Common
IDOR in RoR
Append .json to the path if the backend is Ruby:
/user_data/2341 --> 401 Unauthorized
/user_data/2341.json --> 200 OK
Redirections
Pay attention to redirect_to. User input must never end up in it.
This URL will render a popup in Firefox and Opera:
data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4KRCE
Flows
Command Injection
eval("ruby code here")
system("os command here")
`ls -al /` # (backticks contain os command)
exec("os command here")
open("| os command here") # (leading pipe: Kernel#open runs the string as an os command)
Code Execution
open-uri
If this package is used in the code, code execution on the server side becomes possible (since it works through Kernel.open).
Example of vulnerable code:
Payloads:
Mitigation: switch to openURI.
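Added example, not code from the original page: the unsafe Kernel#open reader beside a hardened version that only hands a validated http(s) URI object to OpenURI.open_uri, so the "|command" and file:// inputs never reach Kernel#open. Function and exception names are my own.

```ruby
require 'open-uri'
require 'uri'

# VULNERABLE: Kernel#open treats a leading "|" as "run this command and read
# its output". URI.open does not fix this on its own: for strings that are not
# scheme-prefixed URIs it falls back to Kernel#open.
def read_remote_unsafe(user_input)
  open(user_input, &:read)
end

class UnsafeRemoteTarget < ArgumentError; end

# Reduce untrusted input to a URI::HTTP / URI::HTTPS object or raise.
# Anything else ("|id", "file:///etc/passwd", "/etc/passwd", ftp://, a URL
# without a host) is rejected before any I/O happens.
def remote_http_uri(user_input)
  str = user_input.to_s.strip
  uri = begin
    URI.parse(str)            # raises on characters such as "|"
  rescue URI::InvalidURIError
    raise UnsafeRemoteTarget, "not a URI: #{str.inspect}"
  end
  unless uri.is_a?(URI::HTTP) && uri.host   # URI::HTTPS < URI::HTTP
    raise UnsafeRemoteTarget, "only http(s) URLs are allowed: #{str.inspect}"
  end
  uri
end

# HARDENED: validate first, then call OpenURI.open_uri directly instead of the
# polymorphic open / URI.open, so there is no Kernel#open fallback path at all.
def read_remote_safe(user_input)
  OpenURI.open_uri(remote_http_uri(user_input), &:read)
end

# Boolean form of the check, handy for unit tests and for reviewing logged
# inputs: would this value ever be allowed to reach the network?
def safe_remote_target?(user_input)
  remote_http_uri(user_input)
  true
rescue UnsafeRemoteTarget
  false
end
```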
Unsafe Jobs
delayed jobs (e.g. ActiveJob, delayed_job) whose classes accept sensitive data via a perform or initialize method. Jobs are serialized in plaintext, so any sensitive data they accept is readable in plaintext by everyone with database access. Instead, consider passing ActiveRecord instances that handle sensitive data appropriately (e.g. encrypted at rest and decrypted only when the data is needed), or avoid passing this data in at all.
When a RegistrationJob gets queued, the job is serialized, leaving both password and authorization_token accessible in plaintext. Betterment/UnsafeJob can be configured to flag parameters like these to discourage their use. Some ways to remediate this are to stop passing in password, and to encrypt authorization_token and store it alongside the user object. For example:
By default, this cop looks at classes whose name ends with Job, but this can be replaced with any regex.
Macros & Regexp -> Dynamic Params
Render / SSTI