Security Basics mailing list archives
AW: Pentesting RoR
From: Martin Muench <mmuench () it-sec de>
Date: Fri, 27 Jul 2007 11:26:04 +0200
Well, Ruby on Rails is just another web application framework, so you should treat it like a normal webapp pentest. Metasploit is written in Ruby and the web interface is made with Rails, but I don't think that this would help you in any way when it comes to testing a Rails application (most exploits in Metasploit are not for web applications, and as far as I know there is none that targets Ruby on Rails. Also, you will test the application of your customer, which means that you should find new flaws and not just the ones everyone knows). At the moment I'm playing around with Rails and so I can tell you some things that might be interesting for you:

1. Rails has an 'anti-XSS' function (the "h()" function), however the developer of the application must use it. You, the pentester, have to check all parameters for possible XSS issues (like in any other web application).

2. The way a normal Rails URL looks: http://foo.bar/controller/action/parameter
The controller is a class and the action is a method of the controller class. So search for controllers like admin. If you find it, you can try to find methods which are not declared as private (error by the developer), for example http://foo.bar/admin/deleteuser/1 (I don't know if this really works, I will try when I have some time).

3. Rails uses different environments (development, test, production). Normally, each has a separate database with separate data to play around with. One big difference is that you get detailed Ruby exception messages in the development environment, so check if they forgot to switch it.

The Rails framework had some security issues (I think there was a DoS vulnerability and an XSS flaw in some older versions). Take a look at the different security mailing lists.
Just work a little bit with Rails, look at the tutorials on the Rails site (it's not difficult and not so stressful like your first J2EE application). Also you can check out some real world Rails applications, for example Radiant (www.radiantcms.org) or the web interface of Metasploit. This will help you get a feeling for how a Rails application works. Another good starting point for Rails security may be the Ruby on Rails Security Blog http://www.rorsecurity.info/

Hope that helps
Hans Martin

-----Original Message-----
From: Mister Dookie [mailto:misterdookie () gmail com]
Sent: Monday, 16 July 2007 22:02
To: security-basics () securityfocus com
Subject: Pentesting RoR

So a client is setting up a webapp written in Ruby on Rails with a MySQL backend. I do not have much experience with Ruby exploits or SQL injection against Ruby. Can some list members give me some insight or point me in the right direction? I know the new Metasploit is written using Ruby. Does that make it a better pentest platform (just one of the tools) for me? Thanks!

Regards,
John
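Points 1 and 2 of the reply above (the h() helper, and public controller methods becoming reachable actions) can be shown without a full Rails stack. The following is an added example written for this archive page, not code from either poster or from the Rails project. It assumes two facts about Rails that are true for the versions discussed: the view helper h() is ERB::Util.html_escape, and a Rails router dispatches /controller/action to any public instance method of the controller class. The controller classes, the find_user helper and the dispatch function are hypothetical stand-ins that mimic that behaviour so a reviewer can see why a helper left outside `private` is a finding.

```ruby
require "erb"

# Rails' h() view helper delegates to ERB::Util.html_escape. Running it directly
# on a parameter value shows what the helper does (and what a view that omits
# h() would render verbatim).
def escape_for_html(untrusted)
  ERB::Util.html_escape(untrusted)
end

# Constructed sample: a typical value submitted while checking a parameter for XSS.
SAMPLE_PARAM = "<script>alert(1)</script>"

# Hypothetical controller as a developer might write it: find_user is a helper
# used by deleteuser, but it was never moved under `private`, so a Rails-style
# router would expose it as /admin/find_user/<id>.
class LeakyAdminController
  def initialize(params = {})
    @params = params
  end

  def index
    "admin index"
  end

  def deleteuser
    "deleted #{find_user}"
  end

  def find_user
    "user #{@params['id']}"
  end
end

# The same controller with the helper correctly hidden behind `private`.
class HardenedAdminController
  def initialize(params = {})
    @params = params
  end

  def index
    "admin index"
  end

  def deleteuser
    "deleted #{find_user}"
  end

  private

  def find_user
    "user #{@params['id']}"
  end
end

# Audit helper: the set of method names a Rails router would accept as actions
# for this controller, i.e. its public instance methods (inherited ones excluded).
def routable_actions(controller_class)
  controller_class.public_instance_methods(false).map(&:to_s).sort
end

# Minimal stand-in for the router: only public methods are callable as actions;
# anything else answers like a missing route.
def dispatch(controller_class, action, params = {})
  return "404: no such action" unless routable_actions(controller_class).include?(action)

  controller_class.new(params).public_send(action)
end

if __FILE__ == $PROGRAM_NAME
  puts "escaped param:  #{escape_for_html(SAMPLE_PARAM)}"
  puts "leaky actions:  #{routable_actions(LeakyAdminController).join(', ')}"
  puts "fixed actions:  #{routable_actions(HardenedAdminController).join(', ')}"
  puts "GET /admin/find_user/1 (leaky): #{dispatch(LeakyAdminController, 'find_user', 'id' => '1')}"
  puts "GET /admin/find_user/1 (fixed): #{dispatch(HardenedAdminController, 'find_user', 'id' => '1')}"
end
```

When reviewing a real Rails code base rather than this stand-in, the same check is done by reading each controller for methods defined above the `private` keyword that are not meant to be actions; the third point in the reply (development versus production environment) is a configuration check and is not covered by this example.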