
XSS (Cross-Site Scripting) Vulnerabilities in Ruby on Rails

There are two huge classes of vulnerability that affect virtually all web applications and web sites, and those are XSS and CSRF. What is this alphabet soup? XSS is cross-site scripting, the ability for an attacker to insert HTML and JavaScript code into the victim's HTML output. CSRF is cross-site request forgery, a much more insidious threat that many web developers don't even think about. Both can be devastating to your web application and its users, and both are mitigated out of the box with Ruby on Rails.

XSS - Cross-site Scripting

Imagine a forum. In the form for posting a reply to a thread, there's a text field for the reply body. What happens if you put HTML in there? Will it get filtered? You'd hope so, but with most web application frameworks it doesn't get filtered automatically. Why is this dangerous, though? Why does it matter if someone can insert a blink tag?

Alice and Bob are legitimate users of a site. They check the forums every day. Eve is an evil attacker who'd like to compromise the accounts of Alice and Bob and read their private correspondence (she's afraid they're talking about her behind her back). Eve is going to use a technique called a "stored cross-site scripting" attack to do this.

First she'll come up with a new forum topic that Alice and Bob are sure to click on. In the body of this forum post she'll put her malicious HTML and JavaScript. This malicious code is going to delete most of the page and display a fake login page. When Alice or Bob clicks on this link (or anyone else, for that matter), they'll be presented with what looks to be the login page for the site. Even if they're knowledgeable, Alice and Bob may just assume their login cookies have expired and they need to authenticate again. They enter their usernames and passwords and, unbeknownst to them, those credentials have just been submitted to a web server controlled by Eve. And it's all because the web application didn't filter HTML out of the forum posts.

That's a bit of a simplistic explanation, but it really does happen. Usually you'll find XSS vulnerabilities on smaller fields, in profiles, shout walls, etc. But you need to be aware of it and how Ruby on Rails takes care of it for you.

Whenever you use the <%= code %> tags, you're already filtering HTML. If you were to, for example, write <%= "<blink>testing</blink>" %> in a template, this string literal is passed through an HTML escaping filter automatically; you don't have to do anything to get this protection. In the past, you had to write <%=h code %> to get this behavior. However, it was noticed that in 99 out of 100 cases you want the filtering, and if someone forgets to type the h, you have a possible XSS vulnerability. In current versions of Ruby on Rails, you have to explicitly tell Rails you don't want the filtering by using <%=raw code %>.

As an experiment, you can try outputting various strings using ERB. Note that these can come from anywhere (string literals or instance variables, it doesn't matter): every string that passes through an ERB <%= %> tag will automatically be filtered.

<%# This one will be filtered: the tags are escaped and shown literally %>
<%= "<blink>Testing</blink>" %>

<%# This one won't be filtered, and the text will blink %>
<%=raw "<blink>Testing</blink>" %>

Also, note that raw and h are not special ERB tags. They look like tags, especially when written with no space after the =, but they're just ordinary methods and we're omitting the method call parentheses. If you're passing anything more than a simple expression to these methods, it's best to add the parentheses back.
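To see the behavior described above outside of a Rails app, here is an added example (not code from the original article, and not Rails' own implementation) that models it with nothing but Ruby's standard library. ERB::Util.html_escape is the method Rails exposes as the h helper; plain ERB, unlike Rails' ActionView, does not escape on its own, so the output and raw methods below are a simplified stand-in for Rails' <%= %> escaping and its html_safe marking (SafeHtml is a hypothetical, simplified version of ActiveSupport::SafeBuffer). The Post struct and its contents are constructed sample data.

```ruby
# Added example: models Rails' default HTML escaping with Ruby's stdlib only.
require 'erb'

# Simplified stand-in for Rails' "html_safe" marking: a String subclass whose
# instances are trusted and will not be escaped on output. (Hypothetical model,
# not ActiveSupport::SafeBuffer.)
class SafeHtml < String; end

# What Rails' raw helper does: mark a string as trusted so it passes through
# unescaped. Only ever do this for content you control, never for user input.
def raw(str)
  SafeHtml.new(str.to_s)
end

# What <%= %> does in Rails: escape every value unless it was explicitly
# marked safe. ERB::Util.html_escape is the same method Rails aliases as `h`;
# it rewrites & < > " and ' into their HTML entities.
def output(value)
  value.is_a?(SafeHtml) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Constructed sample data: a forum post whose title and body are user input.
Post = Struct.new(:title, :body)

# A tiny template. Plain ERB does not escape, so we route every interpolated
# value through output() to reproduce Rails' behaviour.
TEMPLATE = ERB.new(<<~HTML)
  <h2><%= output(post.title) %></h2>
  <div class="body"><%= output(body) %></div>
HTML

# Render a post. By default the body is escaped like <%= post.body %>;
# raw_body: true reproduces <%=raw post.body %>.
def render_post(post, raw_body: false)
  body = raw_body ? raw(post.body) : post.body
  TEMPLATE.result_with_hash(post: post, body: body)
end

if __FILE__ == $0
  post = Post.new("Tom & Jerry", "<blink>Testing</blink>")
  puts "--- escaped (default) ---"
  puts render_post(post)
  puts "--- raw (blink tag reaches the browser) ---"
  puts render_post(post, raw_body: true)
end
```

Run it with ruby and compare the two renderings: in the default output the blink tag arrives as &lt;blink&gt; and is displayed as literal text, while the raw rendering hands the markup to the browser unchanged, which is exactly the difference between <%= %> and <%=raw %> in a Rails template.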

The important thing to note here is that XSS protection (HTML escaping) is enabled by default on all output, that you need to use the raw method if you want unfiltered output (and should only do so for content you trust), and that, in general, the default escaping takes care of XSS for you.

For information about CSRF vulnerabilities, a somewhat related and much more damaging class of vulnerability, see the article on Cross-site Request Forgeries.

©2014 About.com. All rights reserved.