Penetration Testing mailing list archives
Re: Pentesting RoR
From: hwertz () avalon net
Date: Wed, 18 Jul 2007 23:07:21 -0500
I believe a few out-of-date versions of Ruby on Rails had some SQL injection bugs.. but, nearly the whole package is scripts and easy to keep up-to-date, so I do doubt they are running an older version that is vulnerable. Metasploit's certainly good to try out; I don't think it'll be more successful just due to being written in Ruby though; Ruby's just a nice, easy to use scripting language and so was convenient to use for writing both products.

The other method I would use, see if the administrative interface for the app (if any) has weak security. This won't get full machine control like a SQL injection might, but it's certainly bad for some random person to be able to administrate your database 8-). If possible have someone show you how to use the app. Don't pay too much attention to the app proper, check out the URLs. The security is as good or bad as the implementor implemented since Ruby on Rails is a general purpose scripting language with nice web<->MySQL glue.

You might be able to just key in the admin URL and get in ("Security through obscurity".. just assuming no one will figure out the admin URL..). They may put in an "admin" link that asks for username and pass before forwarding to the admin URL (bypassable by just typing the admin URL directly.)

I must admit I implemented an in-house app that just used http auth-basic.. for the admin page to load, a username+password have to be entered.. auth-basic, however, sends the user+pass in plaintext. I don't know if there's auth-basic exploits but it wouldn't surprise me terribly. Finally, there's probably stronger stuff like shared certificates, SSL, etc.. which is unlikely to be penetrated.
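Added example, not part of the original post or of any project it mentions: a Rack-style guard in plain Ruby that wraps the admin application itself, so the credential check runs on every request that reaches it (typing the URL directly changes nothing) and Basic credentials are refused over plain HTTP. The class name, realm and sample credentials are constructed for illustration.

```ruby
require "digest"

# Hypothetical guard wrapping an admin Rack app (any object responding to #call).
# The check lives on the resource, not on the link that leads to it.
class AdminGuard
  def initialize(admin_app, user:, password:)
    @admin_app = admin_app
    @expected = Digest::SHA256.digest("#{user}:#{password}")
  end

  # Basic auth is base64, not encryption: anyone who sees the header
  # recovers "user:password" with a single decode.
  def self.basic_credentials(header)
    scheme, encoded = header.to_s.split(" ", 2)
    return nil unless scheme&.casecmp?("basic") && encoded
    encoded.unpack1("m")
  end

  def call(env)
    # Assumes TLS terminates at this server; behind a proxy, check the
    # proxy's forwarded-scheme header instead of rack.url_scheme.
    unless env["rack.url_scheme"] == "https"
      return [403, { "content-type" => "text/plain" }, ["HTTPS required\n"]]
    end
    creds = self.class.basic_credentials(env["HTTP_AUTHORIZATION"])
    return @admin_app.call(env) if creds && secure_equal?(Digest::SHA256.digest(creds), @expected)
    [401, { "www-authenticate" => 'Basic realm="admin"',
            "content-type" => "text/plain" }, ["Authentication required\n"]]
  end

  private

  # Constant-time comparison of two equal-length digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```
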
Current thread:
- Pentesting RoR Mister Dookie (Jul 17)
- <Possible follow-ups>
- Re: Pentesting RoR hwertz (Jul 20)