Numerous applications are exposed to brute-force attacks, and many more may also be at risk.
UPDATED: Inadequate integration of the Ransack library within Ruby on Rails (RoR) applications poses a risk of data theft from backend databases, as highlighted by security firm Positive Security in a recent report.
Ransack facilitates developers in incorporating object-based search functionality into their Rails applications. While this feature offers convenience and flexibility, it has raised significant security concerns.
Understanding Search Traversal
Ransack, by default, supports query conditions for related objects. For instance, a query on a page displaying blog posts can include parameters referencing the post’s author through its association with the blog object.
The library supports operators such as ‘starts with’ or ‘contains’, which can enhance search capabilities. However, without proper safeguards, this feature can be exploited by malicious users to traverse domains and access backend database systems.
An attacker could follow the association between the posts table and the users table to infer a user’s password hash. Researchers from Positive Security found that it could take fewer than 2,000 requests to extract a single bcrypt password hash in just minutes.
According to Lukas Euler, managing director at Positive Security, “The risk lies in how web applications utilize this feature, particularly when invoking the Ransack search function with unrestricted user input.” He noted that the library’s documentation suggests this method of use.
A warning was recently added to the Ransack documentation, indicating that “searching and sorting are authorized on any column of your model”, which emerged from discussions regarding these vulnerabilities on GitHub.
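As an added defensive illustration (not code from the article or from the Ransack project), the plain-Ruby filter below shows the allowlist idea behind restricting the search surface: each Ransack condition key names an optional association chain, an attribute and a predicate suffix, and only conditions whose whole chain is explicitly permitted are passed on. The model names, the ALLOWED table and the query hash are constructed for this example; in a real application the same restriction is expressed through Ransack's own `ransackable_attributes` and `ransackable_associations` class-method hooks rather than a hand-written filter.

```ruby
# Constructed example: allowlisting Ransack-style search keys before they
# reach the search call. Ransack keys look like "title_cont" or
# "author_name_start": [association chain]_attribute_predicate.

PREDICATES = %w[eq not_eq cont start end lt gt lteq gteq in null present].freeze
# Longest first so "not_eq" is matched before "eq".
PREDICATES_BY_LENGTH = PREDICATES.sort_by { |p| -p.length }.freeze

# Constructed search surface per model. Sensitive columns such as
# users.password_digest or users.reset_password_token are deliberately absent,
# and users exposes no associations, so chains cannot continue past it.
ALLOWED = {
  "posts" => { attributes: %w[title body published_at],
               associations: { "author" => "users" } },
  "users" => { attributes: %w[name], associations: {} }
}.freeze

# Split "author_password_digest_start" into ["author_password_digest", "start"],
# or return nil when the key carries no known predicate suffix.
def parse_key(key)
  pred = PREDICATES_BY_LENGTH.find { |p| key.end_with?("_#{p}") }
  return nil unless pred
  [key[0...-(pred.length + 1)], pred]
end

# True only if `base` resolves, hop by hop, through allowed associations to an
# allowed attribute of the model reached at the end of the chain.
def allowed_condition?(model, base)
  rules = ALLOWED.fetch(model)
  return true if rules[:attributes].include?(base)
  rules[:associations].each do |assoc, target|
    prefix = "#{assoc}_"
    next unless base.start_with?(prefix)
    return true if allowed_condition?(target, base.delete_prefix(prefix))
  end
  false
end

# Filter a raw params[:q]-style hash. Pass only result[:kept] to the search;
# result[:rejected] is what should be logged for detection purposes.
def sanitize_ransack_params(model, query)
  query.each_with_object({ kept: {}, rejected: [] }) do |(key, value), acc|
    parsed = parse_key(key.to_s)
    if parsed && allowed_condition?(model, parsed[0])
      acc[:kept][key] = value
    else
      acc[:rejected] << key
    end
  end
end

# Constructed request: a legitimate search mixed with traversal attempts.
CONSTRUCTED_QUERY = {
  "title_cont" => "rails",
  "author_name_start" => "L",
  "author_password_digest_start" => "$2a$",
  "author_reset_password_token_start" => "a",
  "author_posts_title_cont" => "x"
}.freeze
```

Running `sanitize_ransack_params("posts", CONSTRUCTED_QUERY)` keeps only the two legitimate conditions and reports the three traversal attempts, which is exactly the information a defender wants to alert on.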
Real-World Exploits of Ransack
By examining URL datasets for Ransack patterns, researchers discovered hundreds of potentially vulnerable websites. Despite not being able to verify each candidate, they confirmed the vulnerability in several cases.
“Our exploitation strategy commonly involved using a publicly accessible search feature to identify association chains from the search class to sensitive user attributes,” Euler explained.
One particularly concerning discovery was the capability of using Ransack to access administrator accounts. On the platform fablabs.io, it was possible to retrieve a superadmin user’s password reset token, which remained valid and could be reused due to poor design choices.
“Access to admin accounts permitted us to read and modify all of the application’s private data for two different Ruby on Rails applications we examined,” Euler added.
Noteworthy applications identified as vulnerable include CodeOcean, Pageflow, Active Admin, and openSUSE Travel Support Program. Remediations were implemented across most projects, the exception being Active Admin, whose maintainer, Tidelift, had reportedly not responded to Positive Security’s inquiries by the time the research was published.
A Tidelift representative later said that the Ransack maintainer is working on an update that changes the default behavior, and that discussions with the bug reporter are ongoing.
Vulnerability in Other Technologies
Previous research has indicated analogous issues in applications employing Hasura, a GraphQL server platform, where admin session tokens were retrievable through a multi-step association chain across different objects.
“Libraries and frameworks tend to evolve, adding more features, often enabled by default, while aiming to simplify usage for developers,” Euler remarked. “This can lead developers to unintentionally introduce more vulnerabilities than anticipated.”
The core lesson, according to Euler, is to thoroughly research the full range of features in the libraries and frameworks being utilized and to take necessary steps to reduce attack surfaces by disabling unnecessary features.
“This challenge is not limited to Ruby on Rails; however, RoR may be more susceptible to such issues due to its focus on ‘Convention over Configuration’ and providing powerful features through simplified APIs,” Euler noted.
This article was revised on February 1 to include a comment from Tidelift regarding the security issue impacting Ransack and Active Admin.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/ruby-on-rails-apps-vulnerable-to-data-theft-through-ransack-search