Thursday, January 3, 2013

Rails Security Digest. 'params' Case

On HN
Old tricks, new workarounds. In this post I gave mitigation advice and some explanation of WTH IS GOING ON.

1. https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
The issue can be mitigated by explicitly converting the parameter to an expected value.  For example, change this:
  Post.find_by_id(params[:id])
to this:
  Post.find_by_id(params[:id].to_s)
HOW CAN I USE IT?

You need to send keys as symbols! It's not that easy. While you can use symbols in HashWithIndifferentAccess, those symbols params[:id][:symbol] is not the case - only 'symbol' key will be used by find_by_* method.

2. Maybe put poisoned payload in your session cookie?
Tenderlove explains:
>However, this exploit does not require session secrets. The person who wrote the blog post wrote about essentially two vulnerabilities: session forging and SQL injection.
You will need to know session_secret, which is hard to steal. Forget about it.

3. Maybe craft poisoned payload in params? Normal application/x-www-form-urlencoded won't work, because keys are strings. JSON decodes to strings either. params is always HWIA. Injection is never going to happen through params[:id]


2 comments:

  1. any comments on 3.2.11?

    ReplyDelete
    Replies
    1. I knew about 'making instances of any object with any args' but sorry I haven't found all platform PoC.
      we just need Object that will execute arbitary code from args in initialize..

      Delete