Ruby and Security

It’s not just for Python…

About Me

• Carl Sampson

• Twitter: @chs

• Web: www.chs.us

• Product Security Engineer at Salesforce

• Former developer turned appsec guy

• OWASP Indy chapter leader

• Ruby enthusiast

Why Ruby?

• One of the easiest languages to read: idiomatic Ruby reads much the same no matter who wrote it or in what style

– an_object.empty?

– 3.times { puts "Hello, World" }

– list_numbers.each {|num| print num}

– [1, 2, 3].length

Why Ruby?

• Package management system that makes it easy to share and modify tools

– Standard format for distributing Ruby programs and libraries

– RubyGems (http://rubygems.org)

Why Ruby?

• Powerful introspection and object-oriented capabilities

– Find out information about classes

– Dynamically create classes/methods

– ObjectSpace (enumerate every live object or class in the process)
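The three bullets above are what a plugin registry in a security framework is built from. The following is an added example written for this page (not code from the slides or from any framework); `SecurityCheck` and its subclasses are hypothetical names chosen for the illustration:

```ruby
# Added example (not from the slides): a plugin registry built on Ruby
# introspection, the way security frameworks discover their modules.
# SecurityCheck and its subclasses are hypothetical names for this example.

class SecurityCheck
  # Every loaded subclass is found at runtime via ObjectSpace; nothing
  # has to register itself. This walks every class in the process,
  # including ones defined by gems, so treat the result as untrusted input.
  def self.descendants
    ObjectSpace.each_object(Class).select { |klass| klass < self }
  end

  # Declare metadata as class methods generated on the fly.
  def self.metadata(**fields)
    fields.each { |key, value| define_singleton_method(key) { value } }
  end

  # Introspect a class: the instance methods it defines itself (false =
  # exclude inherited ones) plus the metadata it declared.
  def self.describe
    {
      name: name,
      own_methods: public_instance_methods(false).sort,
      severity: respond_to?(:severity) ? severity : :info
    }
  end
end

class OpenPortCheck < SecurityCheck
  metadata severity: :medium, targets: %w[tcp]

  def run(host)
    "#{host}: would connect to each port"
  end
end

class WeakTlsCheck < SecurityCheck
  metadata severity: :high, targets: %w[tls]

  def run(host)
    "#{host}: would enumerate TLS versions"
  end

  def remediation
    'disable TLS 1.0 and 1.1'
  end
end

# Build a check class at runtime from a name, a severity and a block (as a
# loader for YAML or DSL module descriptions would); Class.new plus
# define_method replaces boilerplate.
def build_check(const_name, level, &body)
  klass = Class.new(SecurityCheck) do
    metadata severity: level
    define_method(:run, &body)
  end
  Object.const_set(const_name, klass) # naming it makes describe[:name] non-nil
end

def checks_by_severity(level)
  SecurityCheck.descendants.select { |k| k.respond_to?(:severity) && k.severity == level }
end

build_check('BannerCheck', :low) { |host| "#{host}: would grab the banner" }
```

`ObjectSpace.each_object(Class)` sees every class in the process, so a framework that loads modules this way should also check where a class came from before trusting what it claims about itself.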

Why Ruby?

• Platform-independent support for multithreading

– Thread, Queue and Mutex behave the same on every OS; since Ruby 1.9 each Ruby thread is backed by a native OS thread

– Caveat: MRI's Global VM Lock lets only one thread run Ruby code at a time, but blocking I/O releases it, so network-bound tools such as scanners still gain from threading
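An added example of the threading pattern scanners use (written for this page, not taken from the slides or from any tool). `probe` is a constructed stand-in for a blocking network call so the example runs offline:

```ruby
# Added example (not from the slides): a bounded worker pool on Thread,
# Queue and Mutex, the pattern scanners use to probe many targets at once.
# `probe` is a constructed stand-in for a blocking network call: it sleeps
# instead of opening a socket so the example runs offline. MRI's GVL lets
# only one thread execute Ruby code at a time, but sleep and blocking I/O
# release it, so the waits overlap and total time drops.

def probe(target)
  raise ArgumentError, "unroutable target #{target}" if target.end_with?('.invalid')
  sleep 0.1
  "#{target}: reachable"
end

# Runs the block over items with `workers` threads. Results keep the input
# order; an exception in one item is captured as the result for that item
# instead of killing the thread (so one bad host cannot abort a scan).
def parallel_map(items, workers: 4)
  queue = Queue.new
  items.each_with_index { |item, i| queue << [i, item] }
  queue.close                             # pop returns nil once drained
  results = Array.new(items.size)
  lock = Mutex.new
  threads = Array.new(workers) do
    Thread.new do
      while (job = queue.pop)
        index, item = job
        outcome = begin
          yield item
        rescue StandardError => e
          e
        end
        lock.synchronize { results[index] = outcome }
      end
    end
  end
  threads.each(&:join)
  results
end

# Returns [results, elapsed_seconds] so the overlap is observable.
def scan(targets, workers:)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  results = parallel_map(targets, workers: workers) { |t| probe(t) }
  [results, Process.clock_gettime(Process::CLOCK_MONOTONIC) - started]
end

# Constructed target list; the last entry deliberately fails.
TARGETS = %w[10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.0.0.7 host.invalid].freeze
```

Eight targets at 0.1 s each would take 0.8 s serially; with eight workers the whole batch finishes in roughly one probe's time, GVL notwithstanding, because `sleep` (like a socket read) releases the lock.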

Why Ruby?

• The interpreter builds and runs natively on most platforms

• Doesn't require a compatibility layer such as Cygwin to build or run on Windows (RubyInstaller ships a native MinGW build)

• Easy to embed within another application

– API for calling from within C

Why Ruby?

• Robust standard library included

– 20,964 functions and classes

– Well-documented

• Dash

• Omniref (https://www.omniref.com/)

• Ruby-doc (http://www.ruby-doc.org/)

• ri (command-line documentation tool shipped with Ruby)

Why Ruby?

• Easy to extend existing classes to meet new needs (open classes)

– Ruby classes are never closed: any class, including String or Integer, can be reopened and changed at runtime, for the whole process
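An added example of reopening a core class, beside the scoped alternative Ruby offers (a refinement). This was written for this page, not taken from the slides; `String#shannon_entropy` and the `HexDump` refinement are hypothetical helpers:

```ruby
# Added example (not from the slides): reopening a core class, and the
# scoped alternative (a refinement). String#shannon_entropy and the HexDump
# refinement are hypothetical helpers written for this example; high
# entropy is a common heuristic for spotting packed code or embedded keys.

class String
  # Open class: every String in the process gains this method, including
  # strings inside other gems. Adding a method is low risk; redefining an
  # existing one (==, to_s, ...) changes behaviour for the whole process,
  # which is also why a malicious gem can quietly alter core behaviour.
  def shannon_entropy
    return 0.0 if empty?
    counts = each_byte.with_object(Hash.new(0)) { |b, h| h[b] += 1 }
    # Bits per byte; capped at log2(bytesize) for short inputs.
    counts.values.sum { |n| p = n.to_f / bytesize; -p * Math.log2(p) }
  end
end

module HexDump
  # A refinement changes String only where `using HexDump` is in effect.
  refine String do
    def hexdump(width = 16)
      bytes.each_slice(width).map { |row| row.map { |b| format('%02x', b) }.join(' ') }
    end
  end
end

module Report
  using HexDump # active only inside this module body

  def self.dump(blob)
    blob.hexdump
  end

  # Flags blobs whose entropy suggests compression, encryption or key material.
  def self.classify(blob, threshold: 6.0)
    blob.shannon_entropy >= threshold ? :high_entropy : :plain
  end
end
```

Outside `Report`, `"AB".hexdump` raises `NoMethodError`; the globally reopened `shannon_entropy`, by contrast, is visible everywhere.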

Why Ruby?

• Easy to hook native libraries

– FFI gem (call C-style shared libraries without writing any C)

– DL (bridge to dlopen) was deprecated in Ruby 2.0 and removed in 2.2; its standard-library replacement is Fiddle (libffi-based)

• Easy to extend using C (the MRI C API)
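An added example of hooking a native library from the standard library alone (written for this page, not from the slides), using Fiddle, the successor to DL. The `LibC` module and `cstring` helper are hypothetical names; the point it demonstrates is the NUL-byte truncation a C string API applies to Ruby strings:

```ruby
require 'fiddle'

# Added example (not from the slides): calling libc from Ruby with Fiddle,
# the standard-library successor to DL (no gem required). Also shows why a
# Ruby string must be checked for embedded NUL bytes before it reaches a C
# API: C stops at the first NUL, Ruby does not. The LibC module name and
# cstring helper are hypothetical, written for this example.

module LibC
  # RTLD_DEFAULT: resolve symbols already loaded into this process (libc).
  HANDLE = Fiddle::Handle::DEFAULT

  STRLEN = Fiddle::Function.new(HANDLE['strlen'], [Fiddle::TYPE_VOIDP], Fiddle::TYPE_SIZE_T)
  GETPID = Fiddle::Function.new(HANDLE['getpid'], [], Fiddle::TYPE_INT)

  # Raw call: Fiddle passes a pointer to the String's bytes. strlen reads
  # up to the first NUL it finds, which may be in the middle of the string.
  def self.strlen(str)
    STRLEN.call(str)
  end

  def self.getpid
    GETPID.call
  end
end

# Rejects strings that a C string API would silently truncate (the classic
# NUL-byte bug in path and filename handling).
def cstring(str)
  raise ArgumentError, 'embedded NUL byte' if str.include?("\0")
  str
end

def safe_strlen(str)
  LibC.strlen(cstring(str))
end
```

The FFI gem offers the same capability with a friendlier declaration syntax (`attach_function`), but the NUL caveat applies to any path by which a Ruby string reaches C.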

Why Ruby?

• Lends itself to Domain Specific Language (DSL) creation

– A DSL is a programming language designed specifically to express solutions to problems in a specific domain

– Sinatra – DSL for defining how to handle HTTP requests

– Chef – DSL for automating server management tasks

– RSpec – DSL for testing

– ActiveRecord migrations
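An added example of how such DSLs are built, written for this page in the style of a Gauntlt attack file; it is not Gauntlt's, Sinatra's or Chef's implementation, and `AttackSuite`, `Attack` and the tool outputs are hypothetical and constructed:

```ruby
# Added example (not from the slides): a miniature Gauntlt-style DSL built
# with instance_eval and plain Ruby methods. AttackSuite and Attack are
# hypothetical; this is not Gauntlt's, Sinatra's or Chef's implementation.
# Tool outputs are constructed inline so the example runs offline.

class Attack
  attr_reader :name, :expectations

  def initialize(name)
    @name = name
    @tool = nil
    @expectations = []
  end

  # DSL keywords are just methods; instance_eval makes them bare words.
  def tool(command = nil)
    return @tool if command.nil?
    @tool = command
  end

  def expect(pattern)
    @expectations << pattern
  end

  # An attack passes when every expectation matches the tool's output.
  def pass?(output)
    expectations.all? { |re| output.match?(re) }
  end
end

class AttackSuite
  attr_reader :attacks

  def initialize
    @attacks = []
  end

  def attack(name, &definition)
    a = Attack.new(name)
    a.instance_eval(&definition)   # block form: the DSL is Ruby the author wrote
    @attacks << a
    a
  end

  def self.define(&block)
    suite = new
    suite.instance_eval(&block)
    suite
  end

  # String form, for loading a suite from a file. instance_eval of a String
  # is arbitrary code execution: only load DSL text trusted as much as the
  # rest of the codebase (a checked-in file, never an upload or a parameter).
  def self.load_string(source, filename = 'suite.rb')
    suite = new
    suite.instance_eval(source, filename, 1)
    suite
  end

  def run(outputs)
    attacks.map { |a| [a.name, a.pass?(outputs.fetch(a.name, ''))] }.to_h
  end
end

SUITE = AttackSuite.define do
  attack 'tls versions' do
    tool 'sslyze --tlsv1 target'
    expect(/TLS 1\.0\s+NOT SUPPORTED/)
  end
  attack 'security headers' do
    tool 'curl -sI https://target/'
    expect(/Strict-Transport-Security/i)
    expect(/X-Content-Type-Options: nosniff/i)
  end
end

# Constructed sample output per tool (not real scanner output).
OUTPUTS = {
  'tls versions' => "Scanning target\n  TLS 1.0   NOT SUPPORTED\n  TLS 1.2   SUPPORTED\n",
  'security headers' => "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000\n"
}.freeze
```

The block form and the string form look alike to the DSL author but differ in trust: a block is code that was already parsed as part of the program, whereas `instance_eval(String)` turns whatever text it is handed into running Ruby.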

Why Ruby?

• IRB

– REPL for programming in Ruby

– Allows execution of Ruby commands with immediate response, allowing experimenting in real time

– Blocks, mixins and monkey patching

Why Ruby?

• Binary string processing and pattern matching (Array#pack / String#unpack, byte-level access, regular expressions over raw bytes)

Why Ruby?

• First-class regular expressions

– Borrowed from Perl

– Built-in without needing to include extra modules
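An added example of Ruby's regex support over log data, written for this page (not from the slides); it also shows the anchor pitfall that turns a Ruby input validator into a bypass. The log lines are constructed:

```ruby
# Added example (not from the slides): Ruby's built-in regex literals with
# named captures over access-log lines, plus the anchor pitfall that turns
# an input validator into a bypass. The log lines are constructed.

ACCESS_LOG = <<~LOG
  10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
  198.51.100.7 - - [10/Oct/2014:13:55:37 +0000] "GET /admin/../../etc/passwd HTTP/1.1" 404 512
  203.0.113.9 - - [10/Oct/2014:13:55:38 +0000] "POST /login HTTP/1.1" 401 87
  garbage line that does not parse
LOG

# Regex literal with named groups; %r{} avoids escaping slashes and the
# x flag allows the pattern to be laid out across lines.
LOG_LINE = %r{
  \A(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s\S+\s\S+\s
  \[(?<time>[^\]]+)\]\s
  "(?<method>[A-Z]+)\s(?<path>\S+)\sHTTP/[\d.]+"\s
  (?<status>\d{3})\s(?<bytes>\d+)\z
}x

def parse_log_line(line)
  m = LOG_LINE.match(line.chomp)
  return nil unless m
  m.named_captures.merge('status' => m[:status].to_i, 'bytes' => m[:bytes].to_i)
end

# Path traversal and a few other tells, matched against the path only.
SUSPICIOUS_PATH = %r{(?:\.\./|%2e%2e|/etc/passwd|<script)}i

def suspicious_requests(log)
  log.each_line.map { |l| parse_log_line(l) }.compact.select { |r| r['path'].match?(SUSPICIOUS_PATH) }
end

# The pitfall: in Ruby, ^ and $ match at line boundaries, not string ends,
# so this "validator" accepts a newline followed by anything.
def valid_username_loose?(s)
  s.match?(/^[a-z0-9_]{1,32}$/)
end

# \A and \z anchor the whole string; this is what input validation needs.
def valid_username_strict?(s)
  s.match?(/\A[a-z0-9_]{1,32}\z/)
end
```

`^`/`$` are line anchors in Ruby (as in Perl's multiline mode), so every validation regex in a Ruby codebase should use `\A` and `\z`; Brakeman flags the loose form in Rails `validates ... format:` declarations for exactly this reason.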

Why Ruby?

• Network protocol and file format parsing are well supported in Ruby

– Clients for common protocols ship with Ruby (net/http, net/smtp, net/imap, net/pop, net/ftp, plus Socket for raw TCP/UDP)

– Most everything else is available as a gem
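An added example serving both the binary-string bullet above and this one: building and parsing a DNS query with `pack`/`unpack`, with the bounds checks a parser needs against hostile input. It was written for this page (not from the slides or from any library), and the packet bytes are constructed:

```ruby
# Added example (not from the slides): building and parsing a DNS query with
# Array#pack / String#unpack, with the bounds checks a parser needs against
# hostile input. The packet bytes are constructed here.

module DNS
  Header = Struct.new(:id, :flags, :qdcount, :ancount, :nscount, :arcount)

  # Standard query (RD set), one question, given qtype (1 = A), class IN.
  def self.build_query(id, name, qtype: 1)
    qname = name.split('.').map do |label|
      raise ArgumentError, 'label too long' if label.bytesize > 63
      [label.bytesize, label].pack('Ca*')
    end.join + "\x00".b
    [id, 0x0100, 1, 0, 0, 0].pack('n6') + qname + [qtype, 1].pack('nn')
  end

  def self.parse_header(pkt)
    raise ArgumentError, 'short header' if pkt.bytesize < 12
    Header.new(*pkt.byteslice(0, 12).unpack('n6'))
  end

  # Parses a name starting at offset, following compression pointers with a
  # hop limit so a crafted loop cannot hang the parser.
  # Returns [name, offset_after_name].
  def self.parse_name(pkt, offset)
    labels = []
    next_off = nil
    hops = 0
    loop do
      raise ArgumentError, 'truncated name' if offset >= pkt.bytesize
      len = pkt.getbyte(offset)
      if (len & 0xC0) == 0xC0
        raise ArgumentError, 'truncated pointer' if offset + 1 >= pkt.bytesize
        raise ArgumentError, 'pointer loop' if (hops += 1) > 8
        ptr = ((len & 0x3F) << 8) | pkt.getbyte(offset + 1)
        next_off ||= offset + 2   # the name ends after the first pointer
        offset = ptr
      elsif len.zero?
        return [labels.join('.'), next_off || offset + 1]
      else
        raise ArgumentError, 'label overruns packet' if offset + 1 + len > pkt.bytesize
        labels << pkt.byteslice(offset + 1, len)
        offset += 1 + len
      end
    end
  end

  def self.parse_query(pkt)
    header = parse_header(pkt)
    name, off = parse_name(pkt, 12)
    raise ArgumentError, 'truncated question' if off + 4 > pkt.bytesize
    qtype, qclass = pkt.byteslice(off, 4).unpack('nn')
    { header: header, qname: name, qtype: qtype, qclass: qclass }
  end
end
```

Every read is checked against `bytesize` before it happens and pointer following is capped, which is the difference between a parser that can face a fuzzer (or the Internet) and one that cannot.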

Why Ruby?

• Cryptography, specifically comprehensive OpenSSL bindings

– The openssl extension exposes a large part of libcrypto and libssl: ciphers, digests, HMAC, key derivation, asymmetric keys (RSA, EC, DH), X.509 certificates, PKCS#12 and SSL/TLS sockets
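An added example of the parts of those bindings a tool author reaches for most often, written for this page (not from the slides); the `Sealed` module is hypothetical and the keys and messages are constructed:

```ruby
require 'openssl'

# Added example (not from the slides): AES-256-GCM authenticated encryption,
# HMAC with a constant-time compare, and PBKDF2 key derivation via Ruby's
# OpenSSL bindings. The Sealed module is hypothetical; inputs are constructed.

module Sealed
  CIPHER = 'aes-256-gcm'

  # Derive a 256-bit key from a passphrase; the salt must be random per
  # secret and stored beside the ciphertext. 100_000 is a floor, not a target.
  def self.derive_key(passphrase, salt, iterations: 100_000)
    OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: iterations,
                             length: 32, hash: 'SHA256')
  end

  # Returns iv, ciphertext and the 16-byte GCM tag. A fresh random IV per
  # message is mandatory: IV reuse under one key breaks GCM completely.
  def self.encrypt(key, plaintext, aad: '')
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    cipher.auth_data = aad
    ciphertext = cipher.update(plaintext) + cipher.final
    { iv: iv, ct: ciphertext, tag: cipher.auth_tag }
  end

  # Raises OpenSSL::Cipher::CipherError if ciphertext, tag or AAD were
  # modified; callers must treat that as a hard failure, not a warning.
  def self.decrypt(key, iv:, ct:, tag:, aad: '')
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = aad
    cipher.update(ct) + cipher.final
  end

  def self.mac(key, message)
    OpenSSL::HMAC.digest('SHA256', key, message)
  end

  # String#== stops at the first differing byte; secure_compare takes the
  # same time regardless, so a forger learns nothing from timing.
  def self.mac_valid?(key, message, tag)
    OpenSSL.secure_compare(mac(key, message), tag)
  end
end

# Convenience for callers: true if the sealed box fails authentication.
def tampered?(key, sealed, aad: '')
  Sealed.decrypt(key, aad: aad, **sealed)
  false
rescue OpenSSL::Cipher::CipherError
  true
end
```

With GCM the decryption `update` call returns bytes before `final` verifies the tag, so never act on the output of `update` alone; `OpenSSL.secure_compare` requires the openssl gem 2.2 or later (Ruby 2.7+).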

Projects Using Ruby?

• Metasploit

– Ported from Perl in 2006

• Why?

– Platform independent support for threading

– Native interpreter for Windows

– Enjoyed by the people that contribute to the framework

Projects Using Ruby?

• Metasm

– Assembler

– Disassembler

– Compiler

– Part of the Metasploit project

– https://github.com/jjyg/metasm

Projects Using Ruby

• Ronin

– Platform for vulnerability research and exploit development

– Subprojects for database access, web scraping/spidering, assembly programming and shellcode generation, exploit and payload crafting, brute-forcers, SQL injection, etc.

– https://github.com/ronin-ruby/

Projects Using Ruby

• Ruckus

– DOM-inspired Ruby fuzzer

– Great for network protocols

– Declare structures like you’re writing C

• Define network protocol headers

– Built in mutators for fuzzing

Projects Using Ruby

• BeEF

– Browser Exploitation Framework Project

– Pen testing tool that focuses on the browser

– http://beefproject.com/

Projects Using Ruby

• Gauntlt

– BE MEAN TO YOUR CODE AND LIKE IT

– DSL (based on Cucumber) for interfacing with popular testing tools

– http://gauntlt.org/

Projects Using Ruby

• PEDump

– Supports MZ & PE formats

– Can dump every part of the executable

– https://github.com/zed-0xff/pedump

Projects Using Ruby

• Ruby BlackBag (rbkb)

– Based on Matasano BlackBag

– Misc Pen-testing/reversing tools

– https://github.com/emonti/rbkb

Projects Using Ruby

• Ragweed

– Scriptable Win32/Linux/OSX debugger

– https://github.com/tduehr/ragweed

Projects Using Ruby

• PacketFu

– Mid-level packet manipulation library

– https://github.com/todb/packetfu

Projects Using Ruby

• Arachni

– Web application security scanner framework

– Multiple deployment options (CLI, Web, Distributed)

– Extensive security checks

– Automated, distributed, high-performance JavaScript/DOM security debugger

– http://www.arachni-scanner.com/

Projects Using Ruby

• Brakeman

– Open-source static analysis vulnerability scanner specifically designed for Ruby on Rails applications

– Developed and maintained by Twitter

– http://brakemanscanner.org/

Projects Using Ruby

• WPScan

– Black box WordPress vulnerability scanner

– http://wpscan.org/

Projects Using Ruby

• RailsGoat

– Deliberately vulnerable Ruby on Rails application (not the framework itself) covering the OWASP Top 10

– OWASP project

– https://github.com/OWASP/railsgoat

References

• https://www.blackhat.com/presentations/bh-usa-09/TRACY/BHUSA09-Tracy-RubyPentesters-PAPER.pdf

• http://matasano.com/research/ruby_for_pentesters/Ruby-For-Pentesters.pdf

• http://rubysecurity.info/