Archive for the ‘Ruby’ Category

dradis v1.2 – now with one-click installer

Friday, June 13th, 2008

In addition to the changes released on the 4th of April, yesterday we released a Windows one-click installer for dradis.

The summary of the features of the v1.2 release:

  • in the client:
    • export to XML module is now part of the standard module set.
    • a new implementation of the command line parser: now it is possible to use single and double quotes to pass multi-word arguments to the different commands.
    • fixed the window.rb:159 bug.
  • in the server:
    • a slightly less annoying implementation of the web interface auto refresh functionality.
    • the services added through the web interface can have a name now :)
    • simple prevention against embedded XSS.

You can also download the platform-independent ruby source in the download section of the site.


restful_authentication howto, step-by-step (part 2)

Friday, June 6th, 2008

Picking it up where we left it in restful_authentication howto, step-by-step (part 1), the second article of this series is a hands-on example of how to use the restful_authentication plugin.

Things that will be covered include:

  • remove the need for a login
  • the use of an activation email: the application will require its users to activate their accounts upon sign up.
  • how to get rid of the remember-me functionality (just in case you don’t need it).
  • how to strengthen the default security of the framework a bit.


restful_authentication howto, step-by-step (part 1)

Saturday, May 17th, 2008

There are more than a hundred thousand different ways of implementing authentication in Ruby on Rails. Authentication in the Rails world is definitely not for the faint-hearted. After some random reading through the Rails wiki it seemed quite clear that there is one winner: acts_as_authenticated. However, after including this plugin in one of my secret projects to take over the world, it seems that it is lacking some functionality. What I need out of the authentication framework is:

  • A no-nonsense authentication: just email and password. No bells, no whistles.
  • The system should send an activation email after the user signs up.

Let’s explore the alternatives :)

ruby application configuration settings

Thursday, April 17th, 2008

In this article I want to discuss a way of storing and retrieving the configuration settings of a Ruby application. The first thing you need to decide is whether you want to store your settings in a database, an XML file, a YAML file,…

Since this is not an easy choice we can mitigate the impact of making the decision upfront by doing some interface based design.


dradis v1.1 is out

Friday, March 7th, 2008

A new version of dradis, the information sharing tool for security teams, was released on the 29th of February. Some major changes were introduced since the first release back in December:

  • New client GUI that runs in Linux, Windows and Mac OS (screenshots).
  • New web interface.
  • Improved step-by-step installation instructions.
  • New contributed modules:
    • Export your Knowledge Base to an XML file.
    • run nmap from dradis and store the results in the knowledge base.

If you want to give it a try, go to the download page. And please let me know any thoughts or feedback (remember that you can use the dradis development mailing list: dradis-devel).

sql injection: inference attack (part 2)

Sunday, January 27th, 2008

In the previous article of this series (sql injection: inference attack) we saw an introduction to the concept of SQL inference attacks. In security advisory: Plogger Photo Gallery SQL Injection we saw that the Plogger Photo Gallery SQL injection vulnerability was an ideal scenario to study SQL inference attacks.

Now it’s time to see a hands-on example of how to exploit a SQL injection vulnerability using this technique. Please note that the intended audience of this article is security researchers who want to gain a deeper knowledge of the nature and internals of SQL inference attacks.

ruby ToDo list

Thursday, January 24th, 2008

I have created a small Ruby on Rails application to keep track of my personal “ToDo” list of tasks. The idea is to split your different tasks into categories (i.e. important & urgent, not important & urgent, etc.) and have a web front end in which you can get a nice view of your pending tasks.

ruby workshop: the way of the Qt samurai

Monday, December 17th, 2007

As a side result of my work with dradis during the last months, I’ve been working on some technical sessions that will be grouped in what could be called a “ruby workshop”. The first of these sessions is on Ruby + Qt programming and is available now.

  • Slides can be found here.
  • Source and examples: here.


xmitm: xml man in the middle

Sunday, December 16th, 2007

This post is a result of ideas and tools developed during the review of client-side applications that use the XMPP protocol to communicate with a server (opening a raw socket, not using HTTP as a transport).

The only way we could think of getting our hands on the communication was to write a small set of scripts to trick the client and encapsulate the communication inside HTTP requests that we could then manipulate using standard proxy tools such as burp.

Although the information and scripts described in this post are focused on intercepting an XML communication, the same principles apply to performing a man-in-the-middle interception of any ASCII protocol such as smtp, ftp or pop.

update: slides available here

dradis

Tuesday, December 11th, 2007

dradis is a tool for sharing information during a pentest. If you are part of a team of testers working against the same set of targets, you will need to communicate with each other. The more efficient this communication is, the better your chances of a successful breach.