Detect if Rails is Running a Site
I am part of a team that manages a public-facing cloud platform at my company. We have a large user base running VMs that face the internet. I would like to run an automated scan of our address space and see if anyone is running a Rails app so I can notify them to upgrade their version of Rails to avoid a critical security vulnerability that came out this week.

I've noticed that in some Apache deployments, there is a Passenger Header that is useful:

X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.0.3

However, this is not reliable. I'm wondering if there is a reliable way to detect Rails running behind a web server either with response headers or some kind of a GET / POST that can be definitive. Thanks!

Diegodiehard answered 10/1, 2013 at 18:27 Comment(5)
This could be used as easily by malicious parties to find vulnerable targets, so it's probably not a good idea to make the info public here. - Hulburt
... but if this is decided to be left alive, I wonder whether it might make sense migrating it to Server Fault? I'll flag a mod and ask them. - Hulburt
Don't you have a corporate email address that can target your devs? Some apps deliberately muck around so the server/framework specifically can't be detected, precisely to obfuscate sites that might be vulnerable to a particular attack. - Martins
I voted your question down (it's the only downvote I made as a member here). I think that at the current time possible answers will do more harm than good. That's not to say that script kiddies won't find a way, but let's not give them any ideas for the time being. - Screeching
This is silly, you can look up the actual exploit with examples. I had considered using that code to do a check but it was too invasive. - Diegodiehard

Every Rails site has:

<meta content="authenticity_token" name="csrf-param" />

Or could have a submit button where the name="commit"

At least that's what I have consistently seen.

Header responses are not reliable, here are three from various Rails sites:

Server:Apache/2.2.14 (Ubuntu)
Server:nginx
Server: thin 1.4.1 codename Chromeo

You know nginx and Thin are popular in the Rails community, but that's not conclusive enough to say there is Rails behind it. You would need to run a script that scrapes the site and looks for the meta tag above. BeautifulSoup is a pretty good choice if your script is going to be in Python. The Mechanize gem is great if you are going with Ruby.

Vernacularism answered 10/1, 2013 at 19:1 Comment(1)
There's no need to use anything as heavyweight as Mechanize or BeautifulSoup. A simple HTTP GET for the index page should do it. The problem is all ports have to be covered. If getting the index page doesn't seem comprehensive enough, then a full-blown site crawler will have to walk the pages looking for the meta tag in order to be thorough. - Hamlett

Most Rails apps have a submit button where the name="commit".

Triboelectricity answered 12/1, 2017 at 20:33 Comment(0)

A Rails app could be running on lots of different ports, depending on the configuration allowed. That, plus the fact that the app might not respond in a way you can recognize, seems like a "sub-optimal" way to find out.

Instead, if you own the hosting, you own the drives and the systems supporting the apps. Why not run a grep across the systems, looking for strings matching Rails?

Or search for some of the standard Rails files; use find, or locate if you have it running.

Hamlett answered 10/1, 2013 at 18:48 Comment(2)
I understand the security concerns, but please understand that I'm not asking for an exploit either. I think the best approach would be a multifaceted check. Thanks for the suggestions. I don't have access to my users' VMs, else this whole thing would be fairly easy. - Diegodiehard
I work at a large hosting site, with scores of VMs. Those VMs are accessible to our site admins for maintenance and support issues, which this need would fall under. - Hamlett

Another default setting of Rails that is commonly left untouched is the name of the main /assets/application-<hex hash>.{css,js} files.

I don't think that a single reliable way of detecting Rails exists, but by using a combination of the authenticity_token, the default asset names and the HTTP headers, you should be able to identify the vast majority of Rails apps.

The Wappalyzer script uses these three criteria and considers that the co-occurrence of two indicates a Rails app.

Cod answered 10/1, 2013 at 20:55 Comment(0)
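A compact checker for the indicators named in Vernacularism's and Cod's answers (the csrf-param meta tag, the name="commit" submit button, digest-named application assets, and the Passenger/Thin header banners), combined with the co-occurrence rule Cod attributes to Wappalyzer. This is an added example, not code from the thread or from Wappalyzer; it takes an already fetched index page (a headers dict plus the HTML body) so it runs offline on the constructed sample below, and the HEADER_HINT and ASSET_HINT patterns are my own assumptions about what those banners and asset names look like.

```python
import re
from html.parser import HTMLParser

# Constructed sample response (not a real site): a typical Rails layout page.
SAMPLE_HEADERS = {"Server": "nginx",
                  "X-Powered-By": "Phusion Passenger (mod_rails/mod_rack) 2.0.3"}
SAMPLE_BODY = """<html><head>
<meta name="csrf-param" content="authenticity_token" />
<link href="/assets/application-3f8a9c2b1d4e5f6a7b8c9d0e1f2a3b4c.css" rel="stylesheet" />
<script src="/assets/application-0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9.js"></script>
</head><body>
<form action="/login" method="post"><input type="submit" name="commit" value="Log in" /></form>
</body></html>"""

# Header banners named in this thread: Passenger's X-Powered-By and the Thin Server line (assumed pattern).
HEADER_HINT = re.compile(r"Phusion Passenger|mod_rails|mod_rack|\bthin\b", re.I)
# Asset pipeline names: /assets/application-<hex digest>.css|.js, 32 (MD5) or 64 (SHA-256) hex chars.
ASSET_HINT = re.compile(r"/assets/application-[0-9a-f]{32,}\.(?:css|js)\b")

class _IndicatorParser(HTMLParser):
    """Collects the three HTML indicators while walking the page's start tags."""
    def __init__(self):
        super().__init__()
        self.csrf_param = self.commit_button = self.digest_asset = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lowercased by HTMLParser
        if tag == "meta" and a.get("name") == "csrf-param" and a.get("content") == "authenticity_token":
            self.csrf_param = True
        elif tag == "input" and a.get("type") == "submit" and a.get("name") == "commit":
            self.commit_button = True
        elif tag in ("link", "script") and ASSET_HINT.search(a.get("href") or a.get("src") or ""):
            self.digest_asset = True

def rails_indicators(headers, body):
    """Return which indicators fired for one fetched page (headers dict + HTML body)."""
    p = _IndicatorParser()
    p.feed(body)
    header_text = " ".join(f"{k}: {v}" for k, v in headers.items())
    return {
        "csrf_param_meta": p.csrf_param,
        "commit_submit": p.commit_button,
        "digest_asset": p.digest_asset,
        "server_header": bool(HEADER_HINT.search(header_text)),
    }

def likely_rails(headers, body, min_hits=2):
    """Co-occurrence rule: two or more indicators together => probably Rails; one alone is not enough."""
    hits = rails_indicators(headers, body)
    return sum(hits.values()) >= min_hits, hits
```

A server header alone (nginx, Apache) never counts, matching Vernacularism's point that those banners are not conclusive; the body indicators carry the decision.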

Wappalyzer is a good option, and (shameless plug) have you looked at Spotkick? We're in private beta now, but it's a distributed engine for running open source apps, so you could run Wappalyzer across all of your sites to see what's probably running rails.

I do this for banklook.com - I run over about 6800 banks to dig up details about security risks.

Let me know if you want more details or information.

Scarfskin answered 2/3, 2013 at 17:33 Comment(0)
