Insecure HTTP methods enabled
Need
Restriction of insecure HTTP methods
Context
- Usage of Ruby for building dynamic and object-oriented applications
- Usage of Rails framework for building web applications
- Usage of Rack for building web applications in Ruby
Description
Non-compliant code
# config/application.rb
module YourApp
  class Application < Rails::Application
    # Enables verb overriding via the _method parameter or header
    config.middleware.use ::Rack::MethodOverride
  end
end
In the code above, the Rack::MethodOverride middleware is used in the Ruby on Rails application. This middleware allows the application to use HTTP verbs such as PUT, DELETE, and TRACE, which are considered insecure.
The Rack::MethodOverride middleware overrides the HTTP verb sent by the client with one specified in the request parameters or headers. It exists to support HTTP verbs other than GET and POST in HTML forms, which can only submit GET and POST natively.
However, this can expose the application to several security vulnerabilities. For instance, an attacker could use the PUT and DELETE methods to alter or remove files on the server. Similarly, the TRACE method can be used to perform cross-site tracing (XST) attacks, which can lead to the leakage of sensitive information.
In this case, the application is vulnerable because it allows these insecure HTTP methods.
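The override mechanism described above, and the restriction the fix aims for, as an added example that is not part of the original page: a minimal Rack-style pipeline in plain Ruby (no gems required). MethodOverrideDemo and MethodAllowList are hypothetical stand-ins written for this example; the request body is passed as a plain string rather than an IO for simplicity.

```ruby
require "uri"

# Verbs the application actually needs (constructed for this example).
ALLOWED_METHODS = %w[GET HEAD POST OPTIONS].freeze

# Hypothetical stand-in for Rack::MethodOverride: when a POST carries a
# `_method` form field or an X-HTTP-Method-Override header, the request
# verb is rewritten before the downstream app sees it.
class MethodOverrideDemo
  OVERRIDABLE = %w[PUT PATCH DELETE].freeze
  def initialize(app); @app = app; end
  def call(env)
    if env["REQUEST_METHOD"] == "POST"
      params = URI.decode_www_form(env["rack.input"].to_s).to_h
      wanted = (params["_method"] || env["HTTP_X_HTTP_METHOD_OVERRIDE"]).to_s.upcase
      env["REQUEST_METHOD"] = wanted if OVERRIDABLE.include?(wanted)
    end
    @app.call(env)
  end
end

# Defensive middleware: rejects any verb outside the allow-list with 405.
# If an override middleware is kept, this must sit *inside* it so that it
# inspects the rewritten verb, not the original POST.
class MethodAllowList
  def initialize(app, allowed = ALLOWED_METHODS); @app, @allowed = app, allowed; end
  def call(env)
    unless @allowed.include?(env["REQUEST_METHOD"])
      return [405, { "allow" => @allowed.join(", ") }, ["Method Not Allowed"]]
    end
    @app.call(env)
  end
end

# Terminal app: echoes the verb it actually received.
APP = ->(env) { [200, {}, ["handled as #{env["REQUEST_METHOD"]}"]] }

# Builds a Rack-like env from a constructed request and returns [status, body].
def request(stack, method, body: "", headers: {})
  env = { "REQUEST_METHOD" => method, "rack.input" => body }.merge(headers)
  status, _headers, resp_body = stack.call(env)
  [status, resp_body.join]
end

# Non-compliant: override enabled, nothing restricts the rewritten verb.
def insecure_stack; MethodOverrideDemo.new(APP); end
# Compliant: override removed and an explicit allow-list enforced.
def secure_stack; MethodAllowList.new(APP); end
```

With the insecure stack a plain POST carrying `_method=DELETE` reaches the app as DELETE; with the secure stack the same request is handled as POST and a direct TRACE or DELETE is answered with 405.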
Steps
- Disable insecure HTTP methods such as TRACE, PUT, and DELETE.
- Remove or comment out the line 'config.middleware.use ::Rack::MethodOverride' in the 'config/application.rb' file.
- Ensure that only necessary and secure HTTP methods are enabled on the server.
- Regularly update and patch the server software to mitigate any potential vulnerabilities.
Compliant code
# config/application.rb
module YourApp
  class Application < Rails::Application
    # Method overriding disabled: the client's verb is used as sent
    # config.middleware.use ::Rack::MethodOverride
  end
end
The code above is the fixed version of the previously vulnerable code. The line config.middleware.use ::Rack::MethodOverride has been commented out. This line was responsible for enabling HTTP methods such as TRACE, PUT, and DELETE on the server.
These methods can be insecure because they may allow an attacker to include and/or delete files, or to perform cross-site tracing attacks. By commenting out this line, the insecure HTTP methods are disabled, which fixes the vulnerability.
Only the HTTP methods the application actually needs should be enabled on the server. Regularly updating and patching the server software is also good practice for mitigating any potential vulnerabilities.