
Arachni Introspector preview/demo: The first Interactive Application Security Testing system for Rails

About a month ago, I laid out the features and demoed a prototype IAST system for Rack-based Ruby web applications, using a tiny Sinatra app as a target. That system is a prototype no longer, and it also got a codename: Arachni Introspector.

Also, as it happens, the Introspector is the first IAST in the world for Ruby web applications. I looked and asked around, and the general focus of security vendors seems to be on Java, PHP and .Net.

Today, I’ll be showcasing its capabilities and its somewhat more mature API using a tiny Rails application.

Scan coverage

Let’s begin with the more tame stuff. We’ll load the application, scan it, grab the report and check how much of it the scan really covered.

The following script was placed under the “bin/” directory of the targeted Rails application.

And here’s the coverage result:

Now, once you see that an XSS issue was logged for the link input “my_input”, you’ll be able to immediately spot the problem.
Knowing the real coverage a scanner has on a web application not only shows you how good or bad the scanner is, but it can also show you errors in the assumptions that led to the problematic code.

HTTP request tracing

In the real world, things aren’t as cut and dried as in the above example. Statistics are nice, but knowing the precise execution flow that resulted in the web application’s vulnerable state would be much, MUCH more helpful.

Even more helpful than that would be getting real access to the stack in its vulnerable state, thus being able to see important context data like local and instance variables and evaluate arbitrary code under each caller’s context. Obviously, this is possible using the Introspector, otherwise I wouldn’t be making such a big deal out of it, heh.

And here’s how you do that:

And the output of that would be (you may want to review this in an editor, it’s quite bulky but worthy of examination):

As you can see, the trace goes down to the ERB templates, which is nice. :)

In addition, you can get this much context for any HTTP request, not just for the issues. You can even enable tracing for the entire scan, hook into the HTTP interface and see the precise impact each request had on the web application.
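As an added illustration of the per-request tracing idea described above (this is not the Introspector's code; it assumes a hypothetical RequestTracer middleware and a constructed DemoApp standing in for a Rails controller), here is how Ruby's stdlib TracePoint can record the method calls, source locations and local variables an application touches while serving a single request:

```ruby
require "uri"

# Constructed stand-in for a Rails controller: an action that echoes the
# "my_input" parameter into the response without escaping it (the kind of
# reflection a scanner logs as XSS). Not the Introspector's code.
class DemoApp
  def call(env)
    body = show(param(env, "my_input"))
    [200, { "content-type" => "text/html" }, [body]]
  end

  def param(env, name)
    Hash[URI.decode_www_form(env["QUERY_STRING"].to_s)][name]
  end

  def show(my_input)
    render_greeting(my_input)
  end

  def render_greeting(text)
    "<p>Hello, #{text}</p>"
  end
end

# Hypothetical Rack-style middleware: records every application-level Ruby
# method call made while handling one request, together with the callee's
# local variables, and attaches the trace to the Rack env for inspection.
class RequestTracer
  def initialize(app, app_root:)
    @app = app           # wrapped Rack application (anything responding to call(env))
    @app_root = app_root # only frames whose source path starts here are kept
  end

  def call(env)
    trace = []
    tp = TracePoint.new(:call) do |t|
      next unless t.path.start_with?(@app_root)
      b = t.binding
      trace << { method: "#{t.defined_class}##{t.method_id}",
                 location: "#{t.path}:#{t.lineno}",
                 locals: b.local_variables.map { |v| [v, b.local_variable_get(v)] }.to_h }
    end
    # TracePoint#enable with a block traces only that block and returns its value
    response = tp.enable { @app.call(env) }
    env["request_tracer.trace"] = trace
    response
  end
end
```

Wrapping the application with `RequestTracer.new(DemoApp.new, app_root: __FILE__)` and issuing a request with `QUERY_STRING` set to `my_input=%3Cb%3Eprobe%3C%2Fb%3E` yields a trace of `DemoApp#call`, `#param`, `#show` and `#render_greeting`, each frame showing the tainted value as it flows through the locals.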

In closing…

So…that’s it. The API is simple, the scan is fast and the features are insane. In essence, the Introspector can find the issue for you, show you the error of your ways and launch your favorite REPL debugger (like Pry) so that you can interactively sort it out.

Oh, and remember, the Arachni Framework is powering this, which means you can get the same context for your client-side (JS/DOM/AJAX) issues as well.


About Tasos Laskos

CEO of Sarosys LLC, founder and lead developer of Arachni.

4 Responses to "Arachni Introspector preview/demo: The first Interactive Application Security Testing system for Rails"

  • Jesse Whitham
    February 18, 2015 - 12:39 am Reply

    This looks really cool! Question: how do I get it? Totally want to try this out, even if it is in beta.

    • Tasos Laskos
      February 18, 2015 - 12:43 am Reply

      Unfortunately you can’t get it yet; this will most probably turn into a commercial offering in order to fund the Framework.

      • Jesse Whitham
        February 18, 2015 - 1:08 am Reply

        Hey, that’s sweet. If you want any help testing it, I’m totally your guy. And if it does turn into a commercial offering, we would totally use it at my work. We currently do internal penetration tests and use code review tools like Brakeman, so adding an Introspector would be great.

        • Tasos Laskos
          February 18, 2015 - 1:12 am Reply

          That’s good to know, it could use some more testing. I’ll send you an e-mail so that we can set that up.
