Ruby _json pollution

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE) Browse the full HackTricks Training catalog for the assessment tracks (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE).

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group, the telegram group, follow @hacktricks_live on X/Twitter, or check the LinkedIn page and YouTube channel.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

This is a summary from the post https://nastystereo.com/security/rails-_json-juggling-attack.html

Basic information

When sending in a body some values not hashabled like an array they will be added into a new key called _json. However, It’s possible for an attacker to also set in the body a value called _json with the arbitrary values he wishes. Then, If the backend for example checks the veracity of a parameter but then also uses the _json parameter to perform some action, an authorisation bypass could be performed.

{
  "id": 123,
  "_json": [456, 789]
}

References

• https://nastystereo.com/security/rails-_json-juggling-attack.html

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE) Browse the full HackTricks Training catalog for the assessment tracks (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE).

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group, the telegram group, follow @hacktricks_live on X/Twitter, or check the LinkedIn page and YouTube channel.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.