A number of applications have been identified as susceptible to brute-force attacks, and there is a possibility that many more may be at risk.
UPDATED Security firm Positive Security has issued a warning regarding poor integration of the Ransack library into Ruby on Rails (RoR) applications, which could allow attackers to extract sensitive information from backend databases.
The Ransack library facilitates the addition of object-based search capabilities to Rails applications. While it offers significant convenience and flexibility, it presents potential security issues.
Object Traversal Through Search Functionality
By default, Ransack enables query conditions for associated objects. For instance, when querying a page featuring blog entries, developers can incorporate conditions related to the post’s author via its link to the blog object.
Furthermore, Ransack supports predicates that can be appended to field names to filter results with operators such as ‘starts with’ or ‘contains’. Absent proper safeguards, these features allow an attacker to traverse object associations and reach data in the backend database that the search was never meant to expose.
An attacker could traverse from the posts table to the users table and recover a user’s hashed password. The filtering operators make this practical, because they allow the hash to be guessed one character at a time. Researchers from Positive Security established that a single bcrypt password hash can be compromised in just a few minutes and with fewer than 2,000 requests.
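As an added illustration (not code from the article, Positive Security or the Ransack project) of the association traversal described above and of the allowlisting that prevents it: a plain-Ruby model of how a Ransack-style search key is resolved through associations, comparing a permissive schema with an allowlisted one in the spirit of Ransack's ransackable_attributes and ransackable_associations. Model names, columns and search keys are constructed.

```ruby
# Added example, not code from the article, Positive Security or Ransack:
# a plain-Ruby model of how a Ransack-style search key is resolved through
# associations, and of the allowlist check that stops the traversal.
# "author_name_cont" => chain ["author"], attribute "name", predicate "cont".

PREDICATES = %w[eq start end cont in lt lteq gt gteq present null].freeze

# Permissive schema (constructed): every column and association is
# searchable, so a key can walk from posts into the users table.
PERMISSIVE = {
  "Post" => { attrs: %w[title body created_at], assocs: { "author" => "User" } },
  "User" => { attrs: %w[name email password_digest reset_token],
              assocs: { "posts" => "Post" } }
}.freeze

# Hardened schema (constructed): only what a public search needs, the idea a
# Rails app expresses through ransackable_attributes / ransackable_associations.
ALLOWLISTED = {
  "Post" => { attrs: %w[title body created_at], assocs: { "author" => "User" } },
  "User" => { attrs: %w[name], assocs: {} }
}.freeze

# Strip the predicate suffix, longest name first so "lteq" beats "eq".
def split_predicate(key)
  pred = PREDICATES.sort_by { |p| -p.length }.find { |p| key.end_with?("_#{p}") }
  pred && [key.delete_suffix("_#{pred}"), pred]
end

# Walk the remaining key through the schema one association at a time.
# Returns [chain, attribute, predicate], or nil if any hop is not allowed.
def resolve(schema, model, rest, pred, chain = [])
  entry = schema.fetch(model)
  return [chain, rest, pred] if entry[:attrs].include?(rest)
  entry[:assocs].each do |name, target|
    next unless rest.start_with?("#{name}_")
    hit = resolve(schema, target, rest.delete_prefix("#{name}_"), pred, chain + [name])
    return hit if hit
  end
  nil
end

# true only if the key names an allowlisted column, reached via allowlisted
# associations, and ends in a known predicate.
def allowed?(schema, model, key)
  rest, pred = split_predicate(key)
  !!(rest && resolve(schema, model, rest, pred))
end

puts allowed?(ALLOWLISTED, "Post", "author_password_digest_start") # false: blocked at "User"
```

With the permissive schema the same key resolves to the users table's password column, which is the traversal the researchers describe; the allowlisted schema rejects it at the first hop into User.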
“The issue lies not with the feature itself but with web application implementations that invoke the Ransack search function using unrestricted user input,” stated Lukas Euler, managing director at Positive Security, in a report for The Daily Swig. “Significantly, the library documentation encourages this usage.”
A cautionary notice was recently added to the Ransack documentation, emphasizing that “searching and sorting can be performed on any column of your model.” This note followed a public discussion surrounding this concern on GitHub.
Exploitation of Ransack Searches
The researchers successfully identified hundreds of potentially vulnerable sites by examining URL datasets for Ransack patterns. While unable to validate every instance, they confirmed vulnerability in numerous websites.
“Our common approach when exploiting this vulnerability involved using a publicly exposed search feature to trace association chains from the searchable data class to sensitive attributes within the application’s user class,” Euler shared.
The most alarming discovery was that Ransack could be used to compromise administrator accounts. For instance, on the platform fablabs.io, Ransack search queries could expose superadmin password reset tokens, which remained valid because they never expired.
“Accessing administrator accounts permitted us to easily read and manipulate all private data across two Ruby on Rails applications we examined,” Euler added.
Other notable applications identified as vulnerable include CodeOcean, Pageflow, Active Admin, and openSUSE Travel Support Program.
While most of these issues have been addressed, it appears that Active Admin has not yet resolved its concerns. Tidelift, the vendor associated with Active Admin, reportedly did not respond to Positive Security’s queries as of the time of publication.
Later, a Tidelift representative acknowledged the problem, stating that the maintainer of Ransack is working on an update to modify its default behavior and is actively communicating with the bug reporter.
Vulnerabilities in Other Technologies
Previous investigations uncovered comparable issues in applications utilizing Hasura, a GraphQL server platform, where the researchers were able to extract admin session tokens through a series of associated chains across different objects.
“Libraries and frameworks tend to evolve over time, introducing numerous features that are often activated by default. They also aim to maintain ease of integration and usage for basic use cases,” Euler explained. “Consequently, developers may inadvertently introduce expanded features and a larger attack surface than intended.”
Euler emphasizes the importance of thoroughly understanding the complete range of features within the libraries and frameworks being utilized and advises taking precautions to minimize potential attack surfaces by disabling unnecessary features.
“This concern extends beyond Ruby on Rails; however, RoR may be particularly vulnerable to such issues compared to other frameworks due to its focus on ‘Convention over Configuration’ and the accessibility of powerful features through simple API interfaces,” Euler remarked.
This article received updates on February 1, including commentary from Tidelift regarding remediation efforts for the security vulnerabilities affecting Ransack and Active Admin.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/ruby-on-rails-apps-vulnerable-to-data-theft-through-ransack-search