Github: Understanding insecure deserialization vulnerabilities in Ruby projects

By Crypto Flexs, June 21, 2024

An insecure deserialization vulnerability in a Ruby project can allow an attacker to execute arbitrary commands on a remote server simply by sending crafted JSON data. According to the GitHub blog, these vulnerabilities arise when the deserialization process allows instantiation of arbitrary classes, or class-like structures, named in the serialized data.

How unsafe deserialization works

In Ruby, unsafe deserialization vulnerabilities are often exploited through libraries that support polymorphism, such as the Oj JSON serialization library. By chaining multiple classes together, an attacker can execute code on the system under attack. These classes, known as gadgets, are combined into gadget chains to form larger attacks.

For example, when using the Oj library to deserialize JSON, you may be vulnerable if your project contains the following configuration:

data = Oj.load(untrusted_json)

By default, the Oj library instantiates classes named in the JSON it loads; this behaviour is avoided by calling Oj.safe_load instead of Oj.load.

To demonstrate how this works, consider the following class, SimpleClass, whose hash method executes a command:

# Gadget class from the GitHub blog example: the command stored in @cmd
# runs as a side effect whenever Ruby calls #hash on an instance.
class SimpleClass
  def initialize(cmd)
    @cmd = cmd
  end

  def hash
    system(@cmd)
  end
end

The JSON payload that instantiates this class is:

{
    "^o": "SimpleClass",
    "cmd": "open -a calculator"
}
Loading this JSON with Oj.load does not call the hash method directly, but placing the instantiated object as a key inside a hash does trigger it:

Oj.load(json_payload)

This executes the command stored in the @cmd member variable.

Building a Detection Gadget

You can build a chain of detection gadgets to detect insecure deserialization vulnerabilities. For example, a class such as Gem::Requirement can be used: its hash method calls to_s on its internal members. By generating the appropriate JSON payload, this chain can be triggered to confirm that a vulnerability exists.

Detection gadgets can also be extended to a complete remote code execution (RCE) chain. This includes using classes and methods that are part of Ruby or its dependencies to execute arbitrary commands.

Avoid unsafe deserialization

To avoid these vulnerabilities, it is important to use a safe deserialization method. For example, using Oj.safe_load instead of Oj.load prevents instantiation of arbitrary classes. Additionally, tools like CodeQL can help detect unsafe deserialization by analyzing your source code for vulnerable patterns.
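As an added example (not from the GitHub blog or this article), the following Ruby code parses untrusted input with the standard library JSON parser, which never instantiates classes, and additionally rejects any document carrying Oj object-mode type markers such as the "^o" key shown in the payload above. The sample documents are constructed for illustration, and the function names are assumptions.

```ruby
require 'json'

# Constructed sample inputs: a benign document, the page's "^o" payload shape,
# and a payload with the marker hidden inside a nested array.
BENIGN  = '{"user":"alice","roles":["admin"]}'
SUSPECT = '{"^o":"SimpleClass","cmd":"open -a calculator"}'
NESTED  = '{"items":[{"name":"x"},{"^o":"Gem::Requirement","requirements":[]}]}'

# Walk a parsed JSON document and collect every key that begins with "^",
# the prefix Oj uses for its object-mode type markers (e.g. "^o" = object).
# Each hit records where it was found so the event can be logged or alerted on.
def oj_markers(node, path = "$")
  case node
  when Hash
    node.flat_map do |k, v|
      hits = k.is_a?(String) && k.start_with?("^") ? [{ path: path, key: k, value: v }] : []
      hits + oj_markers(v, "#{path}.#{k}")
    end
  when Array
    node.each_with_index.flat_map { |v, i| oj_markers(v, "#{path}[#{i}]") }
  else
    []
  end
end

# Safe loader (assumed name): stdlib JSON.parse returns only Hash/Array/scalars,
# so no gadget can be instantiated; markers are still rejected so that a
# downstream consumer that re-serializes into Oj cannot be reached by them.
def load_untrusted(json)
  data = JSON.parse(json)
  hits = oj_markers(data)
  unless hits.empty?
    detail = hits.map { |h| "#{h[:path]} #{h[:key]}=#{h[:value].inspect}" }.join(", ")
    raise ArgumentError, "rejected Oj type markers: #{detail}"
  end
  data
end

if __FILE__ == $0
  p load_untrusted(BENIGN)
  [SUSPECT, NESTED].each do |doc|
    begin
      load_untrusted(doc)
    rescue ArgumentError => e
      puts e.message
    end
  end
end
```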

For developers with access to the source code, scanning code on GitHub using CodeQL can identify unsafe deserialization sinks. If you don’t have access to the source code, you can use detection gadgets to identify vulnerabilities remotely.

Understanding how insecure deserialization works and implementing secure coding practices can help prevent these vulnerabilities. For more detailed examples and detection methodology, see the original blog post on the GitHub blog.
