16-01-2019 / From 0 to pentesting hero

Ruby

Today we are going to talk about the Ruby language. We'll take a look at a simple implementation of a proxy server.

require 'webrick'
require 'open-uri'

class ProxyServlet < WEBrick::HTTPServlet::AbstractServlet
    def do_GET(request, response)
        # Deliberately vulnerable: the user-controlled "url" parameter goes straight to Kernel#open
        open(request.query["url"]) do |http|
            result = http.read
            response.body = result
        end
    end
end

server = WEBrick::HTTPServer.new(Port: 8000)
server.mount('/', ProxyServlet)
server.start

But first, what is a proxy server? Sometimes certain websites are blocked in companies.

How such filters work is simple: they check which URL the computer connects to,

and if that address is blocked, they do not allow the connection.

This is where proxy servers come in handy. There are many of them; they are easy to find on the Internet.

In such a gateway we provide the address that we want to connect to.

Then the gateway downloads the content of the website using its own resources and returns it to us in text format.

Because it was not us who connected to the given address, the firewall is not aware that we are reaching the blocked website.

Here I have a very simple implementation of such a service in Ruby.

We are going to use the webrick module to quickly create a web server.

Next, we pass the url parameter from the user to the open function and display the content it returns.

Let's check how this code sample works.

Proxy server

As you can see, I received the content of the external site.

Now let's move on to finding the vulnerabilities. This code contains two of them.

First, server-side request forgery.

On the same server, I also have a running instance of the phpMyAdmin tool, which is used for database management.

phpMyAdmin

It is configured in such a way that it is impossible to access it from the outside.

We can connect to this address only from localhost.

phpMyAdmin proxy

But what will happen if we provide this address as the parameter of our proxy?

The content will be downloaded. Why? Because the gateway and phpMyAdmin are available on the same server.

How to protect yourself against this vulnerability?

By using external modules, for example ssrf_filter [1], which check whether the address given by the user points to resources on the local machine.

SSRF filter

But that is not all. The open function has one more interesting feature.

If the parameter passed to it begins with a vertical line, that is, a pipe, it is not treated as a URL but as a command to execute in the console [2].

Pipe Ruby

So, if we enter |dir instead of a URL, we will get a list of the files in the current directory, not a website as one would expect.

A very interesting feature that probably only a few users know about.
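A hardened version of the same lookup, added here as an example and not the author's code: it accepts only http(s) URLs with a host (so the pipe form above never reaches Kernel#open), refuses hosts that resolve to loopback or private ranges (the phpMyAdmin case), and fetches with Net::HTTP instead of open. The helper names, the blocked-range list and the injectable resolver and fetcher are my own assumptions.

```ruby
%w[uri ipaddr resolv net/http].each { |lib| require lib }

ALLOWED_SCHEMES = %w[http https].freeze
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }
# Ranges the proxy must never fetch from: unspecified, loopback, RFC 1918, link-local
# and their IPv6 counterparts (constructed list; extend it for your own environment).
BLOCKED_RANGES = %w[0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
                    169.254.0.0/16 ::1/128 fc00::/7 fe80::/10].map { |r| IPAddr.new(r) }.freeze

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# True when the address falls in a blocked range; an IPv4-mapped IPv6 address
# (::ffff:127.0.0.1) is unwrapped first so it cannot bypass the IPv4 ranges.
def private_address?(ip)
  addr = IPAddr.new(ip)
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.family == addr.family && range.include?(addr) }
end

# Returns a URI for an acceptable target or raises ArgumentError.
def validate_target(input, resolver: DEFAULT_RESOLVER)
  raise ArgumentError, "missing url" if input.nil? || input.strip.empty?
  begin
    uri = URI.parse(input)
  rescue URI::Error
    raise ArgumentError, "malformed url" # "|dir" and similar shell input ends up here
  end
  raise ArgumentError, "scheme not allowed" unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  host = uri.hostname
  raise ArgumentError, "host required" if host.nil? || host.empty?
  addrs = ip_literal?(host) ? [host] : resolver.call(host)
  raise ArgumentError, "unresolvable host" if addrs.empty?
  raise ArgumentError, "local or private target" if addrs.any? { |a| private_address?(a) }
  uri
end

# Drop-in for the body of do_GET on the page: returns [status, body]. The fetcher is
# injectable too, so the whole path can be exercised without network access.
def proxy_fetch(url_param, resolver: DEFAULT_RESOLVER, fetcher: ->(uri) { Net::HTTP.get(uri) })
  uri = validate_target(url_param, resolver: resolver)
  [200, fetcher.call(uri)] # a real HTTP client: no pipe-to-shell, no file:// reads
rescue ArgumentError => e
  [400, "rejected: #{e.message}"]
end
```

Net::HTTP.get does not follow redirects, but it does resolve the name a second time, so a DNS answer that changes between the check and the fetch can still point inside; connecting to the address that passed the check (with the Host header set by hand) closes that gap.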

As you can see, creating a secure proxy server is not so easy.