:hybrid deserialisation flagged as unsafe by brakeman #1710
Hi there, I've been scratching my head recently about the following possible remote code execution. From my understanding, while setting the cookie deserialisation to
Replies: 1 comment
@ArisBee Yes, that's the reason Rails moved from Marshal to JSON for session cookies. :hybrid just means "if the session cookie is JSON, accept it. If it's Marshalled, accept it too and convert to JSON." Crafting a malicious session cookie does require the attacker to know the secret key, though, in order to sign and (depending on Rails version) encrypt the session cookie. Accessing the secret key typically requires another vulnerability... or in the case of open source sometimes people don't change the default secret key grabbed from GitHub.
In any case, it is best not to accept any user-provided input in the Marshal format.
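To make the difference between the two serializers concrete, here is an added example that is not part of the discussion above and not Rails' or Brakeman's own code. It is a simplified stand-in for the real serializers: the hybrid model accepts a JSON payload but hands anything carrying Marshal's two-byte header to Marshal.load, while the JSON-only model simply fails to parse such a payload and never creates objects from it. Every name in it (SessionSerializers, Hybrid, JsonOnly, format_of, rejects_marshal?) is hypothetical, and the sample session payloads are constructed; the signing, encryption and base64 layers a real cookie carries are left out so the serializer behaviour is isolated.

```ruby
require 'json'

# Added example, not Rails' or Brakeman's own code: a simplified model of the
# two cookie serializers contrasted in the reply. Rails' real classes differ in
# detail; every name below is hypothetical.
module SessionSerializers
  # Marshal's 2-byte format header (version 4.8, unchanged since Ruby 1.8).
  MARSHAL_MAGIC = "\x04\x08".b.freeze

  # Classify a cookie payload that has already passed signature verification.
  # Handy as a logging/metrics hook while migrating away from :hybrid: it tells
  # you whether any Marshal-era cookies are still arriving.
  def self.format_of(payload)
    return :marshal if payload.b.start_with?(MARSHAL_MAGIC)
    JSON.parse(payload)
    :json
  rescue JSON::ParserError
    :unknown
  end

  # Model of :hybrid. JSON is preferred, but a Marshal header routes the
  # payload to Marshal.load, which can instantiate arbitrary Ruby objects.
  # That fallback path is the acceptance surface Brakeman flags; it is only
  # safe while the signing key stays secret.
  class Hybrid
    def self.load(payload)
      if payload.b.start_with?(MARSHAL_MAGIC)
        Marshal.load(payload) # legacy path: deserialises arbitrary objects
      else
        JSON.parse(payload)
      end
    end

    def self.dump(obj)
      JSON.generate(obj)
    end
  end

  # Model of :json. A Marshal payload is never deserialised; JSON.parse just
  # rejects it, so the object-instantiation surface is gone even if the key leaks.
  class JsonOnly
    def self.load(payload)
      JSON.parse(payload)
    end

    def self.dump(obj)
      JSON.generate(obj)
    end
  end

  # Constructed sample payloads: what a pre-migration cookie carried (Marshal)
  # and what a current one carries (JSON).
  LEGACY_SESSION = Marshal.dump({ "user_id" => 42 }).freeze
  JSON_SESSION   = JSON.generate({ "user_id" => 42 }).freeze

  # true if the serializer refuses to turn a Marshal payload into objects.
  def self.rejects_marshal?(serializer)
    serializer.load(LEGACY_SESSION)
    false
  rescue StandardError
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy payload format:     #{SessionSerializers.format_of(SessionSerializers::LEGACY_SESSION)}"
  puts "hybrid rejects Marshal?    #{SessionSerializers.rejects_marshal?(SessionSerializers::Hybrid)}"
  puts "json-only rejects Marshal? #{SessionSerializers.rejects_marshal?(SessionSerializers::JsonOnly)}"
end
```

In a real Rails application the switch is the config.action_dispatch.cookies_serializer setting (usually in config/initializers/cookies_serializer.rb): :hybrid exists as a migration step, and once the format_of-style check shows no Marshal-era cookies are still arriving, moving it to :json closes the fallback path the reply describes.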