-
Notifications
You must be signed in to change notification settings - Fork 691
A8 CSRF
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Cross-Site Request Forgery (CSRF) - The following code was taken from: /app/controllers/application_controller.rb and /app/views/layouts/application.html.erb
application_controller.rb
# Our security guy keep talking about sea-surfing, cool story bro.
# protect_from_forgery
application.html.erb
<%#= csrf_meta_tags %> <!-- <~ What is this for? I hear it helps w/ JS and Sea-surfing.....whatevz -->
The application allows users to update their calendar and schedule PTO events (PTO section). Due to the fact CSRF protections are disabled, the AJAX request will send the authenticity token but the application will not validate either its presence or validity. Create an html page using the code shown below, authenticate as another user, click on it, review the new calendar (change the dates under date_range1). You should see this HTML code will work, even if you hadn't navigated to the PTO section prior to sending it.
<html>
<body>
<form action="http://railsgoat.dev/schedule.json" method="POST">
<input type="hidden" name="schedule[event_name]" value="Bad Guy" />
<input type="hidden" name="schedule[event_type]" value="pto" />
<input type="hidden" name="schedule[event_desc]" value="Fun Fun" />
<input type="hidden" name="date_range1" value="06/08/2013 - 06/09/2013" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
By default, the protect_from_forgery directive is added under the application_controller.rb at project creation. However, occasionally developers turn it off (comment out) because of issues with JS. There are two separate solutions around the JS problem.
Once protect_from_forgery is added back, add the following code within the header section of the application.html.erb file (or any other application layout file).
<%= csrf_meta_tags %>
That will allow you to parse the meta tag with JS. However, keep in mind that any form generated by Rails is populated with an authenticity token so, if you leverage something like JQuery to make an Ajax request, you can include all values within the form by using the technique shown next.
Leverage the serialize() method, shown on line 3. This grabs all the values from the form, including the authenticity token.
("#example_submit_button_id").click(function(event) {
var valuesToSubmit = $("#example_form_id").serialize();
event.preventDefault();
$.ajax({
url: "/example",
data: valuesToSubmit,
type: "POST",
success: function(response) {
alert('success!');
},
error: function(event) {
alert('failure!');
}
});
});
}
PTO is precious, glad my calendar is safe!
© The Open Web Application Security Project - OWASP, 2015
Sections are divided by their OWASP Top Ten label (A1-A10) and marked as R4 and R5 for Rails 4 and 5.