it.

The Rails framework had some security issues (I think there was a DoS
vulnerability and an XSS flaw in some older versions). Take a look at
the different security mailing lists.

Just work a little bit with Rails, look at the tutorials on the Rails site
(it's not difficult and not as stressful as your first J2EE application).

Also you can check out some real-world Rails applications, for example
Radiant (www.radiantcms.org) or the web interface of Metasploit. This will
help you get a feeling for how a Rails application works.

Another good starting point for Rails security may be the Ruby on Rails
Security Blog:
http://www.rorsecurity.info/

Hope that helps

Hans Martin


-----Original Message-----
From: Mister Dookie [mailto:misterdookie () gmail com]
Sent: Monday, 16 July 2007 22:02
To: security-basics () securityfocus com
Subject: Pentesting RoR

So a client is setting up a webapp written in Ruby on Rails with a
MySQL backend.

I do not have much experience with Ruby exploits or SQL injection against
Ruby.

Can some list members give me some insight or point me in the right
direction? I know the new Metasploit is written using Ruby. Does that
make it a better pentest platform (just one of the tools) for me?
Thanks! Regards, John

