HIGH bleichenbacher attackhanami

Bleichenbacher Attack in Hanami

Scan for bleichenbacher attack in hanami

How Bleichenbacher Attack Manifests in Hanami

The Bleichenbacher attack exploits PKCS#1 v1.5 padding in RSA encryption, allowing attackers to decrypt ciphertexts without the private key through adaptive chosen-ciphertext attacks. In Hanami applications, this vulnerability typically manifests in two critical areas:

1. RSA Encryption in Database Connections

Hanami applications often use PostgreSQL or MySQL databases with SSL/TLS connections. When RSA-based key exchange is used (common with self-signed certificates or certain database configurations), the server sends its RSA public key certificate during the TLS handshake. If the application accepts weak RSA padding schemes or doesn't properly validate certificate chains, an attacker can intercept and manipulate these connections.

2. JWT Token Handling in Hanami Actions

Many Hanami applications use JWT tokens for authentication. When RSA signatures are used with PKCS#1 v1.5 padding (instead of the more secure RSASSA-PSS), attackers can forge tokens by exploiting timing differences in padding validation. This is particularly dangerous in Hanami's slice-based architecture where authentication logic might be scattered across different slices.

Real-world Example in Hanami

# Vulnerable: Using RSA with PKCS#1 v1.5 padding
require 'jwt'
require 'openssl'

class AuthSlice < Hanami::Slice
  def initialize
    @private_key = OpenSSL::PKey::RSA.new(2048)
    @public_key = @private_key.public_key
  end

  def generate_token(payload)
    # Vulnerable: Uses default RS256 which may use PKCS#1 v1.5
    JWT.encode(payload, @private_key, 'RS256')
  end

  def verify_token(token)
    # Vulnerable: No padding scheme specification
    JWT.decode(token, @public_key, true, algorithm: 'RS256')
  end
end

This code is vulnerable because it doesn't specify the padding scheme, allowing the default PKCS#1 v1.5 to be used, which is susceptible to Bleichenbacher attacks.

Hanami-Specific Detection

Detecting Bleichenbacher vulnerabilities in Hanami applications requires examining both configuration files and runtime behavior. Here are the specific detection patterns:

Gemfile Dependencies

Check for vulnerable versions of cryptography libraries:

# Check Gemfile for vulnerable versions
gem 'jwt', '>= 2.2.2'  # Older versions may use vulnerable padding
gem 'faraday', '>= 2.8.0'  # HTTP client vulnerabilities
gem 'pg', '>= 1.4.0'  # PostgreSQL client with TLS

Hanami Configuration Files

Examine config/database.rb for SSL/TLS settings:

# Vulnerable configuration
Hanami::Model.configure do
  adapter :sql, 'postgres://user:pass@host:5432/db?sslmode=require'
  # Missing: sslrootcert, sslcert, sslkey for proper certificate validation
end

Hanami Action Authentication

Review authentication actions in app/actions/:

# Vulnerable JWT verification
class Auth::VerifyAction < Hanami::Action
  include Auth::Action

  def handle(req, res)
    token = req.get_header('Authorization').split.last
    begin
      # Vulnerable: No padding specification
      payload, header = JWT.decode(token, public_key, true, algorithm: 'RS256')
      res[:user] = payload
    rescue JWT::VerificationError
      res.status = 401
    end
  end
end

Automated Scanning with middleBrick

middleBrick's API security scanner can detect these vulnerabilities automatically:

# Scan your Hanami application
middlebrick scan https://yourapp.com/api/auth

# Or integrate into CI/CD
middlebrick scan --ci --fail-below B

middleBrick specifically tests for:

  • RSA padding oracle vulnerabilities in JWT implementations
  • Insecure TLS configurations in database connections
  • Missing certificate validation in external API calls
  • Timing side-channel vulnerabilities in cryptographic operations

The scanner provides a security score (A-F) and detailed findings with remediation steps specific to Hanami applications.

Hanami-Specific Remediation

Remediating Bleichenbacher vulnerabilities in Hanami requires updating cryptographic implementations and configurations. Here are the specific fixes:

1. Update JWT Implementation

# Secure: Using RSASSA-PSS padding
require 'jwt'
require 'openssl'

class SecureAuthSlice < Hanami::Slice
  def initialize
    @private_key = OpenSSL::PKey::RSA.new(2048)
    @public_key = @private_key.public_key
  end

  def generate_token(payload)
    # Secure: RSASSA-PSS is resistant to Bleichenbacher attacks
    JWT.encode(payload, @private_key, 'RS256', 
              header: { 
                typ: 'JWT',
                alg: 'PS256'  # Use PS256 instead of RS256
              })
  end

  def verify_token(token)
    # Secure: Specify PSS padding explicitly
    JWT.decode(token, @public_key, true, 
               algorithm: 'PS256', 
               verify_iat: true,
               leeway: 30)
  end
end

