20 April 2014

The Ruby Reflector



  Source Favicon
By Tom of Heroku 5 months ago.

https://github.com/heroku/identity/pull/49 - we had a CSRF issue in the approve/deny page. This was originally reported to us from an independent security researcher. It's a good example of some ambiguity in the OAuth spec. From RFC 6749, sec 3.1 :

The authorization server MUST support the use of the HTTP " GET" method [ RFC2616] for the authorization endpoint and MAY support the use of the "POST" method as well.

There's two ways to …

blog.heroku.com Read
  Source Favicon

…csrf_meta_tags %> in your application layout HEAD , jquery-ujs augments this protection by adding the CSRF token to a header on outgoing AJAX requests.

jquery-ujs also updates the CSRF token on all non-AJAX forms on page load, which may be out-of-date if the form was rendered from a fragment cache.


jquery-ujs exposes its functions in the $.rails namespace and fires many events when submitting AJAX forms. jquery-ujs behavior can be customized by overriding …

robots.thoughtbot.com Read
  Source Favicon
By José Valim of Plataformatec Blog 8 months ago.

CSRF on sign in

Devise's sign in page was vulnerable to CSRF attacks when used with the rememberable feature. Note that the CSRF vulnerability is restricted only to the sign in page, allowing an attacker to sign the user in an account controlled by the attacker. This vulnerability does not allow the attacker to access or change a user account in any way.

This issue is fixed on Devise 3.1.0 as well as 3.0.2 and 2.2.6. Users on previous Devise versions can patch their application …

blog.plataformatec.com.br Read
  Source Favicon
By José Valim of Plataformatec Blog 9 months ago.

Devise has been reported to be vulnerable to CSRF token fixation attacks.

The attack can only be exploited if the attacker can set the target session, either by subdomain cookies (similar to described here ) or by fixation over the same Wi-Fi network. If the user knows the CSRF token, cross-site forgery requests can be made. More information can be found here .

Note Devise is not vulnerable to session fixation attacks (i.e. the user cannot steal another user session by fixating the session id).

blog.plataformatec.com.br Read
  Source Favicon
By Andrzej Krzywda of Andrzej on Software 10 months ago.

CSRF - security

There's one downside to the implicit features.

They're rarely documented and covered with tests .

As with every app, there comes a moment, when you need to start providing changes. Sometimes, you may want to rewrite some layers of the application. There's a trend recently that we try to find new ways of working with Rails apps, that is less dependent on ActiveRecord. Some developers rewrite their apps to Sinatra or Padrino.

It sounds great in theory, …

andrzejonsoftware.blogspot.com Read
  Source Favicon
By Assaf of Labnotes over 1 year ago.

…secure express.js apps : don't run as root, secure your sessions, security headers and CSRF.

§ Using web fonts in email .

§ jeremydmiller :

I think there's a Heisenberg Uncertainty Principle thing w/ software process. Measuring my "progress" has an impact on my progress

§ And now for some local news: South Bay couple kidnap handyman, force him to repair household appliances .

blog.labnotes.org Read
  Source Favicon
By Patrick of Kalzumeus Software over 2 years ago.

My personal understanding of Rails up until an hour ago was that a CSRF violation would raise an exception. This would practically never get seen by a legitimate user operation, so few people are aware of that, but I had seen it a time or two when security auditing BCC. (Some of my geeky friends had, back in the day, exploited BCC with a CSRF and helpfully told me how to fix it. Naturally, after fixing it I verified that the site worked as expected with the fix.)

So if the CSRF

kalzumeus.com Read
  Source Favicon
By michael of Riding Rails - home 3 years ago.

There are two major changes in this fix, the behaviour when CSRF protection fails has changed and the token will now be required for all non-GET requests.

After applying this patch failed CSRF requests will no longer generate HTTP 500 errors, instead the session will be reset. Users can override this behaviour by overriding handle_unverified_request in their own controllers.

Users must still take care that users cannot be auto logged in via non-session data. For example, an application …

weblog.rubyonrails.org Read
  Source Favicon
By Trevor of Trevor Turk over 3 years ago.

…app showing SWFUpload working in tandem with restful-authentication, CSRF protection and paperclip.

kabuki/heresy - GitHub

Heresy is a schema free wrapper around your database, heavily inspired by both CouchDB and FriendFeed.

enriquez/ezpz-hint - GitHub

A simple jQuery plugin for showing a text field's label inside the textbox itself. The hint disappears when it is given focus, and appears again if the inputted text is empty. Typically used for search …

almosteffortless.com Read
  Source Favicon
By José Valim of Plataformatec Blog 3 years ago.

Devise 1.1.6 has just been released and it follows Rails 3.0.4 release. Rails 3.0.4 changes how CSRF works and adds a new method called handle_unverified_request that should be properly overridden by authentication frameworks. Devise 1.1.6 implements this method and others small security fixes.

If you have updated to Rails 3.0.4, you must update to Devise 1.1.6 . Those using Devise 1.2.rc should use master for awhile, another RC is coming soon. For more information, check out the CHANGELOG .

blog.plataformatec.com.br Read