Vulnerability Wrap-up:

This is a intentionally broken Ruby on Rails application, developed for learning

Spoilers Ahead! Close this page if you don't want to cheat!
  1. SQLi exists on the search field on the users page. (' or 1=1 or ') Rails 3 has specific ways to sanitize input. The first 3 below will properly sanitize input, using bind variables/parameterized queries but the last query will not and takes direct insertion. That was used for the example.
    • User.all(:conditions => ['email = ?', params[:search]])
    • User.all(:conditions => { :email => params[:search] })
    • User.all(:conditions => { :email = ?, params[:search] })
    • (ignore that backslash after the #, escaping issues)

      User.all(:conditions => email = #\{params[:search]}

    • See More Here
  2. If you are able to inject in the previous example, you can get the database to dump the entire users table with the database-stored session token. If you edit your cookies and change the remember_token cookie to the new value, you can hijack any other users session
  3. The settings page has a text area that allows you to input information about yourself and use basic html tags. This creates a stored XSS vulnerability. Generally rails will automatically sanitize any output unless you tell it not to. I told it not to here and it dumps it out as raw data.
  4. File upload vulnerabilities. illustrates vulnerability when original files are left in temp directories or uploaded to rails_root/public/upload. Can be accessed by just guessing the URL.
  5. Mass assignment vulnerability occurs when the controller is allowed to accept all parameters from a CRUD action. Generally many applications allow all fields to be mass assigned because its easier to CRUD using params[:params]. This vulnerability/exploit became famous a few months ago: https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation.

  6. Mitigation: You can control which fields are mass assigned by using the attr_accessible option in your models, anything not in attr_accessible will throw an error saying they can't be mass assigned. I allowed an admin field to be mass assigned, so this exploit will allow for the creation of a brand new user with the admin option set to true (boolean). :

    curl -d   "user[email]=cyclone00000@cyclonetransfers.com&user[password]=foobar&user[password_confirmation]=foobar&user[name]=John%20Smith&user[admin]=true" localhost:3000/users
  7. The creation of an admin user will allow you to see every transaction that has happened on cyclone transfers.