Connect with us

Hi, what are you looking for?


Application Security

A Hard Knock Life – Ruby on Rails Vulnerabilities and System Hardening

Last week, Ruby on Rails (RoR), a popular web application framework, was reported as vulnerable to critical vulnerabilities.

Last week, Ruby on Rails (RoR), a popular web application framework, was reported as vulnerable to critical vulnerabilities. In this column I discuss the technical details of these vulnerabilities and show how web applications’ administrators can avoid these and similar problems in the first place with some proper system hardening. We will also suggest a cost effective method to achieve the desired “hardened system” status with security solutions equipped with machine learning capabilities.

Ruby on Rails Recent Vulnerabilities: Technical Details Explained

Ruby on RailsBoth of the reported vulnerabilities stem from RoR’s parsing code. The parser’s handling of complex objects representations such as the XML and JSON serialization formats, failed to address some esoteric scenarios which gave rise to several security issues. If you don’t like any more technical details, you can proceed to the next section. 

The root cause of the CVE-2013-0155 vulnerability is an unexpected usage of the JSON serialization format. An attacker using the JSON serialization format can trick a Ruby application which expects its parameters to be of an atomic type (i.e. an integer or a string) and pass a JSON’s array instead. With this unexpected input, the attacker is able to smuggle an empty value (“NULL”) as the only element of an array, and bypass an application specific use of the “IS NULL” check designed for atomic types, as the array itself in not empty.

The essence of the CVE-2013-0156 vulnerability is an unexpected usage of the XML serialization format. The RoR parser can be told by the attacker to automatically generate some complex objects, such as the YAML type, via the XML serialization format. The YAML complex object instantiation may involve evaluating some arbitrary, attacker controlled, Ruby code. Some sources report they were able to abuse this vulnerability to run some arbitrary operating system (OS) commands.

Note that the latter vulnerability (CVE-2013-0156) is much more dangerous than the former (CVE-2013-0156). While CVE-2013-0155 is very context and application specific, CVE-2013-0156 is far more general, as it’s not related to a specific RoR application, but to all RoR applications, as the vulnerability resides in the RoR infrastructure itself.

Hardening – Making Your System a Hard Candy for Attackers

Wikipedia defines system hardening as “the process of securing a system by reducing its surface of vulnerability. A system has a larger vulnerability surface the more that it does; in principle a single-function system is more secure than a multipurpose one. Reducing available vectors of attack typically includes the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.”

Advertisement. Scroll to continue reading.

When the application is promoted from development to production, the system configuration must be hardened to disable any irrelevant parts that may help the attacker. In the hardening process detailed error messages should be disabled, excessive file and directory permissions should be restricted, source code leftovers should be deleted and so on.

In the case of the RoR vulnerabilities, a well hardened system would have saved the day for most RoR web applications. Many applications don’t use XML serialization at all. From those who do use it, only a minority are actually using the YAML serialization format. Therefore, the vast majority of the RoR powered applications don’t need a YAML support at all. If these systems would have been hardened to block the usage of XML, or YAML within XML, they would not have been vulnerable to CVE-2013-0156. A similar argument can be made for JSON system hardening with respect to the CVE-2013-0155 vulnerability.

Hardening is Made Easy with Machine Learning Solutions

Achieving the status of a fully hardened system is a very hard and time consuming task when it’s manually done. The hardening process requires a vast knowledge in many different aspects of IT and development and involves many details. Luckily, the daunting task of hardening can be done automatically. A system equipped with machine learning capabilities is able to observe the usual usage patterns of the application and detect any anomalies to it, by thus performing an automatic, ongoing, hardening process.

In the RoR vulnerabilities case, a Web Application Firewall (WAF) equipped with machine learning capabilities is able to detect the normal usage of web application, and automatically detect the abnormal usage of a new parameter or a new parameter’s format.

Another use case from a different IT domain would be user’s database privileges hardening. A Database Activity Monitoring (DAM) solution equipped with machine learning capabilities can learn the usual usage patterns of a user, e.g. the tables she actually query. When she (or most probably a malware on her machine abusing her credentials) attempts to access a table that she is technically allowed to due to excessive access privileges, but never did before, the DAM would detect it, by thus performing an automatic user’s database privileges hardening.

Summing up, system hardening is a very powerful security tool. Using security solutions which include some built in machine learning capabilities is the most cost-effective way to achieve a hardened system status.

Related: Web Application Firewalls – Three Benefits You May Not have Considered

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...