VulnerableRubyWebsite is a vulnerable Ruby on Rails web app designed to be used for testing of security scanners, providing examples of exploitable code and an app that can be used for training people on how to exploit or not get exploited on Ruby on Rails websites.
CVE-2014-0130 - Commonly known as the glob routes bug (directory traversal and code execution)
… More to come
I am going to suggest that you use my Docker container with everything already installed (ready to run)
If you haven’t heard of it before head over to www.docker.com and take a look
Once you have an installed version of docker
-
pull my container -
docker pull whithajess/vuln_rails_app -
sudo docker run -i -p 3000:3000 -t whithajess/vuln_rails_app /bin/bash- run my container interactively-p 3000:3000makes my container accessable on port 3000 on my host forwarding from port 3000 on the container -
make rvm usable -
source /etc/profile.d/rvm.sh -
goto the app directory
cd /home/VulnerableWebApp -
tell rvm to use the vulnwebapp gemset(already installed gems) -
rvm use ruby-1.9.3-p194@vulnwebapp -
start up the website on port 3000
rails s
(this is more stuff then i would like and needs a little bit of a cleanup)
If you would like to install everything yourself
-
pull down the code,
-
install your preffered ruby (tested it with ruby-1.9.3-p194)
-
bundle install -
rails s
NB: there is a bug installing gems (related to older rails)
rvm reinstall ruby-1.9.3-p194 --disable-binary - fixed this for me
Me
.. help me out if you like!