Numerous applications are vulnerable to brute-force attacks, and many more may also be at risk.
UPDATED Security firm Positive Security has issued a warning about poor integration of the Ransack library within Ruby on Rails (RoR) applications, which could enable attackers to extract sensitive information from backend databases.
Ransack provides developers with the ability to implement object-based search functionality in their Rails applications. Its ease of use and flexibility, while convenient for developers, widen the attack surface considerably when the library is integrated without restrictions.
Object Traversal via Search
Ransack’s default settings allow query conditions for associated objects. For instance, when querying a page with blog posts, developers can set conditions regarding the author through its connection with the blog object.
The library supports handy predicates that filter results with operators such as ‘starts with’ or ‘contains’. However, when search parameters are passed through from user input without adequate safeguards, this feature enables malicious actors to traverse object associations and reach columns in other backend database tables that the search was never meant to expose.
For instance, an attacker may move from the posts table to the users table and attempt to guess a user’s password hash. The filtering operators turn this into a character-by-character guessing game: Positive Security researchers found that a single bcrypt password hash can be extracted in a matter of minutes with under 2,000 requests.
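The defensive control the article points toward is an explicit allowlist of what a search endpoint may filter on. The following Ruby script is an added example, not Ransack’s own code or code from any of the projects named here: it parses Ransack-style condition keys (`q[<association chain>_<attribute>_<predicate>]`) against a constructed schema and rejects any condition whose association hops or final attribute are not allowlisted for the model they belong to. In a real Rails application the equivalent control is defining `ransackable_attributes` and `ransackable_associations` on each model; the `SCHEMA`, `ALLOWLIST`, and sample parameters below are assumptions constructed for the example.

```ruby
# Added example (not Ransack's code): validate Ransack-style search parameters
# against an explicit per-model allowlist before they reach the search.
# SCHEMA, ALLOWLIST and the sample parameters are constructed for this example.

# Ransack predicate suffixes, longest first so "not_start" wins over "start"
# and "gteq" wins over "gt".
PREDICATES = %w[
  not_start not_end not_cont not_eq not_in not_null
  start end cont eq in null lt lteq gt gteq present blank true false
].sort_by { |p| -p.length }.freeze

# Constructed schema: the attributes and associations each model really has.
SCHEMA = {
  "Post" => {
    attributes: %w[title body published_at],
    associations: { "author" => "User", "comments" => "Comment" },
  },
  "User" => {
    attributes: %w[name email password_digest reset_password_token admin],
    associations: { "posts" => "Post" },
  },
  "Comment" => {
    attributes: %w[body created_at],
    associations: { "user" => "User" },
  },
}.freeze

# Constructed allowlist for an anonymous search endpoint. Post exposes no
# associations, so every path from Post to User is closed.
ALLOWLIST = {
  "Post" => { attributes: %w[title body published_at], associations: [] },
}.freeze

Condition = Struct.new(:chain, :model, :attribute, :predicate)

# Resolve "author_password_digest_start" into chain ["author"], model "User",
# attribute "password_digest", predicate "start". Returns nil when the key
# does not resolve against SCHEMA (unknown predicate, association or column).
def parse_condition(root_model, key)
  predicate = PREDICATES.find { |p| key.end_with?("_#{p}") }
  return nil unless predicate

  rest = key[0, key.length - predicate.length - 1]
  model = root_model
  chain = []
  loop do
    entry = SCHEMA[model]
    return nil unless entry
    return Condition.new(chain, model, rest, predicate) if entry[:attributes].include?(rest)

    # Otherwise the key must start with one of this model's associations.
    assoc = entry[:associations].keys
                 .select { |a| rest.start_with?("#{a}_") }
                 .max_by(&:length)
    return nil unless assoc

    chain << assoc
    model = entry[:associations][assoc]
    rest = rest[(assoc.length + 1)..-1]
  end
end

# True only if every association hop and the final attribute are allowlisted
# for the model they belong to. Anything unresolvable is rejected.
def allowed?(root_model, key)
  cond = parse_condition(root_model, key)
  return false unless cond

  model = root_model
  cond.chain.each do |assoc|
    rules = ALLOWLIST[model]
    return false unless rules && rules[:associations].include?(assoc)
    model = SCHEMA[model][:associations][assoc]
  end
  rules = ALLOWLIST[model]
  !!(rules && rules[:attributes].include?(cond.attribute))
end

# Strip disallowed conditions from a q hash, returning the clean hash and the
# rejected keys. The rejected keys are worth logging: a burst of rejected
# *_start keys from one session is the hash-enumeration pattern in the text.
def filter_search_params(root_model, q)
  rejected, kept = q.partition { |key, _| !allowed?(root_model, key) }
  [kept.to_h, rejected.map(&:first)]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters: one legitimate title filter beside the
  # kind of association-hopping keys the article describes.
  q = {
    "title_cont" => "rails",
    "author_password_digest_start" => "$2a$12$",
    "author_reset_password_token_cont" => "a",
    "comments_user_admin_true" => "1",
  }
  kept, rejected = filter_search_params("Post", q)
  puts "kept:     #{kept.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

Running the script keeps only `title_cont` and rejects the three traversal keys, including the two-hop `comments_user_admin_true` path, because the allowlist for `Post` exposes no associations at all. Rejecting on the server rather than silently ignoring unknown keys gives the security team a signal to alert on; an endpoint that returns results while a client sends thousands of `*_start` conditions on a single column is the behaviour described above.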
“The problem lies in how web applications utilize this feature, specifically by invoking the Ransack search function with unrestricted user input as parameters,” explained Lukas Euler, Managing Director at Positive Security, in an interview with The Daily Swig. “However, the library documentation explicitly suggests this method of usage.”
A recent notice was added to the Ransack documentation, warning users that “searching and sorting are permissible on any column of your model”. This advisory followed public discussions on GitHub concerning this issue.
Ransack Exploit Cases
The researchers identified hundreds of potentially vulnerable websites by searching for Ransack patterns within URL datasets. While not all candidates were verified, vulnerability confirmation was achieved for dozens of sites.
“A typical approach we took in exploiting this issue was utilizing a publicly accessible search feature to examine association chains from the searchable data class to sensitive attributes of the application’s user class,” stated Euler.
One of their most concerning discoveries was the potential to leverage Ransack for administrative account takeovers. For example, on fablabs.io, a platform for scientific information sharing, Ransack search queries could retrieve the superadmin user’s password reset token, which did not expire due to another design flaw, allowing reuse.
“Access to admin accounts enabled us to conveniently read and manipulate all private data within two Ruby on Rails applications we tested,” Euler revealed.
Further applications identified as vulnerable include CodeOcean, Pageflow, Active Admin, and openSUSE Travel Support Program. Remediations have been implemented in most of these projects except for Active Admin, whose vendor, Tidelift, reportedly failed to respond to Positive Security’s outreach as of the publication of their findings.
However, a Tidelift representative later communicated regarding the flaw, indicating that the maintainer of Ransack is working on an update to modify the default behavior and is in discussions with the bug reporter.
Other Technologies at Risk
In earlier investigations, the researchers discovered analogous vulnerabilities in an application utilizing Hasura, a GraphQL server platform, through which they managed to extract admin session tokens via a multi-step association chain across various objects.
“Libraries and frameworks inherently evolve over time to introduce increasing features, often enabled by default, while striving to maintain simplicity for developers in basic use cases,” Euler noted. “As a consequence, developers often unwittingly integrate more features and create a larger attack surface than they realize.”
Euler advises that developers should always investigate the complete range of features provided by the libraries and frameworks they employ and take steps to reduce their attack surface by disabling any unneeded functionalities.
“This issue isn’t exclusive to Ruby on Rails; however, RoR may be more susceptible to these types of problems compared to other frameworks due to its focus on ‘Convention over Configuration’ and the accessibility of powerful features via simple API interfaces,” Euler added.
This article was revised on February 1 to include a comment from Tidelift regarding the remediation of the security issue affecting Ransack and Active Admin.
Based on an article from