Improper Control of Generation of Code (‘Code Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using the :marshal or :hybrid cookie serializer allows cookies to be deserialized with Ruby's Marshal format, which is unsafe because Marshal reconstructs arbitrary Ruby objects from attacker-supplied bytes. Attackers who can tamper with cookies may exploit this to run malicious code on your server. Setting the serializer to :json restricts cookie contents to plain data.
Impact
If exploited, an attacker could achieve remote code execution on your server by crafting a malicious cookie. This could lead to full system compromise, data theft, or further attacks against your users and infrastructure.
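An added example (not part of this finding's own text) that checks a Rails initializer for the weak `:marshal`/`:hybrid` setting, shows the corrected `:json` setting, and illustrates why the two differ: Marshal rebuilds whatever class a payload names, while JSON yields only plain data. The initializer strings and the `AuditEntry` class are constructed for illustration.

```ruby
require "json"

# Constructed sample initializers (config/initializers/cookies_serializer.rb);
# illustrative strings only, not files from any real project.
WEAK_CONFIG   = "Rails.application.config.action_dispatch.cookies_serializer = :marshal\n"
HYBRID_CONFIG = "Rails.application.config.action_dispatch.cookies_serializer = :hybrid\n"
FIXED_CONFIG  = "Rails.application.config.action_dispatch.cookies_serializer = :json\n"

SERIALIZER_RE = /cookies_serializer\s*=\s*:(\w+)/

# Returns the configured serializer as a symbol, or nil when the setting is absent.
def configured_serializer(source)
  match = source.match(SERIALIZER_RE)
  match && match[1].to_sym
end

# Both :marshal and :hybrid can hand cookie bytes to Marshal.load (hybrid falls
# back to Marshal for cookies that are not valid JSON), so both are flagged.
def unsafe_cookie_serializer?(source)
  %i[marshal hybrid].include?(configured_serializer(source))
end

# Why it matters: Marshal reconstructs an instance of whatever class the payload
# names, so a tampered cookie can build objects the app never intended to build.
# JSON only ever yields Hash, Array, String, numbers, booleans or nil.
class AuditEntry
  attr_reader :note
  def initialize(note)
    @note = note
  end
end

def class_after_marshal_roundtrip(obj)
  Marshal.load(Marshal.dump(obj)).class
end

def class_after_json_roundtrip(data)
  JSON.parse(JSON.generate(data)).class
end

if __FILE__ == $PROGRAM_NAME
  [WEAK_CONFIG, HYBRID_CONFIG, FIXED_CONFIG].each do |cfg|
    verdict = unsafe_cookie_serializer?(cfg) ? "UNSAFE" : "ok"
    puts "#{configured_serializer(cfg).inspect}: #{verdict}"
  end
  puts "Marshal rebuilds: #{class_after_marshal_roundtrip(AuditEntry.new('x'))}"
  puts "JSON yields:      #{class_after_json_roundtrip('note' => 'x')}"
end
```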