Ruby InfoSec

124 readers
3 users here now

Where Ruby and InfoSec intersect.

founded 1 year ago
MODERATORS
1
2
3
4
5
6
7
8
9
10
11
 
 

Dozens of Ruby-related CVEs have been caused by user input being passed to the top-level Kernel.open() method, which not only accepts paths or URIs (if open-uri has been loaded), but also "|command-here" commands which are then opened using IO.popen() resulting in Remote Command Execution (RCE) vulnerabilities. In the next minor Ruby version (3.3.0) a deprecation warning will be printed if a "|command-here" input is given to Kernel.open(). Hopefully, in Ruby 4.0 this insecure feature will be removed.

12
 
 

You may have recently read a news story about how a typo in a US military email address (@.mil -> @.ml) accidentally caused sensitive military secrets to be sent to a similar Mali email address for years.

What if I told you, you could use Ronin to find all of the one-character-missing valid typos for all of the TLDs?

13
 
 

Checkout what new features were added in ronin-code-sql 2.1.0. Using ronin-code-sql you can generate complex and obfuscated SQL injections (SQLi).

14
 
 

A quick reference cheat sheet on how to port pwnlib code to Ronin.

15
 
 

A quick reference cheat sheet on how to port Python code to Ruby/Ronin code.

16
 
 

A multi-part guide on how to write quick Ruby scripts using the ronin-support library. ronin-support is sort of like activesupport meets Python's pwnlib, but in Ruby.

17
 
 

A step-by-step guide explaining how to port a Metasploit Exploit to Ronin Exploits. Ronin Exploits is a simpler, more Object Orientated, micro-framework for writing and running exploits.

18
 
 

Ever wanted to know more about the Ronin CLI, how to use ronin-repos or ronin-db, how to write Ruby scripts using ronin-support, or how to port Metasploit Payloads to ronin-payloads? We now have eight new Guides on those topics. Check it out!