Common
IDOR in RoR
Добавление .json к пути, если у нас Ruby
/user_data/2341 --> 401 Unauthorized
/user_data/2341.json --> 200 OK
Redirections
Обращать внимание на redirect_to
. Пользовательский ввод не должен попадать сюда.
? Этот URL приведет к отрисовке формочки в Firefox и Opera:
data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
RCE Flows
Command Injection
eval("ruby code here")
system("os command here")
`ls -al /` # (backticks contain os command)
exec("os command here")
open("\| os command here")
Code Execution
class_eval <<-RUBY, __FILE__, __LINE__ + 1
def #{item}?
code == '#{item.upcase}'
end
RUBY
open-uri
Если используется в коде этот пакет, то есть возможность исполнить код на стороне сервера (так как используется внутри Kernel.open)
Пример кода уязвимого
require "open-uri"
open(params[:url]) { |f|
f.each_line {|line| p line}
}
Payloads:
url = "|ls"
# open(params[:url]) if param[:url] =~ /^https:// , то сработает так:
url = "|touch n;\nhttps://url.com" # Почему? читай про broken Regexp (use \A\z) в Ruby: https://homakov.blogspot.com/2012/05/saferweb-injects-in-various-ruby.html
# Если так: open(URI(params[:url])) -> Local File Read
url = "/etc/passwd"
# open(params[:url]) if URI(params[:url]).scheme == 'http'
url = "http:/../../../../../../../etc/passwd"
Mitigation: переходить на openURI
.
Unsafe Jobs
delayed jobs (e.g. ActiveJob, delayed_job) whose classes accept sensitive data via a perform
or initialize
method. Jobs are serialized in plaintext, so any sensitive data they accept will be accessible in plaintext to everyone with database access. Instead, consider passing ActiveRecord instances that appropriately handle sensitive data (e.g. encrypted at rest and decrypted when the data is needed) or avoid passing in this data entirely.
class RegistrationJob < ApplicationJob
def perform(user:, password:, authorization_token:)
# do something to the user with the password and authorization_token
end
end
When a RegistrationJob
gets queued, this job will get serialized, leaving both password
and authorization_token
accessible in plaintext. Betterment/UnsafeJob
can be configured to flag parameters like these to discourage their use. Some ways to remediate this might be to stop passing in password
, and to encrypt authorization_token
and storing it alongside the user object. For example:
class RegistrationJob < ApplicationJob
def perform(user:)
authorization_token = user.authorization_token.decrypt
# do something with the authorization_token
end
end
By default, this job will look at classes whose name ends with Job
but this can be replaced with any regex.
Macros & Regexp -> Dinamic Params
%w(one two three)
%i(one two three)
%r{(\w+)-(\d+)}
"#{p}_name"
Render / SSTI
render <user_input>
ERB: <%= 7 * 7 %>
SLIM: #{ 7 * 7 }
Ищем raw, html_safe, safe_concat
Last updated