
Security Vulnerabilities in Ruby

What is Cross-Site Request Forgery?

Cross-Site Request Forgery, aka CSRF (pronounced "sea-surf"), is a security vulnerability that goes by many names. You might know it better as XSRF, side-jacking, session riding or even the "one-click attack." Whatever the name, CSRF is a serious exploitation of trust. It preys on a website's trusted (and supposedly authenticated) users and cleverly makes them the ones who unknowingly initiate unauthorized actions or requests. From the point of view of the attacked site, the user looks like the attacker when, in fact, he is at best an unwitting accomplice.

1. The Intent and Impact of CSRF

There are a number of reasons someone might launch a CSRF attack, and each has its own impact. CSRF attacks are nothing new; websites have been vulnerable to them since the beginning of the World Wide Web. CSRF is also an easy vulnerability to overlook.

2. An Explanation of CSRF Without XSS

A Cross-Site Request Forgery attack can be launched from a second site, without using Cross-Site Scripting. Launching the attack from a second site removes whatever restrictions the target site places on the HTML an attacker can use, leaving attackers free to use forms, IFRAMEs and JavaScript to perform the CSRF attack.
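To make the "exploitation of trust" above concrete, here is an added example (not code from the original article) that models a cookie-authenticated "transfer" endpoint in plain Ruby, first trusting the session cookie alone and then also requiring a per-session synchronizer token of the kind Rails' protect_from_forgery issues. The session store, handler names and the amount/to fields are all constructed for the illustration.

```ruby
require 'securerandom'

# Constructed in-memory session store: cookie value => session data.
SESSIONS = {}

# Log a user in and issue a session cookie plus a per-session CSRF token.
def login(user)
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = { user: user, csrf_token: SecureRandom.hex(32) }
  sid
end

# Constant-time comparison so the token cannot be recovered via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable handler: it trusts the session cookie alone. The browser attaches
# that cookie automatically, even to a form submitted from a second site.
def handle_transfer_unprotected(cookie_sid, params)
  session = SESSIONS[cookie_sid]
  return { status: 401 } unless session
  { status: 200, action: "#{session[:user]} sent #{params['amount']} to #{params['to']}" }
end

# Protected handler: the request must also echo back the session's token,
# which only a page served by this site could have read (same-origin policy).
def handle_transfer_protected(cookie_sid, params)
  session = SESSIONS[cookie_sid]
  return { status: 401 } unless session
  return { status: 422 } unless secure_equal?(params['authenticity_token'].to_s, session[:csrf_token])
  { status: 200, action: "#{session[:user]} sent #{params['amount']} to #{params['to']}" }
end

# The article's scenario: the victim is logged in, and a page on another site
# submits a form to this endpoint. The other site picks the fields but never
# sees the token, so the forged request arrives with the cookie and no token.
def run_scenario
  sid = login('alice')
  forged  = { 'amount' => '1000', 'to' => 'mallory' }
  genuine = forged.merge('authenticity_token' => SESSIONS[sid][:csrf_token])
  {
    unprotected_forged: handle_transfer_unprotected(sid, forged)[:status], # 200
    protected_forged:   handle_transfer_protected(sid, forged)[:status],   # 422
    protected_genuine:  handle_transfer_protected(sid, genuine)[:status]   # 200
  }
end

puts run_scenario if __FILE__ == $PROGRAM_NAME
```

The token only helps because it travels in the form body rather than in a cookie; anything the browser sends automatically is exactly what the forged request inherits.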

3. An Explanation of CSRF With XSS

Cross-Site Request Forgery attacks on your site can also occur in conjunction with XSS breaches. In that case, the severity of the CSRF attack depends on the severity of the underlying vulnerability in your Ruby code.

©2014 About.com. All rights reserved.