Improper Restriction of Rendered UI Layers or Frames
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1021: Improper Restriction of Rendered UI Layers or Frames |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Dynamic `:action` route segments in Ruby on Rails let the client choose which controller action runs by putting its name in the URL. Any public method on the matched controller then becomes reachable over HTTP, not only the actions the developer intended to expose, so a crafted URL can trigger functionality that was never meant to have a route.
Impact
If exploited, an attacker can invoke any public method on a routed controller, including helpers and administrative tasks that were never meant to be actions. Depending on what those methods do, this can expose sensitive data, perform unauthorized state changes, or escalate privileges, and it generally produces application behavior the developer did not anticipate.
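The following is an added example, not code from the original page: a small pure-Ruby stand-in for the Rails dispatcher that contrasts the dynamic `:action` route described above with an explicit route allowlist, and shows the impact on a controller with a public helper. The `ArticlesController`, its methods and the route tables are constructed for illustration; Rails itself is not loaded. The two `config/routes.rb` lines quoted in the comments are real Rails syntax (`match ':controller(/:action(/:id))', via: ...` and `resources :articles, only: ...`), while `action_methods` here is only an approximation of what Rails computes.

```ruby
# Added example: why a dynamic ':action' route exposes every public method.
# Everything below is constructed; it does not depend on Rails.

# A controller as an application might write it. Only `index` and `show` are
# meant to be routable. `rebuild_cache` is an internal task that was left
# public by mistake; `load_article` is correctly private.
class ArticlesController
  def index
    'listing articles'
  end

  def show(id)
    "article #{id}"
  end

  def rebuild_cache
    'cache rebuilt (should never be URL-reachable)'
  end

  private

  def load_article
    'internal helper'
  end
end

# Approximation of Rails' action_methods: the public instance methods the
# controller defines itself. Private methods are excluded, public ones are not.
def action_methods(controller_class)
  controller_class.public_instance_methods(false).map(&:to_s)
end

def invoke(controller, action, id)
  args = controller.method(action).arity.zero? ? [] : [id]
  [200, controller.public_send(action, *args)]
end

CONTROLLERS = { 'articles' => ArticlesController }.freeze

# Stand-in for the weak configuration:
#   # config/routes.rb (weak)
#   match ':controller(/:action(/:id))', via: [:get, :post]
# The action name is taken straight from the URL and only has to be public.
def dispatch_dynamic(path, controllers = CONTROLLERS)
  _, controller, action, id = path.split('/')
  action ||= 'index'
  klass = controllers[controller]
  return [404, 'no such controller'] unless klass
  return [404, 'no such action'] unless action_methods(klass).include?(action)

  invoke(klass.new, action, id)
end

# Stand-in for the hardened configuration:
#   # config/routes.rb (hardened)
#   resources :articles, only: [:index, :show]
# Only the routes named here are dispatchable, regardless of which methods
# happen to be public on the controller.
EXPLICIT_ROUTES = {
  'articles/index' => [ArticlesController, :index],
  'articles/show'  => [ArticlesController, :show]
}.freeze

def dispatch_explicit(path, routes = EXPLICIT_ROUTES)
  _, controller, action, id = path.split('/')
  action ||= 'index'
  entry = routes["#{controller}/#{action}"]
  return [404, 'no route matches'] unless entry

  klass, method_name = entry
  invoke(klass.new, method_name, id)
end

if __FILE__ == $PROGRAM_NAME
  attack = '/articles/rebuild_cache'
  puts "dynamic  #{attack} => #{dispatch_dynamic(attack).inspect}"   # 200: helper runs
  puts "explicit #{attack} => #{dispatch_explicit(attack).inspect}"  # 404: not routed
end
```

Running the block shows the same URL succeeding under the dynamic route and being rejected under the explicit one. The fix in a real application is the same as in the hardened comment: replace the catch-all `match` with `resources`/`get`/`post` declarations that name each action, and keep non-action helpers private or in a module outside the controller.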