SigmaHQ/rules/web/web_ruby_on_rails_security.yml

title: Ruby on Rails framework security errors
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
author: Thomas Patzke
reference:
    - http://edgeguides.rubyonrails.org/security.html
    - http://guides.rubyonrails.org/action_controller_overview.html
    - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
    - https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
logsource:
    product: ruby_on_rails
detection:
    keywords:
        - ActionController::InvalidAuthenticityToken
        - ActionController::InvalidCrossOriginRequest
        - ActionController::MethodNotAllowed
        - ActionController::BadRequest
        - ActionController::ParameterMissing
    condition: keywords
falsepositives:
    - Application bugs
    - Penetration testing
level: medium
Added Ruby on Rails security-related exceptions rule 2017-08-06 20:57:52 +00:00			`title: Ruby on Rails framework security errors`
			`description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts`
			`author: Thomas Patzke`
			`reference:`
			`- http://edgeguides.rubyonrails.org/security.html`
			`- http://guides.rubyonrails.org/action_controller_overview.html`
			`- https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception`
			`- https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb`
			`logsource:`
			`product: ruby_on_rails`
			`detection:`
			`keywords:`
			`- ActionController::InvalidAuthenticityToken`
			`- ActionController::InvalidCrossOriginRequest`
			`- ActionController::MethodNotAllowed`
			`- ActionController::BadRequest`
			`- ActionController::ParameterMissing`
			`condition: keywords`
			`falsepositives:`
			`- Application bugs`
			`- Penetration testing`
			`level: medium`