Ruby InfoSec
- Proposal to deprecate "|command-here" inputs for Kernel.open() accepted
Dozens of Ruby-related CVEs have been caused by user input being passed to the top-level Kernel.open() method, which not only accepts paths or URIs (if open-uri has been loaded), but also "|command-here" commands which are then opened using IO.popen() resulting in Remote Command Execution (RCE) vulnerabilities. In the next minor Ruby version (3.3.0) a deprecation warning will be printed if a "|command-here" input is given to Kernel.open(). Hopefully, in Ruby 4.0 this insecure feature will be removed.
- Finding all TLD typos using Ruby and ronin-support
You may have recently read a news story about how a typo in a US military email address (<mailbox>@<domain>.mil -> <mailbox>@<domain>.ml) accidentally caused sensitive military secrets to be sent to a similar Mali email address for years.
What if I told you, you could use Ronin to find all of the one-character-missing valid typos for all of the TLDs?
- ronin-code-sql 2.1.0 released, a Ruby library for crafting complex SQL injections (SQLi).
Check out what new features were added in ronin-code-sql 2.1.0. Using ronin-code-sql you can generate complex and obfuscated SQL injections (SQLi).
- How to write a Ruby script for security research using the ronin-support library
A multi-part guide on how to write quick Ruby scripts using the ronin-support library. ronin-support is sort of like activesupport meets Python's pwnlib, but in Ruby.
- How to port a Metasploit Exploit to Ronin Exploits
A step-by-step guide explaining how to port a Metasploit Exploit to Ronin Exploits. Ronin Exploits is a simpler, more Object Orientated, micro-framework for writing and running exploits.
- Ronin has eight new guides! Ronin is a free and Open Source Ruby toolkit for security research and development.
Ever wanted to know more about the Ronin CLI, how to use ronin-repos or ronin-db, how to write Ruby scripts using ronin-support, or how to port Metasploit Payloads to ronin-payloads? We now have eight new Guides on those topics. Check it out!