Read more about the different warnings Railroader reports:
- Attribute Restriction
- Authentication
- Basic Authentication
- Command Injection
- Cross-Site Request Forgery
- Cross Site Scripting
- Cross Site Scripting (Content Tag)
- Cross Site Scripting (JSON)
- Dangerous Evaluation
- Dangerous Send
- Default Routes
- Denial of Service
- Dynamic Render Paths
- File Access
- Format Validation
- Information Disclosure
- Mail Link
- Mass Assignment
- Remote Code Execution
- Remote Execution in YAML.load
- Session Manipulation
- Session Settings
- SQL Injection
- SSL Verification Bypass
- Unsafe Deserialization
- Unscoped Find
- Unsafe Redirects
Docs
Redirect
Unvalidated redirects and forwards are #10 on the 2010 and 2013 OWASP Top Ten.
Redirects that rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs (a phishing link that begins with your trusted domain). They can also allow access to restricted areas of a site if the destination is not validated.
Railroader raises a warning whenever redirect_to appears to be called with a user-supplied value that could let an attacker change the :host option (for example, redirect_to params[:url]).
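The vulnerable pattern beside a hardened one, as an added example that is not part of the Railroader documentation or code. The allow-listed hosts, the `return_to` parameter name and the fallback path are assumptions chosen for the illustration; the validation accepts only a same-site relative path or an explicitly allowed host and sends everything else (other hosts, scheme-relative `//host`, non-http schemes, unparsable input) to a fixed path.

```ruby
require 'uri'

# Hypothetical hosts this application may send users to (constructed for this example).
ALLOWED_HOSTS = ['example.com', 'accounts.example.com'].freeze

# Where the user goes when the requested target is rejected.
FALLBACK_PATH = '/'.freeze

# The pattern Railroader flags: the redirect target is whatever the request says.
#   redirect_to params[:return_to]
def vulnerable_target(params)
  params[:return_to]
end

# Hardened version: only same-site relative paths or an allow-listed host are accepted.
def safe_target(params)
  raw = params[:return_to].to_s
  uri = URI.parse(raw)

  if uri.scheme.nil? && uri.host.nil?
    # Relative path. "//evil.com" parses with a host and never reaches this branch;
    # "/\evil.com" is normalised by browsers to "//evil.com", so reject it as well.
    return raw if raw.start_with?('/') && !raw.start_with?('//', '/\\')
    return FALLBACK_PATH
  end

  return raw if %w[http https].include?(uri.scheme) && ALLOWED_HOSTS.include?(uri.host)
  FALLBACK_PATH
rescue URI::InvalidURIError
  FALLBACK_PATH
end
```

Compare the host rather than matching the string with a prefix test: `https://example.com.evil.net/` and `https://example.com@evil.net/` both start with the trusted name but parse to a different host.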
Remote Code Execution
Railroader reports several cases of remote code execution, in which a user is able to control and execute code in ways the application authors did not intend.
The obvious form of this is the use of eval with user input.
However, Railroader also reports dangerous uses of send, constantize, and other methods that let user input decide which object is created or which method is called.
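The send/constantize case, as an added example that is not part of the Railroader documentation or code. The report classes and parameter names are constructed for the illustration, and `Object.const_get` stands in for ActiveSupport's `constantize` so the block runs without Rails.

```ruby
# Hypothetical report classes an application dispatches to (constructed for this example).
class SalesReport
  def self.run; 'sales report'; end
end

class InventoryReport
  def self.run; 'inventory report'; end
end

# Vulnerable dispatch, the shape Railroader flags: the constant name and the method
# name both come from the request. Nothing limits this to report classes: "Dir" plus
# "pwd" reaches Dir.pwd, and because send ignores visibility, private methods are
# reachable too.
def vulnerable_dispatch(params)
  Object.const_get(params[:report]).send(params[:action])
end

# Hardened dispatch: user input only selects an entry from a fixed allow-list, and the
# method that runs is written in the code rather than chosen by the caller.
REPORTS = {
  'sales'     => SalesReport,
  'inventory' => InventoryReport,
}.freeze

def safe_dispatch(params)
  klass = REPORTS[params[:report].to_s]
  return nil if klass.nil?
  klass.run
end
```

The allow-list is the fix in both directions: it bounds which constants can be resolved and removes the need for send/public_send with a caller-supplied method name.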
Remote Code Execution in YAML.load
As seen in CVE-2013-0156, calling YAML.load on user input can lead to remote execution of arbitrary code (to see a real point-and-fire exploit, see the Metasploit payload). Upgrading Rails, disabling XML parsing, or disabling YAML types in XML request parsing fixes the Rails vulnerability, but manually passing user input to YAML.load remains unsafe.
For example:

```ruby
# Do not do this!
YAML.load(params[:file])
```
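What a `!ruby/object` tag does to a full YAML load, and the `YAML.safe_load` alternative, as an added example that is not part of the Railroader documentation or code. The `Thermostat` class and both documents are constructed for the illustration. Psych 4 (Ruby 3.1 and later) turned `YAML.load` into `safe_load`, so the block uses `YAML.unsafe_load` where it exists to reproduce the older `YAML.load` behaviour the page warns about.

```ruby
require 'yaml'

# Hypothetical application class; the attacker only needs to know its name.
class Thermostat
  attr_accessor :setting
end

# Constructed attacker input: a !ruby/object tag asks the loader to build an instance
# of any class it can resolve and to set its instance variables from the mapping.
MALICIOUS_DOC = "--- !ruby/object:Thermostat\nsetting: 99\n".freeze

# Constructed benign input of the shape the application actually expects.
BENIGN_DOC = "---\nsetting: 21\n".freeze

# What YAML.load did before Psych 4: full YAML, Ruby object tags included.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Safe path: only core scalars and collections; object tags and aliases are rejected.
# Returns [:ok, data] or [:rejected, reason].
def safe_parse(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::Exception => e
  [:rejected, e.message]
end
```

Instantiating `Thermostat` is harmless; the point is that the loader instantiated a class the document named, not one the code chose. With a class whose initialisation has side effects (the gadget chains used against CVE-2013-0156) the same mechanism runs attacker-chosen code.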
Response Splitting (CVE-2011-3186)
Response splitting is a simple attack that can be used as part of a larger exploit chain. A malicious user sends data that causes an HTTP response header to include unintended newline characters, which the client interprets as the end of the headers. The attacker may then forge their own response body, or an entirely false HTTP response, essentially hijacking the page load.
Versions of Rails 2 prior to 2.3.13 were vulnerable to this type of attack.
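How a CRLF sequence in a header value splits the byte stream, and the guard that prevents it, as an added example that is not part of the Railroader documentation or of Rails. The response builder is a constructed stand-in for any server that writes header values verbatim; it is not how Rails assembles responses.

```ruby
# Minimal stand-in for a server that writes header values into the response verbatim
# (constructed for this example).
def raw_response(status_line, headers, body = '')
  lines = [status_line]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines.join("\r\n") + "\r\n\r\n" + body
end

# Constructed attacker input for a Location header: the CRLF pairs end the real
# headers early and smuggle in a second, entirely forged HTTP response.
SPLIT_PAYLOAD = "/home\r\nContent-Length: 0\r\n\r\n" \
                "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 19\r\n\r\n" \
                "<html>forged</html>".freeze

# How many HTTP status lines the byte stream carries; a split response has more than one.
def status_line_count(raw)
  raw.scan(%r{^HTTP/1\.\d \d{3}}).length
end

# The guard a framework (or your own header-setting code) should apply:
# a header value must never contain a carriage return or line feed.
def safe_header_value(value)
  raise ArgumentError, 'CR/LF in header value' if value =~ /[\r\n]/
  value
end
```

Rejecting the value is preferable to stripping the control characters silently: a stripped value is still attacker-shaped, and the rejection is a signal worth logging.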
SQL Injection
Injection is #1 on the 2010 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Railroader focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:

```ruby
User.first(:conditions => "username = '#{params[:username]}'")
```

Railroader would produce a warning like this:
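The interpolated conditions string beside the conditions-array form, as an added example that is not part of the Railroader documentation or of ActiveRecord. The `bind` helper is written here to show what the parameterised form turns into; it assumes the adapter escapes a single quote by doubling it, as the SQL standard requires, and is not ActiveRecord's own quoting code.

```ruby
# The Rails 2.x pattern from the page: user input interpolated straight into the SQL.
def vulnerable_conditions(username)
  "username = '#{username}'"
end

# The fix: a conditions array. The SQL is fixed text and the value travels separately,
# so the adapter quotes it rather than the developer.
def safe_conditions(username)
  ['username = ?', username]
end

# Stand-in for ActiveRecord's sanitize_sql_array, written for illustration only
# (assumption: a single quote inside a value is escaped by doubling it).
def bind(sql, *values)
  pending = values.dup
  sql.gsub('?') { "'" + pending.shift.to_s.gsub("'", "''") + "'" }
end

# Constructed attacker input: closes the string literal and appends a tautology.
ATTACK = "' OR '1'='1".freeze
```

With the attack value the interpolated form yields `username = '' OR '1'='1'`, a condition that matches every row; the bound form yields a literal that still compares against the whole attack string.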
SSL Verification Bypass
Simply using SSL isn't enough to ensure the data you are sending is secure. Man-in-the-middle (MITM) attacks are well known and widely used. In some cases these attacks rely on the client establishing a connection without checking the validity of the certificate the server presents. The attacker can then present their own certificate and act as a man in the middle, reading and altering the traffic.
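The disabled setting beside the corrected one for Net::HTTP, as an added example that is not part of the Railroader documentation or code. The host name is a placeholder and no connection is opened; the block only configures the client objects so the verification setting can be inspected.

```ruby
require 'net/http'
require 'openssl'

# The bypass: verify_mode forced to VERIFY_NONE, so any certificate, including one
# the attacker minted for the man in the middle, is accepted.
def insecure_client(host)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http
end

# Corrected configuration: verify the chain against the system CA store.
# VERIFY_PEER is already Net::HTTP's default with use_ssl on in modern Ruby, so the
# bypass is always an explicit line of code, which is what a static scanner can find.
def secure_client(host)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  http.cert_store = store
  http
end

# Check a reviewer can apply to any Net::HTTP object before it is started.
def verifies_peer?(http)
  http.use_ssl? && http.verify_mode != OpenSSL::SSL::VERIFY_NONE
end
```

The same `VERIFY_NONE` constant shows up in other clients (OpenSSL::SSL::SSLContext, Faraday and RestClient options), so search the whole code base for it, not just Net::HTTP call sites.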
Session Manipulation
Session manipulation can occur when an application allows user input in session keys. Since the session is typically treated as a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to choose which session value is read may lead to unintended behavior.
For example:

```ruby
user_id = session[params[:name]]
current_user = User.find(user_id)
```

In this scenario the attacker can point the name parameter at some other session value (for example, _csrf_token), which is then interpreted as a user ID.
Session Settings
HTTP Only
It is recommended that session cookies be set "http-only". This stops scripts from reading the cookie and so helps prevent cookie theft via cross-site scripting.
Secret Length
Railroader warns if the session secret is shorter than 30 characters.
Version control inclusion
Railroader warns if config/initializers/secret_token.rb is included in version control. It is recommended that secret_token.rb be excluded from version control and listed in .gitignore.
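The three rules above expressed as a check, as an added example that is not Railroader's own implementation. The input shape (the cookie options, the secret string and the list of tracked files) is an assumption made for the illustration; the secret generator produces a value of the size `rake secret` returns.

```ruby
require 'securerandom'

# Constructed representation of what the three checks look at:
#   cookie_options: the options given to the session store (httponly in particular)
#   secret:         the session secret from config/initializers/secret_token.rb
#   tracked_files:  paths committed to version control
MIN_SECRET_LENGTH = 30
SECRET_FILE = 'config/initializers/secret_token.rb'.freeze

def session_setting_warnings(cookie_options:, secret:, tracked_files:)
  warnings = []
  warnings << 'session cookie is not httponly' unless cookie_options[:httponly]
  if secret.to_s.length < MIN_SECRET_LENGTH
    warnings << "session secret is shorter than #{MIN_SECRET_LENGTH} characters"
  end
  if tracked_files.include?(SECRET_FILE)
    warnings << "#{SECRET_FILE} is committed to version control"
  end
  warnings
end

# A fresh secret of the size `rake secret` produces: 64 random bytes, 128 hex characters.
def generate_session_secret
  SecureRandom.hex(64)
end
```

Rotating the secret invalidates every existing session cookie, so a secret that was ever committed should be replaced, not merely removed from the repository history.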
Unsafe Deserialization
Objects in Ruby may be serialized to strings. The main method for doing so is the built-in Marshal class. The YAML, JSON, and CSV libraries also have methods for dumping Ruby objects to strings and creating objects from those strings again.
Deserialization of arbitrary objects can lead to remote code execution, as CVE-2013-0156 demonstrated.
Railroader warns when user input is loaded with Marshal, YAML, or CSV. JSON is covered by the check for CVE-2013-0333.
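Marshal has no safe mode, so the only defence for Marshal data that leaves the server (a cookie, a queue message) is to authenticate it before loading it. The pattern below, verifying an HMAC over the encoded bytes and only then calling Marshal.load, is an added example that is not part of the Railroader documentation or of Rails; it mirrors the idea behind Rails' signed cookie store without being its code. The signing key and the `SessionData` struct are constructed for the illustration.

```ruby
require 'openssl'

# Hypothetical server-side key (constructed); in Rails this role is played by the
# secret token / secret_key_base.
SIGNING_KEY = 'constructed-example-key-do-not-reuse'.freeze

# Hypothetical object that ends up inside the serialized blob.
SessionData = Struct.new(:user_id, :role)

# Serialize, then sign: "base64(Marshal.dump(obj))--hex(HMAC-SHA256(key, base64))".
def dump_and_sign(obj, key = SIGNING_KEY)
  data = [Marshal.dump(obj)].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', key, data)}"
end

# Constant-time comparison so the MAC check does not leak which byte differed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the MAC first; bytes that fail verification never reach Marshal.load.
# Returns the object, or nil for a missing, malformed or tampered blob.
def verify_and_load(blob, key = SIGNING_KEY)
  data, mac = blob.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA256', key, data), mac)
  Marshal.load(data.unpack('m0').first)
end
```

The MAC protects integrity only: a client holding a validly signed blob can still read it, and anyone who learns the key can forge one, which is why the key belongs with the other secrets this page says to keep out of version control.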