Is Rails default CSRF protection insecure
Posted
by schickb
on Stack Overflow
See other posts from Stack Overflow
or by schickb
Published on 2010-03-31T22:30:06Z
Indexed on
2010/03/31
22:33 UTC
Read the original article
Hit count: 399
By default the form post CSRF protection in Rails creates an authenticity token for a user that only changes when the user's session changes. One of our customers did a security audit of our site and flagged that as an issue.
The auditor's statement was that if we also had a XSS vulnerability that an attacker could grab another user's authenticity token and make use of it for CSRF attacks until the user's session expired.
But is seems to me that if we had an XSS vulnerability like that an attacker could just as easily grab another user's session cookie and login as that user directly. Or even just make call to our REST Api as the user being attacked. No secondary CSRF attack needed.
Have I missed something? Is there a real problem with the default CSRF protection in Rails?
© Stack Overflow or respective owner