Welcome

The Ruby on Rails Security Project would like to help you make your Rails applications more secure. I'm Heiko Webers of bauland42 and I also do Rails security audits. You read the official Rails Security Guide? Great, so we know each other already, I wrote it. Contact me at 42 -the AT sign- bauland42.de or on Twitter.

Do you have a Rails security strategy?
Here's the new complete Rails guide to developing an overall security strategy. If you sign up today, I’ll give it to you for free.

Search
Feeds / Syndication
Most Popular
This site is currently being updated to be more useful, enter your email to be notified

« [WebappSec] Browser Security Handbook | Main | Rails Security Guide and Book »
Wednesday
Nov192008

Circumvent Rails CSRF Protection

There is a security-related bug in Ruby on Rails 2.1.x and all 2.2. pre-releases. The CSRF protection given by
the protect_from_forgery method may possibly be circumvented by a crafted request.

The problem is that Rails by design will not check the authenticity token if the request has certain content types that are typically not generated by browsers. According to the original security message, this list also includes "text/plain" which may be generated by browsers. This form data encoding roundup gives an overview of what can be generated by today's browsers. See this changset for details of which content types will be checked.

 

Possible Exploit

The content type can be set with the enctype attribute in HTML forms:

<form method="post" enctype="text/plain" action="<%= some_post_action_path(@var) %>"><%= submit_tag "Start" %></form>

This was found in this Lighthouse ticket. The original security message states that Rails does not parse the parameters for these requests. However, I was able to craft requests where all parameters where correctly parsed and used.

 

Temporary Solution

Users of 2.1.x releases are advised to insert the following code into a file in config/initializers/

Mime::Type.unverifiable_types.delete(:text)

Or you apply this patch for the 2.1.x releases. Users of Edge Rails should upgrade to the latest version.

 

Fixes

Fixes will be in Rails version 2.1.3 and 2.2.2.

PrintView Printer Friendly Version

EmailEmail Article to Friend

References (1)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>