Ruby Hardcoded Session Secret Token
Description
Detects hardcoded session secret tokens in Ruby applications that use Rack sessions. A session secret that is hardcoded in source code, instead of being randomly generated and supplied at runtime, is known to anyone with access to the repository or build artifacts; with it, an attacker can forge or tamper with signed session cookies, potentially leading to unauthorized access and session hijacking.
Detection Strategy
• Check configuration files and code for Rack session middleware initialization
• Look for session secret or secret_key_base parameters that are set to string literals or constants
• Verify whether the session secret value is hardcoded rather than loaded from environment variables or secure configuration
Vulnerable code example
use Rack::Session::Cookie,
key: 'rack.session',
secret: 'my_hardcoded_secret_123' # Vulnerable: secret key hardcoded in source code

✅ Secure code example
use Rack::Session::Cookie,
key: 'rack.session',
secret: ENV.fetch('RACK_SESSION_SECRET'), # Secret loaded from environment variable
secure: true, # Ensures cookie only sent over HTTPS
expire_after: 3600, # Session expires after 1 hour
same_site: :strict # Prevents CSRF attacks
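The detection strategy above as a small static check, added here as an example (it is not Fluid Attacks' own scanner): it scans Ruby source for `secret:` / `secret_key_base` values that are string literals or constants bound to string literals, and produces no finding for values loaded from ENV. The sample configurations are constructed for the example.

```ruby
# Matches `secret: v`, `:secret => v`, `secret_key_base = v`; captures v up to a trailing comma/comment.
SECRET_PATTERN = /\b(secret|secret_key_base)\s*(?::|=>|=)\s*(.+?)\s*,?(?:\s+#.*)?\s*$/

# A value is a literal if it is a single- or double-quoted string.
def string_literal?(expr)
  expr.match?(/\A(['"]).*\1\z/)
end

# Map CONSTANT => value for top-level constant assignments in the source.
def constant_values(source)
  source.each_line.each_with_object({}) do |line, consts|
    m = line.match(/\A\s*([A-Z][A-Z0-9_]*)\s*=\s*(.+?)(?:\s+#.*)?\s*$/)
    consts[m[1]] = m[2] if m
  end
end

# Return [{line:, reason:}] for every session secret set to a string literal or
# to a constant that itself holds one. ENV-backed values produce no finding.
def hardcoded_session_secrets(source)
  consts = constant_values(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next unless (m = line.match(SECRET_PATTERN))
    value = m[2]
    if string_literal?(value)
      findings << { line: lineno, reason: 'string literal' }
    elsif consts.key?(value) && string_literal?(consts[value])
      findings << { line: lineno, reason: "constant #{value} holds a string literal" }
    end
  end
  findings
end

# Constructed sample sources (not taken from a real application).
VULNERABLE_CONFIG = <<~RUBY
  SESSION_SECRET = 'constant_secret_456'
  use Rack::Session::Cookie,
    key: 'rack.session',
    secret: 'my_hardcoded_secret_123' # Vulnerable
  Rails.application.config.secret_key_base = "abc#123"
  use Rack::Session::Cookie, key: 'x', secret: SESSION_SECRET
RUBY

SAFE_CONFIG = <<~RUBY
  use Rack::Session::Cookie,
    key: 'rack.session',
    secret: ENV.fetch('RACK_SESSION_SECRET') # loaded at runtime
  config.secret_key_base = ENV['SECRET_KEY_BASE']
RUBY
```

Running `hardcoded_session_secrets(VULNERABLE_CONFIG)` reports lines 4, 5 and 6 of the sample; the constant case is caught only because the literal assignment is in the same source, so a real scanner would resolve constants across files.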