ruby and security
TRANSCRIPT
About Me
• Carl Sampson
• Twitter: @chs
• Web: www.chs.us
• Product Security Engineer at Salesforce
• Former developer turned appsec guy
• OWASP Indy chapter leader
• Ruby enthusiast
Why Ruby?
• One of the easiest languages to read and parse by anyone regardless of style
– an_object.empty?
– 3.times { puts "Hello, World" }
– list_numbers.each {|num| print num}
– [1, 2, 3].length
Why Ruby?
• Package management system that makes it easy to share and modify tools
– Standard format for distributing Ruby programs and libraries
– RubyGems (http://rubygems.org)
Why Ruby?
• Powerful introspection and object-oriented capabilities
– Find out information about classes
– Dynamically create classes/methods
– ObjectSpace
Why Ruby?
• Can be compiled and run natively on most platforms
• Doesn't require libraries such as Cygwin to build on Windows
• Easy to embed within another application
– API for calling from within C
Why Ruby?
• Robust standard library included
– 20,964 functions and classes
– Well-documented
• Dash
• Omniref (https://www.omniref.com/)
• Ruby-doc (http://www.ruby-doc.org/)
• Ri
Why Ruby?
• Easy to extend existing classes to meet new needs (open classes)
– Ruby classes are never closed
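The introspection, dynamic class creation, ObjectSpace and open-class points from the slides above, as an added Ruby example that is not from the talk: a record class built at runtime from a field list, a plugin hierarchy discovered through ObjectSpace, and a small audit that uses `source_location` to list which methods of a core class were (re)defined by loaded Ruby code rather than by the interpreter. Every name here (`build_record_class`, `LoginEvent`, `Plugin`, `String#shout`, `ruby_defined_methods`, `where_defined`) is my own.

```ruby
# Added example, not from the talk. All names below are made up for illustration.

# 1. Dynamic class creation: build a record class from a list of field names,
#    the way ORMs and DSLs define accessors at runtime.
def build_record_class(fields)
  Class.new do
    attr_reader(*fields)
    define_method(:initialize) do |**kwargs|
      fields.each { |f| instance_variable_set("@#{f}", kwargs.fetch(f)) }
    end
    define_method(:to_h) { fields.map { |f| [f, public_send(f)] }.to_h }
  end
end

LoginEvent = build_record_class(%i[user ip ok])

# 2. ObjectSpace: find every loaded subclass of a base class (plugin discovery,
#    which is how frameworks locate modules without a hand-maintained registry).
class Plugin; end
class TlsCheck < Plugin; end
class HeaderCheck < Plugin; end

def subclasses_of(base)
  ObjectSpace.each_object(Class).reject(&:singleton_class?).select { |c| c < base }
end

# 3. Open classes: any loaded code, including a third-party gem, can reopen a
#    core class and add or replace methods.
class String
  def shout
    upcase + "!"
  end
end

# 4. Introspection as an audit: methods implemented in C have no
#    source_location, and Ruby's own builtin prelude reports "<internal:...>",
#    so anything else with a Ruby source file was (re)defined by loaded Ruby code.
def ruby_defined_methods(klass)
  klass.instance_methods(false).select do |m|
    loc = klass.instance_method(m).source_location
    loc && !loc.first.start_with?("<internal:")
  end.sort
end

def where_defined(klass, name)
  file, line = klass.instance_method(name).source_location
  return "native (C)" if file.nil?
  return "builtin prelude" if file.start_with?("<internal:")
  "#{file}:#{line}"
end
```

Running `ruby_defined_methods(String)` in a loaded application is a cheap way to see which gems have patched core classes; the `<internal:` filter matters because recent Ruby versions implement some builtin methods in Ruby and would otherwise show up as false positives.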
Why Ruby?
• Easy to hook native libraries
– FFI (interface with c-style libraries)
– DL (bridge to dlopen)
• Easy to extend using C
Why Ruby?
• Lends itself to Domain Specific Language (DSL) creation
– Programming language designed specifically to express solutions to problems in a specific domain
– Sinatra – DSL for defining how to handle HTTP requests
– Chef – DSL for automating server management tasks
– RSpec – DSL for testing
– ActiveRecord migrations
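The DSL point above, together with the blocks and mixins mentioned on the IRB slide, as an added Ruby example that is not from the talk: a tiny configuration-hardening DSL in the style of Gauntlt or RSpec, built from `instance_eval`, blocks and a mixin. `Checks`, `Reporting`, `HARDENING`, `audit` and the check names are my own constructed names.

```ruby
# Added example, not from the talk; Checks, Reporting and the check names are made up.

# A mixin: behaviour shared by any class that exposes #results.
module Reporting
  def report
    results.map { |name, ok| "#{ok ? 'PASS' : 'FAIL'} #{name}" }
  end
end

# The DSL host. `define` evaluates the block with self set to a new suite,
# so bare `check ... do ... end` calls inside the block become method calls
# on that suite; this is the same trick Sinatra, RSpec and Chef rely on.
class Checks
  include Reporting
  attr_reader :results

  def self.define(&block)
    suite = new
    suite.instance_eval(&block)
    suite
  end

  def initialize
    @checks = []
    @results = {}
  end

  # DSL verb: register a named check whose body receives the target config.
  def check(name, &body)
    @checks << [name, body]
  end

  # Run every check; a check that raises counts as a failure instead of
  # aborting the whole run, so a missing key cannot hide later findings.
  def run(target)
    @checks.each do |name, body|
      @results[name] = begin
        body.call(target) ? true : false
      rescue StandardError
        false
      end
    end
    self
  end
end

# Constructed hardening checks written in the DSL.
HARDENING = Checks.define do
  check("no default admin password") { |cfg| cfg[:admin_password] != "admin" }
  check("TLS enabled")                { |cfg| cfg[:tls] == true }
  check("session timeout <= 15 min")  { |cfg| cfg.fetch(:session_timeout) <= 15 }
end

def audit(config)
  HARDENING.run(config).results
end
```

Because `instance_eval` changes `self` for the block, anything the user writes inside `define do ... end` that is not a `Checks` method raises `NoMethodError`, which is the usual cost of this style of DSL and worth knowing when reading Chef or RSpec code.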
Why Ruby?
• IRB
– REPL for programming in Ruby
– Allows execution of Ruby commands with immediate response, allowing experimenting in real time
– Blocks, mixins and monkey patching
Why Ruby?
• First-class regular expressions
– Borrowed from Perl
– Built-in without needing to include extra modules
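The first-class regex point above, as an added Ruby example that is not from the talk: a regex literal with the `x` flag and named captures parses a few constructed SSH auth-log lines, and the parsed records are rolled up into failed logins per source address. `AUTH_LINE`, `SAMPLE_LOG`, `parse_auth_line`, `failed_logins_by_ip`, `suspicious_ips` and `ips_mentioned` are my own names; the log lines are constructed, not captured.

```ruby
# Added example, not from the talk. The log lines below are constructed samples.

# Regex literal with the x flag (whitespace and comments allowed) and named groups.
AUTH_LINE = /
  \A(?<ts>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+   # syslog timestamp
  (?<host>\S+)\s+sshd\[(?<pid>\d+)\]:\s+         # host and sshd pid
  (?<result>Failed|Accepted)\s+password\s+for\s+
  (?:invalid\s+user\s+)?(?<user>\S+)\s+
  from\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+(?<port>\d+)
/x

IPV4 = /\b\d{1,3}(?:\.\d{1,3}){3}\b/

SAMPLE_LOG = [
  "Mar  4 10:15:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2",
  "Mar  4 10:15:03 bastion sshd[2213]: Failed password for root from 203.0.113.9 port 51130 ssh2",
  "Mar  4 10:15:07 bastion sshd[2219]: Accepted password for carl from 198.51.100.20 port 40012 ssh2",
  "Mar  4 10:15:09 bastion sshd[2222]: Failed password for root from 203.0.113.9 port 51140 ssh2",
  "Mar  4 10:15:10 bastion sshd[2225]: pam_unix(sshd:auth): authentication failure; logname= uid=0",
].freeze

# Parse one line into a hash, or nil when it is not a password auth event.
def parse_auth_line(line)
  m = AUTH_LINE.match(line)
  return nil unless m

  rec = m.named_captures.transform_keys(&:to_sym)
  rec[:pid] = rec[:pid].to_i
  rec[:port] = rec[:port].to_i
  rec[:failed] = rec[:result] == "Failed"
  rec
end

# { ip => number of failed logins }, ignoring lines that do not parse.
def failed_logins_by_ip(lines)
  lines.filter_map { |l| parse_auth_line(l) }
       .select { |e| e[:failed] }
       .group_by { |e| e[:ip] }
       .transform_values(&:size)
end

# Sources that crossed the failure threshold (a simple brute-force signal).
def suspicious_ips(lines, threshold: 3)
  failed_logins_by_ip(lines).select { |_, n| n >= threshold }.keys
end

# String#scan with a regex: every distinct IPv4 literal in a blob of text.
def ips_mentioned(text)
  text.scan(IPV4).uniq
end
```

Named captures keep the parser readable and let `MatchData#named_captures` hand back a hash directly; the `x` flag is what makes a regex of this size reviewable in a code review rather than a single opaque line.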
Why Ruby?
• Network protocol and file format parsing are well supported in Ruby
– Most network protocols built in
– Most everything else available as a gem
Why Ruby?
• Cryptography, specifically comprehensive OpenSSL bindings
– Exposes a huge portion of the API
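The OpenSSL-bindings point above, as an added Ruby example that is not from the talk: authenticated encryption with AES-256-GCM, tamper detection through the GCM tag, an HMAC, and a constant-time comparison, all from the standard `openssl` library. The function names (`generate_key`, `encrypt`, `decrypt`, `hmac_sha256`, `hmac_valid?`) are my own.

```ruby
require "openssl"

# Added example, not from the talk: authenticated encryption and MAC
# verification with Ruby's standard OpenSSL bindings. Function names are my own.

CIPHER = "aes-256-gcm"

def generate_key
  OpenSSL::Random.random_bytes(32) # 256-bit key from the OpenSSL CSPRNG
end

# Returns { iv:, ciphertext:, tag: }. AAD is authenticated but not encrypted.
def encrypt(key, plaintext, aad: "")
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv              # fresh 96-bit nonce for every message
  cipher.auth_data = aad             # must be set after key/iv, before update
  # Cipher#update rejects an empty string, so handle empty plaintext explicitly.
  ct = plaintext.empty? ? "".b : cipher.update(plaintext)
  ct << cipher.final
  { iv: iv, ciphertext: ct, tag: cipher.auth_tag }
end

# Returns the plaintext, or nil when the tag does not verify: tampered
# ciphertext, wrong key, or different AAD all fail the same way.
def decrypt(key, msg, aad: "")
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = key
  cipher.iv = msg[:iv]
  cipher.auth_tag = msg[:tag]        # must be set before final
  cipher.auth_data = aad
  pt = msg[:ciphertext].empty? ? "".b : cipher.update(msg[:ciphertext])
  pt << cipher.final                 # raises CipherError on tag mismatch
  pt
rescue OpenSSL::Cipher::CipherError
  nil
end

def hmac_sha256(key, data)
  OpenSSL::HMAC.digest("SHA256", key, data)
end

# Constant-time tag check; a plain == would leak how many leading bytes match.
def hmac_valid?(key, data, tag)
  return false unless tag.bytesize == 32
  OpenSSL.fixed_length_secure_compare(hmac_sha256(key, data), tag)
end
```

The order of the `auth_tag=` and `auth_data=` calls is the part most often wrong in real code: the tag must be installed before `final`, and AAD must be supplied after the key and IV, otherwise decryption silently verifies the wrong thing or raises.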
Projects Using Ruby?
• Metasploit
– Ported from Perl in 2006
• Why?
– Platform independent support for threading
– Native interpreter for Windows
– Enjoyed by the people that contribute to the framework
Projects Using Ruby?
• Metasm
– Assembler
– Disassembler
– Compiler
– Part of the Metasploit project
– https://github.com/jjyg/metasm
Projects Using Ruby
• Ronin
– Platform for vulnerability research and exploit development
– Subprojects for database access, web scraping/spidering, assembly programming and shellcode generation, exploit and payload crafting, bruteforcers, SQL injection, etc.
– https://github.com/ronin-ruby/
Projects Using Ruby
• Ruckus
– DOM-inspired ruby fuzzer
– Great for network protocols
– Declare structures like you’re writing C
• Define network protocol headers
– Built in mutators for fuzzing
Projects Using Ruby
• BeEF
– Browser Exploitation Framework Project
– Pen testing tool that focuses on the browser
– http://beefproject.com/
Projects Using Ruby
• Gauntlt
– BE MEAN TO YOUR CODE AND LIKE IT
– DSL (based on Cucumber) for interfacing with popular testing tools
– http://gauntlt.org/
Projects Using Ruby
• PEDump
– Supports MZ & PE formats
– Can dump every part of the executable
– https://github.com/zed-0xff/pedump
Projects Using Ruby
• Ruby BlackBag (rbkb)
– Based on Matasano BlackBag
– Misc Pen-testing/reversing tools
– https://github.com/emonti/rbkb
Projects Using Ruby
• Ragweed
– Scriptable Win32/Linux/OSX debugger
– https://github.com/tduehr/ragweed
Projects Using Ruby
• PacketFu
– Mid-level packet manipulation library
– https://github.com/todb/packetfu
Projects Using Ruby
• Arachni
– Web application security scanner framework
– Multiple deployment options (CLI, Web, Distributed)
– Extensive security checks
– Automated, distributed, high-performance JavaScript/DOM security debugger
– http://www.arachni-scanner.com/
Projects Using Ruby
• Brakeman
– Open-source vulnerability scanner specifically designed for RoR applications
– Developed and maintained by Twitter
– http://brakemanscanner.org/
Projects Using Ruby
• RailsGoat
– Vulnerable version of the RoR framework
– OWASP project
– https://github.com/OWASP/railsgoat
References
• https://www.blackhat.com/presentations/bh-usa-09/TRACY/BHUSA09-Tracy-RubyPentesters-PAPER.pdf
• http://matasano.com/research/ruby_for_pentesters/Ruby-For-Pentesters.pdf
• http://rubysecurity.info/