He's citing this as a potential cross-authorization vulnerability, not SQL injection.
The form he's demonstrating is a common misstep in Rails. Instead of writing something like:
current_user.apartments.destroy(params[:id])
The programmer wrote:
Apartment.destroy(params[:id])
Meaning that the apartment lookup is not being done within the context of the current user, it's global. This means an attacker can delete other users' apartments with crafted URLs.
When I'm testing Rails applications, I always grep the source for something like:
To find vulnerabilities of exactly this kind.
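Added example, not code from the comment above or from the application it discusses: a Rails-free model of the two controller shapes being contrasted (a global `Apartment.destroy(params[:id])` versus a lookup scoped through `current_user.apartments`), plus a regex version of the grep the comment alludes to, run over a constructed controller snippet. The `Apartment`, `ApartmentsOf` and `User` classes, the `UNSCOPED_LOOKUP` pattern and the sample source are all assumptions made for this example.

```ruby
# Constructed example (not from the original post): models the
# insecure-direct-object-reference bug in plain Ruby, with no Rails
# dependency, and a grep-style detector for the pattern.

RecordNotFound = Class.new(StandardError)

# Stand-in for an ActiveRecord model backed by one global table.
class Apartment
  attr_reader :id, :owner_id
  @table = {}

  class << self
    attr_reader :table

    def create(id:, owner_id:)
      @table[id] = new(id, owner_id)
    end

    # Mirrors Apartment.destroy(id): the lookup runs over the WHOLE table,
    # so any caller can destroy any row whose id it can guess.
    def destroy(id)
      rec = @table[Integer(id)]
      raise RecordNotFound, "Apartment #{id}" unless rec
      @table.delete(rec.id)
      rec
    end

    def exists?(id)
      @table.key?(Integer(id))
    end
  end

  def initialize(id, owner_id)
    @id = id
    @owner_id = owner_id
  end
end

# Scoped association, like current_user.apartments: every lookup is
# constrained by owner_id, so other users' ids simply do not resolve.
class ApartmentsOf
  def initialize(owner_id)
    @owner_id = owner_id
  end

  def destroy(id)
    rec = Apartment.table[Integer(id)]
    raise RecordNotFound, "Apartment #{id}" unless rec && rec.owner_id == @owner_id
    Apartment.table.delete(rec.id)
    rec
  end
end

User = Struct.new(:id) do
  def apartments
    ApartmentsOf.new(id)
  end
end

# Simulates DELETE /apartments/:id under each controller style.
# current_user is deliberately ignored in the vulnerable version: that is the bug.
def vulnerable_destroy(_current_user, params)
  Apartment.destroy(params[:id])
  :deleted
rescue RecordNotFound
  :not_found
end

def scoped_destroy(current_user, params)
  current_user.apartments.destroy(params[:id])
  :deleted
rescue RecordNotFound
  :not_found
end

# The grep as a regex (assumed pattern): a model constant calling a finder or
# mutator directly on request params, rather than through current_user.
UNSCOPED_LOOKUP = /\b[A-Z]\w*\.(?:find|find_by|destroy|update|delete)\(\s*(?:\w+:\s*)?params\[/

# Returns [[line_number, stripped_line], ...] for every suspicious line.
def unscoped_lookups(source)
  source.lines.each_with_index.filter_map do |line, i|
    [i + 1, line.strip] if line.match?(UNSCOPED_LOOKUP)
  end
end

# Constructed controller snippet used as scanner input.
SAMPLE_CONTROLLER = <<~RUBY
  def destroy
    Apartment.destroy(params[:id])
    current_user.apartments.destroy(params[:id])
    Apartment.find_by(id: params[:id])
  end
RUBY

# Alice (owner 10) sends DELETE /apartments/2, an apartment owned by Bob (20).
def demo
  Apartment.table.clear
  Apartment.create(id: 1, owner_id: 10)
  Apartment.create(id: 2, owner_id: 20)
  alice = User.new(10)
  vuln = vulnerable_destroy(alice, { id: "2" })  # Bob's apartment is gone
  Apartment.create(id: 2, owner_id: 20)           # restore it for the safe run
  safe = scoped_destroy(alice, { id: "2" })       # scoped lookup refuses
  [vuln, safe, Apartment.exists?(2)]
end
```

Running `demo` returns `[:deleted, :not_found, true]`: the global lookup lets Alice delete Bob's row, the scoped one cannot even see it. The scanner flags both the `destroy` and the `find_by(id: params[:id])` lines and ignores the `current_user.apartments` form; treat hits as leads, since a scoped `where` added later in the method would also show up.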