CSRF and Rails

 
 

CSRF stands for Cross-site request forgery.

Unlike XSS CSRF does not try to steal your informationt to log into the system. CSRF assumes that you are aleady logged in at your site and when you visit comments section of some other site then an attack is done on your site without you knowing it.

Here is how it might work

  • User logs in at www.mysite.com .
  • User visits www.gardening.com site since he is interested in gardeing .
  • He is browsing the comments posted on the gardening.com forum and one of the comments posted is <img src="http://www.mysite.com/grant_access?user_id=1&project_id=123" />
  • If the user is admin of the project "123" then unknowingly he might grant access to user_id 1 .

I know. You are thiniking that loading an image will make a GET request and granting access is hidden behind POST request. So you are safe. Well the hacker can easily change code to make a POST request. The code might look like this

<script>
 document.write('<form name=hack method=post action="http://mysite.com/grant_access?user_id=1&project_id=123"></form>')
</script>
<img src='' onLoad="document.hack.submit()" />

Now when the image is loaded then a POST request is sent to the server and the application might grant access to this new user. Not good.

Prevention

In order to prevent such things from happening Rails uses authenticity_token.

If you look at source code of any form generated through Rails scaffolding you will see that form markup contains following code

<input name="authenticity_token" type="hidden" value="LhT7dqqRByvOhJJ56BsPb7jJ2p24hxNu6ZuJA+8l+YA=" />.

The exact value of the authenticitytoken will be different. When form is submitted then Rails checks the authenticitytoken and only when it is verified the request is sent for further processing.

In a brand new rails application the application_controller.rb has only one line.

class ApplicationController < ActionController::Base
  protect_from_forgery
end

That line protect_from_forgery checks for the authentication of the incoming request.

Here is code that is responsible for generating csrf_token.

# Sets the token value for the current session.
def form_authenticity_token
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

Since this csrf_token is a random value there is no way for hacker to know what the "csrftoken" is for my session. And he will not be able to pass the correct "authenticitytoken".

Note that if the site is vulnerable to XSS then the hacker submits request as if he is logged in and in that case the CSRF attack will go through.

 
Neeraj Singh's profile picture

Comments