Ruby and Security

  1. Ruby and Security. It's not just for Python…
  2. About Me • Carl Sampson • Twitter: @chs • Web: www.chs.us • Product Security Engineer at Salesforce • Former developer turned appsec guy • OWASP Indy chapter leader • Ruby enthusiast
  3. Why Ruby? • One of the easiest languages for anyone to read and parse, regardless of style – an_object.empty? – 3.times { puts "Hello, World" } – list_numbers.each { |num| print num } – [1, 2, 3].length
  4. Why Ruby? • A package management system that makes it easy to share and modify tools – A standard format for distributing Ruby programs and libraries – RubyGems (http://rubygems.org)
  5. Why Ruby? • Powerful introspection and object-oriented capabilities – Ask a class or object what it defines (methods, instance variables, ancestors) – Create classes and methods at runtime (Class.new, define_method) – ObjectSpace walks every live object in the process
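The introspection the slide refers to, shown as an added example that is not from the deck: a constructed SessionStore class stands in for application code under review, and the helpers list what it exposes, read its instance state, build a class at runtime from a field list, and enumerate live instances through ObjectSpace. All class and method names are illustrative.

```ruby
# Added example: Ruby introspection applied to a constructed class.
# SessionStore stands in for application code under review.
class SessionStore
  attr_reader :token

  def initialize(token)
    @token = token
    @secret = 'do-not-log'   # internal state with no accessor
  end

  def rotate!
    @token = @token.reverse
  end

  private

  def dump_secret
    @secret
  end
end

# What does the class expose? The `false` argument limits the listing to
# methods defined on this class itself, not inherited ones. `initialize` is
# always private, so it is dropped from the private list to keep it meaningful.
def public_api(klass)
  klass.public_instance_methods(false).sort
end

def private_api(klass)
  (klass.private_instance_methods(false) - [:initialize]).sort
end

# Read an object's state directly, bypassing accessors: handy in IRB when
# poking at a live session or request object.
def peek(obj)
  obj.instance_variables.map { |iv| [iv, obj.instance_variable_get(iv)] }.to_h
end

# Build a class at runtime from a list of field names, generating reader and
# writer methods with define_method; the result is registered as a constant.
def build_class(name, fields)
  klass = Class.new do
    fields.each do |field|
      define_method(field) { instance_variable_get("@#{field}") }
      define_method("#{field}=") { |value| instance_variable_set("@#{field}", value) }
    end
  end
  Object.const_set(name, klass)
end

# ObjectSpace walks the heap: every live SessionStore in the process, whoever
# created it. Objects already reclaimed by the GC will not appear.
def live_instances(klass)
  ObjectSpace.each_object(klass).to_a
end
```

In a REPL, `public_api(SessionStore)` answers "what can a caller invoke?" and `peek` answers "what is this object actually holding?", which is the usual first step when auditing an unfamiliar gem.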
  6. Why Ruby? • Platform-independent support for multithreading – Thread, Mutex and Queue behave the same on every OS; the interpreter maps them onto native OS threads
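The threading model in use, as an added example that is not from the deck: a worker pool fed by a thread-safe Queue, the structure scanners and brute-forcers are built on. Here the workers test a constructed wordlist against a SHA-256 target; the wordlist and target are made up for the example.

```ruby
require 'digest'

# Added example: a Queue-fed thread pool. The wordlist is constructed.
WORDLIST = %w[password 123456 qwerty letmein dragon monkey baseball].freeze

# Returns the word whose SHA-256 equals target_hex, or nil if none matches.
def crack_sha256(target_hex, words, workers: 4)
  queue = Queue.new                 # thread-safe FIFO from the standard library
  words.each { |w| queue << w }
  workers.times { queue << :done }  # one sentinel per worker so each exits cleanly

  found = nil
  lock = Mutex.new

  threads = Array.new(workers) do
    Thread.new do
      while (word = queue.pop) != :done
        break if found              # another worker already succeeded
        next unless Digest::SHA256.hexdigest(word) == target_hex
        lock.synchronize { found ||= word }
      end
    end
  end
  threads.each(&:join)              # join re-raises any exception a worker hit
  found
end
```

Under MRI the global VM lock keeps pure-Ruby work like this hashing loop on one core at a time; the pattern pays off for I/O-bound tasks such as socket probes, where blocking calls release the lock, and runs truly parallel on JRuby.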
  7. Why Ruby? • The interpreter builds and runs natively on most platforms • Doesn't require compatibility layers such as Cygwin to build on Windows • Easy to embed within another application – C API for calling Ruby from C
  8. Why Ruby? • Robust standard library included – 20,964 functions and classes – Well documented • Dash • Omniref (https://www.omniref.com/) • Ruby-doc (http://www.ruby-doc.org/) • ri (command-line documentation)
  9. Why Ruby? • Easy to extend existing classes to meet new needs (open classes) – Ruby classes are never closed: reopening String or Integer adds methods that every caller sees
  10. Why Ruby?
  11. Why Ruby? • Easy to hook native libraries – FFI gem (interface to C-style shared libraries) – DL (bridge to dlopen; deprecated in Ruby 2.0 and replaced by Fiddle in the standard library) • Easy to extend using C
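Hooking a native library, as an added example that is not from the deck: it uses Fiddle, the standard-library successor to DL named on the slide, rather than the FFI gem, and assumes a platform whose C library exports strlen and is already loaded into the process (Linux or macOS). The point it makes is the one a pentester cares about: C sees a different string length than Ruby does once a NUL byte is involved.

```ruby
require 'fiddle'

# Added example: call libc's strlen through Fiddle. Assumes strlen is resolvable
# in the process's global symbol scope (true on Linux/macOS).
STRLEN = Fiddle::Function.new(
  Fiddle::Handle::DEFAULT['strlen'],   # look the symbol up in the global scope
  [Fiddle::TYPE_VOIDP],                # const char *
  Fiddle::TYPE_SIZE_T                  # size_t
)

# A Ruby String is passed as a pointer to its bytes (Ruby keeps them
# NUL-terminated), so this is the length C sees.
def c_strlen(str)
  STRLEN.call(str).to_i
end

# The security-relevant gap: Ruby's bytesize counts every byte, C's strlen stops
# at the first NUL. A value that crosses into native code can silently lose its
# tail, the classic NUL-byte truncation bug in file names and paths.
def nul_truncated?(str)
  c_strlen(str) != str.bytesize
end
```

Any check that validates a string in Ruby and then hands it to a C extension or native library should be compared against `nul_truncated?`-style reasoning: validation ran on the whole value, the native side only saw the prefix.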
  12. Why Ruby? • Lends itself to Domain Specific Language (DSL) creation – A DSL is a mini-language designed to express solutions in one problem domain; Ruby's blocks, optional parentheses and instance_eval make them cheap to build – Sinatra – DSL for defining how to handle HTTP requests – Chef – DSL for automating server management tasks – RSpec – DSL for testing – ActiveRecord migrations – DSL for schema changes
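How such a DSL is put together, as an added example that is not from the deck or from any of the projects named: a small policy language for checking an HTTP response, in the Sinatra/Gauntlt style. `instance_eval` makes the policy object `self` inside the block, so bare words like `status` and `header` become method calls. The response is a constructed hash, not a live request, and all names are illustrative.

```ruby
# Added example: an internal DSL for response-hardening checks. Names are illustrative.
class ResponsePolicy
  Rule = Struct.new(:name, :test)

  attr_reader :rules

  def initialize
    @rules = []
  end

  # Entry point: the block is evaluated with the policy as `self`, so the bare
  # words `status`, `header` and `no_header` inside it resolve to the methods below.
  def self.define(&block)
    policy = new
    policy.instance_eval(&block)
    policy
  end

  # DSL vocabulary: each word records a rule as a name plus a lambda.
  def status(code)
    @rules << Rule.new("status #{code}", ->(resp) { resp[:status] == code })
  end

  def header(name, &predicate)
    @rules << Rule.new("header #{name}", ->(resp) { predicate.call(resp[:headers][name]) })
  end

  def no_header(name)
    @rules << Rule.new("no header #{name}", ->(resp) { !resp[:headers].key?(name) })
  end

  # Run every rule; returns { rule name => true/false }.
  def evaluate(resp)
    @rules.map { |rule| [rule.name, rule.test.call(resp) ? true : false] }.to_h
  end

  def failures(resp)
    evaluate(resp).reject { |_, ok| ok }.keys
  end
end

# A policy written in the DSL: reads like configuration, runs like code.
HARDENING = ResponsePolicy.define do
  status 200
  header 'Strict-Transport-Security' do |v|
    v.to_s.match?(/max-age=\d+/)
  end
  header 'X-Frame-Options' do |v|
    %w[DENY SAMEORIGIN].include?(v.to_s.upcase)
  end
  no_header 'Server'   # version banners leak patch level
end

# Constructed response, shaped like what a tool would capture (not a live request).
SAMPLE_RESPONSE = {
  status: 200,
  headers: {
    'Strict-Transport-Security' => 'max-age=31536000',
    'X-Frame-Options' => 'deny',
    'Server' => 'nginx/1.18.0'
  }
}.freeze
```

`HARDENING.failures(SAMPLE_RESPONSE)` returns just the rules that failed, which is what a Gauntlt-style attack file reports; the same DSL object can be fed responses from any HTTP client.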
  13. Why Ruby? • IRB – REPL for Ruby – Executes Ruby statements with an immediate response, so you can experiment against live objects in real time • Blocks, mixins and monkey patching
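The three language features the slide closes on, plus the open classes from slide 9, as one added example that is not from the deck: a mixin that yields payload mutations through a block, String reopened to gain helpers, and a monkey patch that wraps a method on a class we are pretending not to own. `HttpClient` is a constructed stand-in for a third-party library; no network is touched.

```ruby
# Added example: mixins, blocks, open classes and a monkey patch. Names are illustrative.

# Mixin: mutations are yielded to a block, or exposed as an Enumerator when no
# block is given, the standard Ruby idiom for anything iterable.
module Mutations
  def each_mutation
    return enum_for(:each_mutation) unless block_given?
    yield self + 'A' * 1024         # length: overflow-style probe
    yield self + "\0"               # embedded NUL: C-string truncation probe
    yield self + "' OR 1=1--"       # quote: SQL escaping probe
  end
end

# Open class: String is reopened to mix in Mutations and add two helpers;
# every existing String method keeps working.
class String
  include Mutations

  # Repeating-key XOR, a staple of CTF and malware-config work.
  def xor(key)
    k = key.bytes
    bytes.each_with_index.map { |b, i| b ^ k[i % k.size] }.pack('C*')
  end

  def to_hex
    unpack1('H*')
  end
end

# A constructed class standing in for a third-party library we cannot edit.
class HttpClient
  def get(url)
    "200 OK #{url}"
  end
end

# Monkey patch: reopen the class, keep the original method under a new name,
# and wrap it. Every caller in the process now goes through the wrapper, which
# is how tooling hooks a library's requests for logging or tampering.
class HttpClient
  alias_method :get_without_log, :get

  def get(url)
    (@log ||= []) << url
    get_without_log(url)
  end

  def log
    @log || []
  end
end
```

The same `alias_method` wrap applied to a real client (Net::HTTP#request, say) is the quickest way to see every request a gem makes without reading its source; remember it is process-global, so load it only in the session where you want the hook.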
  14. Why Ruby? • Binary string processing and pattern matching – Array#pack and String#unpack turn structs and wire formats into Ruby values and back
  15. Why Ruby? • First-class regular expressions – Perl-style syntax and semantics – Built into the language (literals, =~, named captures) without loading extra modules
  16. Why Ruby? • Network protocol and file format parsing are well supported – Clients for common protocols (HTTP, FTP, SMTP, POP3, IMAP) ship in the standard library (net/*) – Most everything else is available as a gem
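Slides 14 to 16 together, as one added example that is not from the deck: an IPv4 header is built with pack, parsed back with unpack, its checksum verified, and the HTTP request line pulled from the payload with a named-capture regex. The packet bytes are constructed in the example, not captured from a network, and the parser bounds-checks the wire-supplied lengths before trusting them.

```ruby
# Added example: build/parse IPv4 with pack/unpack, verify the checksum, regex the payload.
Ipv4 = Struct.new(:ihl, :total_length, :id, :ttl, :protocol, :checksum_ok,
                  :src, :dst, :payload)

# RFC 791 header checksum: ones'-complement sum of 16-bit big-endian words.
def inet_checksum(bytes)
  padded = bytes.b + ("\0" * (bytes.bytesize % 2)).b   # odd length: pad with one zero byte
  sum = padded.unpack('n*').sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff  # fold carries back in
  (~sum) & 0xffff
end

def ip_to_n(dotted)
  dotted.split('.').map(&:to_i).pack('C4').unpack1('N')
end

def n_to_ip(n)
  [n].pack('N').unpack('C4').join('.')
end

# Serialise: pack the ten header fields into 20 bytes, then patch in the checksum.
def build_ipv4(src, dst, payload, proto: 6, ttl: 64, id: 0x1234)
  total = 20 + payload.bytesize
  # version/IHL, TOS, total length, id, flags/frag (DF), TTL, proto, checksum, src, dst
  header = [0x45, 0, total, id, 0x4000, ttl, proto, 0, ip_to_n(src), ip_to_n(dst)].pack('CCnnnCCnNN')
  header[10, 2] = [inet_checksum(header)].pack('n')
  header + payload.b
end

# Parse: every length taken from the wire is checked before it is used.
def parse_ipv4(raw)
  raw = raw.b
  raise ArgumentError, 'truncated header' if raw.bytesize < 20
  vi, _tos, total, id, _frag, ttl, proto, _csum, src, dst = raw.unpack('CCnnnCCnNN')
  raise ArgumentError, 'not IPv4' unless vi >> 4 == 4
  ihl = (vi & 0x0f) * 4
  raise ArgumentError, 'bad IHL' if ihl < 20 || ihl > raw.bytesize || total < ihl
  header = raw.byteslice(0, ihl)
  ok = inet_checksum(header).zero?   # with the checksum field included, a valid header sums to zero
  body_len = [total, raw.bytesize].min - ihl
  Ipv4.new(ihl, total, id, ttl, proto, ok, n_to_ip(src), n_to_ip(dst), raw.byteslice(ihl, body_len))
end

# Pattern matching on the payload: named captures read cleanly in later code.
REQUEST_LINE = %r{\A(?<method>[A-Z]+) (?<path>\S+) HTTP/(?<version>\d\.\d)\r?\n}

def http_request_line(payload)
  m = REQUEST_LINE.match(payload)
  m && { method: m[:method], path: m[:path], version: m[:version] }
end
```

The IHL and total-length checks are the part worth copying: an attacker-controlled IHL smaller than 20 or larger than the buffer is exactly the input that turns a careless parser into a crash or an out-of-bounds read.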
  17. Why Ruby? • Cryptography, specifically comprehensive OpenSSL bindings – The openssl extension exposes a huge portion of the libcrypto/libssl API: ciphers, digests, HMAC, key derivation, X.509/PKI and TLS
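What those bindings look like in practice, as an added example that is not from the deck: PBKDF2 key derivation and AES-256-GCM authenticated encryption through `OpenSSL::KDF` and `OpenSSL::Cipher`, with the decrypt side refusing any ciphertext whose tag does not verify. The passphrase, salt and message are constructed for the example.

```ruby
require 'openssl'

# Added example: PBKDF2 + AES-256-GCM via Ruby's OpenSSL bindings. Inputs are constructed.
KEY_BYTES = 32

# Derive a key from a passphrase. The salt is random per secret and stored
# beside the ciphertext; the iteration count is the cost knob.
def derive_key(passphrase, salt, iterations: 100_000)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: iterations,
                           length: KEY_BYTES, hash: 'sha256')
end

# Returns the nonce, ciphertext and 16-byte tag. `aad` is authenticated but not
# encrypted (a version or record header, for example) and must be non-empty here.
def seal(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv          # 12-byte nonce; must never repeat under one key
  cipher.auth_data = aad         # set after key and iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Returns the plaintext, or nil when the tag does not verify: any change to the
# ciphertext, nonce, tag, key or AAD is rejected in `final`, so no unauthenticated
# output is ever trusted.
def open_sealed(key, box, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = box[:iv]
  cipher.auth_tag = box[:tag]
  cipher.auth_data = aad
  cipher.update(box[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```

Returning nil rather than partial plaintext on a failed tag is deliberate: GCM's `update` will happily emit garbage for a tampered message, and only `final` raises, so a caller that uses the `update` output before `final` has defeated the authentication.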
  18. Projects Using Ruby • Metasploit – Ported from Perl in 2006 • Why? – Platform-independent support for threading – Native interpreter for Windows – Enjoyed by the people who contribute to the framework
  19. Projects Using Ruby • Metasm – Assembler – Disassembler – Compiler – Bundled with the Metasploit framework – https://github.com/jjyg/metasm
  20. Projects Using Ruby • Ronin – Platform for vulnerability research and exploit development – Subprojects for database access, web scraping/spidering, assembly programming and shellcode generation, exploit and payload crafting, bruteforcers, SQL injection, etc. – https://github.com/ronin-ruby/
  21. Projects Using Ruby • Ruckus – DOM-inspired Ruby fuzzer – Great for network protocols – Declare structures as if you were writing C • Define network protocol headers – Built-in mutators for fuzzing
  22. Projects Using Ruby • BeEF – Browser Exploitation Framework – Penetration testing tool that focuses on the browser – http://beefproject.com/
  23. Projects Using Ruby • Gauntlt – "Be mean to your code and like it" – DSL (based on Cucumber) for driving popular security testing tools – http://gauntlt.org/
  24. Projects Using Ruby • PEDump – Supports MZ and PE formats – Can dump every part of the executable – https://github.com/zed-0xff/pedump
  25. Projects Using Ruby • Ruby BlackBag (rbkb) – Based on Matasano BlackBag – Miscellaneous pen-testing/reversing tools – https://github.com/emonti/rbkb
  26. Projects Using Ruby • Ragweed – Scriptable Win32/Linux/OS X debugger – https://github.com/tduehr/ragweed
  27. Projects Using Ruby • PacketFu – Mid-level packet manipulation library – https://github.com/todb/packetfu
  28. Projects Using Ruby • Arachni – Web application security scanner framework – Multiple deployment options (CLI, web UI, distributed grid) – Extensive security checks – Integrated browser environment for JavaScript/DOM analysis – http://www.arachni-scanner.com/
  29. Projects Using Ruby • Brakeman – Open-source static analysis vulnerability scanner designed specifically for Ruby on Rails applications – Developed and maintained by Twitter – http://brakemanscanner.org/
  30. Projects Using Ruby • WPScan – Black-box WordPress vulnerability scanner – http://wpscan.org/
  31. Projects Using Ruby • RailsGoat – Deliberately vulnerable Ruby on Rails application for learning and practising web application security – OWASP project – https://github.com/OWASP/railsgoat
  32. References • https://www.blackhat.com/presentations/bh-usa-09/TRACY/BHUSA09-Tracy-RubyPentesters-PAPER.pdf • http://matasano.com/research/ruby_for_pentesters/Ruby-For-Pentesters.pdf • http://rubysecurity.info/
