Is Rails default CSRF protection insecure

Posted by schickb on Stack Overflow See other posts from Stack Overflow or by schickb
Published on 2010-03-31T22:30:06Z Indexed on 2010/03/31 22:33 UTC
Read the original article Hit count: 397

Filed under:
|
|
|

By default the form post CSRF protection in Rails creates an authenticity token for a user that only changes when the user's session changes. One of our customers did a security audit of our site and flagged that as an issue.

The auditor's statement was that if we also had a XSS vulnerability that an attacker could grab another user's authenticity token and make use of it for CSRF attacks until the user's session expired.

But is seems to me that if we had an XSS vulnerability like that an attacker could just as easily grab another user's session cookie and login as that user directly. Or even just make call to our REST Api as the user being attacked. No secondary CSRF attack needed.

Have I missed something? Is there a real problem with the default CSRF protection in Rails?

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Related posts about csrf