2. Chapters All DayTM
About Me
Sahil Tembhare
● Engineering Student (Computer Science and Engineering)
● Part Time Bug Bounty Hunter
● Likes to code in Ruby and Rust
● One of the OWASP Nagpur Chapter Leaders
peeper35 on and
3. Why care about Rails?
● Some of the tech giants use Rails
● Application development and configuration are so easy that the result is sometimes not easy to secure
4. Session Goals
1. Securing your Rails application
2. Keeping track of some of the CVEs and patching them
5. SQL Injection in Rails
● ORMs do not completely prevent SQL injection
There are some methods in ActiveRecord (the ORM Rails uses) that can cause SQLi; one must know these methods and use them safely.
One of these methods is:
1. delete_all() ->
params[:id] = "1) OR 1=1--"
User.delete_all("id = #{params[:id]}")
This becomes -> DELETE FROM "users" WHERE (id = 1) OR 1=1--)
which results in the deletion of all records from the users table.
The delete_all() method takes a string, array or hash argument. Strings are not escaped at all, which causes the SQL injection; the string needs to be escaped first.
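As an added example (not ActiveRecord's own code), the block below models how the string, array and hash argument forms of delete_all end up in the WHERE clause. The module name ConditionBuilder, the simplified quoting rule and the attacker-controlled id value are constructed for the illustration; the point is to see the SQL text each form produces from the same input.

```ruby
# Added illustration (not ActiveRecord's own code): a minimal model of how the
# three argument forms of delete_all end up in the WHERE clause. The quoting
# rules are a simplification of what a real SQL adapter does.
module ConditionBuilder
  module_function

  # Quote one bind value: numbers stay bare, nil becomes NULL, everything else
  # is single-quoted with embedded single quotes doubled.
  def quote(value)
    case value
    when Integer, Float then value.to_s
    when nil then "NULL"
    else "'#{value.to_s.gsub("'", "''")}'"
    end
  end

  # String form: the text is used verbatim. This is the vulnerable path from
  # the slide; any interpolated user input becomes SQL syntax.
  def from_string(sql)
    sql
  end

  # Array form: ["id = ?", value]. Each ? is replaced with a quoted value, so
  # "1) OR 1=1--" turns into the string literal '1) OR 1=1--'.
  def from_array(template, *values)
    pending = values.dup
    unless template.count("?") == pending.size
      raise ArgumentError, "expected #{template.count('?')} bind values, got #{pending.size}"
    end
    template.gsub("?") { quote(pending.shift) }
  end

  # Hash form: { id: value } becomes "id" = <quoted value>, ANDed together.
  def from_hash(conditions)
    conditions.map { |column, value| "\"#{column}\" = #{quote(value)}" }.join(" AND ")
  end

  def delete_sql(table, where)
    "DELETE FROM \"#{table}\" WHERE (#{where})"
  end
end

if __FILE__ == $PROGRAM_NAME
  id = "1) OR 1=1--"   # constructed attacker-controlled params[:id]
  puts ConditionBuilder.delete_sql("users", ConditionBuilder.from_string("id = #{id}"))
  puts ConditionBuilder.delete_sql("users", ConditionBuilder.from_array("id = ?", id))
  puts ConditionBuilder.delete_sql("users", ConditionBuilder.from_hash(id: id))
end
```

Run stand-alone, the first line printed is the slide's `DELETE FROM "users" WHERE (id = 1) OR 1=1--)`, while the array and hash forms keep the whole payload inside a quoted literal. In application code the fix is to never interpolate: `User.delete_all(["id = ?", params[:id]])` on older Rails, or `User.where(id: params[:id]).delete_all`, which is the form that remains in current Rails, where delete_all no longer accepts a conditions argument.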
6. Ruby 2.x Universal RCE Deserialization Gadget Chain
Ruby uses a gem (library) named Marshal for serialization and deserialization of objects
Deserializing untrusted data can be dangerous
ActiveSupport and ERB must already be loaded - these conditions are already satisfied by Ruby on Rails
With all these conditions satisfied, one can hunt for a gadget chain
There are gadget chains already found by researchers, based on require and autoload
Complete research on the topic: https://www.elttam.com//blog/ruby-deserialization/
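The defensive side of this slide, as an added example that is not ActiveSupport's code: a minimal signed-message scheme in the spirit of ActiveSupport::MessageVerifier. Two choices remove the deserialization risk: the payload is JSON (plain data, no object reconstruction) instead of Marshal, and the HMAC is verified before any byte of the payload is parsed. The class name SignedJson, the "--" separator and the demo secret are assumptions made for the illustration.

```ruby
require 'json'
require 'openssl'

# Added illustration, not ActiveSupport's code: a signed-message scheme that
# never calls Marshal.load on input it has not authenticated first.
class SignedJson
  SEPARATOR = "--"   # safe: strict base64 never contains "-"

  def initialize(secret)
    @secret = secret
  end

  # Serialize with JSON, base64 the bytes, append an HMAC-SHA256 over them.
  def generate(value)
    data = [JSON.generate(value)].pack("m0")
    "#{data}#{SEPARATOR}#{digest(data)}"
  end

  # Return the decoded value, or nil when the message is malformed, the MAC
  # does not match, or the payload is not valid JSON.
  def verify(message)
    data, signature = message.to_s.split(SEPARATOR, 2)
    return nil if data.nil? || signature.nil?
    return nil unless secure_compare(digest(data), signature)
    JSON.parse(data.unpack1("m0"))   # "m0" is strict base64 and raises on junk
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end

  # Constant-time comparison so the MAC cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  verifier = SignedJson.new("constructed-demo-secret")
  token = verifier.generate({ "user_id" => 42 })
  puts token
  p verifier.verify(token)          # {"user_id"=>42}
  p verifier.verify(token + "x")    # nil: signature no longer matches
end
```

The order of operations is the whole point: the MAC check runs on the encoded bytes, and only a message that passes it is ever decoded, so a forged or tampered blob never reaches a deserializer at all. In a Rails application the equivalent setting is the `serializer: JSON` option of ActiveSupport::MessageVerifier, which avoids Marshal for the payload.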
7. Easy RCE in the MiniMagick gem
Vulnerable versions - before 4.9.4
Fetching a remote image could cause remote code execution using just a single | (pipe)
Image.open from the MiniMagick library takes its input and passes it directly to Kernel#open,
and Kernel#open accepts a pipe character | followed by a command.
Reference to the CVE: https://twitter.com/VulmonFeeds/status/1149556950364856320
8. CVE-2019-5418 - File Content Disclosure
Affected versions: All
Fixed in: 6.0.0.beta3
File Content Disclosure in ActionView
The render method in ActionView causes this vulnerability
render file: does not properly validate the accepted file format
The impact is limited to calls to render
CVE reference:
https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/ruby-on-rails-file-content-disclosure-cve-2019-5418/
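The two slides above share a root cause: a caller-supplied name handed to an opener that trusts it (Kernel#open on the MiniMagick slide, render file: on this one). The block below is an added example, not MiniMagick or ActionView code, of how to open such a name safely: it uses File.open, which has no "|command" mode, and it keeps the resolved real path inside a fixed base directory so "../" and symlinks cannot escape it. The class name SafeFileStore and the sample files are assumptions made for the illustration.

```ruby
require 'pathname'
require 'tmpdir'

# Added illustration, not MiniMagick or ActionView code. Opens a caller-supplied
# file name under a fixed base directory without ever reaching Kernel#open:
#   1. File.open has no "|command" mode, so a pipe prefix is just a file name
#      (it is rejected up front anyway, as are absolute paths and NUL bytes);
#   2. the resolved real path must stay inside the base directory, which
#      defeats "../" sequences and symlinks that point outside it.
class SafeFileStore
  class Rejected < StandardError; end

  def initialize(base_dir)
    @base = Pathname.new(base_dir).realpath
  end

  # Resolve `name` to an absolute Pathname inside the base dir, or raise Rejected.
  def resolve(name)
    str = name.to_s
    raise Rejected, "NUL byte in name" if str.include?("\0")
    raise Rejected, "pipe prefix (Kernel#open would run a command)" if str.start_with?("|")
    raise Rejected, "absolute path" if Pathname.new(str).absolute?
    candidate = @base + str
    raise Rejected, "no such file" unless candidate.file?
    real = candidate.realpath
    raise Rejected, "escapes base directory" unless inside_base?(real)
    real
  end

  # Read the file's bytes. File.open never interprets the name as a command.
  def read(name)
    File.open(resolve(name), "rb", &:read)
  end

  private

  def inside_base?(path)
    path.to_s.start_with?(@base.to_s + File::SEPARATOR)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "cat.png"), "constructed image bytes")
    store = SafeFileStore.new(dir)
    puts store.read("cat.png")
    %w[|id ../../etc/passwd /etc/passwd].each do |bad|
      begin
        store.read(bad)
      rescue SafeFileStore::Rejected => e
        puts "rejected #{bad.inspect}: #{e.message}"
      end
    end
  end
end
```

For a remote image the same rule applies in the other direction: fetch it with an HTTP client (Net::HTTP or URI.open from open-uri) rather than Kernel#open, and write the response body into a directory like this one before handing it to any image library.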
9. SSRF in Ruby's native Resolver
CVE-2017-0904
SSRF filters can be bypassed using Resolv.getaddresses
Resolv.getaddresses is completely OS dependent
Playing around with IPs can give blank values
Resolv.getaddresses("127.0.0.1") -> ["127.0.0.1"] ~ expected result
Resolv.getaddresses("127.000.000.1") -> [] ~ unexpected result
require 'resolv'
uri = "0x7f.1" # "0x7f.1"
server_ips = Resolv.getaddresses(uri) # [] ~ the bug here
blocked_ips = ["127.0.0.1", "::1", "0.0.0.0"] # ["127.0.0.1", "::1", "0.0.0.0"]
(blocked_ips & server_ips).any? # false ~ bypassed the filter
(Code snippet taken from the reference site)
Full reference: https://edoverflow.com/2017/ruby-resolv-bug/
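The snippet above fails open: an empty resolver answer intersects with nothing, so the check passes. As an added example (not the reference site's code), the block below is a fail-closed rewrite of that filter. It parses every address strictly with IPAddr, which refuses shorthand such as "0x7f.1", treats an empty or unparseable answer as a denial, and checks ranges rather than a handful of literal strings. The module name SsrfGuard, the deny list and the injectable resolver (so the check runs without DNS) are assumptions made for the illustration.

```ruby
require 'ipaddr'
require 'resolv'

# Added illustration (not the reference site's code): a fail-closed version of
# the SSRF filter from the slide.
module SsrfGuard
  module_function

  # Constructed deny list; extend it for your own network. The link-local block
  # covers cloud metadata endpoints such as 169.254.169.254.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    169.254.0.0/16 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Default resolver is exactly what the vulnerable snippet used.
  DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

  # Strict parse; returns nil for anything IPAddr will not accept, so odd
  # spellings cannot slip through as "unknown, therefore allowed".
  def strict_ip(str)
    ip = IPAddr.new(str)
    ip.ipv4_mapped? ? ip.native : ip   # ::ffff:127.0.0.1 -> 127.0.0.1
  rescue ArgumentError   # IPAddr::InvalidAddressError is a subclass
    nil
  end

  def blocked_ip?(ip)
    BLOCKED_RANGES.any? { |range| range.family == ip.family && range.include?(ip) }
  end

  # A host is allowed only when it maps to at least one address, every address
  # parses strictly, and none falls in a blocked range. An empty resolver answer
  # (the Resolv quirk on the slide) is therefore a denial, not a pass.
  def allowed_destination?(host, resolver: DEFAULT_RESOLVER)
    literal = strict_ip(host)
    addresses = literal ? [literal] : resolver.call(host).map { |a| strict_ip(a) }
    return false if addresses.empty? || addresses.any?(&:nil?)
    addresses.none? { |ip| blocked_ip?(ip) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed resolver answers so the demo runs offline; "0x7f.1" mirrors the
  # empty result observed on the slide.
  stub = ->(host) { { "0x7f.1" => [], "localhost" => ["127.0.0.1"] }.fetch(host, []) }
  %w[0x7f.1 localhost 127.000.000.1 ::ffff:127.0.0.1].each do |host|
    puts "#{host.ljust(18)} allowed? #{SsrfGuard.allowed_destination?(host, resolver: stub)}"
  end
end
```

Two details matter beyond the empty-answer case: a name that resolves to several addresses is denied if any one of them is internal, and IPv4-mapped IPv6 literals are normalised before the range check, so "::ffff:127.0.0.1" is treated as 127.0.0.1. Resolving once here and then letting the HTTP client resolve again still leaves a DNS-rebinding window; pin the connection to the address that was checked where the client allows it.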
11. References and Further Reading
● https://rails-sqli.org/
● https://www.elttam.com//blog/ruby-deserialization/
● https://twitter.com/VulmonFeeds/status/1149556950364856320
● https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/ruby-on-rails-file-content-disclosure-cve-2019-5418/
● https://www.youtube.com/watch?v=HNyrUS1lsIE
● https://edoverflow.com/2017/ruby-resolv-bug/
● https://hackerone.com/rails/hacktivity
● https://www.youtube.com/watch?v=AFOlxqQCTxs
● http://guides.rubyonrails.org/security.html
● https://github.com/OWASP/railsgoat
12. Rails Security Checklist
Let CanCanCan handle the authorization model in your app -
https://github.com/CanCanCommunity/cancancan
Devise for the authentication part -
https://github.com/heartcombo/devise
protect_from_forgery with: :exception on sensitive controller actions
etc...
Further reading: https://guides.rubyonrails.org/security.html