Session Manipulation
ID |
ruby.checksessionmanipulation |
Severity |
high |
Resource |
Session Manipulation |
Language |
Ruby |
Description
Session manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.
For example:
user_id = session[params[:name]] current_user = User.find(user_id)
In this scenario, the attacker can point the name parameter to some other session value (for example, _csrf_token) that will be interpreted
as a user ID. If the ID matches an existing account, the attacker will now have access to that account.
To prevent this type of session manipulation, avoid using user-supplied input as session keys.
Remediation
Follow secure coding practices for Ruby on Rails applications. Review the references below for detailed remediation guidance.