CVE-2022-22577: Exploring an XSS Vulnerability in Action Pack: Bypassing CSP for Non-HTML Responses

In this in-depth analysis, we will explore an XSS (Cross-Site Scripting) vulnerability found in Action Pack, a powerful component of the Ruby on Rails framework. The vulnerability, assigned the identifier CVE-2022-22577, affects versions greater than or equal to 5.2. and less than 6.2.. When exploited, this vulnerability enables an attacker to bypass the Content Security Policy (CSP) for non-HTML like responses.

Exploit Details

The vulnerability is caused by the way Action Pack processes user-supplied input, particularly concerning specific input values. Let's take a look at the impacted code snippet:

def process_action(*args)
  ret = super
  response.strip_tags!
  ret
end

In this code, the strip_tags! function is intended to remove HTML tags from the response generated by the server. However, the vulnerability arises when the response's content type is not HTML, allowing an attacker to bypass CSP and execute malicious scripts.

Links to Original References

- CVE Details: CVE-2022-22577
- GitHub Advisory: GHSA-hj98-jcf5-p5v2
- Ruby on Rails Security Announcement: Advisory

Steps to Reproduce

To clearly demonstrate the exploit, we first create a Rails application running on the vulnerable version of Action Pack by following these steps:

def index

response.content_type = 'text/plain'

`

With the Rails app set up, let's visit the /test endpoint and add a potentially malicious query parameter:

http://localhost:300/test?content=<script>alert('XSS')</script>;

If the CSP were properly implemented, the browser should not execute the JavaScript code contained within the <script> tags. However, since the vulnerability exists, an alert popup with the text 'XSS' will appear, confirming the successful exploit.

Run bundle update to apply the changes.

By taking these steps, you can ensure that your Rails application is protected against the CVE-2022-22577 vulnerability.

Conclusion

In this extensive examination of the CVE-2022-22577 vulnerability, we have demonstrated how an attacker could bypass CSP for non-HTML like responses in Ruby on Rails' Action Pack. To protect your Rails application, it is crucial to keep your software up to date and apply security patches as needed.

Timeline

Published on: 05/26/2022 17:15:00 UTC
Last modified on: 06/07/2022 14:37:00 UTC