RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Detect Your Web Application's Vulnerabilities Early with Ruby : Page 2

Web application fuzzing enables you to detect a web application's vulnerabilities prior to deploying it on a production system.

Leveraging Ruby to Build a Framework
Ruby is a powerful scripting language that can be used to build a nice fuzzing framework. This article covers only the initial phase of the framework; a more advanced library can be built around it. The following are some of the advantages of using Ruby as the language for the framework:
  • It can be used across platforms once support for the language is in place.
  • It is object-oriented, permitting you to leverage object-oriented programming features to make the framework more flexible.
  • It supports HTTP and HTTPS with sockets and libraries.
  • Its interactive shell enables effective interactive fuzzing.

The Ruby code is contained in the file Webfuzz.rb (see Listing 1), which contains two classes for implementing web fuzzing:

  1. Target—Needed for specifying the IP address, port, and request you want to fuzz
  2. Fuzz—Contains methods to fuzz each outgoing request with various payloads; provides an interface to the result array

You can build fuzzing logic using these two classes to provide a customized fuzzing load for a specific request. Let's explore each of these classes in detail.

Target Class
The Target class (see Figure 1 for a high-level Ruby documentation view) offers the following methods to set critical parameters:

  1. ip= — set the target IP address
  2. port= — set the target port
  3. request= — set the HTTP request for fuzzing

Click to enlarge

Figure 1. RDoc View for Target Class

As you can see, these methods all end with the "=" operator and "new" indicates a constructor. The following is simple webfuzz.rb code for ip=, which takes a parameter and sets it to a @ip instance variable:

# File webfuzz.rb, line 11
  def ip=(newip)
    @ip = newip

The other two methods, port= and request=, work the same way.

The following webfuzz.rb code initializes an instance of the class in the form of an object and creates four variables:

# File webfuzz.rb, line 4
  def initialize()

The other two methods, request and response, are the HTTP fuzz request and the placeholder for its response, respectively.

Finally, the send method contains code to "throw" the request on the wire and fetch a response from the target:

# File webfuzz.rb, line 42
  def send
    s = TCPsocket.open(@ip,@port)
    @response = s.read

This very simple code snippet will open a TCP connection with the socket library, send a request to the server, and then wait for a response and assign it to the @response variable.

Hence, each instance of Target has its own IP, port, and request. By using the send method, it can access, target, and fill the response variable. It has another method called show that also enables you to see all variables of an instance.

Let's quickly look at how you can use the Target class. Ruby has its own interactive prompt called irb. Here is how you can use it for interactive assessment:

  1. You Open an irb session and load webfuzz.rb using the require directive, as follows:
    D:\webfuzz> irb --simple-prompt
    >> require 'webfuzz'
    Loading the library ...
    Library loaded
    => true

    Make sure you have webfuzz.rb in the same directory where you are executing irb. Also note that you don't need to write webfuzz.rb; webfuzz is sufficient for the operation.

  2. Once the library is loaded, you can start using the classes to you assign a target and send a very basic request to it on the wire. For example, you take following URL:

    Say you want to fuzz the variable "id", which takes an integer value in the webshop application. You would create your target setting as follows:

    1. Create an object for the target:
      >> t = Target.new
      => #<Target:0x2be93d8 @port="", @ip="", @response="", @request="">
    2. Assign "webshop.example.com" as ip:
      >> t.ip = "webshop.example.com"
      => "webshop.example.com"
    3. Assign port 80:
      >> t.port = 80
      => 80
      Here's a quick peek at the object "t":
      >> t
      => #<Target:0x2be93d8 @port=80, @ip="webshop.example.com", @response="", @request="">
  3. Set the GET request for the Target class. You want to fuzz the "id" variable, so you insert "$fuzz$" as the value:
    >> t.request = "GET /dvds4less/details.asp?id=$fuzz$ HTTP/1.0\r\n\r\n"
    => "/dvds4less/details.asp?id=$fuzz$ HTTP/1.0\r\n\r\n "

    At this point, you can use the send method by issuing the t.send command on irb to send the request on the wire. At the same time, you can use t.show to view the entire class instance. You are all set with your fuzzing target at this point.

Now let's look at the Fuzz class, which uses Target when doing web fuzzing (in this case, the target you just defined ). The next section shows how the Fuzz class reads and processes the "$fuzz$" value.

Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date