Many Ruby-based web frameworks(old versions of Rails, ones which use Rack::Session::Cookie) have a secret key to sign session cookies for protection against cookie data tampering. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.


Change the value of secret key to a long random string.


Related Vulnerabilities