Bug Hunter Handbook
Ruby on Rails


Last updated 3 years ago


Blogs / Articles / Writeups / Presentations:

https://hackerone.com/reports/134321
Airbnb - Ruby on Rails String Interpolation led to Remote Code Execution (buer.haus)
https://rhys.io/post/rce-in-ruby-using-mustache-templates
https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/
https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/
https://t.co/XmASzMEMAb?amp=1
https://edoverflow.com/2017/ruby-resolv-bug/
https://www.slideshare.net/Railwaymen_org/ror-workshop-web-applications-hacking-ruby-on-rails-example
https://twitter.com/_devalias/status/1194461246394753025
https://blog.heroku.com/rails-asset-pipeline-vulnerability#:~:text=Released%20in%20CVE%2D2018%2D3760,set%20to%20compile%20at%20runtime.&text=If%20Sprockets%20can't%20find,asset%20that%20matches%20the%20request.

Cheatsheet:

https://github.com/brunofacca/zen-rails-security-checklist
https://github.com/edwardqiu/awesome-rails-security

Labs:

https://twitter.com/PentesterLab/status/1174476446376398848
https://towardsdatascience.com/building-a-vulnerable-rails-application-for-learning-2a1de8cf98d5

Twitter Threads:

https://twitter.com/orange_8361/status/817658441598574592
https://twitter.com/chybeta/status/1106752671057395712
https://twitter.com/_devalias/status/1173806552723050497
https://twitter.com/_ayoubfathi_/status/1108341801193213952
https://twitter.com/intigriti/status/1177178910397796353
https://twitter.com/ph0rensic/status/1151640168417374208
https://twitter.com/Wh11teW0lf/status/1062043483786149888
https://twitter.com/search?q=CVE-2019-5418&src=typed_query
https://twitter.com/s0md3v/status/1177183347887312897
https://twitter.com/Wesecureapp_RD/status/1171726890857459712
When auditing Ruby on Rails apps, always search for .js.erb view files. There is a stupid pattern called "Server-generated JavaScript Responses" which is a way to bypass SOP and inject content via JavaScript files (just like JSONP), which leads to XSSI.
CSRF using PUT or DELETE is possible in the Ruby on Rails framework: if you see a hidden field called _method in the request (if it doesn't exist, try to add it), set its value to PUT or DELETE and then submit a GET or POST request. It will override the HTTP verb and the attack succeeds.
API TIP: 4/31 - Testing a Ruby on Rails app and noticed an HTTP parameter containing a URL? Developers sometimes use the "Kernel#open" function to access URLs == game over. Just send a pipe as the first character and then a shell command (command injection by design).
https://twitter.com/m4ll0k2/status/1112119619396030466
https://github.com/mpgn/CVE-2019-5418