Ruby on Rails

TL;DR Ruby on Rails apps have unique attack surfaces that testers should consider. Key vulnerabilities include mass assignment, IDORs, business logic flaws, session attacks, SSTI, and the notable CVE-2019-5418 which allows file content disclosure via crafted Accept headers, potentially escalating to RCE.


1. Mass Assignment Vulnerabilities

Description: Mass assignment occurs when Rails controllers permit unfiltered parameters to update model attributes. Attackers can supply additional fields (beyond the intended form fields) to manipulate sensitive data.

Indicators:

  • Requests containing parameters like user[name]=... or user[role]=...

  • Endpoints returning JSON often expose more data than the visible HTML forms.

Risk:

  • Unauthorized privilege escalation (e.g., setting admin=true)

  • Data modification beyond allowed scope

  • IDORs or logic bypass if combined with weak ACLs

2. Common Rails Vulnerabilities

  • IDORs / Object-level access control issues

  • Business logic flaws that bypass workflows or limits

  • Session attacks (e.g., session fixation, improper token handling)

  • SSTI in Ruby ERB templates — allows code execution if user input is rendered unsafely.

3. CVE-2019-5418 — File Content Disclosure

Summary:

  • A Rails file content disclosure vulnerability (commonly labelled LFI) allowing an attacker to read arbitrary files via crafted Accept headers.

  • Proof-of-concept allows reading /etc/passwd or other sensitive files.

  • Can escalate to RCE if combined with writable templates or unsafe file handling.

PoC Steps (read-only, safe observation):

  1. Send a crafted Accept header:

     Accept: ../../../../../../../../../../etc/passwd{{

  2. Request a Rails endpoint that processes the header.

  3. Inspect the response — file content may be exposed.
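From the defender's side, the same PoC is easy to spot in request logs: a legitimate Accept header is a list of media ranges, never a file path. The following is an added example (not code from the page or from Rails) that flags requests whose Accept header carries a traversal sequence or is not a valid media-range list; the one-line-per-request log format and the sample lines are constructed for the example.

```ruby
# Added example: flag HTTP requests whose Accept header carries the kind of
# path-traversal payload used against CVE-2019-5418, for alerting in a WAF or
# log pipeline. The log format and the SAMPLE_LOG lines below are constructed.

# A well-formed Accept header is a comma-separated list of media ranges such as
# "text/html", "*/*" or "application/json;q=0.9". Anything else is suspicious.
MEDIA_RANGE = %r{\A(\*|[\w.+-]+)/(\*|[\w.+-]+)(\s*;\s*[\w.+-]+=[^;,]+)*\z}

# "../" or "..\" anywhere in the header value is the traversal signature.
TRAVERSAL = %r{\.\.[/\\]}

# Returns a symbol naming why the header is suspicious, or nil if it is clean.
def accept_header_finding(accept)
  return nil if accept.nil? || accept.empty?
  return :path_traversal if accept.match?(TRAVERSAL)
  ranges = accept.split(",").map(&:strip)
  return :malformed unless ranges.all? { |r| r.match?(MEDIA_RANGE) }
  nil
end

# Each constructed log line is "<ip> <method> <path> accept=<value>"; the Accept
# value runs to end of line because a payload may itself contain spaces.
def scan_log(lines)
  lines.filter_map do |line|
    m = line.match(/\A(\S+) (\S+) (\S+) accept=(.*)\z/)
    next unless m
    finding = accept_header_finding(m[4])
    { ip: m[1], path: m[3], finding: finding, accept: m[4] } if finding
  end
end

SAMPLE_LOG = [
  "10.0.0.5 GET /robots.txt accept=text/html,application/xhtml+xml,*/*;q=0.8",
  "10.0.0.7 GET /api/users accept=application/json",
  "10.0.0.9 GET /pages/about accept=../../../../../../../../../../etc/passwd{{",
  "10.0.0.11 GET / accept=garbage header value",
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |hit| puts "#{hit[:ip]} #{hit[:path]} -> #{hit[:finding]}" }
end
```

The `:malformed` finding is deliberately separate from `:path_traversal` so that odd but harmless clients can be tuned out without losing the high-confidence traversal alert.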
