New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Checks]: Add an HTTP method confusion check #1432
Comments
Hi @linosgian, Thank you for this suggestion. So this is possible, but not straightforward, to implement in Brakeman. Essentially you have to first find all the Secondly, there is a bit of a gap between the code pattern and the potential vulnerability. It might be tricky to present the information, and I don't know what kind of false positives might come up. I'd lean towards making this an optional check (depending on results).
I think this information is available. (I've pretty much given up on handling Rails routes. They are too complicated and allow too much dynamic behavior.) |
I was wrong, this information (HTTP verbs for routes) is not available right now. I have a rough implementation of this check and am looking through results for false positives to see how important it might be to check the routes. |
Is your feature request related to a problem? Please describe.
There was an issue released recently regarding a bypass on Github's OAuth2 flow (essentially CSRF bypass). In a nutshell, the issue boils down to:
(the route only handles GET/POST)
and
The other "ingredient" of the vulnerability is the fact that Rails handles
HEAD
requests, exactly like GET, and just removes the response body before the response is sent back to the user. This means that all the processing done for GET requests will be executed for HEAD as well. The tricky part is thatrequest.get?
will return false forHEAD
requests.As shown in the code above, the developers were not explicit about which HTTP methods they handle (
else ..
), thinking that since it's not a GET request, then it must be POST (since the route only handles those two). Therefore, aHEAD
request, fell through to theelse
clause, which resulted in CSRF bypass, since CSRF is not verified in GET/HEAD requests.Describe the solution you'd like
I think that Brakeman can greatly assist security engineers/developers in finding such issues. I was thinking about tracking these kinds of calls (
request.get?
orrequest.<any http method>?
), check whether they have anelse
clause in controllers. Additionally, if possible, double check that a route handles multiple HTTP methods in order to reduce false positives.Describe alternatives you've considered
I can't come up with other solution, not knowing a great deal about Brakeman's internals, but I'm open to your suggestions.
Additional context
If you think that this is possible and something that we want to implement, I'd love to help out, with your guidance.
The text was updated successfully, but these errors were encountered: