Hacktricks-skills ruby-json-pollution
Use this skill whenever you're testing Ruby on Rails applications for deserialization vulnerabilities, JSON parsing issues, or authorization bypasses involving the _json parameter. Trigger this when you see JSON endpoints, Rails controllers, or need to test for parameter pollution attacks. Make sure to use this skill for any web application security testing involving Ruby backends, especially when dealing with JSON request bodies, API endpoints, or authorization checks.
install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest:
skills/pentesting-web/deserialization/ruby-_json-pollution/SKILL.MDsource content
Ruby _json Pollution Attack
A skill for identifying and exploiting the Ruby _json pollution vulnerability in Rails applications.
Overview
The
_json_json_jsonVulnerability Mechanics
How It Works
- Normal behavior: When Rails receives a JSON body with non-hashable values (arrays, etc.), it automatically stores them in a
key_json - Attack vector: An attacker can manually include
in the request body with arbitrary values_json - Exploitation: If the application checks one parameter for authorization but uses
for actual operations, the check can be bypassed_json
Example Payload
{ "id": 123, "_json": [456, 789] }
In this case, the array
[456, 789]_jsonDetection
When to Test
- Any Ruby on Rails application with JSON API endpoints
- Applications that accept JSON request bodies
- Endpoints with authorization or access control checks
- Forms or APIs that process structured data
Detection Steps
- Identify JSON endpoints: Find API endpoints that accept JSON in the request body
- Check for parameter validation: Look for endpoints that validate specific parameters
- Test _json injection: Add a
key with test values to the request body_json - Observe behavior: Check if the application processes the
parameter_json
Example Detection Request
curl -X POST https://target.com/api/resource \ -H "Content-Type: application/json" \ -d '{ "id": 1, "_json": {"test": "pollution_detected"} }'
Exploitation
Authorization Bypass
If an application checks
params[:id]params[:_json]{ "id": 1, // User's own resource (passes auth check) "_json": [999] // Target resource (used for actual operation) }
Data Manipulation
Inject arbitrary data structures through
_json{ "action": "update", "_json": { "role": "admin", "permissions": ["read", "write", "delete"] } }
Array Injection
Force array values into the parameter hash:
{ "user_id": 123, "_json": [123, 456, 789] }
Testing Checklist
- Identify all JSON API endpoints
- Map parameters used for authorization checks
- Test each endpoint with
parameter injection_json - Compare behavior with and without
parameter_json - Document any differences in application behavior
- Check for sensitive operations affected by
_json
Mitigation Recommendations
For Developers
- Explicit parameter whitelisting: Only allow specific parameters in controllers
- Avoid relying on implicit parameter handling: Be explicit about what data is accepted
- Validate all input: Check both explicit parameters and any
keys_json - Use strong parameters: Leverage Rails strong parameters feature
- Sanitize JSON input: Remove or validate
keys before processing_json
Example Strong Parameters
def permitted_params params.permit(:id, :name, :email) # _json is not permitted end
References
Related Skills
- Consider using this skill alongside other deserialization testing skills
- Combine with general API security testing for comprehensive coverage
- Use with authorization testing skills for complete access control assessment