Ruby on Rails apps vulnerable to data theft through Ransack search

Several applications have been found vulnerable to brute-force data extraction attacks, with hundreds more potentially at risk.


UPDATED: Poor implementation of the Ransack library in Ruby on Rails (RoR) applications could enable attackers to extract data from backend databases, according to a warning issued by security firm Positive Security.

Ransack provides developers with the ability to incorporate object-based search capabilities into their Rails applications. While its flexibility and ease of use have contributed to its popularity, these same qualities have been flagged as security risks.

Navigating Objects via Search

By default, Ransack enables queries that can include conditions about related objects. For instance, a query that displays blog posts can also incorporate information about the post’s author through its relationship with the blog entry.

Additionally, Ransack includes useful predicates for refining results, such as ‘starts with’ or ‘contains’. However, when these capabilities are exposed to unchecked user input, they can allow an attacker to traverse model associations and reach data in other backend database tables.

For example, an attacker could exploit this to navigate from the posts table to the users table, attempting to deduce the password hash of a user. The filtering commands can facilitate rapid guessing by allowing an attacker to evaluate the hash value one character at a time. Positive Security researchers determined that a single bcrypt password hash could be compromised within minutes and with fewer than 2,000 requests.
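The mechanism described above comes down to one question: which attribute paths and predicates may a caller reference? The following is an added example, not code from the article or from the Ransack project. It models the condition keys Ransack accepts (`<attribute path>_<predicate>`, where the path may cross an association such as `author_encrypted_password`) and applies an allowlist to them, so the difference between an unrestricted `Model.ransack(params[:q])` call and a restricted one can be seen without a Rails install. The predicate names are real Ransack predicates; the `ALLOWLIST` contents, the sample query and the helper names are assumptions made for the illustration.

```ruby
# Added example (not from the article or the Ransack project): a minimal model of
# the attribute/association allowlist that a Ransack-backed search needs.
#
# Ransack condition keys look like "<attribute path>_<predicate>". The path may
# cross associations ("author_encrypted_password"), which is exactly what lets
# an unrestricted search walk from posts to users and probe a hash with
# "starts with" one character at a time.

# Subset of real Ransack predicate suffixes, negated forms first so that
# "not_start" is matched before "start".
PREDICATES = %w[
  not_start not_end not_cont not_eq not_in not_null
  start end cont eq in lt lteq gt gteq null present blank matches
].freeze

# Hypothetical allowlist for a blog app (assumption): posts may be searched on
# title and body, and the only exposed association is author -> name.
ALLOWLIST = {
  attributes: %w[title body],
  associations: { 'author' => %w[name] }
}.freeze

# Split "author_encrypted_password_start" into ["author_encrypted_password", "start"].
# Returns nil when no known predicate suffix is present.
def split_predicate(key)
  PREDICATES.each do |pred|
    suffix = "_#{pred}"
    return [key.delete_suffix(suffix), pred] if key.end_with?(suffix)
  end
  nil
end

# True only if the path names an allowlisted column of the base model or an
# allowlisted column of an allowlisted association.
def allowed_path?(path, allowlist)
  return true if allowlist[:attributes].include?(path)
  allowlist[:associations].any? do |assoc, cols|
    path.start_with?("#{assoc}_") && cols.include?(path.delete_prefix("#{assoc}_"))
  end
end

# Filter a Ransack-style params hash. Returns [accepted, rejected] so a caller
# can pass the safe subset on and log the keys it dropped.
def filter_ransack_params(params, allowlist = ALLOWLIST)
  accepted = {}
  rejected = {}
  params.each do |key, value|
    key = key.to_s
    # The sort key "s" carries "<attribute path> <direction>" and allows the
    # same association traversal, so it gets the same check.
    if key == 's'
      path = value.to_s.split(' ').first.to_s
      (allowed_path?(path, allowlist) ? accepted : rejected)[key] = value
      next
    end
    parsed = split_predicate(key)
    if parsed && allowed_path?(parsed[0], allowlist)
      accepted[key] = value
    else
      rejected[key] = value
    end
  end
  [accepted, rejected]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample query: an ordinary search alongside the kind of
  # association traversal the researchers describe.
  sample = {
    'title_cont' => 'rails',
    'author_name_eq' => 'alice',
    'author_encrypted_password_start' => '$2a$12$A',
    's' => 'author_reset_password_token desc'
  }
  accepted, rejected = filter_ransack_params(sample)
  puts "accepted: #{accepted.keys.inspect}"
  puts "rejected: #{rejected.keys.inspect}"
end
```

Running the sample keeps `title_cont` and `author_name_eq` and drops both the `encrypted_password` probe and the sort on `reset_password_token`. In a real application the equivalent control lives in the library itself: Ransack models can define `ransackable_attributes` and `ransackable_associations` class methods to return exactly such allowlists, and logging the rejected keys gives a simple detection signal for traversal attempts against a public search endpoint.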


“This represents a feature, but the concern lies in how web applications implement this feature, particularly in invoking the Ransack search function with unrestricted user inputs,” stated Lukas Euler, managing director at Positive Security. “The library documentation explicitly supports this method of library use.”

A recent notice was introduced in the Ransack documentation, alerting users that “searching and sorting are permissible on any column of your model.” This caution was added following public discussions about the vulnerabilities on GitHub.

Exploiting Ransack Search in the Field

Researchers discovered numerous potentially vulnerable sites by searching for Ransack query patterns within URL datasets. Although not all candidates could be verified, the vulnerability was confirmed on several websites.

“We typically exploited the issue by leveraging a publicly available search function to trace association chains from the searchable data class to sensitive attributes of the user class,” Euler recounted.

Alarmingly, one significant finding revealed that Ransack could be used to take control of administrator accounts. For instance, on fablabs.io, a platform for sharing scientific knowledge, Ransack search queries could provide access to the superadmin user’s password reset token; this token did not expire, allowing its reuse due to another design oversight.


“Access to administrator accounts facilitated our ability to read and manipulate all private data of the applications tested,” Euler mentioned.

Other well-known applications identified as vulnerable include CodeOcean, Pageflow, Active Admin, and openSUSE Travel Support Program.

While remediation has occurred for the majority of these projects, it appears that Active Admin has yet to respond to Positive Security’s outreach regarding the issue as of the publication of their report.

Nonetheless, a representative from Tidelift later addressed our inquiries regarding the flaw, affirming that the maintainer of Ransack is actively working on an update to modify the default behavior and is engaging in discussions with the bug reporter.

Other Vulnerable Technologies

In prior investigations, researchers detected similar vulnerabilities in applications utilizing Hasura, a GraphQL server platform. They successfully extracted admin session tokens through complex association chains across various objects.

“Libraries and frameworks tend to evolve to incorporate more features by default while also aiming to simplify integration and use for basic scenarios,” Euler explained. “Consequently, developers may unintentionally integrate an increased attack surface and additional functionalities than they anticipated.”

The takeaway, as stated by Euler, is to thoroughly research the full range of features offered by the libraries and frameworks employed and to take precautions to minimize the attack surfaces by disabling unnecessary features.

“This issue is not limited to Ruby on Rails, but RoR may be more susceptible to such problems because of its focus on ‘Convention over Configuration’ and providing powerful features through simple API interfaces,” Euler concluded.

This article was revised on February 1 to include a statement from Tidelift about remediation efforts concerning the Ransack and Active Admin security issue.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/ruby-on-rails-apps-vulnerable-to-data-theft-through-ransack-search
