
Access Control: Ruby on Rails - CRLF Injection and Cross-Site Scripting

Identifier: rails6_xss

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

Ruby on Rails versions 6.0.0 through 6.0.3.1 contain a CRLF injection vulnerability that allows JavaScript to be injected into HTTP responses, resulting in cross-site scripting.

How we test: We test for CRLF injection and XSS vulnerabilities in Ruby on Rails by injecting payloads containing CRLF sequences and JavaScript code, then analyzing the responses to detect whether the injected script is executed in the browser.
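The check below is an added example written for this page; it is not the scanner's own code and not part of Rails. It shows the defender's side of the test described above: a header value that still contains a carriage return or line feed can terminate its own header line and smuggle further headers or an HTML body into the response, so the mitigation is to reject CR/LF before a value reaches a response header. The header names, the helper functions and the sample payload are constructed for the example.

```ruby
# Added example, not code from the original page or from the Rails project:
# detecting and blocking CR/LF in HTTP response header values.

CRLF_PATTERN = /[\r\n]/

# True if the value would break out of its header line when serialised.
def crlf_injected?(value)
  !!(value.to_s =~ CRLF_PATTERN)
end

# Serialises a header hash to wire format the way a naive server would.
# Used only to show how an unsanitised value splits the response.
def serialize_headers(headers)
  headers.map { |name, value| "#{name}: #{value}\r\n" }.join
end

# Returns the names of all headers whose value contains CR or LF,
# which is the response-side signal a scanner looks for.
def find_crlf_headers(headers)
  headers.select { |_, value| crlf_injected?(value) }.keys
end

# Mitigation: refuse to build a header from a value containing CR/LF.
# (Stripping the characters is the alternative; rejecting is safer because
# it surfaces the attempt instead of silently altering the value.)
def safe_header_value(value)
  raise ArgumentError, "CR/LF not allowed in header value" if crlf_injected?(value)
  value
end

# Constructed sample: a redirect target taken straight from a request parameter.
# The payload ends the Location header, adds a header, and starts an HTML body.
CONSTRUCTED_PAYLOAD = "/home\r\nSet-Cookie: injected=1\r\n\r\n<script>/* injected */</script>"

if __FILE__ == $0
  headers = { "Location" => CONSTRUCTED_PAYLOAD, "Content-Type" => "text/html" }
  puts serialize_headers(headers)          # shows the split response
  p find_crlf_headers(headers)             # ["Location"]
  begin
    safe_header_value(CONSTRUCTED_PAYLOAD)
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
end
```

The same pattern applies to any header built from user input (redirect targets, Content-Disposition filenames, custom headers); a patched framework performs this check itself, but an explicit check at the point where untrusted input meets a header keeps the application safe on the affected versions as well.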

Reference:

Configuration

Example

Example configuration:

---
security_tests:
  rails6_xss:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.