A discussion of ruby and security

1. Ruby and Security
It’s not just for Python…

2. About Me
• Carl Sampson
• Twitter: @chs
• Web: www.chs.us
• Product Security Engineer at Salesforce
• Former developer turned appsec guy
• OWASP Indy chapter leader
• Ruby enthusiast

3. Why Ruby?
• One of the easiest languages to read and
parse by anyone regardless of style
– an_object.empty?
– 3.times { puts “Hello, World” }
– list_numbers.each {|num| print num}
– [1, 2, 3].length

4. Why Ruby?
• Package management system that makes it
easy to share and modify tools
– Standard format for distributing Ruby programs
and libraries
– RubyGems (http://rubygems.org)

5. Why Ruby?
• Powerful introspection and object-oriented
capabilities
– Find out information about classes
– Dynamically create classes/methods
– Objectspace

6. Why Ruby?
• Platform-independent support for
multithreading
– Leverages native features of the OS

7. Why Ruby?
• Can be compiled and run natively on most
platforms
• Doesn’t require libraries such as cygwin to
build on windows
• Easy to embed within another application
– API for calling from within C

8. Why Ruby?
• Robust standard library included
– 20, 964 functions and classes
– Well-documented
• Dash
• Omniref (https://www.omniref.com/)
• Ruby-doc (http://www.ruby-doc.org/)
• Ri

9. Why Ruby?
• Easy to extend existing classes to meet new
needs (open classes)
– Ruby classes are never closed

10. Why Ruby?

11. Why Ruby?
• Easy to hook native libraries
– FFI (interface with c-style libraries)
– DL (bridge to dlopen)
• Easy to extend using C

12. Why Ruby?
• Lends itself to Domain Specific Language (DSL)
creation
– Programming language designed specifically to
express solutions to problems in a specific domain
– Sinatra – DSL for defining how to handle HTTP
requests
– Chef – DSL for automating server management tasks
– Rspec – DSL for testing
– ActiveRecord migrations

13. Why Ruby?
• IRB
– REPL for programming in ruby
– Allows execution of Ruby commands with
immediate response, allowing experimenting in
real time
– Blocks, mixins and monkey patching

14. Why Ruby?
• Binary string processing and pattern matching

15. Why Ruby?
• First-class regular expressions
– Borrowed from Perl
– Built-in without needing to include extra modules

16. Why Ruby?
• Network protocol and file format parsing are
well supported in Ruby
– Most network protocols built in
– Most everything else available as a gem

17. Why Ruby?
• Cryptography, specifically comprehensive
OpenSSL bindings
– Exposes a huge portion of the API

18. Projects Using Ruby?
• Metasploit
– Ported from Perl in 2006
• Why?
– Platform independent support for threading
– Native interpreter for Windows
– Enjoyed by the people that contribute to the
framework

19. Projects Using Ruby?
• Metasm
– Assembler
– Disassembler
– Compiler
– Part of the Metasploit project
– https://github.com/jjyg/metasm

20. Projects Using Ruby
• Ronin
– Platform for vulnerability research and exploit
development
– Subprojects for database access, web scraping
/spidering, assembly programming and
shellcoding generation, exploit and payload
crafting, bruteforcers, SQL injection, etc.
– https://github.com/ronin-ruby/

21. Projects Using Ruby
• Ruckus
– DOM-inspired ruby fuzzer
– Great for network protocols
– Declare structures like you’re writing C
• Define network protocol headers
– Built in mutators for fuzzing

22. Projects Using Ruby
• BeEF
– Browser Exploitation Framework Project
– Pen testing tool that focuses on the browser
– http://beefproject.com/

23. Projects Using Ruby
• Gauntlt
– BE MEAN TO YOUR CODE AND LIKE IT
– DSL (based on Cucumber) for interfacing with
popular testing tools
– http://gauntlt.org/

24. Projects Using Ruby
• PEDump
– Supports MZ & PE formats
– Can dump every part of the executable
– https://github.com/zed-0xff/pedump

25. Projects Using Ruby
• Ruby BlackBag (rbkb)
– Based on Matasano BlackBag
– Misc Pen-testing/reversing tools
– https://github.com/emonti/rbkb

26. Projects Using Ruby
• Ragweed
– Scriptable Win32/Linux/OSX debugger
– https://github.com/tduehr/ragweed

27. Projects Using Ruby
• PacketFu
– Mid-level packet manipulation library
– https://github.com/todb/packetfu

28. Projects Using Ruby
• Arachni
– Web application security scanner framework
– Multiple deployment options (CLI, Web,
Distributed)
– Extensive security checks
– Automated, distributed, high-performance
JavaScript/DOM security debugger
– http://www.arachni-scanner.com/

29. Projects Using Ruby
• Brakeman
– Open-source vulnerability scanner specifically
designed for RoR applications
– Developed and maintained by Twitter
– http://brakemanscanner.org/

30. Projects Using Ruby
• WPScan
– Black box WordPress vulnerability scanner
– http://wpscan.org/

31. Projects Using Ruby
• RailsGoat
– Vulnerable version of the RoR framework
– OWASP project
– https://github.com/OWASP/railsgoat

32. References
• https://www.blackhat.com/presentations/bh-usa-
09/TRACY/BHUSA09-Tracy-RubyPentesters-PAPER.pdf
• http://matasano.com/research/ruby_for_pentesters/Ruby-
For-Pentesters.pdf
• http://rubysecurity.info/