2. Secure Database Connections

# Secure: Proper SSL configuration
Hanami::Model.configure do
  adapter :sql, 'postgres://user:pass@host:5432/db'
  
  # Secure SSL configuration
  pool 5
  encoding 'unicode'
  timeout 5000
  
  # Explicit SSL settings
  sslmode 'verify-full'
  sslrootcert '/path/to/ca.pem'
  sslcert '/path/to/client-cert.pem'
  sslkey '/path/to/client-key.pem'
end

3. Update Gemfile with Secure Dependencies

# Secure Gemfile
# Cryptographic libraries with security fixes
gem 'jwt', '>= 2.2.2'
gem 'faraday', '>= 2.8.0'
gem 'pg', '>= 1.4.0'

# Additional security gems
gem 'rbnacl', '>= 7.0.0'  # Modern cryptography
gem 'ed25519', '>= 1.2.0'  # EdDSA signatures

4. Implement Certificate Pinning

# Secure: Certificate pinning in Hanami actions
class ExternalApiSlice < Hanami::Slice
  def initialize
    @client = Faraday.new('https://api.example.com') do |builder|
      builder.adapter :net_http
      
      # Certificate pinning
      builder.ssl.verify_mode = OpenSSL::SSL::VERIFY_PEER
      builder.ssl.ca_file = '/path/to/certificate.pem'
      builder.ssl.cert_store = build_cert_store
    end
  end

  private

  def build_cert_store
    store = OpenSSL::X509::Store.new
    store.set_default_paths
    store.add_file('/path/to/api-certificate.pem')
    store
  end
end

5. Add Security Middleware

# Secure: Security middleware for Hanami
class SecurityMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    
    # Add security headers
    headers['X-Content-Type-Options'] = 'nosniff'
    headers['X-Frame-Options'] = 'DENY'
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
    
    [status, headers, body]
  end
end

# Register in config.ru
use SecurityMiddleware

6. Continuous Monitoring with middleBrick Pro

After remediation, use middleBrick Pro to continuously monitor your Hanami application:

# Continuous monitoring
middlebrick monitor --api-url https://yourapp.com --schedule hourly --alert-slack

middleBrick Pro will:

  • Continuously scan for new vulnerabilities
  • Alert on configuration changes that introduce risks
  • Provide compliance reports for audits
  • Integrate with GitHub Actions for CI/CD security gates

This comprehensive approach ensures your Hanami application remains protected against Bleichenbacher and other cryptographic attacks.

Scan for bleichenbacher attack in hanami Free API security scan

Frequently Asked Questions

How does the Bleichenbacher attack specifically affect Hanami applications?
The Bleichenbacher attack primarily affects Hanami applications through RSA padding oracle vulnerabilities in JWT token handling and insecure TLS configurations in database connections. When Hanami applications use PKCS#1 v1.5 padding (common with default RS256 JWT settings) or accept weak SSL/TLS configurations, attackers can exploit timing differences to decrypt data or forge tokens. The slice-based architecture of Hanami can make these vulnerabilities harder to detect since authentication logic is distributed across different slices.
Can middleBrick detect Bleichenbacher vulnerabilities in my Hanami application?

Related Pages

Bleichenbacher Attack in Hanami on AwsBleichenbacher attack patterns in Hanami with AWS SDK risks and concrete Ruby remediation code.Bleichenbacher Attack in Hanami on AzureExplore Bleichenbacher attack patterns in Hanami on Azure, with concrete Azure code fixes and constant-time practices.Bleichenbacher Attack in Hanami on DigitaloceanBleichenbacher attack in Hanami on Digitalocean: risks and constant-time remediation with code examplesBleichenbacher Attack in Hanami on CloudflareBleichenbacher attack in Hanami behind Cloudflare: understanding the risk and implementing constant-time decryption and Pci Dss: Bleichenbacher Attack in HanamiExplore how PCI DSS requirements intersect with Bleichenbacher attacks in Hanami APIs and apply concrete, constant-time Soc2: Bleichenbacher Attack in HanamiExplore Bleichenbacher attacks in Hanami apps and SOC2-aligned fixes, with Hanami code examples and how middleBrick deteIso 27001: Bleichenbacher Attack in HanamiExplore ISO 27001 controls relevant to Bleichenbacher attacks in Hanami apps, with concrete code fixes and secure codingCis: Bleichenbacher Attack in HanamiExplore how CIS mappings and Hanami code patterns interact in Bleichenbacher attacks, with concrete remediation examplesBleichenbacher Attack in Hanami with Mutual TlsBleichenbacher attack in Hanami with Mutual TLS: risks and constant-time decryption fixes with code examplesBleichenbacher Attack in Hanami with Api KeysUnderstanding Bleichenbacher risks with API keys in Hanami and secure remediation patterns using constant-time comparisoBleichenbacher Attack in Hanami with Bearer TokensExplains how Bleichenbacher attacks against Bearer tokens in Hanami arise, with concrete remediation and code examples.Bleichenbacher Attack in Hanami with Hmac SignaturesExplore Bleichenbacher attacks on Hanami APIs using Hmac Signatures and learn constant-time verification fixes with conc