H3-2022-0064¶

Rails Secret Token Exposure

Description¶

All Rails apps have a, randomly-generated secret token. This token is automatically generated and is often left unsecured.

Impact¶

An unauthenticated attacker can abuse the secret token to impersonate any user in the application and gain access to potentially sensitive data.

References¶

• Rails’ Insecure Defaults
• How to hack a Rails app using its secret_token
• MITRE ATT&CK Technique: T1552.001: Unsecured Credentials: Credentials In Files