Monday, September 04, 2006

Fuzzing on Rails

Only 10 minutes into playing around with a new web fuzzer I wrote vs. an unnamed Rails app, I'm getting stack traces. Probably not the end of the world, but not great either. I'm wondering what Rails provides out of the box for validation and how it compares to what other frameworks such as Struts provide.
undefined method `include?' for nil:NilClass
./script/../config/../vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb:49:in `parse_request_parameters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb:47:in `each'
./script/../config/../vendor/rails/actionpack/lib/action_controller/cgi_ext/cgi_methods.rb:47:in `parse_request_parameters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/cgi_process.rb:70:in `request_parameters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/request.rb:12:in `parameters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/session_management.rb:122:in `set_session_options_without_components'
./script/../config/../vendor/rails/actionpack/lib/action_controller/components.rb:178:in `set_session_options'
./script/../config/../vendor/rails/actionpack/lib/action_controller/session_management.rb:116:in `process'
./script/../config/../vendor/rails/railties/lib/dispatcher.rb:38:in `dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:115:in `handle_dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:81:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:172:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:161:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:161:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:67:in `dispatch'
./script/../config/../vendor/rails/railties/lib/commands/servers/webrick.rb:59
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require__'
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:136:in `require'
./script/../config/../vendor/rails/railties/lib/commands/server.rb:30
script/server:3:in `require'
script/server:3

2 comments:

Anonymous said...

Try looking for a double ampersand in your url.
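To make the double-ampersand hint concrete, here is an added example (my own reconstruction, not Rails' or Ruby's source): a parser that splits the query on `&` and then each pair on `=` the way the CGI library of the day did, the nested-key check that the trace shows calling `include?` on every key, and a hardened parser that discards empty pairs before they turn into a nil key. The method names in the comments come from the trace above; that the empty pair produces a nil key is an assumption.

```ruby
# Naive parser modelled on the old CGI.parse idiom that the trace's
# parse_request_parameters consumed: split on '&', then split each pair
# on '='. Constructed for this post; not Rails' or Ruby's actual source.
def naive_parse(query)
  params = {}
  query.split(/[&;]/).each do |pair|
    key, value = pair.split('=', 2) # "".split('=', 2) => [] so key is nil
    (params[key] ||= []) << value
  end
  params
end

# The step that blew up: each key is checked for '[' to detect nested
# parameters such as user[name]. A nil key reaches String#include? and
# raises NoMethodError, matching the first line of the trace.
def nested_keys(params)
  params.keys.select { |key| key.include?('[') }
end

# Hardened version: drop empty pairs and empty keys before anything
# downstream touches them, and treat a bare "key" as key with value "".
def robust_parse(query)
  params = {}
  query.split(/[&;]/).each do |pair|
    next if pair.empty?
    key, value = pair.split('=', 2)
    next if key.nil? || key.empty?
    (params[key] ||= []) << (value || '')
  end
  params
end

# Runs one parser plus the nested-key walk on a fuzzed query and reports
# :ok or the exception class name, so both behaviours can be compared.
def probe(parser, query)
  nested_keys(send(parser, query))
  :ok
rescue NoMethodError => e
  e.class.name
end
```

A fuzzer only needs to produce `a=1&&b=2` to turn the naive path into a 500; the robust path handles the same input and still finds the `b[x]` nested key.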

Anonymous said...

This is mostly for posterity, but rails has a large collection of validates_* methods within ActiveRecord. If your models (and that's a big if) use these validations you should eliminate at least some of the risk. I would be interested to see the results of fuzzing an app that implemented them. In fact, most tutorials on RoR mention the validates_* methods quite early on so there is a good chance people are using them.

Here's the link to the ActiveRecord validations methods: http://api.rubyonrails.org/classes/ActiveRecord/Validations/ClassMethods.html

-roodee
http://www.thummy.com/roodee