October 19, 2021

Ruby code injection – PortSwigger

Description: Ruby code injection

Server-side code injection vulnerabilities arise when an application embeds user-controllable data into a string that is dynamically evaluated by a code interpreter. If the user data is not strictly validated, an attacker can use crafted input to modify the code that is executed, injecting arbitrary code that the server will then execute.

Server-side code injection vulnerabilities are usually very severe and lead to complete compromise of the application's data and functionality, and often of the server that hosts the application. It may also be possible to use the server as a platform for further attacks against other systems.

Remediation: Ruby code injection

Whenever possible, applications should avoid embedding user-controllable data into dynamically evaluated code. In almost all situations, there are safer alternative methods of implementing application functionality that cannot be manipulated to inject arbitrary code into server-side processing.

If it is considered unavoidable to embed user-supplied data into dynamically evaluated code, then the data must be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable code metacharacters, should be rejected.
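The same feature written both ways, as an added example that is not PortSwigger's code: the dynamic-evaluation pattern the description refers to, beside the whitelist and strict alphanumeric checks the remediation calls for. The records, field names and the 32-character limit are constructed for illustration.

```ruby
# Added example (not from the original page): a report-sorting feature.
# RECORDS and the field names are constructed sample data.
RECORDS = [
  { name: "carol", age: 41 },
  { name: "alice", age: 29 },
  { name: "bob",   age: 55 },
].freeze

# Vulnerable pattern: the user-controlled sort field is spliced into a string
# that Kernel#eval executes, so whatever follows the field name runs as Ruby.
def sort_records_unsafe(field)
  RECORDS.sort_by { |r| eval("r[:#{field}]") }
end

# Remediation 1 (preferred): a whitelist of the exact values the feature accepts,
# followed by a plain data lookup so nothing is ever evaluated.
ALLOWED_FIELDS = %w[name age].freeze

def sort_records_safe(field)
  raise ArgumentError, "unsupported sort field" unless ALLOWED_FIELDS.include?(field)
  RECORDS.sort_by { |r| r[field.to_sym] }
end

# Remediation 2 (fallback when no fixed list exists): accept only short
# alphanumeric strings; anything else, including code metacharacters, is rejected.
# The 32-character ceiling is an assumed limit for this example.
SAFE_TOKEN = /\A[a-zA-Z0-9]{1,32}\z/

def valid_token?(value)
  value.is_a?(String) && SAFE_TOKEN.match?(value)
end

if __FILE__ == $PROGRAM_NAME
  p sort_records_safe("age").map { |r| r[:name] }   # ["alice", "carol", "bob"]
  p valid_token?("age")                             # true
  p valid_token?("age; 1")                          # false
end
```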

Vulnerability classifications

Typical severity

High

Type index

0x00100f00
