Difference between revisions of "RoR Patching"
m (fixed up) |
|||
(4 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | |||
− | |||
==Vulnerabilities== | ==Vulnerabilities== | ||
[[XSS]], [[SQL injection]], [[session hijacking]], and [[data tampering]], standard [[web applications|web-application]] [[vulnerability|vulnerabilities]] afflict [[Ruby on Rails]]. One more less commonly known or used [[vulnerability]] is called Mass Assignment Abuse. | [[XSS]], [[SQL injection]], [[session hijacking]], and [[data tampering]], standard [[web applications|web-application]] [[vulnerability|vulnerabilities]] afflict [[Ruby on Rails]]. One more less commonly known or used [[vulnerability]] is called Mass Assignment Abuse. | ||
− | |||
== XSS == | == XSS == | ||
− | |||
Standard [[XSS]] is possible. [[session hijacking]] via [[cookies]] is possible. Be sure to [[sanitize]] your [[database]] [[Input|inputs]] as well as your [[cookies]] for [[XSS]]. | Standard [[XSS]] is possible. [[session hijacking]] via [[cookies]] is possible. Be sure to [[sanitize]] your [[database]] [[Input|inputs]] as well as your [[cookies]] for [[XSS]]. | ||
Line 13: | Line 9: | ||
[[vulnerability|vulnerable]] code : | [[vulnerability|vulnerable]] code : | ||
− | + | {{code | |
+ | |text= | ||
+ | <source lang="ruby"> | ||
<%= comment.content %> | <%= comment.content %> | ||
<%= sanitize(comment.content) %> | <%= sanitize(comment.content) %> | ||
− | + | </source> | |
+ | }} | ||
[[patched]] code : | [[patched]] code : | ||
− | + | {{code | |
− | + | |text= | |
− | + | <source lang="ruby"> | |
<%= h(comment.content) %> | <%= h(comment.content) %> | ||
− | + | </source> | |
− | + | }} | |
on [[output]] OR | on [[output]] OR | ||
− | + | {{code | |
− | + | |text= | |
+ | <source lang="ruby"> | ||
[[CGI]]::escapeHTML(user_input) | [[CGI]]::escapeHTML(user_input) | ||
− | + | </source> | |
− | + | }} | |
on [[input]]. | on [[input]]. | ||
The code below : | The code below : | ||
− | + | {{code | |
+ | |text= | ||
+ | <source lang="ruby"> | ||
<%= comment.content %> | <%= comment.content %> | ||
<%= sanitize(comment.content) %> | <%= sanitize(comment.content) %> | ||
− | + | </source> | |
+ | }} | ||
Is [[vulnerability|vulnerable]] because it only strips [[HTML]] tags. It does not save your program from [[XSS#XSS_Exploitation|javascript injection]]. The h() function does. | Is [[vulnerability|vulnerable]] because it only strips [[HTML]] tags. It does not save your program from [[XSS#XSS_Exploitation|javascript injection]]. The h() function does. | ||
== Params Injection & Mass Assignment Abuse == | == Params Injection & Mass Assignment Abuse == | ||
− | |||
Params can't be trusted, [[SQL injection]] may take place still, but is rare in [[Ruby on Rails]]. It can be [[Fuzzing|fuzzed]] for just like any other [[SQL injection]] [[vulnerability]]. | Params can't be trusted, [[SQL injection]] may take place still, but is rare in [[Ruby on Rails]]. It can be [[Fuzzing|fuzzed]] for just like any other [[SQL injection]] [[vulnerability]]. | ||
Line 53: | Line 55: | ||
example hash manipulation : | example hash manipulation : | ||
− | + | {{code | |
+ | |text= | ||
+ | <source lang="bash"> | ||
+ | $ curl -d "user[name]=hacker&user[admin]=1" server:port/users | ||
+ | </source> | ||
+ | }} | ||
[[vulnerability|vulnerable]] code : | [[vulnerability|vulnerable]] code : | ||
− | < | + | {{code |
+ | |text= | ||
+ | <source lang="ruby"> | ||
@user=User.new(params[:user]) | @user=User.new(params[:user]) | ||
− | </ | + | </source> |
− | + | }} | |
[[patched]] code : | [[patched]] code : | ||
− | < | + | {{code |
+ | |text= | ||
+ | <source lang="ruby"> | ||
attr_protected :admin | attr_protected :admin | ||
− | </ | + | </source> |
− | + | }} | |
− | + | ||
