Ruby on Rails - Auditing & Exploiting the Popular Web Framework

Recurity Labs | August 2-3 & 4-5

This training is all about Ruby on Rails. Participants are first introduced to the basics of the Ruby programming language. Afterwards a deep dive into RoR applications is given. All of this is done mostly from a pentester's/attacker's perspective. Ruby on Rails' little secrets and quirks are uncovered and used to exploit web applications and APIs built on the framework. Practical examples and assignments deepen the participants' knowledge of how to tackle Ruby on Rails applications in real-world scenarios and code audits.

The topics covered include:
• Ruby crash course - All you need to know about Ruby in order to assess RoR applications.
• Recap on typical Web application flaws - Just in case it's needed, we'll have a short recap of the most typical Web application flaws.

Ruby on Rails - General overview
• MVC (Model-View-Controller) - The design concept behind every RoR app will be elaborated.
• Basic Concepts - A walk through a RoR application: where to find what, and how to program against the underlying framework.

Ruby on Rails - Attacker perspective
• User Input - In order to successfully exploit an application we'll dissect how the RoR framework takes user input and how it handles it.
• Typical Web application flaws - We will have a look at how the typical Web application flaws show up in RoR code.
• Ruby on Rails specific flaws - What are the quirks and pitfalls of the framework? That question will be answered in this section of the training.
• Code Audit - How to read and audit RoR apps efficiently in order to find security issues.
• Black Box testing - How to spot whether you are dealing with a RoR application, and how to properly assess it without having the source code.
• Exploitation and Post-Exploitation - Turning the bugs we have found into actual attacks.
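As an added illustration of the "User Input" and "Ruby on Rails specific flaws" items above (example code written for this page, not material from the training or from Recurity Labs): the classic Rails pitfall is mass assignment, where a controller hands the whole params hash to a model and every matching attribute writer is called, including ones the user was never meant to touch. The snippet below models that behaviour in plain Ruby, without Rails or ActiveRecord, beside the allowlist approach that Rails' strong parameters implement. The User class, the request hash and the helper names are assumptions made for the example.

```ruby
# Added example, not from the training page: plain-Ruby model of Rails-style
# mass assignment beside an allowlist ("strong parameters"-style) variant.
# The User class and the request body are constructed for the example.

class User
  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Mimics ActiveRecord's assign_attributes/update_attributes: every key in the
  # hash that matches a writer method is assigned. Nothing here decides which
  # keys a *user* is allowed to set; that is the mass-assignment pitfall.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      setter = "#{key}="
      send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Minimal stand-in for ActionController::Parameters#permit: copies only the
# allowlisted keys (given as strings or symbols) out of the incoming hash.
def permit(params, *allowed)
  allowed.map(&:to_s).each_with_object({}) do |key, out|
    out[key] = params[key] if params.key?(key)
  end
end

# Vulnerable action: params["user"] goes straight into the model, so a request
# that also carries user[admin]=true escalates the caller to admin.
def update_profile_vulnerable(user, params)
  user.assign_attributes(params["user"])
end

# Hardened action: only name and email may come from the request body;
# the extra "admin" key is silently dropped.
def update_profile_hardened(user, params)
  user.assign_attributes(permit(params["user"], :name, :email))
end

# Constructed request body as Rails would parse it from
#   user[name]=Mallory&user[email]=m@example.com&user[admin]=true
ATTACK_PARAMS = {
  "user" => { "name" => "Mallory", "email" => "m@example.com", "admin" => true }
}

if __FILE__ == $PROGRAM_NAME
  victim = User.new(name: "Alice", email: "a@example.com")
  update_profile_vulnerable(victim, ATTACK_PARAMS)
  puts "vulnerable: admin=#{victim.admin}"   # admin=true

  victim = User.new(name: "Alice", email: "a@example.com")
  update_profile_hardened(victim, ATTACK_PARAMS)
  puts "hardened:   admin=#{victim.admin}"   # admin=false
end
```

When auditing, the thing to look for is the distance between the request and the model: any path on which a params hash (or a sub-hash of it) reaches an attribute-assigning call without an explicit allowlist in between is a candidate finding, whatever the attribute names happen to be.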
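For the "Black Box testing" item above, this added example (written for this page; not from the training) scores a raw HTTP response for the signs that a default Rails stack leaves behind: the X-Runtime and X-Request-Id headers, a _<app>_session cookie, a Phusion Passenger banner, csrf-param/csrf-token meta tags, the authenticity_token and utf8 hidden form fields, and digest-fingerprinted asset paths. The two responses it inspects are constructed, not captured from a real host, and the threshold of two indicators is an assumption.

```ruby
# Added example, not from the training page: fingerprint a Rails backend from a
# raw HTTP response. Indicators are what a default Rails stack emits; the
# sample responses below are constructed for the example.

RAILS_INDICATORS = {
  "X-Runtime header (Rack::Runtime middleware)"          => [:header, /^x-runtime:/i],
  "X-Request-Id header (ActionDispatch::RequestId)"      => [:header, /^x-request-id:/i],
  "session cookie named _<app>_session"                  => [:header, /^set-cookie:\s*_\w+_session=/i],
  "Phusion Passenger in X-Powered-By or Server"          => [:header, /^(x-powered-by|server):.*passenger/i],
  "csrf-param/csrf-token meta tags"                      => [:body, /<meta name="csrf-(param|token)"/],
  "authenticity_token hidden field"                      => [:body, /name="authenticity_token"/],
  "utf8 check-mark hidden field"                         => [:body, /name="utf8" type="hidden" value="&#x2713;"/],
  "fingerprinted asset path (/assets/name-<digest>.ext)" => [:body, %r{/assets/[\w./-]+-[0-9a-f]{32,64}\.(css|js)}],
}.freeze

# Splits a raw HTTP/1.x response into [header lines, body]. Header matching is
# done per line so a regex anchored with ^ cannot match inside the body.
def split_response(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  [head.to_s.lines.map(&:chomp), body.to_s]
end

# Returns the names of the indicators present, in RAILS_INDICATORS order.
def rails_indicators(raw)
  headers, body = split_response(raw)
  RAILS_INDICATORS.select do |_name, (where, re)|
    where == :header ? headers.any? { |h| h.match?(re) } : body.match?(re)
  end.keys
end

# Assumed decision rule: two independent indicators are enough to call it Rails.
def looks_like_rails?(raw, threshold: 2)
  rails_indicators(raw).size >= threshold
end

# Constructed response in the shape a Rails app behind Passenger would return.
SAMPLE_RAILS_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
  X-Runtime: 0.012345
  X-Request-Id: 9b7c1c9e-2d4a-4f3b-9a2e-1f2e3d4c5b6a
  Set-Cookie: _demo_session=BAh7B0kiD3Nlc3Npb25faWQ; path=/; HttpOnly
  X-Powered-By: Phusion Passenger 4.0.5

  <html><head>
  <meta name="csrf-param" content="authenticity_token" />
  <meta name="csrf-token" content="WXk4ZGZnc2FtcGxldG9rZW4=" />
  <link href="/assets/application-0123456789abcdef0123456789abcdef.css" rel="stylesheet" />
  </head><body>
  <form action="/login" method="post">
  <input name="utf8" type="hidden" value="&#x2713;" />
  <input name="authenticity_token" type="hidden" value="WXk4ZGZnc2FtcGxldG9rZW4=" />
  </form></body></html>
HTTP

# Constructed non-Rails response for comparison.
SAMPLE_PHP_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: text/html
  X-Powered-By: PHP/5.4.4
  Set-Cookie: PHPSESSID=4d9c0f1e8a2b; path=/

  <html><body><form action="/login.php" method="post"></form></body></html>
HTTP

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_RAILS_RESPONSE, SAMPLE_PHP_RESPONSE].each do |raw|
    puts "#{looks_like_rails?(raw) ? 'Rails' : 'not Rails'}: #{rails_indicators(raw).inspect}"
  end
end
```

On a real engagement the headers come from the target's actual responses (e.g. from a proxy log); none of these signals is conclusive on its own, since headers can be stripped by a reverse proxy and the form markup can be imitated, which is why the function reports the individual indicators rather than a bare yes/no.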

Ruby on Rails - The framework itself

• In this section we'll look into the RoR framework itself: previous flaws in Rails will be analyzed, and certain bug classes will be shown in the context of the underlying framework code.

Hands on and practical exercises

• For the most relevant aspects of the training, practical exercises and hands-on sessions will be held throughout the course.

Who Should Take This Course

This training is meant for:
• Web App hackers - who want to audit/assess/break Ruby on Rails apps.
• Professional Pentesters - who'd like to find more subtle issues in RoR assessments.
• Ruby on Rails developers - who want to code more securely and get another point of view on RoR.
• Everyone else - who is interested in RoR security and exploitation.

Student Requirements

• Basic Web Application Security knowledge
• Willingness to read & understand code

What Students Should Bring

A VirtualBox installation in order to run the VM containing exercises.

What Students Will Be Provided With

Course materials will include:
• Handout material
• Reading material which covers the topics of the training.
• A virtual machine containing several challenges and exercises.
• Digital copy of the training slides

Training VMs:
• Several virtual machine images with real-world Ruby on Rails applications


Joern Schneeweisz: Joern is a Security Consultant at Recurity Labs by day. As finding bugs ~8 hours a day is not enough for him, he digs for bugs in Ruby on Rails apps in his spare time as well. As a result he can look back on almost 5 years of bug hunting in both Ruby on Rails applications and the framework itself.

Florian Grunert: Florian finished his bachelor's degree at the University of Osnabrueck and joined Recurity Labs as a student trainee in 2013. He will assist Joern during the workshop.