Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
Sigma rule (View on GitHub)
1title: Ruby on Rails Framework Exceptions
2id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
3status: stable
4description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
5references:
6 - http://edgeguides.rubyonrails.org/security.html
7 - http://guides.rubyonrails.org/action_controller_overview.html
8 - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
9 - https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
10author: Thomas Patzke
11date: 2017-08-06
12modified: 2020-09-01
13tags:
14 - attack.initial-access
15 - attack.t1190
16logsource:
17 category: application
18 product: ruby_on_rails
19detection:
20 keywords:
21 - ActionController::InvalidAuthenticityToken
22 - ActionController::InvalidCrossOriginRequest
23 - ActionController::MethodNotAllowed
24 - ActionController::BadRequest
25 - ActionController::ParameterMissing
26 condition: keywords
27falsepositives:
28 - Application bugs
29level: medium
References
-
Securing Rails ApplicationsThis manual describes common security problems in web applications and how to avoid them with Rails.After reading this guide, you will know: All countermeasures that are highlighted. The concept of sessions in Rails, what to put in there and popular attack methods. How just visiting a site can be a security problem (with CSRF). What you have to pay attention to when working with files or providing an administration interface. How to manage users: Logging in and out and attack methods on all layers. And the most popular injection attack methods.
Read More -
Action Controller OverviewIn this guide, you will learn how controllers work and how they fit into the request cycle in your application.After reading this guide, you will know how to: Follow the flow of a request through a controller. Restrict parameters passed to your controller. Store data in the session or cookies, and why. Work with action callbacks to execute code during request processing. Use Action Controller's built-in HTTP authentication. Stream data directly to the user's browser. Filter sensitive parameters, so they do not appear in the application's log. Deal with exceptions that may be raised during request processing. Use the built-in health check end-point for load balancers and uptime monitors.
Read More -
I am writing an application that uses plain old Ruby objects (POROs) to abstract authorization logic out of controllers. Currently, I have a custom exception class called NotAuthorized that I
Read More -
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation
- Apache Spark Shell Command Injection - Weblogs
- Apache Threading Error
- Arcadyan Router Exploitations