Best [[patch]] : | Best [[patch]] : | ||
− | < | + | {{code |
+ | |text= | ||
+ | <source lang="ruby"> | ||
attr_accessible :user | attr_accessible :user | ||
− | </ | + | </source> |
− | + | }} | |
− | + | ||
More [[vulnerability|vulnerable]] code: | More [[vulnerability|vulnerable]] code: | ||
− | < | + | {{code |
+ | |text= | ||
+ | <source lang="ruby"> | ||
has_many :comments | has_many :comments | ||
− | </ | + | </source> |
+ | }} | ||
+ | use curl to repossess comments or posts. example : | ||
− | + | {{code | |
− | + | |text= | |
− | curl -d "user[name]=hacker&user[admin]=1&user[comment_ids][]=1&user[comment_ids][]=2" server:port/users | + | <source lang="bash"> |
+ | $ curl -d "user[name]=hacker&user[admin]=1&user[comment_ids][]=1&user[comment_ids][]=2" server:port/users | ||
+ | </source> | ||
+ | }} | ||
best fix is white-listed [[input]]. To make it so that only the user[name] param is read by | best fix is white-listed [[input]]. To make it so that only the user[name] param is read by | ||
ActiveRecord, change : | ActiveRecord, change : | ||
− | < | + | {{code |
+ | |text= | ||
+ | <source lang="ruby"> | ||
attr_protected :admin | attr_protected :admin | ||
− | </ | + | </source> |
− | + | }} | |
− | + | ||
To: | To: | ||
− | < | + | {{code |
+ | |text= | ||
+ | <source lang="ruby"> | ||
attr_accessible :name | attr_accessible :name | ||
− | </ | + | </source> |
− | + | }} | |
− | + | ||
This will make it so that only the name attribute matters to activerecord when params is passed to | This will make it so that only the name attribute matters to activerecord when params is passed to | ||
the sql query. Now, activerecord will not pay attention to any other values set inside of the | the sql query. Now, activerecord will not pay attention to any other values set inside of the | ||
− | params[] hash. | + | params[ ] hash. |
− | + | {{exploitation}} | |
+ | {{countermeasures}} |
Latest revision as of 18:25, 27 June 2016
Vulnerabilities
XSS, SQL injection, session hijacking, and data tampering, standard web-application vulnerabilities afflict Ruby on Rails. One more less commonly known or used vulnerability is called Mass Assignment Abuse.
XSS
Standard XSS is possible. session hijacking via cookies is possible. Be sure to sanitize your database inputs as well as your cookies for XSS.
vulnerable code :
<%= comment.content %> <%= sanitize(comment.content) %> |
patched code :
<%= h(comment.content) %> |
on output OR
[[CGI]]::escapeHTML(user_input) |
on input.
The code below :
<%= comment.content %> <%= sanitize(comment.content) %> |
Is vulnerable because it only strips HTML tags. It does not save your program from javascript injection. The h() function does.
Params Injection & Mass Assignment Abuse
Params can't be trusted, SQL injection may take place still, but is rare in Ruby on Rails. It can be fuzzed for just like any other SQL injection vulnerability.
params injection : curl can be used for posting and can specify params. example hash manipulation :
$ curl -d "user[name]=hacker&user[admin]=1" server:port/users |
vulnerable code :
@user=User.new(params[:user]) |
patched code :
attr_protected :admin
|
Best patch :
attr_accessible :user
|
More vulnerable code:
has_many :comments
|
use curl to repossess comments or posts. example :
$ curl -d "user[name]=hacker&user[admin]=1&user[comment_ids][]=1&user[comment_ids][]=2" server:port/users |
best fix is white-listed input. To make it so that only the user[name] param is read by ActiveRecord, change :
attr_protected :admin
|
To:
attr_accessible :name
|
This will make it so that only the name attribute matters to activerecord when params is passed to the sql query. Now, activerecord will not pay attention to any other values set inside of the params[ ] hash.
<center>