Ruby Snippet #01

The Code Review Snippet challenges offer a small piece of vulnerable code for you to analyze. The goal is to identify the issue on your own before watching the explanatory video. The specific challenge discussed here relates to a Ruby on Rails application’s MFAController, which manages multi-factor authentication attempts. The controller increments a session variable to track brute force attempts, and if the attempts exceed three, it returns a forbidden status. However, due to Ruby on Rails' reliance on signed sessions stored on the user's side, an attacker could resend an old session cookie to bypass the brute force prevention, keeping the brute force attempt count low.

The main issue lies outside the visible code. Since the session is stored client-side, an attacker can manipulate it to reset their brute force attempts. This makes the brute force protection ineffective. The suggested solution is to handle brute force prevention on the server side, ensuring the session data cannot be tampered with by the user. This approach prevents attackers from resending old cookies and successfully brute-forcing the parameter code.