Cross-Site Request Forgery - CSRF

You visit a malicious site which has an image like this

Learn Ruby on Rails - Ruby on Rails tutorial - Cross-Site Request Forgery - CSRF - Ruby on Rails examples - Ruby On Rails programs

Only accepting POST does not really help

By default Rails 2.0 will check all POST requests for a session token

Learn Ruby on Rails - Ruby on Rails tutorial - Cross-Site Request Forgery - CSRF - Ruby on Rails examples - Ruby On Rails programs

All forms generated by Rails will supply this token

CSRF Protection in Rails

Very useful and on-by-default, but make sure that

GET requests are safe and idempotent
Session cookies are not persistent (expires-at)

SQL Injection

The users input is not correctly escaped before using it in SQL statements

Learn Ruby on Rails - Ruby on Rails tutorial - sql injection - Ruby on Rails examples - Ruby On Rails programs

SQL Injection Protection in Rails

Always use the escaped form

Learn Ruby on Rails - Ruby on Rails tutorial - sql injection - Ruby on Rails examples - Ruby On Rails programs

If you have to manually use a user-submitted value, use `quote()`

Learn Ruby on Rails - Ruby on Rails tutorial - sql injection - Ruby on Rails examples - Ruby On Rails programs

JavaScript Hijacking

Learn Ruby on Rails - Ruby on Rails tutorial - Javascript hijacking - Ruby on Rails examples - Ruby On Rails programs

JSON response

Learn Ruby on Rails - Ruby on Rails tutorial - Json response - Ruby on Rails examples - Ruby On Rails programs

The JSON response will be evaled by the Browser’s JavaScript engine.
With a redefined `Array()` function this data can be sent back to http://my.evil.site

JavaScript Hijacking Prevention

Don’t put important data in JSON responses
Use unguessable URLs
Use a Browser that does not support the redefinition of Array & co,
currently only FireFox 3.0
Don’t return a straight JSON response, prefix it with garbage:

Learn Ruby on Rails - Ruby on Rails tutorial - Hijacking Prevention - Ruby on Rails examples - Ruby On Rails programs

The Rails JavaScript helpers don’t support prefixed JSON responses

Mass Assignment

User model

Learn Ruby on Rails - Ruby on Rails tutorial - mass assignment - Ruby on Rails examples - Ruby On Rails programs

Handling in Controller

Learn Ruby on Rails - Ruby on Rails tutorial - Handling controller - Ruby on Rails examples - Ruby On Rails programs

A malicious user could just submit any value he wants

Learn Ruby on Rails - Ruby on Rails tutorial - Handling controller - Ruby on Rails examples - Ruby On Rails programs

Use `attr_protected` and `attr_accessible`

Learn Ruby on Rails - Ruby on Rails tutorial - attr protected vsattr accessible - Ruby on Rails examples - Ruby On Rails programs

Start with `attr_protected` and migrate to `attr_accessible` because of the different default policies for new attributes.

Cross-Site Request Forgery - CSRF

Learn Ruby on Rails - Ruby on Rails tutorial - Cross-Site Request Forgery - CSRF - Ruby on Rails examples - Ruby On Rails programs

Learn Ruby on Rails - Ruby on Rails tutorial - Cross-Site Request Forgery - CSRF - Ruby on Rails examples - Ruby On Rails programs

Learn Ruby on Rails - Ruby on Rails tutorial - Cross-Site Request Forgery - CSRF - Ruby on Rails examples - Ruby On Rails programs

CSRF Protection in Rails

SQL Injection

Learn Ruby on Rails - Ruby on Rails tutorial - sql injection - Ruby on Rails examples - Ruby On Rails programs

Learn Ruby on Rails - Ruby on Rails tutorial - sql injection - Ruby on Rails examples - Ruby On Rails programs

SQL Injection Protection in Rails

Learn Ruby on Rails - Ruby on Rails tutorial - sql injection - Ruby on Rails examples - Ruby On Rails programs

Learn Ruby on Rails - Ruby on Rails tutorial - sql injection - Ruby on Rails examples - Ruby On Rails programs

JavaScript Hijacking

Learn Ruby on Rails - Ruby on Rails tutorial - Javascript hijacking - Ruby on Rails examples - Ruby On Rails programs

Learn Ruby on Rails - Ruby on Rails tutorial - Json response - Ruby on Rails examples - Ruby On Rails programs

JavaScript Hijacking Prevention

Learn Ruby on Rails - Ruby on Rails tutorial - Hijacking Prevention - Ruby on Rails examples - Ruby On Rails programs

Mass Assignment

Learn Ruby on Rails - Ruby on Rails tutorial - mass assignment - Ruby on Rails examples - Ruby On Rails programs

Learn Ruby on Rails - Ruby on Rails tutorial - Handling controller - Ruby on Rails examples - Ruby On Rails programs

Learn Ruby on Rails - Ruby on Rails tutorial - Handling controller - Ruby on Rails examples - Ruby On Rails programs

Learn Ruby on Rails - Ruby on Rails tutorial - attr protected vsattr accessible - Ruby on Rails examples - Ruby On Rails programs

Related Searches to Cross-Site Request Forgery - CSRF

Wikitechy

Workshop

Join our Community

Other Languages