CSRF & Working With Rails

June 12th, 2008

About a week ago Mislav Marohnic wrote about a simple CSRF attack on Working with Rails.

What Mislav exploited was the fact that Working With Rails didn’t require a POST request to create recommendations, so just by visiting his blog you’d inadvertently recommend him (if you were logged into WWR).
In less than 24 hours Mislav got enough recommendations to boost his ranking by 10 places.

WWR fixed that particular hack: they disallowed GET requests to the create action, only allowing POST ones.

However, they certainly haven’t solved the problem. It’s possible to make cross-site POST requests without the user actively submitting a form. This script I made creates an iframe with a form inside and submits that form automatically, so without realising it a visitor has recommended me on WWR (I haven’t used it on this site, by the way).

It just shows that it’s fundamentally important to use a form authentication token (which Rails 2 now does by default) to prevent CSRF.

And it’s worth bearing in mind that an open crossdomain.xml file would make any CSRF protection absolutely worthless, since Flash content served from another domain could simply go and grab that form authentication token.
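To make the token argument concrete, here is an added Ruby illustration (not code from this post, from WWR, or from Rails itself) of how a per-session authenticity token closes both holes described above. Deriving the token as an HMAC of the session id, and the `CsrfGuard` / `allow_create?` names, are assumptions of the example, a simplification of what Rails actually does:

```ruby
require 'openssl'

# Simplified model of a form authentication token (assumption: HMAC of the
# session id under a server-side secret). A form hosted on another origin
# has no way to learn this value, so it cannot forge a valid submission.
class CsrfGuard
  def initialize(secret)
    @secret = secret
  end

  # Value rendered into the hidden authenticity_token field of every form.
  def token_for(session_id)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, session_id)
  end

  # Guard for a state-changing action such as "create recommendation".
  # Both WWR failures from the post are refused here:
  #  - a GET is rejected outright (the first hole, which WWR fixed);
  #  - a POST without a matching token is rejected (the auto-submitted
  #    iframe form, which the POST-only fix did not stop).
  def allow_create?(method, session_id, submitted_token)
    return false unless method.to_s.upcase == 'POST'
    return false if submitted_token.nil?
    secure_compare(token_for(session_id), submitted_token.to_s)
  end

  private

  # Constant-time comparison so timing differences don't leak the token.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed demo values, not real WWR data.
if __FILE__ == $PROGRAM_NAME
  guard = CsrfGuard.new('server-secret-example')
  sid = 'victim-session-id'
  good = guard.token_for(sid)
  puts guard.allow_create?('GET', sid, nil)      # false: GET can't create
  puts guard.allow_create?('POST', sid, nil)     # false: cross-site form
  puts guard.allow_create?('POST', sid, 'guess') # false: wrong token
  puts guard.allow_create?('POST', sid, good)    # true: the site's own form
end
```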


6 comments on “CSRF & Working With Rails”

  1.

    What does CRSF (http://crsf.net) have to do with Rails?

    (just kidding - funny typo)

    Kevin at June 12th, 2008 around 3:48 pm

  2.

    Lol, thanks - I’ve fixed that

    maccman at June 12th, 2008 around 3:53 pm

  3.

    Nice :)

    In which browsers did you find this to work?

    Mislav at June 13th, 2008 around 8:04 am

  4.

    Works for me in Safari and Firefox (I haven’t got IE to test it)

    maccman at June 13th, 2008 around 9:52 am

  5.

    Question:
    So how do you create a “recommend me” type button then? If all data sent must have this token, you can’t use them on external sites… or can you?

    Adam at June 30th, 2008 around 2:19 am

  6.

    Adam:
    The button could be in an iframe, or you could have a confirmation page.

    maccman at June 30th, 2008 around 9:55 am
