Avoid Session Manipulation
Description
The application was found retrieving session data using user input. A malicious user may be able to retrieve information from the session that was never meant to be exposed to them. Session manipulation can occur when an application allows user input to select session keys. Since the session is typically treated as a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to choose which session entries are read may lead to unintended behavior.
Examples
Insecure Code

```ruby
# The key used to read from the session comes straight from the request
session[params[:key]]
```

Secure Code

```ruby
# Only these session keys may be read on behalf of the client
ALLOWED_SESSION_KEYS = ['display_settings', 'locale']
user_provided_key = params[:key]
if ALLOWED_SESSION_KEYS.include?(user_provided_key)
  value = session[user_provided_key]
else
  raise "Invalid session key provided."
end
```

Remediation
Never use user input as a session key. Instead, consider an allow list approach to control access to session keys, ensuring only predefined keys are accessible, and user input is not used to directly access the session key values.
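The contrast below is an added example, not code from the rule or from Brakeman/Semgrep. It stands in for a Rails session with a plain frozen hash (`SESSION`, with constructed contents: `user_id`, `_csrf_token`, `display_settings`, `locale`) and reads request parameters from a string-keyed hash, so the whole thing runs outside Rails. `read_session_unsafe` is the flagged pattern; `read_session_safe` applies the allow list from the remediation; `read_session_by_dispatch` goes one step further and never passes the client's value to the session at all, using it only to pick a branch. The function and constant names are illustrative.

```ruby
# Added example (not the rule's own code): a minimal stand-in for a Rails
# session store, used to contrast the flagged pattern with an allow-list lookup.
# Constructed session contents; the values are placeholders.
SESSION = {
  'user_id'          => 42,
  '_csrf_token'      => 'constructed-csrf-token-value',
  'display_settings' => { 'theme' => 'dark' },
  'locale'           => 'en'
}.freeze

# Keys a request is allowed to read. Everything else (auth state, CSRF token,
# internal flags) stays off limits regardless of what the client sends.
ALLOWED_SESSION_KEYS = %w[display_settings locale].freeze

class InvalidSessionKey < StandardError; end

# The flagged pattern: the client's input selects the session key directly,
# so any entry in the session can be read back.
def read_session_unsafe(params, session = SESSION)
  session[params['key']]
end

# The remediated pattern: the input is checked against a fixed allow list
# before it touches the session, and anything else (including nil) is rejected.
def read_session_safe(params, session = SESSION)
  key = params['key'].to_s
  unless ALLOWED_SESSION_KEYS.include?(key)
    raise InvalidSessionKey, "Invalid session key provided: #{key.inspect}"
  end
  session[key]
end

# Stricter alternative: the client's value only chooses a branch; the session
# is always indexed with a literal key written by the developer.
def read_session_by_dispatch(params, session = SESSION)
  case params['key']
  when 'display_settings' then session['display_settings']
  when 'locale'           then session['locale']
  else raise InvalidSessionKey, 'Invalid session key provided.'
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed request parameters, as they might arrive from a query string.
  benign  = { 'key' => 'locale' }
  hostile = { 'key' => '_csrf_token' }

  puts "unsafe, benign:  #{read_session_unsafe(benign).inspect}"
  puts "unsafe, hostile: #{read_session_unsafe(hostile).inspect}"  # exposes the token
  puts "safe, benign:    #{read_session_safe(benign).inspect}"
  begin
    read_session_safe(hostile)
  rescue InvalidSessionKey => e
    puts "safe, hostile:   rejected (#{e.message})"
  end
  puts "dispatch, benign: #{read_session_by_dispatch(benign).inspect}"
end
```

Running the file shows the unsafe reader returning the CSRF token for a request that merely names it, while both hardened readers raise `InvalidSessionKey` for the same request. In a real controller the allow list belongs next to the code that defines what those keys mean, and the rejection should surface as a 400 rather than an unhandled exception.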
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0550 |
| Category | AccessControl |
| Severity | CRITICAL |
| CWE | CWE-276 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | session manipulation, access control |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |
References
- https://brakemanscanner.org/docs/warning_types/session_manipulation/
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/audit/avoid-session-manipulation.yaml