2,000+ Websites Vulnerable With Ruby on Rails Flaw

Nov 28, 2013 By Sarah Vonnegut

A new exploit, discovered by a white-hat hacker, puts users of over 2,000 Websites in danger of attack. Older versions of Ruby on Rails, a popular open source Web application framework, employ a defective session management system that could affect the users of the thousands of sites built on it.

G.S. McNamara, a security researcher based in D.C., first found the issue back in September. The flaw is an Insufficient Session Expiration weakness, and McNamara says it’s fairly common. It’s especially dangerous on shared computers with lots of daily user turnover, such as in libraries or internet cafes.

In older versions of Ruby on Rails, the default CookieStore saves a user’s session on the client side, in a cookie, indefinitely. Because the session lives entirely in that cookie, Ruby on Rails has no way to truly invalidate it, so the Web app can still be accessed after the session has been terminated. The vulnerability allows a malicious actor to use an XSS attack to steal the data from just one user cookie and illicitly log in to the Ruby Web app as that user. If the user happened to be logged into his bank account, for example, the hacker would be able to perform any number of unfortunate actions under the victim’s guise.

The defect is a ‘child’ of Broken Authentication and Session Management, number 2 in the OWASP Top 10, indicating the high-risk nature of the problem. The report listed Broken Session Management as a widespread occurrence with only average detectability.

Looking through the list of vulnerable sites, some pretty recognizable ones pop out: the crowd funding site, the internet radio player, the site offering personalized online newspapers based on RSS feeds, and the site where people offer up services for $5, among about 1,892 other exposed sites. The list is not even exhaustive; these sites are just out of 90,000 sites that McNamara analyzed.

Even the newer versions of Ruby on Rails (4.0 and up) don’t fully solve the issue, though they do take the additional step of encrypting the cookies. An attacker, McNamara wrote to Threatpost, could still save the cookie and use it to log in as the victim, without ever seeing the encrypted data.

How To Check If A Site Is Affected & How To Fix Your Ruby on Rails Site:

To check if a site could be vulnerable to attack, just look for a “Bah7” string at the beginning of your cookies’ value, McNamara advises.

McNamara advocates that developers working with Ruby on Rails switch to a session store that keeps the session on the server, as opposed to in the client-side cookie. His overall recommendations for better session expiration are to ensure that web apps automatically log users out after a short idle period, and to make log-out buttons highly visible so that users are encouraged to log out properly.
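As an added illustration (not code from the article, from McNamara, or from Rails itself), the Ruby below models both the check and the fix described above: a Rails 3-style CookieStore value that still verifies after the user has "logged out", the cookie-prefix test derived from Marshal's own output, and a minimal server-side store with an idle timeout. The secret, the session contents and the 900-second timeout are constructed for the demo.

```ruby
require 'base64'
require 'openssl'
require 'securerandom'

# Constructed demo secret (a Rails 3 app used config.secret_token here).
SECRET = 'constructed-demo-secret-do-not-reuse'

# Rails 3 CookieStore layout: Base64(Marshal.dump(session)) + "--" + HMAC-SHA1.
def cookie_store_value(session)
  payload = Base64.strict_encode64(Marshal.dump(session))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', SECRET, payload)}"
end
# The only check a CookieStore server can make is the signature; nothing records
# that the user logged out, so a saved copy of the cookie is still accepted.
def cookie_store_load(value)
  payload, digest = value.to_s.split('--', 2)
  return nil unless payload && digest
  expected = OpenSSL::HMAC.hexdigest('SHA1', SECRET, payload)
  return nil unless expected.bytesize == digest.bytesize &&
                    expected.bytes.zip(digest.bytes).sum { |a, b| a ^ b }.zero?
  Marshal.load(Base64.strict_decode64(payload))
end

# The fingerprint the article describes, derived instead of typed: a Marshal-dumped
# Hash begins with "\x04\x08{", which Base64 renders as a fixed 4-character prefix.
MARSHAL_HASH_PREFIX = Base64.strict_encode64(Marshal.dump({}))[0, 4]
def looks_like_cookie_store_session?(cookie_value)
  cookie_value.to_s.start_with?(MARSHAL_HASH_PREFIX)
end
# Server-side store: the cookie carries only a random id; data and last-activity
# time live on the server, so logout really destroys the session and idle ones
# expire. `now` is a parameter so the timeout can be exercised without sleeping.
class ServerSessionStore
  def initialize(idle_timeout)
    @sessions, @idle_timeout = {}, idle_timeout
  end
  def create(data, now = Time.now)
    id = SecureRandom.hex(16)
    @sessions[id] = { data: data, last_seen: now }
    id
  end
  def load(id, now = Time.now)
    entry = @sessions[id]
    return nil unless entry
    return destroy(id) && nil if now - entry[:last_seen] > @idle_timeout # expired
    entry[:last_seen] = now
    entry[:data]
  end
  def destroy(id); @sessions.delete(id); end
end
```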

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
