James Espinosa
82 lines
3.7 KiB
Plaintext
Executable File
82 lines
3.7 KiB
Plaintext
Executable File
<div class="widget">
|
|
<div class="widget-header">
|
|
<div class="title">
|
|
<span class="fs1" aria-hidden="true" data-icon=""></span> A5 - Security Misconfiguration
|
|
</div>
|
|
</div>
|
|
<div class="widget-body">
|
|
<div id="accordion1" class="accordion no-margin">
|
|
<div class="accordion-group">
|
|
<div class="accordion-heading">
|
|
<a href="#collapseOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
|
|
<i class="icon-info icon-white">
|
|
</i>
|
|
Description
|
|
</a>
|
|
</div>
|
|
<div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
|
|
<div class="accordion-inner">
|
|
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="accordion-group">
|
|
<div class="accordion-heading">
|
|
<a href="#collapseTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
|
|
<i class="icon-bug icon-white">
|
|
</i>
|
|
Bug
|
|
</a>
|
|
</div>
|
|
<div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
|
|
<div class="accordion-inner">
|
|
<p>Rails has quite a few security related configurations. One of which relates to enforcing mass assignment protection.<p>
|
|
<p>
|
|
<pre class="ruby">
|
|
<%= %q{
|
|
config.active_record.whitelist_attributes=false
|
|
} %>
|
|
</pre>
|
|
</p>
|
|
<p>This configuration forces an application developer to whitelist attributes that can be modified with mass-assignment. When this configuration is set to false <b>any attribute can be mass-assigned.</b></p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="accordion-group">
|
|
<div class="accordion-heading">
|
|
<a href="#collapseThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
|
|
<i class="icon-lightning icon-white">
|
|
</i>
|
|
Solution
|
|
</a>
|
|
</div>
|
|
<div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
|
|
<div class="accordion-inner">
|
|
The solution for this issue is quite simple. In your application.rb file set the configuration as follows.
|
|
<pre class="ruby">
|
|
<%= %q{
|
|
config.active_record.whitelist_attributes=true
|
|
} %>
|
|
</pre>
|
|
Once this configuration is updated to true and the application is restarted, any attributes to be mass-assigned will have to be defined as attr_accessible.
|
|
</p>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="accordion-group">
|
|
<div class="accordion-heading">
|
|
<a style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
|
|
<i class="icon-aid icon-white">
|
|
</i>
|
|
Hint
|
|
</a>
|
|
</div>
|
|
<div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
|
|
<div class="accordion-inner">
|
|
It has to do with mass-assignment, whitelisting and configuration.
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div> |