ruby on rails pentesting web applications
There's a number of areas that you can focus on with rails apps, depending on the level of access you have. Some initial ideas
- If you have source code access (and I would highly recommend it), you can use Brakeman to find some issues.
- Even if you can't get source code access, you may be able to request the output of the 'rake routes' command which should give you a picture of all the possible routes in the app.
- OWASP have a good doc on rails security which has some good starting points.
- I'd always try changing extensions on requests (e.g. from html to xml or json) as rails tends to have different code paths for different formats and this can expose security issues.
- if you can find the version of rails in use (in the Gemfile in the application root), review for known CVEs (there have been a few)
- As rails apps generally have an MVC structure, they can have quite predictable URL paths, so if you're black-boxing, then things like /users/1/edit (replace users with other plural nouns) can produce interesting results
- Always decode the cookies to see if there's any secret info in there (there shouldn't be).
You can find information about the most common Ruby on Rails application vulnerabilities and their countermeasures at the Zen Rails Security Checklist.
I'd recommend getting familiar with web penetration testing techniques and types of attack in general (XSS, SQLi, Privilege Escalation, Session security, etc.) then dive into Rails specific vulnerabilities. I find that having a very strong understand of the HTTP protocol, how sessions are created/persisted/destroyed and the flow of data helps more than any single tool you can run. Rails has some great documentation on security once you are feeling comfortable with basic testing mechanisms - http://guides.rubyonrails.org/security.html