Security Vulnerabilities in Ruby: What is Cross-Site Request Forgery?
Cross-Site Request Forgery attacks are nothing new. In fact, websites have been vulnerable to this attack since the beginning of the World Wide Web. Whether they use a form-based login with a cookie or HTTP authentication with the Authorization header, any website that treats every HTTP request carrying a user's credentials as authorized by that user is vulnerable. Although the vulnerability has always existed, it hadn't been formally classified until around the year 2000 and wasn't widely known until 2005. CSRF is also an easy vulnerability to overlook. Many websites are vulnerable and never even know it. Is your site one of them?


Comments
Is there a way to identify CSRF vulnerabilities in our code and remove them? Does some existing tool/plugin help us with this and other security vulnerabilities?
This will be covered in more depth in a later article, but here it is in short.
Forms should be generated by the form helpers, never by hand. The form helpers will generate a hidden field that will prevent CSRF attacks.
RESTful resources should be used, as they preserve the idempotence (a concept discussed in a later article) of requests. In short, GET requests can’t be protected, so they shouldn’t be able to make changes to the site. POST requests should always be protected; anything that changes the state of the site or the user’s interaction with the site (logins, logouts, etc.) should be a POST request and protected with the above hidden fields.
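As an added example (not code from the original post or from Rails itself), here is a Ruby sketch of the mechanism the reply describes: a per-session token, the hidden field a form helper would emit, and a check that is skipped for GET/HEAD and required for everything else. The names `authenticity_token`, `hidden_authenticity_field` and `csrf_safe?` are hypothetical, chosen for illustration.

```ruby
require "securerandom"

# Methods the check never covers. This is exactly why a GET must not
# change state: a forged GET always passes.
SAFE_METHODS = %w[GET HEAD].freeze

# Per-session secret, generated once and kept server-side in the session.
def authenticity_token(session)
  session[:csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# What a form helper adds to every generated form: a hidden field that
# carries the session's token back to the server on submit.
def hidden_authenticity_field(session)
  token = authenticity_token(session)
  %(<input type="hidden" name="authenticity_token" value="#{token}">)
end

# Constant-time string comparison so the check leaks nothing via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether a request may proceed. A cross-site form post carries the
# victim's session cookie but cannot read the hidden field's value, so the
# token is missing or wrong and the request is refused.
def csrf_safe?(session, method, params)
  return true if SAFE_METHODS.include?(method.to_s.upcase)
  expected  = session[:csrf_token]
  submitted = params["authenticity_token"]
  return false if expected.nil? || submitted.nil?
  secure_equal?(expected, submitted)
end

if __FILE__ == $PROGRAM_NAME
  session = {}                                   # constructed sample session
  puts hidden_authenticity_field(session)        # what the form would contain
  good = { "authenticity_token" => session[:csrf_token] }
  puts "legitimate POST: #{csrf_safe?(session, 'POST', good)}"   # true
  puts "forged POST:     #{csrf_safe?(session, 'POST', {})}"     # false
  puts "any GET:         #{csrf_safe?(session, 'GET', {})}"      # true
end
```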