Well-Known Ruby on Rails Secret Token Used on Remote Application

Medium Nessus Plugin ID 64298


The Ruby on Rails application on the remote host reuses secret tokens.


The Ruby on Rails application on the remote host uses a well-known secret token to sign and encrypt cookies / data.


If you control the configuration of this application, generate a proper secret token and make sure it isn't publicly shared. The secret file is located at:


Ensure this value is truly unique. If you do not control it, there may be a vendor-provided upgrade that makes it unique per installation.
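As an added illustration of the remediation (this is example code written for this page, not the Nessus plugin's detection logic and not part of Rails itself), the Ruby below does the three things an administrator doing the fix by hand would do: generate a fresh secret of the same shape Rails' own `rails secret` / `rake secret` command produces, run a few sanity checks on whatever value is currently configured, and render a replacement line for a legacy `config/initializers/secret_token.rb`. The placeholder list, the `MyApp` application module and the sample initializer are constructed for the example; the check for "well-known" values here only compares against your own list of shipped defaults, not against any list of leaked tokens.

```ruby
require 'securerandom'

# `rails secret` emits 128 hex characters (64 random bytes); produce the same shape.
SECRET_HEX_BYTES = 64

def generate_secret
  SecureRandom.hex(SECRET_HEX_BYTES)
end

# Constructed sample of values that must never appear in production config:
# installer placeholders and template strings copied verbatim. Replace with the
# defaults your own packaging actually ships; this is not a list of real leaked tokens.
PLACEHOLDER_SECRETS = [
  'changeme',
  'replace_this_with_a_real_secret',
  'REPLACE_ME'
].freeze

# Returns the problems found with a candidate secret; an empty array means it passed.
def secret_problems(secret, shared_values: PLACEHOLDER_SECRETS)
  s = secret.to_s.strip
  problems = []
  problems << 'secret is empty' if s.empty?
  problems << 'secret is a known placeholder' if shared_values.include?(s)
  problems << "secret is shorter than #{2 * SECRET_HEX_BYTES} characters" if s.length < 2 * SECRET_HEX_BYTES
  # A crude entropy floor: a real random secret uses many distinct characters.
  problems << 'secret uses too few distinct characters' if s.chars.uniq.length < 10
  problems
end

# Pulls the literal secret out of an initializer such as
#   MyApp::Application.config.secret_token = 'abc...'
# (secret_key_base assignments are matched too). Returns nil if no literal is present,
# e.g. when the value already comes from an environment variable.
def extract_secret_literal(initializer_source)
  m = initializer_source.match(/config\.(?:secret_token|secret_key_base)\s*=\s*['"]([^'"]*)['"]/)
  m && m[1]
end

# Renders a replacement initializer line carrying a fresh, per-installation secret.
# (Hypothetical app_module name; use your application's own.)
def render_secret_initializer(app_module, secret = generate_secret)
  "#{app_module}::Application.config.secret_token = '#{secret}'\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of an installer-shipped initializer with a shared default.
  sample = "MyApp::Application.config.secret_token = 'changeme'\n"
  current = extract_secret_literal(sample)
  puts "configured secret: #{current.inspect}"
  puts "problems: #{secret_problems(current).join('; ')}"
  puts "replacement line:\n#{render_secret_initializer('MyApp')}"
end
```

Run it once per installation and keep the generated file out of version control and out of any image or package you distribute; the whole point of the finding is that a secret copied into many deployments is no longer a secret.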

Plugin Details

Severity: Medium

ID: 64298

File Name: ruby_on_rails_known_secret.nbin

Version: $Revision: 1.29 $

Type: remote

Family: General

Published: 2013/01/30

Modified: 2018/01/29

Dependencies: 10107

Risk Information

Risk Factor: Medium


Base Score: 5.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:H/RL:ND/RC:ND

Vulnerability Information

CPE: cpe:/a:rubyonrails:ruby_on_rails

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2012/12/21