https://github.com/heroku/identity/pull/49 - we had a CSRF issue in the approve/deny page. This was originally reported to us by an independent security researcher. It's a good example of some ambiguity in the spec. From RFC 6749, sec. 3.1:
The authorization server MUST support the use of the "GET" method [RFC2616] for the authorization endpoint and MAY support the use of the "POST" method as well.
There are two ways to …
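As an added example (not code from the Heroku PR or the identity project): a toy authorization endpoint that honours the RFC's requirement to support GET while keeping the approve/deny decision on a token-protected POST. The GET handler only renders the consent page and ignores any decision parameter a forged link carries; the POST handler is the only path that records a grant, and only when the submitted token matches the one bound to the session. The class, route and parameter names and the in-memory grant store are assumptions.

```ruby
require "securerandom"

# Hypothetical model of an OAuth 2.0 authorization endpoint (added example,
# not the identity project's code). Client ids, parameter names and the grant
# store are assumptions for illustration.

# Constant-time comparison so a wrong token does not leak how many leading
# bytes matched.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class AuthorizationEndpoint
  Response = Struct.new(:status, :location, :body)

  attr_reader :grants

  def initialize
    @grants = [] # [user, client_id, scope] tuples approved so far
  end

  # GET /oauth/authorize: required by RFC 6749, so it must be side-effect
  # free. It mints a session-bound token and renders the consent page; a
  # "decision" parameter smuggled onto the GET is simply not acted on.
  def get(session, params)
    session[:csrf_token] ||= SecureRandom.hex(32)
    Response.new(200, nil,
                 "Allow #{params['client_id']} to access #{params['scope']}? " \
                 "authenticity_token=#{session[:csrf_token]}")
  end

  # POST /oauth/authorize: the only route that records the decision, and only
  # when the token posted by the consent form matches the session's token.
  def post(session, params, user:)
    unless secure_compare(session[:csrf_token], params["authenticity_token"])
      return Response.new(403, nil, "missing or invalid CSRF token")
    end

    if params["decision"] == "approve"
      @grants << [user, params["client_id"], params["scope"]]
      Response.new(302, "#{params['redirect_uri']}?code=#{SecureRandom.hex(16)}", nil)
    else
      Response.new(302, "#{params['redirect_uri']}?error=access_denied", nil)
    end
  end
end

if __FILE__ == $0
  ep = AuthorizationEndpoint.new
  session = {} # the victim's server-side session (constructed)
  # A forged cross-site GET with a decision parameter renders the form only.
  p ep.get(session, { "client_id" => "evil-app", "scope" => "read", "decision" => "approve" })
  # A forged POST has no token: refused, nothing granted.
  p ep.post(session, { "client_id" => "evil-app", "scope" => "read", "decision" => "approve",
                       "redirect_uri" => "https://evil.example/cb" }, user: "alice")
  p ep.grants
end
```

The token only has to be unguessable and bound to the session; the attacker's page can trigger both the GET and the POST from the victim's browser, but cannot read the token out of the rendered consent page.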
…csrf_meta_tags %> in your application layout HEAD, jquery-ujs augments this protection by adding the CSRF token to a header on outgoing AJAX requests.
jquery-ujs also refreshes the CSRF token in all non-AJAX forms on page load; the token embedded in a form may be stale if the form was rendered from a fragment cache.
jquery-ujs exposes its functions in the $.rails namespace and fires many events when submitting AJAX forms. jquery-ujs behavior can be customized by overriding …
CSRF on sign in
Devise's sign-in page was vulnerable to CSRF attacks when used with the rememberable feature. The vulnerability is restricted to the sign-in page: it allows an attacker to sign the user in to an account controlled by the attacker (a login CSRF). It does not allow the attacker to access or change the user's own account in any way.
This issue is fixed in Devise 3.1.0, as well as in 3.0.2 and 2.2.6. Users on previous Devise versions can patch their application …
Devise has been reported to be vulnerable to CSRF token fixation attacks.
The attack can only be exploited if the attacker can set the target's session, either through subdomain cookies (similar to the attack described here) or by fixation over the same network. If the attacker knows the CSRF token, cross-site requests can be forged. More information can be found here.
Note that Devise is not vulnerable to session fixation attacks (i.e. an attacker cannot steal another user's session by fixating the session id).
CSRF - security
There's one downside to the implicit features.
They're rarely documented or covered by tests.
As with every app, there comes a moment when you need to start making changes. Sometimes you may want to rewrite some layers of the application. There is a recent trend of looking for ways of working with Rails apps that are less dependent on ActiveRecord. Some developers rewrite their apps in Sinatra or Padrino.
It sounds great in theory, …
…secure Express.js apps: don't run as root, secure your sessions, set security headers, and use CSRF protection.
§ jeremydmiller:
I think there's a Heisenberg Uncertainty Principle thing w/ software process. Measuring my "progress" has an impact on my progress
My personal understanding of Rails up until an hour ago was that a CSRF violation would raise an exception. This would practically never get seen by a legitimate user operation, so few people are aware of that, but I had seen it a time or two when security auditing BCC. (Some of my geeky friends had, back in the day, exploited BCC with a CSRF and helpfully told me how to fix it. Naturally, after fixing it I verified that the site worked as expected with the fix.)
So if the CSRF …
There are two major changes in this fix: the behaviour when CSRF protection fails has changed, and the token is now required for all non-GET requests.
After applying this patch, failed CSRF requests will no longer generate HTTP 500 errors; instead the session will be reset. Users can override this behaviour by overriding handle_unverified_request in their own controllers.
Users must still take care that users cannot be automatically logged in via non-session data, since resetting the session does nothing about that. For example, an application …
…app showing working in tandem with restful-authentication, CSRF protection and paperclip.
Heresy is a schema-free wrapper around your database, heavily inspired by both and .
A simple plugin for showing a text field's label inside the text box itself. The hint disappears when the field is given focus and reappears if the entered text is empty. Typically used for search …
Devise 1.1.6 has just been released and it follows the Rails 3.0.4 release. Rails 3.0.4 changes how CSRF works and adds a new method called handle_unverified_request that should be properly overridden by authentication frameworks. Devise 1.1.6 implements this method along with other small security fixes.
If you have updated to Rails 3.0.4, you must update to 1.1.6; check out the CHANGELOG. Those using Devise 1.2.rc should use master for a while; another is coming soon. For more information,
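An added example, not code from Rails or Devise, that models the behaviour described in the Rails 3.0.4 patch note and the Devise 1.1.6 release note above, together with the sign-in CSRF and token-fixation advisories further up: verification of every non-GET request (token from a form field or the X-CSRF-Token header that jquery-ujs sends), session reset rather than an exception on failure, removal of the remember-me cookie so the request is not re-authenticated from non-session data, explicit refusal of an unverified sign-in (a session reset alone would not stop login CSRF, because sign-in needs no prior authentication), and rotation of the token after authentication so a fixated token is useless afterwards. AppController, the action and cookie names, and the account tables are assumptions.

```ruby
require "securerandom"

# Added example, not Rails or Devise code: an in-memory model of the
# request-forgery protection described above. Controller, action and cookie
# names and the account tables are assumptions made for illustration.

# Constant-time comparison so a wrong token does not leak how many leading
# bytes matched.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

Request = Struct.new(:method, :action, :params, :headers, keyword_init: true)

# Constructed account data.
PASSWORDS       = { "victim" => "correct horse", "attacker" => "hunter2" }
REMEMBER_TOKENS = { "rt-victim" => "victim", "rt-attacker" => "attacker" }
BALANCES        = Hash.new(0)

class AppController
  attr_reader :session, :cookies

  def initialize(session: {}, cookies: {})
    @session, @cookies = session, cookies
  end

  # One controller instance per request, as in Rails. Post-3.0.4 rule: every
  # non-GET request needs a valid token, sent as a form field or, as
  # jquery-ujs does for AJAX, in the X-CSRF-Token header.
  def process(request)
    @unverified = request.method != "GET" && !verified?(request)
    handle_unverified_request if @unverified
    public_send(request.action, request.params)
  end

  def verified?(request)
    submitted = request.params["authenticity_token"] || request.headers["X-CSRF-Token"]
    secure_compare(session[:_csrf_token], submitted)
  end

  # Rails 3.0.4 default: reset the session instead of raising, so the forged
  # request runs unauthenticated. The Devise-style addition is to drop the
  # remember-me cookie too; otherwise current_user would be rebuilt from
  # non-session data and the forged request would still act as the victim.
  def handle_unverified_request
    session.clear
    cookies.delete(:remember_token)
  end

  def current_user
    session[:user_id] || REMEMBER_TOKENS[cookies[:remember_token]]
  end

  # GET: renders the form and mints the per-session token it embeds.
  def show_form(_params)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Sign-in needs no prior authentication, so the session reset alone would
  # not stop login CSRF: the action must refuse an unverified request itself.
  # A successful sign-in also rotates the token, so a token fixated before
  # authentication is useless afterwards.
  def sign_in(params)
    return :rejected if @unverified
    return :bad_credentials unless PASSWORDS[params["user"]] == params["password"]
    session[:user_id] = params["user"]
    session.delete(:_csrf_token)
    cookies[:remember_token] = "rt-#{params['user']}" if params["remember_me"]
    :signed_in
  end

  def transfer(params)
    return :unauthenticated unless current_user
    BALANCES[current_user] -= params["amount"]
    BALANCES[params["to"]] += params["amount"]
    :transferred
  end
end

# Fresh controller per request, sharing the browser's session and cookie jar.
def dispatch(session, cookies, **req)
  request = Request.new(**{ params: {}, headers: {} }.merge(req))
  AppController.new(session: session, cookies: cookies).process(request)
end

if __FILE__ == $0
  session, cookies = {}, {}
  token = dispatch(session, cookies, method: "GET", action: :show_form)
  p dispatch(session, cookies, method: "POST", action: :sign_in,
             params: { "user" => "victim", "password" => "correct horse",
                       "remember_me" => true, "authenticity_token" => token })
  # Forged cross-site POST: no token, but the browser still sends the cookies.
  p dispatch(session, cookies, method: "POST", action: :transfer,
             params: { "to" => "attacker", "amount" => 100 })
  p [session, cookies, BALANCES]
end
```

Run stand-alone, the second dispatch reports :unauthenticated with the session and cookie jar emptied and no balance moved, which is the combined effect of the Rails reset and the remember-cookie removal.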