Ben Dixon Jan 26, 2023 17:27 UTC
Update: Jan 26, 2023 17:33 UTC
Some applications were vulnerable to brute force attacks. Hundreds more could be at risk
Poor integration of the Ransack library into Ruby on Rails (RoR) applications could allow attackers to steal information from backend databases, security firm Positive Security has warned.
Ransack allows developers to add object-based search to Rails applications. Its convenience and flexibility have led to its widespread use, and also to problems, at least from a security perspective.
Object traversal by search
By default, Ransack supports query conditions on associated objects. For example, if you are querying on a page that lists blog posts, you can include a condition on the author of the post through the post's association with the author object.
Ransack also supports very useful predicates that can be appended to field names to filter results with operators such as ‘starts with’ and ‘contains’. However, exposing this feature without guardrails could allow attackers to traverse associations with ease and reach sensitive data in the backend database.
For example, an attacker could move from the posts table to the users table and try to guess a user’s password hash. The filtering operators allow an attacker to speed up the process by guessing the hash value one character at a time. Positive Security researchers found that a single bcrypt password hash can be extracted within minutes with fewer than 2,000 requests.
“It’s a feature, and the problem is how the web application uses this feature: calling the Ransack search function with unlimited user input as parameters,” Lukas Euler, managing director of Positive Security, told The Daily Swig. “However, the library’s documentation explicitly recommends how to use this library.”
A warning was recently added to Ransack’s documentation to alert users that “searching and sorting on any column of the model is allowed”. This warning was added after a public discussion of the issue started on GitHub.
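The guardrail the documentation recommends is an allowlist: decide per model which attributes may be searched and which associations may be traversed, and reject everything else before it reaches the database. In Ransack itself this is done by defining the `ransackable_attributes` and `ransackable_associations` class methods on each model. The following is an added, self-contained Ruby example (not code from the article or from the Ransack project) that parses Ransack-style condition keys and applies such an allowlist; the `SCHEMA` and `SAMPLE_QUERY` values are constructed for illustration.

```ruby
# Ransack condition keys have the shape "<association chain>_<attribute>_<predicate>",
# e.g. "author_password_digest_start". With no allowlist, a search on posts can
# follow the "author" association into users.password_digest and test one
# prefix at a time. This checker walks the chain and denies anything not allowed.

PREDICATES = %w[eq not_eq cont not_cont start end lt lteq gt gteq in present blank null].freeze

# Constructed allowlist: searchable attributes and traversable associations per model.
# The users model deliberately exposes only "name", never password or token columns.
SCHEMA = {
  "post" => { attributes: %w[title body created_at], associations: { "author" => "user" } },
  "user" => { attributes: %w[name], associations: {} },
}.freeze

# Split "title_cont" into ["title", "cont"]. Longest predicate is tried first,
# so "x_not_eq" is read as predicate "not_eq", not "eq".
def split_predicate(key)
  pred = PREDICATES.sort_by { |p| -p.length }.find { |p| key.end_with?("_#{p}") }
  pred && [key[0...-(pred.length + 1)], pred]
end

# Resolve a field against the schema, following allowed associations only.
# Returns [:attribute, model, name] when the target is searchable, [:denied, ...] otherwise.
def resolve(model, field)
  spec = SCHEMA.fetch(model)
  return [:attribute, model, field] if spec[:attributes].include?(field)
  spec[:associations].each do |assoc, target|
    next unless field.start_with?("#{assoc}_")
    return resolve(target, field[(assoc.length + 1)..])
  end
  [:denied, model, field]
end

def condition_allowed?(model, key)
  field, _pred = split_predicate(key)
  return false unless field
  resolve(model, field).first == :attribute
end

# Partition a params hash into [allowed, rejected]; only the allowed part should be
# passed on to the search. Rejected keys are worth logging as a probing signal.
def sanitize_query(model, params)
  params.partition { |k, _| condition_allowed?(model, k) }.map(&:to_h)
end

# Constructed query in the shape the article describes: a legitimate title filter
# plus attempts to guess the author's bcrypt hash and reset token prefixes.
SAMPLE_QUERY = {
  "title_cont" => "rails",
  "author_name_eq" => "alice",
  "author_password_digest_start" => "$2a$12$",
  "author_reset_password_token_start" => "abc",
}.freeze

allowed, rejected = sanitize_query("post", SAMPLE_QUERY)
puts "allowed: #{allowed.keys.inspect}, rejected: #{rejected.keys.inspect}"
```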
Exploiting Ransack search in the wild
The researchers found hundreds of potentially vulnerable sites by searching for Ransack patterns in URL datasets. While they were unable to verify every candidate, they confirmed vulnerabilities on dozens of websites.
“A common pattern we used in exploiting this issue was to use the exposed search functionality to look for association chains from searchable data classes to sensitive attributes in the application’s user classes.” says Euler.
Their most disturbing discovery was the ability to hijack administrator accounts using Ransack. For example, on fablabs.io, a platform for sharing scientific knowledge, a Ransack search query could potentially expose the password reset tokens of superadmin users (and, due to another poor design decision, those tokens did not expire and could be reused).
“Having access to the admin user account made it easy to read and manipulate all of the application’s private data for the two Ruby on Rails applications we tested,” says Euler.
Other common applications confirmed vulnerable include CodeOcean, Pageflow, Active Admin and openSUSE Travel Support Program.
The issue has been fixed in all of these projects except Active Admin, whose vendor Tidelift did not appear to respond to Positive Security’s email. However, a Tidelift representative did reply to an email about the flaw, saying they were not aware of the issue and would look into it.
Other vulnerable technologies
In previous work, the researchers found similar problems in applications using Hasura, a GraphQL server platform. There, they were able to extract the admin session token through a multi-step association chain across various objects.
“Libraries and frameworks generally evolve over time to add features that are often enabled by default. They also keep integration and usage for simple use cases easy for developers. We are trying to do that,” said Euler. “As a result, developers often inadvertently integrate more additional features and attack surfaces than expected.”
According to Euler, the lesson is to always explore the full functional scope of the libraries and frameworks you use and take steps to minimize your attack surface by disabling what you don’t need.
“This is not specific to Ruby on Rails, but RoR is more about ‘convention than configuration’ and makes more powerful features available behind a simple API interface than other frameworks. It can be prone to problems like this,” Euler said.