Insecure HTTP methods enabled - Ruby

Insecure HTTP methods enabled - Ruby

Need

Restriction of insecure HTTP methods

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of Rails framework for building web applications
  • Usage of Rack for building web applications in Ruby

Description

Non compliant code

        # config/application.rb
module YourApp
  class Application < Rails::Application
    config.middleware.use ::Rack::MethodOverride
  end
end
        
        

In the above code, the middleware Rack::MethodOverride is being used in the Ruby on Rails application. This middleware allows the application to use HTTP verbs such as PUT, DELETE, and TRACE which are considered insecure.

The Rack::MethodOverride middleware is used to override the HTTP verb sent by the client with one specified in the parameters or headers. This is done to support HTTP verbs other than GET and POST in HTML forms.

However, this can potentially expose your application to several security vulnerabilities. For instance, an attacker could exploit the PUT and DELETE methods to alter or remove files on your server. Similarly, the TRACE method can be used to perform cross-site tracing (XST) attacks, which can lead to the leakage of sensitive information.

In this case, the application is vulnerable because it allows these insecure HTTP methods.

Steps

  • Disable insecure HTTP methods such as TRACE, PUT, and DELETE.
  • Remove or comment out the line 'config.middleware.use ::Rack::MethodOverride' in the 'config/application.rb' file.
  • Ensure that only necessary and secure HTTP methods are enabled on the server.
  • Regularly update and patch the server software to mitigate any potential vulnerabilities.

Compliant code

        # config/application.rb
module YourApp
  class Application < Rails::Application
    # config.middleware.use ::Rack::MethodOverride
  end
end
        
        

The above code is a fixed version of the previously vulnerable code. The line config.middleware.use ::Rack::MethodOverride has been commented out. This line was responsible for enabling HTTP methods such as TRACE, PUT, and DELETE on the server.

These methods can be insecure as they may allow an attacker to include and/or delete files, or perform cross-site tracing attacks. By commenting out this line, we are disabling these insecure HTTP methods, thus fixing the vulnerability.

It's important to note that only necessary and secure HTTP methods should be enabled on the server. Regularly updating and patching the server software is also a good practice to mitigate any potential vulnerabilities.

References