CSRF stands for Cross-site request forgery.
Unlike XSS CSRF does not try to steal your informationt to log into the system. CSRF assumes that you are aleady logged in at your site and when you visit comments section of some other site then an attack is done on your site without you knowing it.
Here is how it might work
- User logs in at www.mysite.com .
- User visits www.gardening.com site since he is interested in gardeing .
- He is browsing the comments posted on the gardening.com forum and one of the comments posted is
<img src="http://www.mysite.com/grant_access?user_id=1&project_id=123" />
- If the user is admin of the project “123” then unknowingly he might grant access to user_id 1 .
I know. You are thiniking that loading an image will make a
request and granting access is hidden behind
POST request. So you are
safe. Well the hacker can easily change code to make a
The code might look like this
1 2 3 4
Now when the image is loaded then a
POST request is sent to the
server and the application might grant access to this new user. Not
In order to prevent such things from happening Rails uses
If you look at source code of any form generated through Rails scaffolding you will see that form markup contains following code
<input name="authenticity_token" type="hidden" value="LhT7dqqRByvOhJJ56BsPb7jJ2p24hxNu6ZuJA+8l+YA=" />.
The exact value of the authenticity_token will be different. When form is submitted then Rails checks the authenticity_token and only when it is verified the request is sent for further processing.
In a brand new rails application the
only one line.
1 2 3
protect_from_forgery checks for the authentication of the
Here is code that is responsible for generating
1 2 3 4
Since this “csrf_token” is a random value there is no way for hacker to know what the “csrf_token” is for my session. And he will not be able to pass the correct “authenticity_token”.
Note that if the site is vulnerable to XSS then the hacker submits request as if he is logged in and in that case the CSRF attack will go through.