Mark Hoopes (of Meristem InfoSec) and Heidi Hoopes presented a workshop at RailsConf 2022 titled "Gaps in the Magic - Exploiting Security Edge Cases in Rails." This class introduced the fundamental concepts of two key vulnerability classes from the OWASP Top 10, SQL injection and Unsafe Deserialization (or unmarshalling in Ruby parlance). It included practice environments where the students could exploit real-world applications (or a replica) to solidify their understanding and enable them to more effectively communicate the risks associated with these vulnerabilities.
SQL Injection
The workshop began with a breakdown of injection vulnerabilities in general and then looked at specific Active Record methods and what constructions would leave them vulnerable to attack. Students were then given a workbook application (building on the work of Justin Collins, published at https://rails-sqli.org/) where they could explore vulnerable Active Record methods and construct their own SQL injection payloads to accomplish typical hacker goals of bypassing login checks and retrieving sensitive information from the database.
This portion concluded by pointing students at an installation of a vulnerable application found on GitHub (link to be posted once a remediating pull request is accepted) and allowing them to apply their skills to recover the password hash of a simulated user.
Unmarshalling
The workshop then shifted gears to the risks of processing serialized objects that could have been created or modified by a user. Again, the discussion began with the basics of serialization and the specifics of the Marshal protocol in Ruby. Note that the talk "Caching without Marshal" by Chris Salzberg, also at RailsConf 2022, gave an excellent overview of the protocol and a possible alternative and is well worth watching when available. Once the concepts behind marshalling had been presented, the process of unmarshalling was examined, focusing on the fact that once the application has called the Marshal.load method, no further defensive checks by the application are possible until a potential payload has been triggered.
Next the concept of a gadget was presented, where a gadget is a set of classes arranged in such a way that, when they are unmarshalled, they execute code that has been embedded as an attribute of one of the classes. One gadget was discussed in detail as an example of how this is accomplished, and references to other well-known gadgets were shared.
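To make the "no checks after Marshal.load" point concrete, here is an added Ruby example (not part of the workshop materials). The HookDemo class and HOOK_CALLS constant are constructed for the demonstration: HookDemo only records that its marshal_load hook ran, standing in for a gadget, and the HMAC wrapper shows the defensive pattern of verifying the blob's integrity before any untrusted bytes reach Marshal.load.

```ruby
require "openssl"

# Records hook invocations so the caller can observe them (constructed demo).
HOOK_CALLS = []

# Stand-in for a gadget: a class whose marshal_load hook runs inside
# Marshal.load itself. Here it only records that it ran.
class HookDemo
  def marshal_dump; "constructed"; end
  def marshal_load(_data)
    HOOK_CALLS << :marshal_load_ran   # runs before the caller sees the object
  end
end

# Pattern the workshop warns about: load first, validate afterwards.
# Any hook in the payload has already executed by the time we check the type.
def unsafe_load(blob)
  obj = Marshal.load(blob)
  obj.is_a?(Hash) ? obj : nil
end

# Defensive pattern: only bytes the server itself produced reach Marshal.load.
# The server HMACs the blob when it writes it and verifies before loading.
def sign(blob, key)
  OpenSSL::HMAC.digest("SHA256", key, blob) + blob
end

# Constant-time comparison so the MAC check does not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_then_load(signed, key)
  return nil if signed.nil? || signed.bytesize <= 32
  mac  = signed.byteslice(0, 32)
  blob = signed.byteslice(32..-1)
  return nil unless constant_time_equal?(mac, OpenSSL::HMAC.digest("SHA256", key, blob))
  Marshal.load(blob)                  # only reached for untampered data
end
```

With unsafe_load, a blob containing HookDemo triggers the hook even though the function then rejects the result; with verify_then_load, an unsigned or altered blob is rejected before Marshal.load is ever called.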
Finally, a walk-through of a vulnerability identified during a commercial engagement was performed using a replica of the real site's functionality. This included identifying the serialized object, preparing a payload, and sending the marshalled object to execute code on the demonstration server.
Resources
The SQLi Workbook application, a replica of the vulnerable commercial application, and the slides from the presentation are posted in the Resources Section.