Ruby on Rails weak/known secret token

Description
  • Each Ruby on Rails web application contains a secret token (usually stored in the file secret_token.rb). This secret_token is used to sign the cookies the application sets. Without it, cookies sent by the browser cannot be trusted, which makes session-based authentication unreliable. It is very important that an attacker does not know the value of this secret token. Your application is using a weak/known token and Acunetix managed to guess this token. Knowing the secret token allows an attacker to impersonate any user in the application and even achieve remote code execution by deserialization of a crafted Ruby object.
Remediation
  • Change the value of the secret_token (from RAILS_ROOT/config/initializers/secret_token.rb) to a random string.
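As an added example (not part of this advisory or of Rails itself), the Ruby below generates a replacement token of the kind `rake secret` produces, flags tokens that are too short to be safe, and re-implements Rails' "payload--HMAC" signed-cookie format with JSON in place of Marshal to show that a cookie only verifies under the correct secret; the helper names are assumptions of this example.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# A replacement secret_token: 64 random bytes, hex-encoded (128 characters),
# the same shape `rake secret` writes into config/initializers/secret_token.rb.
def generate_secret_token
  SecureRandom.hex(64)
end

# Rails refuses secrets shorter than 30 characters; treat anything that short,
# or with very little character variety, as weak.
def weak_secret_token?(secret)
  secret.nil? || secret.bytesize < 30 || secret.chars.uniq.size < 10
end

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed-cookie format used by Rails' MessageVerifier:
# "<base64 payload>--<hex HMAC-SHA1 of the payload under the secret>".
# JSON is used here instead of Marshal; Marshal is what turns a leaked
# secret into code execution on deserialization.
def sign_cookie(value, secret)
  payload = Base64.strict_encode64(JSON.generate(value))
  digest  = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# Returns the decoded value, or nil if the signature does not match the
# secret or the cookie is malformed.
def verify_cookie(cookie, secret)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless secure_equal?(digest, expected)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end
```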
References