Re: Pentesting RoR

From: hwertz@avalon.net
Date: Thu Jul 19 2007 - 00:07:21 EDT


     I believe a few out-of-date versions of Ruby on Rails had some SQL
injection bugs.. but, nearly the whole package is scripts and easy to keep
up-to-date, so I do doubt they are running an older version that is vulnerable.

     Metasploit's certainly good to try out; I don't think it'll be more
successful just due to being written in Ruby though; Ruby's just a nice, easy
to use scripting language and so was convenient to use for writing both
products.

     The other method I would use, see if the administrative interface for the
app (if any) has weak security. This won't get full machine control like a SQL
injection might, but it's certainly bad for some random person to be able to
administrate your database 8-). If possible have someone show you how to use
the app. Don't pay too much attention to the app proper, check out the URLs.
The security is as good or bad as the implementor implemented since Ruby on
Rails is a general purpose scripting language with nice web<->Mysql glue. You
might be able to just key in the admin URL and get in ("Security through
obscurity".. just assuming no one will figure out the admin URL..). They may
put in an "admin" link that asks for username and pass before forwarding to the
admin URL (bypassable by just typing the admin URL directly.) I must admit I
implemented an in-house app that just used http auth-basic.. for the admin page
to load, a username+password have to be entered.. auth-basic, however, sends
the user+pass in plaintext. I don't know if there's auth-basic exploits but it
wouldn't surprise me terribly. Finally, there's probably stronger stuff like
shared certificates, SSL, etc.. which is unlikely to be penetrated.
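As an added illustration (not code from the post or from Rails itself), here is a small Ruby sketch of the two admin-page designs the post describes: the "admin link checks the password, the admin URL itself does not" layout versus a check enforced on every admin request, plus a Basic-auth header parser showing that the credentials are merely base64-encoded. The Request struct, the path names and the ADMIN_USER/ADMIN_PASS values are constructed for the demo.

```ruby
require 'base64'

# Stand-in for a Rails-style request: just a path and a headers hash (hypothetical).
Request = Struct.new(:path, :headers)

# Constructed demo credentials, not a real account.
ADMIN_USER = 'admin'
ADMIN_PASS = 'example-password'

# Parse an HTTP Basic "Authorization" header into [user, pass], or nil.
# Base64 is an encoding, not encryption: whoever sees the header reads the
# password, which is why Basic auth needs TLS underneath it.
def basic_credentials(headers)
  auth = headers['Authorization'] or return nil
  scheme, token = auth.split(' ', 2)
  return nil unless scheme == 'Basic' && token
  user, pass = Base64.strict_decode64(token).split(':', 2)
  [user, pass]
rescue ArgumentError
  nil  # malformed base64
end

def authorized?(req)
  basic_credentials(req.headers) == [ADMIN_USER, ADMIN_PASS]
end

# Weak design from the post: only the "admin" link asks for credentials;
# the admin page trusts anyone who knows (or guesses) its URL.
def weak_dispatch(req)
  case req.path
  when '/admin_link' then authorized?(req) ? 'redirect:/admin' : '401'
  when '/admin'      then 'admin page'
  else '404'
  end
end

# Hardened design: the credential check runs for every admin path, the way a
# Rails before_action on the admin controller would, so there is nothing to bypass.
def hardened_dispatch(req)
  return '401' if req.path.start_with?('/admin') && !authorized?(req)
  case req.path
  when '/admin_link' then 'redirect:/admin'
  when '/admin'      then 'admin page'
  else '404'
  end
end
```

Requesting `/admin` with no header returns the page from `weak_dispatch` but `401` from `hardened_dispatch`; that difference is the bypass the post warns about.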

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:57 EDT