CSRF & Working With Rails
June 12th, 2008
About a week ago Mislav Marohnic wrote about a simple CSRF attack on Working with Rails.
What Mislav exploited was the fact that Working With Rails didn’t require a POST request to create recommendations, so just by visiting his blog you’d inadvertently recommend him (if you were logged into WWR).
In less than 24 hours Mislav got enough recommendations to boost his ranking by 10 places.
WWR fixed that particular hack: they disallowed GET requests to the create action, allowing only POST ones.
However, they certainly haven’t solved the problem. It’s possible to make cross-site POST requests without the user actively submitting a form. This script I made creates an iframe with a form inside, and submits the form. So, without the user realizing it, they’ve recommended me on WWR (I haven’t used it on this site, btw).
It just shows that it’s fundamentally important to use a form authentication token (which Rails 2 now does by default) to prevent CSRF.
And, it’s worth bearing in mind that an open crossdomain.xml file would make any CSRF protections absolutely worthless, since you could go and grab that form authentication token with Flash.

6 comments on “CSRF & Working With Rails”
01
What does CRSF (http://crsf.net) have to do with Rails?
(just kidding - funny typo)
02
Lol, thanks - I’ve fixed that
03
Nice :)
In which browsers did you find this to work?
04
Works for me in Safari and Firefox (I haven’t got IE to test it)
05
Question:
So how do you create a “recommend me” type button then? If all data sent must have this token, you can’t use them on external sites… or can you?
06
Adam:
The button could be in an iframe, or you could have a confirmation page.
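As an added example, not the post’s own script and not WWR’s or Rails’ code, here is a small pure-Ruby sketch of what the form authentication token from the post buys you, with the confirmation-page answer from comment 06 wired in. `handle`, `authenticity_token`, the `/recommend/confirm` route and the in-memory `RECOMMENDATIONS` store are all assumptions made for the illustration.

```ruby
require 'openssl'
require 'securerandom'
require 'cgi'

# Hypothetical stand-in for the Rails 2 authenticity-token check; the real
# implementation lives in ActionController, this is a constructed sketch.
SECRET = SecureRandom.hex(32)
RECOMMENDATIONS = []   # constructed in-memory store for created recommendations

# Token bound to the session. A page on another origin can make the browser
# send the session cookie, but cannot read this value to put it in its form.
def authenticity_token(session)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, session[:id])
end

# Constant-time comparison so the check does not leak the token byte by byte.
def secure_equal?(given, expected)
  return false unless given.is_a?(String) && given.bytesize == expected.bytesize
  given.bytes.zip(expected.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# One request in, [status, body] out.
# GET /recommend/confirm renders the confirmation page that an off-site
# "recommend me" link can point at; POST /recommendations does the write.
def handle(method, path, session, params)
  case [method, path]
  when ['GET', '/recommend/confirm']
    user = CGI.escapeHTML(params['user'].to_s)
    token = authenticity_token(session)
    [200, %(<form method="post" action="/recommendations">) +
          %(<input type="hidden" name="authenticity_token" value="#{token}">) +
          %(<input type="hidden" name="user" value="#{user}">) +
          %(<button>Recommend #{user}?</button></form>)]
  when ['POST', '/recommendations']
    # Refusing GET (WWR's first fix) is not enough: a hidden cross-site form
    # still POSTs with the cookie attached. The token is what it cannot supply.
    unless secure_equal?(params['authenticity_token'], authenticity_token(session))
      return [422, 'invalid authenticity token']
    end
    RECOMMENDATIONS << { from: session[:id], to: params['user'] }
    [201, 'recommended']
  else
    [405, 'method not allowed']   # GET /recommendations is no longer a create
  end
end
```

The off-site button simply links to `/recommend/confirm?user=...`; the write only happens once the user clicks through on a page that carries their own token.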