Help Needed: Auto-incrementing ID vulnerability causing database malfunctions

Hello everyone,

We’ve been experiencing some issues with our system that pertain to certain endpoints that utilize auto-incrementing IDs. It seems that these IDs can be manipulated by attackers, allowing them to modify the ID to a value near the maximum limit, such as 2147483647. This causes the next user who creates a new row in the table to be assigned an ID that exceeds the MySQL ID limit, resulting in a 500 error status and widespread malfunctions across all the customers utilizing the vulnerable functionality.

We’re looking for some guidance on how to fix this issue. Does anyone have any suggestions on how to prevent attackers from manipulating the auto-incrementing IDs?

Any help or insights you can provide would be greatly appreciated. Thank you in advance!

In your controller you probably have some kind of find_widget type logic which looks like this:

def find_thing
  # Looks the record up by the URL/path :id; strong params are not involved here
  @thing = Thing.find(params[:id])
end

Consider that this does not require :id to be in the strong params! So probably you do currently allow :id in the strong params like this:

def thing_params
  # :id in the permit list lets a client set the primary key on create/update
  params.require(:thing).permit(:id, :first_name, :last_name, :title, :address, ... )
end

Try removing :id and make sure that your #create / #update still work. If so then all should be well – those goofballs on the Internet won’t be able to tweak your primary key IDs around with BurpSuite or similar!
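To make the failure mode and the fix concrete, here is an added, self-contained Ruby example that is not part of the thread above and does not use the poster's application code. It stands in for ActiveRecord and strong params so it runs without Rails: `FakeTable` imitates a MySQL table with a signed INT `AUTO_INCREMENT` key, `permit_params` imitates `params.require(:thing).permit(...)`, and the request hashes are constructed inputs. With `:id` permitted, one forged request pins the counter at the INT maximum and the next ordinary insert fails; with `:id` removed, the forged value is dropped before it reaches the database.

```ruby
# Added example (not from the original thread): simulation of the auto-increment
# exhaustion bug described above. FakeTable, permit_params and INT_MAX are
# assumed names standing in for MySQL/ActiveRecord and strong params.

INT_MAX = 2_147_483_647  # MySQL signed INT upper bound, the value from the question

# Minimal stand-in for a MySQL table with an AUTO_INCREMENT INT primary key.
class FakeTable
  class OverflowError < StandardError; end

  attr_reader :rows

  def initialize
    @rows = {}
    @next_id = 1
  end

  # Mirrors MySQL: an explicit id is honoured and the counter moves past it.
  # An id beyond INT_MAX cannot be stored, which is the 500 error from the question.
  def insert(attrs)
    id = attrs.fetch(:id) { @next_id }
    raise OverflowError, "id #{id} exceeds INT max #{INT_MAX}" if id > INT_MAX
    @rows[id] = attrs.merge(id: id)
    @next_id = [@next_id, id + 1].max
    @rows[id]
  end
end

# Stand-in for params.require(:thing).permit(...): keep only whitelisted keys.
def permit_params(raw, permitted)
  raw.select { |key, _| permitted.include?(key) }
end

VULNERABLE_PERMIT = %i[id first_name last_name]  # :id allowed, the "before" state
HARDENED_PERMIT   = %i[first_name last_name]     # :id removed, the suggested fix

# Runs two requests against a fresh table: one carrying a forged :id at the
# INT maximum, then an ordinary one. Returns the ordinary request's id, or
# :error when the insert fails. Both request hashes are constructed inputs.
def simulate(permitted)
  table = FakeTable.new
  forged_request = { id: INT_MAX, first_name: "Mal", last_name: "Ory" }
  table.insert(permit_params(forged_request, permitted))
  normal_request = { first_name: "Alice", last_name: "Smith" }
  table.insert(permit_params(normal_request, permitted))[:id]
rescue FakeTable::OverflowError
  :error
end

if __FILE__ == $PROGRAM_NAME
  puts "with :id permitted: #{simulate(VULNERABLE_PERMIT).inspect}"  # :error
  puts "with :id removed:   #{simulate(HARDENED_PERMIT).inspect}"    # 2
end
```

The same check applies to any other attribute a client should never set (foreign keys, role flags): keep it out of the permit list and let the database assign it. A request that still carries `id` after the fix is also a useful thing to log, since legitimate clients have no reason to send it.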