From NetSec
Revision as of 00:37, 19 October 2011

RoR Patching

Vulnerabilities

The standard web-application vulnerabilities, XSS, SQL injection, session hijacking, and data tampering, all afflict Ruby on Rails. A less commonly known and less often discussed one is called Mass Assignment Abuse.


XSS

Standard XSS is possible, and session hijacking via cookies is possible. Be sure to escape your database inputs as well as your cookies against XSS.

Vulnerable code:

<syntaxhighlight lang="ruby">
<%= comment.content %>
<%= sanitize(comment.content) %>
</syntaxhighlight>

Patched code:

<syntaxhighlight lang="ruby">
<%= h(comment.content) %>
</syntaxhighlight>


on output, OR

<syntaxhighlight lang="ruby">
CGI::escapeHTML(user_input)
</syntaxhighlight>


on input.

The code below:

<syntaxhighlight lang="ruby">
<%= comment.content %>
<%= sanitize(comment.content) %>
</syntaxhighlight>

is vulnerable because sanitize() only strips HTML tags; it does not protect your program from JavaScript injection. The h() function does.

Params Injection & Mass Assignment Abuse

Params cannot be trusted. SQL injection can still occur, but it is rare in Ruby on Rails; it can be fuzzed for just like any other SQL injection vulnerability.

Params injection: curl can be used to POST a request and can specify params. Example hash manipulation:

 curl -d "user[name]=hacker&user[admin]=1" server:port/users

Vulnerable code:

<syntaxhighlight lang="ruby">
@user = User.new(params[:user])  # every key in params[:user] is assigned, including admin
</syntaxhighlight>


Patched code:

<syntaxhighlight lang="ruby">
attr_protected :admin  # blacklist: admin can no longer be set by mass assignment
</syntaxhighlight>


Best patch:

<syntaxhighlight lang="ruby">
attr_accessible :name  # whitelist: only name may be set by mass assignment
</syntaxhighlight>


More vulnerable code:

<syntaxhighlight lang="ruby">
has_many :comments  # also defines comment_ids=, which mass assignment can reach
</syntaxhighlight>


curl can be used to take over comments or posts by assigning their ids to the attacker's user. Example:

 curl -d "user[name]=hacker&user[admin]=1&user[comment_ids][]=1&user[comment_ids][]=2" server:port/users

The best fix is white-listed input. To make it so that only the user[name] param is read by ActiveRecord, change:

<syntaxhighlight lang="ruby">
attr_protected :admin
</syntaxhighlight>

to:

<syntaxhighlight lang="ruby">
attr_accessible :name
</syntaxhighlight>


With this, only the name attribute is honoured by ActiveRecord when the params hash is passed to the model; ActiveRecord ignores every other key set inside the params[] hash, including admin and comment_ids.
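The following is an added example, not code from this wiki page or from Rails itself: a plain-Ruby stand-in for ActiveRecord's attr_protected (blacklist) and attr_accessible (whitelist) filtering, run against the form body from the curl example above. The parser, the Model class and the three User classes are hypothetical names chosen for this example; the request body is constructed.

```ruby
require 'cgi'

# Parse a form body of the shape the curl examples send, e.g.
# user[name]=x&user[admin]=1&user[comment_ids][]=1, into a Hash.
# Hypothetical helper; in Rails this is done by Rack before params is built.
def parse_user_params(body)
  params = {}
  body.split('&').each do |pair|
    key, value = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    m = key.match(/\Auser\[(\w+)\](\[\])?\z/)
    next unless m
    attr, is_array = m[1], m[2]
    if is_array
      (params[attr] ||= []) << value
    else
      params[attr] = value
    end
  end
  params
end

# Minimal stand-in for ActiveRecord mass assignment: every key in the params
# hash becomes an attribute unless a blacklist or whitelist filters it out.
class Model
  def self.attr_protected(*names); @protected = names.map(&:to_s); end
  def self.attr_accessible(*names); @accessible = names.map(&:to_s); end
  def self.protected_attrs; @protected || []; end
  def self.accessible_attrs; @accessible; end

  def self.assignable?(name)
    return accessible_attrs.include?(name) if accessible_attrs # whitelist wins
    !protected_attrs.include?(name)                            # else blacklist
  end

  attr_reader :attributes

  def initialize(params = {})
    @attributes = params.select { |k, _| self.class.assignable?(k) }
  end
end

class UnprotectedUser < Model; end                      # User.new(params[:user])
class BlacklistUser < Model; attr_protected :admin; end  # still lets comment_ids through
class WhitelistUser < Model; attr_accessible :name; end  # only name survives

# Constructed request body, identical to the page's second curl example.
BODY = 'user[name]=hacker&user[admin]=1&user[comment_ids][]=1&user[comment_ids][]=2'

def assigned_attributes(klass, body = BODY)
  klass.new(parse_user_params(body)).attributes
end
```

Running assigned_attributes on each class shows the blacklist still assigns comment_ids while the whitelist keeps only name.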