Quick Cookie Notification

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.


View Cookie Policy for full details

Rapid7 Blog

Ruby on Rails  

Nexpose Gem 1.0 Released

As of April 8th, 2015, version 1.0 of the Nexpose gem (nexpose-client) is available.Big Numbers Mean Big ChangesNexpose 5.13 brings new API 2.1 features and following on that the 1.0 version of the Nexpose gem uses these new features. Because…

Metasploit Framework Rails 4.0 Upgrade

It is always a running battle to keep an application's backend up to date with various technologies. Today, we are excited to announce that Metasploit Framework now ships with Rails 4.0. Upgrades like this are sometimes hard to get excited about because if everything…

Not Reinventing The Wheel: The Metasploit Rails::Application in 4.10

In Metasploit 4.10, we converted Metasploit Framework (and prosvc in Metasploit Commercial Editions) to be a full-fledged Rails::Application.  You may be wondering why Metasploit Framework and prosvc, should be Rails applications when they aren't serving up web pages.  It all has to do…

12 Days of HaXmas: Exploiting (and Fixing) RJS Rails Info Leaks

This post is the fifth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements in the Metasploit Framework over the course of 2013. Several weeks ago, Egor Homakov wrote a blog post pointing out a common…

Weekly Update: OpSec in Open Source Projects

The weekly Metasploit update is out, and I wanted to highlight three modules that landed in the last week, all of which target open source software. It's easy to drink the FOSS Kool-Aid, and talk about how it's more inherently secure than secret source software,…

Weekly Update: Introducing Metasploit 4.5.3

Version bump to Metasploit 4.5.3This week, we've incremented the Metasploit version number by one trivial point to 4.5.3 -- this was mainly done to ensure that new users get the fixes for the four most recent vulnerabilities that were fixed by…

Weekly Update: UPnP, Another Rails Exploit, and Auditing Joomla

UPnP ScanningThe big news this week are the UPnP / SSDP vulnerability announcements that we've been coordinating between CERT/CC, open source vendors, and device manufacturers over the last couple months. We have a pretty excellent white paper on the subject, written by Metasploit founder and…

Serialization Mischief Redux: Exploit for Ruby on Rails CVE-2013-0333

This afternoon, another scary advisory was posted to the Ruby on Rails security discussion list. Fortunately, this one doesn't affect any Metasploit products. The previous advisory (that HD talked about here) dealt with Rails parameter parsing of XML from a POST request.  The short…

Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)

BackgroundEarlier this week, a critical security flaw in Ruby on Rails (RoR) was identified that could expose an application to remote code execution, SQL injection, and denial of service attacks. Ruby on Rails is a popular web application framework that is used by both web…

Serialization Mischief in Ruby Land (CVE-2013-0156)

This afternoon a particularly scary advisory was posted to the Ruby on Rails (RoR) security discussion list. The summary is that the XML processor in RoR can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which…

Weekly Metasploit Update: Mac OSX 64-Bit Payloads and More!

In addition to the frankly killer 0-day in RateMyPet, we have a couple other things going on in Metasploit land.Mac OSX 64-Bit PayloadsProbably the most significant add this week is Metasploit community contributor Nemo's two new 64-bit payloads for Mac OSX targets. While OSX…