
CSRF - Cross-site Request Forgery


Two vulnerability classes turn up in web application after web application: XSS and CSRF. What is this alphabet soup? XSS is cross-site scripting, the ability for an attacker to insert HTML and JavaScript into pages your application serves to other users. CSRF is cross-site request forgery, a more insidious threat that many web developers never think about at all. Both can be devastating to your web application and its users, and both are mitigated out of the box by Ruby on Rails.

CSRF - Cross-site Request Forgery

CSRF is the more insidious of the two, and one that many developers do not even realize is there. The attacker does not break in; she gets the browser of someone who is already logged in with privileges to send a request that serves the attacker's purpose. For example, Eve tricks Carol, the admin, into deleting Bob's account, without Carol ever intending to.

How does this work? Two things combine. First, every request Carol's browser makes to the web application carries her session cookie, and with it her implicit trust: she is logged in as an administrator and is allowed to do virtually anything. The browser attaches that cookie whether the request was started from Carol's own tab or from a page Eve wrote, because the cookie belongs to the destination site, not to the page that triggered the request. Second, a typical CSRF attack exploits the improper use of GET for actions that change state. The HTTP specification (RFC 2616, section 9.1, carried into RFC 7231) defines GET as a safe method: it should only retrieve a representation and should not take any other action on the server, and it should be idempotent, meaning that repeating it changes nothing. Almost all web developers ignore this at some point; GET requests are used for admin actions all the time. So all Eve has to do is get Carol's browser to fetch a URL like http://some.site/admin/delete/user/bob. Carol does not even have to click: an <img src="..."> tag pointing at that URL on any page Carol views will make her browser request it, cookie included, and there goes Bob's account. Because the bug is not obvious from reading the code, it is prevalent in many web applications; it has been called the "lurking giant" by some, and thousands of these vulnerabilities have been reported in the past few years.

So what does Ruby on Rails do to mitigate this? First, no GET request should change anything. Rails' RESTful routing (resources in routes.rb) maps every state-changing action to POST, PUT or DELETE, and the forms Rails generates submit with POST. HTML forms only support GET and POST, so Rails tunnels PUT and DELETE through POST with a hidden _method field that the router honours. That alone removes the simplest version of the attack, since a plain link or image tag can only produce a GET. But it is not enough on its own, because there is another way to make a browser send a POST.

You can make a POST request using a form, and the form does not have to live on the site it targets. Any page Eve controls can contain a form whose action is the delete URL on Carol's site; Eve can trick Carol into submitting it, or use a bit of JavaScript to submit it automatically inside a hidden iframe so that Carol never knows it happened. Carol's browser attaches her session cookie to that POST just as it would to one from a legitimate page. (An XSS bug on some second site Carol visits would give Eve the same thing, a page Carol loads that Eve controls, but Eve does not need one.) This sounds complicated, but you'd be surprised at the lengths some attackers will go to to do something nefarious or mischievous. The Rails developers have thought of this: with protect_from_forgery in place, which generated applications enable by default in ApplicationController, every non-GET request must carry an authenticity token. The token is stored in Carol's server-side session, and every form Rails generates for Carol (form_for, form_tag) includes it as a hidden authenticity_token field. The browser's same-origin policy stops Eve's page from reading Carol's pages or her session, so Eve cannot obtain the token, and a request that arrives without the right one is refused. Only forms legitimately generated by Rails for Carol, and submitted by Carol, will be accepted.
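The whole exchange, as an added example that is not code from the original article or from Rails itself: a small Ruby model of the session store, the route table and the authenticity-token check, plus a Browser class that attaches the cookie to every request the way a real browser does. TargetApp, Browser, the route paths and the user names are assumptions made for this illustration; the check mirrors what protect_from_forgery does (the session's token compared, in constant time, against the authenticity_token param or the X-CSRF-Token header, on non-GET requests only), except that the model refuses a bad request with a 422 where Rails 3 would reset the session instead. It runs without Rails installed.

```ruby
require 'securerandom'
# Model of a Rails app's sessions, routes and CSRF check (runs without Rails).
class TargetApp
  attr_reader :users
  def initialize(unsafe_get_delete: false)
    @users = { 'bob' => :active, 'carol' => :admin }
    @sessions = {} # session id (the cookie value) => { user:, csrf_token: }
    @unsafe_get_delete = unsafe_get_delete
  end

  # Log in and return the cookie. The token stays in the server-side session.
  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, csrf_token: SecureRandom.base64(32) }
    sid
  end

  # What form_for renders for Carol: a hidden authenticity_token field with her token.
  def render_delete_form(cookie)
    { 'authenticity_token' => @sessions.fetch(cookie)[:csrf_token], 'user' => 'bob' }
  end

  # req has :method, :path, :cookie, :params, :headers; returns [status, body].
  def call(req)
    sess = @sessions[req[:cookie]]
    return [401, 'not logged in'] unless sess && sess[:user] == 'carol'
    # Bad route: a GET that changes state, like the article's delete URL.
    if @unsafe_get_delete && req[:method] == 'GET' &&
       req[:path] =~ %r{\A/admin/delete/user/(\w+)\z}
      return destroy(Regexp.last_match(1))
    end
    # Good route: the state change goes through POST and the token check.
    if req[:method] == 'POST' && req[:path] == '/admin/users/destroy'
      return [422, 'invalid authenticity token'] unless verified?(sess, req)
      return destroy(req[:params]['user'])
    end
    [404, 'no route']
  end

  private
  # The token may arrive as the authenticity_token param (forms) or as the
  # X-CSRF-Token header (Ajax via jquery_ujs), the two places Rails looks.
  def verified?(sess, req)
    presented = req[:params]['authenticity_token'] || req[:headers]['X-CSRF-Token']
    !presented.nil? && secure_compare(presented, sess[:csrf_token])
  end

  # Constant-time comparison, so the token cannot be recovered byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def destroy(name)
    @users.delete(name) ? [200, "deleted #{name}"] : [404, 'no such user']
  end
end

# Carol's browser: it attaches the cookie it holds for the target to every
# request to that target, whether her own tab or a page Eve wrote triggered it.
class Browser
  attr_reader :cookie
  def initialize(app)
    @app = app
    @cookie = app.login('carol') # Carol is already logged in as the admin
  end

  def request(method, path, params: {}, headers: {})
    @app.call(method: method, path: path, cookie: @cookie, params: params, headers: headers)
  end
end

# 1. Mutating GET: <img src="http://some.site/admin/delete/user/bob"> on any page
#    Carol views is enough. No click, no token, and Bob is gone.
def get_csrf_succeeds?
  app = TargetApp.new(unsafe_get_delete: true)
  status, = Browser.new(app).request('GET', '/admin/delete/user/bob')
  status == 200 && !app.users.key?('bob')
end

# 2. Eve's auto-submitted cross-site form: the cookie rides along, but Eve can only guess the token.
def forged_post_rejected?
  app = TargetApp.new
  status, = Browser.new(app).request('POST', '/admin/users/destroy',
                                     params: { 'user' => 'bob', 'authenticity_token' => 'guess' })
  status == 422 && app.users.key?('bob')
end

# 3. Carol's own form (token in the authenticity_token param) or her Ajax call
#    (token in the X-CSRF-Token header, taken from the csrf-token meta tag).
def carol_accepted?(via)
  app = TargetApp.new
  carol = Browser.new(app)
  form = app.render_delete_form(carol.cookie)
  token = form['authenticity_token']
  params, headers = via == :header ? [{ 'user' => 'bob' }, { 'X-CSRF-Token' => token }] : [form, {}]
  status, = carol.request('POST', '/admin/users/destroy', params: params, headers: headers)
  status == 200 && !app.users.key?('bob')
end
```

Calling the four predicates (get_csrf_succeeds?, forged_post_rejected?, carol_accepted?(:form), carol_accepted?(:header)) returns true for each: the GET route is exploited without any token, Eve's forged POST is refused even though Carol's cookie is attached, and Carol's own form and Ajax call, both carrying the token, go through. Scenario 1 is exactly the configuration the article warns about; constructing TargetApp without unsafe_get_delete removes that route and the same GET returns 404.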

The token is also exposed to JavaScript from your application layout through the csrf_meta_tags helper, which emits csrf-param and csrf-token meta tags; the Rails UJS adapter (jquery_ujs in Rails 3) reads them and sends the token in an X-CSRF-Token header on every Ajax request. Do not remove this helper if you edit your application layout file, or your Ajax requests will start failing the check.

<head>
<title>FirstRailsProject</title>
<%= stylesheet_link_tag "application", :media => "all" %>
<%= javascript_include_tag "application" %>
<%# Emits the csrf-param and csrf-token meta tags that jquery_ujs reads to set
    the X-CSRF-Token header on Ajax requests. Keep this line. %>
<%= csrf_meta_tags %>
</head>

Again, this is a case of Rails having taken care of the vulnerability, but you should still know how it works, because the protection only holds if you do not undo it. Rails has shipped CSRF protection for years and tightened it significantly in the 3.0 series; in Rails 3 a request that fails the check is treated as unauthenticated (the session is reset) rather than executed with Carol's privileges. You reopen the hole if you route a state-changing action through GET, if you skip the check with skip_before_filter :verify_authenticity_token on a controller, or if you build state-changing forms or Ajax calls by hand without the token. The token also cannot save you from XSS on your own site: script running in your origin can read the token from the page and submit a perfectly valid forged request, which is one more reason to take XSS seriously as well.

Another common vulnerability in web applications is XSS, or cross-site scripting. Rails has that covered too, and the companion article on XSS in this series explains how.


©2014 About.com. All rights reserved.