7

I am currently testing a RoR web application, but I am honestly at a bit of a loss: I have never gone up against a RoR application before, and I was wondering whether there are any specific tools I could use to attack this RoR site (I have full permission; all legal).

Any tools or tutorials for basic RoR pen testing?

TheHidden

3 Answers

9

There are a number of areas that you can focus on with Rails apps, depending on the level of access you have. Some initial ideas:

  • If you have source code access (and I would highly recommend it), you can use Brakeman to find some issues.
  • Even if you can't get source code access, you may be able to request the output of the `rake routes` command, which should give you a picture of all the possible routes in the app.
  • OWASP has a good doc on Rails security which has some good starting points.
  • I'd always try changing extensions on requests (e.g. from html to xml or json), as Rails tends to have different code paths for different formats and this can expose security issues.
  • If you can find the version of Rails in use (in the Gemfile in the application root), review it for known CVEs (there have been a few).
  • As Rails apps generally have an MVC structure, they can have quite predictable URL paths, so if you're black-boxing, then things like /users/1/edit (replace users with other plural nouns) can produce interesting results.
  • Always decode the cookies to see if there's any secret info in there (there shouldn't be).
Rory McCune
  • Thank you! This is very useful information, and I do indeed have full source code access, though I may try and black-box it first (more fun that way). I am going to go through all of these steps one way or another! – TheHidden Mar 04 '15 at 14:46
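The "decode the cookies" point in the answer above can be checked with a small script. The following is an added example, not code from the answer or from Rails itself: it reimplements the legacy Rails 3.x / 4.0 signed-session cookie layout (base64 of a Marshal-dumped session hash, then `--`, then a hex HMAC-SHA1 over the base64 text keyed with `secret_token`) using a constructed secret, shows that the session contents are readable without the secret, flags obviously sensitive material in the payload, and verifies the signature before deserialising. `EXAMPLE_SECRET`, `sign_session`, `readable_payload`, `leaks_sensitive_data?`, `secure_equal?` and `verify_and_load` are the example's own names.

```ruby
require 'base64'
require 'openssl'

# Constructed secret for this example only; a real app's secret_token is never known to a tester.
EXAMPLE_SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# Build a cookie in the legacy Rails 3.x / 4.0 signed-session format (assumption: the app
# uses the signed, not encrypted, cookie store):
#   base64(Marshal.dump(session_hash)) + "--" + hex HMAC-SHA1(secret, base64 text)
def sign_session(session_hash, secret)
  payload = Base64.strict_encode64(Marshal.dump(session_hash))
  digest  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  "#{payload}--#{digest}"
end

# What anyone holding the cookie can read without the secret: the payload is only
# base64-encoded, not encrypted, so anything placed in the session is visible as raw bytes.
def readable_payload(cookie)
  payload, _digest = cookie.split('--', 2)
  Base64.strict_decode64(payload)
end

# Defender-side check for the "there shouldn't be secret info in there" rule:
# true if any of the (constructed) sensitive markers appears in the decoded payload.
def leaks_sensitive_data?(cookie, markers = %w[password secret token ssn])
  raw = readable_payload(cookie).downcase
  markers.any? { |m| raw.include?(m) }
end

# Constant-time string comparison, so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify the HMAC before deserialising. Marshal.load on unauthenticated input is itself
# a code-execution risk, so the signature check must come first; returns nil on any failure.
def verify_and_load(cookie, secret)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
  return nil unless secure_equal?(digest, expected)
  Marshal.load(Base64.strict_decode64(payload))
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ 'user_id' => 7, 'role' => 'admin' }, EXAMPLE_SECRET)
  puts "cookie:  #{cookie}"
  puts "visible: #{readable_payload(cookie).inspect}"
  puts "leaks?   #{leaks_sensitive_data?(cookie)}"
  puts "session: #{verify_and_load(cookie, EXAMPLE_SECRET).inspect}"
end
```

Rails 4.1 and later encrypt the session cookie by default, so its contents are no longer readable this way; the signature-before-deserialise rule still applies to any legacy signed cookies an app keeps using.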
4

You can find information about the most common Ruby on Rails application vulnerabilities and their countermeasures at the Zen Rails Security Checklist.

BrunoF
3

I'd recommend getting familiar with web penetration testing techniques and types of attack in general (XSS, SQLi, privilege escalation, session security, etc.), then diving into Rails-specific vulnerabilities. I find that having a very strong understanding of the HTTP protocol, how sessions are created/persisted/destroyed, and the flow of data helps more than any single tool you can run. Rails has some great documentation on security once you are feeling comfortable with basic testing mechanisms: http://guides.rubyonrails.org/security.html

jmbmxer
  • Thank you for your reply, and sorry for the delay. I have a good understanding of sessions, cookies, the flow of data, etc., as I am a PHP developer. Though I am hitting bumps with the different syntax of RoR; it also does not help that it uses Postgres, which I am also unfamiliar with. I shall look at your link. Thanks for the help :) – TheHidden Mar 11 '15 at 12:01