Ransack Library’s Search and Sort Feature Puts Ruby on Rails Applications at Risk of Information Theft
Security firm Positive Security has warned that poor integration of the Ransack library into Ruby on Rails (RoR) applications could allow attackers to steal information from backend databases.
Ransack is a popular library that allows developers to add object-based search to their Rails applications. However, its convenience and flexibility have led to security issues.
By default, Ransack supports query conditions for associated objects and also provides useful commands that can be appended to field names to filter results with operators such as ‘starts with’ or ‘contains’.
However, this feature can enable malicious actors to easily traverse associations between tables and reach data in the backend database that the search form was never meant to expose.
For example, an attacker can go from the posts table to the users table and try to guess the password hash of a user. The filtering operators enable the miscreant to speed up the process by guessing the hash value one character at a time.
A single bcrypt password hash can be extracted within a few minutes and with fewer than 2,000 requests, the Positive Security researchers found.
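The probing pattern described above leaves a recognisable trace in access logs: repeated search requests from one client whose condition key walks an association into a sensitive column and carries a 'starts with' or 'contains' predicate. The following is an added example (not code from the article or from Ransack) that parses such keys out of constructed log lines and reports clients that hit a watched attribute; the attribute names in SENSITIVE, the `user_` association and the log format are assumptions.

```ruby
require 'cgi'

# Column names worth watching. These are assumed, not from the article;
# adjust them to the application's real schema.
SENSITIVE = %w[password_digest encrypted_password reset_password_token].freeze
# The Ransack predicates the article mentions ('starts with', 'contains').
PREDICATES = %w[start cont].freeze

# Extract Ransack conditions ("q[...]") from a request path's query string.
# Returns [key, value] pairs, e.g. ["user_password_digest_start", "$2a$"].
def ransack_conditions(path)
  query = path.split('?', 2)[1] or return []
  CGI.parse(query).flat_map do |param, values|
    m = param.match(/\Aq\[(.+)\]\z/) or next []
    values.map { |v| [m[1], v] }
  end
end

# Split a condition key into [attribute path, predicate]; nil when the
# predicate is not one of the filtering operators being tracked.
def split_condition(key)
  pred = PREDICATES.find { |p| key.end_with?("_#{p}") } or return nil
  [key.delete_suffix("_#{pred}"), pred]
end

# Scan log lines of the form "<client> <path>" (constructed format) and
# report every client that filtered on a sensitive attribute at least
# `threshold` times; one-character-at-a-time extraction needs many requests.
def detect_probing(log_lines, threshold: 3)
  hits = Hash.new(0)
  log_lines.each do |line|
    client, path = line.split(' ', 2)
    ransack_conditions(path).each do |key, _value|
      parts = split_condition(key) or next
      attr_path = parts[0]
      hits[[client, attr_path]] += 1 if SENSITIVE.any? { |s| attr_path.end_with?(s) }
    end
  end
  hits.select { |_, n| n >= threshold }
      .map { |(client, attr_path), n| { client: client, attribute: attr_path, requests: n } }
end

# Constructed sample: one client walks posts -> user and filters the hash column.
SAMPLE_LOG = [
  '203.0.113.5 /posts?q[title_cont]=rails',
  '203.0.113.5 /posts?q[user_password_digest_start]=%242a%24',
  '203.0.113.5 /posts?q[user_password_digest_start]=%242a%2410',
  '203.0.113.5 /posts?q[user_password_digest_start]=%242a%2410%24',
  '198.51.100.7 /posts?q[user_name_cont]=alice'
].freeze

detect_probing(SAMPLE_LOG).each { |h| puts h.inspect } if $PROGRAM_NAME == __FILE__
```

Detection is a stopgap; the durable fix is to restrict what each model exposes through Ransack's `ransackable_attributes` and `ransackable_associations` allowlists so that association traversal into sensitive columns is refused before any query runs.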
Vulnerability confirmed in many websites
The researchers found hundreds of potentially vulnerable sites by searching for Ransack patterns in URL datasets. Although they could not verify every single candidate, they were able to confirm the vulnerability in dozens of websites.
For two of the Ruby on Rails applications they tested, the researchers were able to use Ransack to take over administrator accounts, which gave them access to all of the application’s private data.
Other popular applications that were found vulnerable include CodeOcean, Pageflow, Active Admin, and openSUSE Travel Support Program. The issue has been remediated in all of these projects apart from Active Admin, whose vendor, Tidelift, apparently failed to respond to Positive Security’s emails.
Lessons learned
Lukas Euler, managing director at Positive Security, said “Libraries and frameworks generally evolve over time to add more and more features that are often enabled by default, while also trying to keep the integration and usage for simple use cases easy for developers. As a result, developers often inadvertently integrate many more additional features and attack surface than they expect.”
The lesson, Euler says, is to always research the full feature range of the libraries and frameworks you’re using and take steps to minimize your attack surface by disabling anything you don’t need.
Source: bleepingcomputer.com