Cross site scripting security


#1

I just changed my session store to use ActiveRecord because it
appears session expiration and so on may be easier that way, and it
seems like a better option.

In my base controller I have:

protect_from_forgery :secret => 'hgfjh…kjhghglh' (whatever)

self.allow_forgery_protection = false

I had commented those out during development because certain actions
would error out because of these.
For instance, I think I called remote_function() from JavaScript and
just added :width => something.
That added width into params, but I guess since it wasn't part of the
routing, the forgery protection flagged an error on it.

Is the best way to go through and try to fix the routing for
everything? I guess that might be the way I have to do it; I wanted
to check if I really need to do that for security, as it's sort of a
pain in the neck to have to test
all the methods, fix the routing and such …


#2

removed_email_address@domain.invalid wrote:

protect_from_forgery :secret => 'hgfjh…kjhghglh' (whatever)

self.allow_forgery_protection = false

I had commented those out during development because certain actions
would error out because of these.

If you’re concerned about security then commenting that out to resolve
the errors you were getting in development was probably a mistake.

For instance, I think I called remote_function() from JavaScript and
just added :width => something.
That added width into params, but I guess since it wasn't part of the
routing, the forgery protection flagged an error on it.

Is the best way to go through and try to fix the routing for
everything? I guess that might be the way I have to do it; I wanted
to check if I really need to do that for security, as it's sort of a
pain in the neck to have to test
all the methods, fix the routing and such …

Also note that your subject line says Cross Site Scripting (XSS), which
is not the same as Cross Site Request Forgery (CSRF). The method
protect_from_forgery does nothing (as far as I understand it) to protect
against XSS. It only provides protection against CSRF.


#3

If you’re concerned about security then commenting that out to resolve
the errors you were getting in development was probably a mistake.

Right, well, I had this funny feeling about it, but at the time I was
trying to get some JavaScript stuff to work …

Anyway, there is a JavaScript call like this:

function update_server(info)
{
  <%= remote_function(:url => {:action => 'resize_field'},
                      :with => '{col:info.col,width:info.width}') %>
}

So I just set some routing, I’m not a routing expert, but I did this:

map.connect 'shgrid/resize_field/:col/:width',
            :controller => 'shgrid',
            :action => 'resize_field'

But I get the error (below). I'm not sure if there's a proper way to
do it with remote_function()?
Anyway, first I did the main dev; now I am trying to learn more on
security …

Processing ShgridController#resize_field (for 155.x.x.x at 2009-03-26 16:28:11) [POST]
  Session ID: 92c3ef636f552fbeff8e574d96bedb9f
  Parameters: {"col"=>"5", "action"=>"resize_field", "controller"=>"shgrid", "width"=>"66"}
  User Load (0.000269)   SELECT * FROM "users" WHERE (name = 'Zack2') LIMIT 1
  AdminSetting Load (0.000156)   SELECT * FROM "admin_settings" LIMIT 1

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  /usr/local/lib/ruby/gems/1.8/gems/actionpack-2.1.2/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'
  /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/active_support/callbacks.rb:173:in `send'
  /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/active_support/callbacks.rb:173:in `evaluate_method'


#4

Thanks,

I'm still learning here, but what happens is, if I copy the token from
some other action that works, so I now have this:

<%= remote_function(:url => {:action => 'resize_field',
                             :authenticity_token => "sda4354326hfghgfsf-whatever"},
                    :with => '{col:info.col,width:info.width}') %>

then the :with part of the clause does not get into the parameters, it
seems …


#5

Larz wrote:

But I get the error (below). I'm not sure if there's a proper way to
do it with remote_function()?
Anyway, first I did the main dev; now I am trying to learn more on
security …

Processing ShgridController#resize_field (for 155.x.x.x at 2009-03-26 16:28:11) [POST]
  Session ID: 92c3ef636f552fbeff8e574d96bedb9f
  Parameters: {"col"=>"5", "action"=>"resize_field", "controller"=>"shgrid", "width"=>"66"}
  User Load (0.000269)   SELECT * FROM "users" WHERE (name = 'Zack2') LIMIT 1
  AdminSetting Load (0.000156)   SELECT * FROM "admin_settings" LIMIT 1

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  /usr/local/lib/ruby/gems/1.8/gems/actionpack-2.1.2/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'
  /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/active_support/callbacks.rb:173:in `send'
  /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/active_support/callbacks.rb:173:in `evaluate_method'

Sure, it will fail on that, because there is no authenticity token in your
params:

Example:

Processing ThingsController#create (for 127.0.0.1 at 2009-03-26 16:42:40) [POST]
  Parameters: {"commit"=>"Create",
  "authenticity_token"=>"wM7T6k++1upx4BO+fVy571jwqx0d4z0U92PPSGP+UUQ=",
  "thing"=>{"name"=>"Widget"}}

You may just want to disable forgery protection for this one action, but
use it for all others. There might be a better solution than that, but
it should get you past this problem.


#6

On Thu, Mar 26, 2009 at 3:58 PM, Larz removed_email_address@domain.invalid wrote:

I’m still learning here, but what happens is if I copy the token from
some other action that works so I now have this:

<%= remote_function(:url => {:action => 'resize_field',
                             :authenticity_token => "sda4354326hfghgfsf-whatever"},

To make it dynamic, I would use form_authenticity_token, not the
actual value of it.

http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#M000491


Greg D.
http://destiney.com/


#7

To make it dynamic, I would use form_authenticity_token, not the
actual value of it.

Thanks,

So I make the call like this; it works fine, except I'm not sure why
the stuff in the :with part from JavaScript
doesn't make it into params when I have authenticity_token in
the :url part:

<%= remote_function(:url => {:action => 'resize_field',
                             :authenticity_token => form_authenticity_token},
                    :with => '{col:info.col,width:info.width}') %>


#8

The other thing seems to be that if this is set in the base
controller:

protect_from_forgery :secret => '10aedsfsdafdasfasdfxvcxvhg'

then it generates the authenticity tokens regardless of whether the
check is made. That seems to break my remote_function call as
mentioned in the previous post (because the :with JS stuff doesn't get
put into the url/params).

Since protect_from_forgery is, I guess, called at the class level, I'm
not sure I can disable it for one action and have it turned on for
others …

I can turn this off at the instance level:
self.allow_forgery_protection
but that doesn't fix my other problem …


#9

Here is where I am at with this so far …

I decided to try to change my code to be all JavaScript to get around
the strange problem I was having, so I followed the
advice from this site:

http://david-burger.blogspot.com/2008/01/rails-forgery-protection-csrf-and-ajax.html

Here is what my code looks like now, which seems to work. I think I am
using jQuery at this point. I've commented out the old code:

function update_server(info)
{
  <%#= remote_function(:url => {:action => 'resize_field'},
                       :with => '{col:info.col,width:info.width}') %>
  // FORM_AUTH_TOKEN is not defined in this snippet; it is assumed to be set
  // elsewhere (e.g. in the layout) to the value of form_authenticity_token.
  $.ajax({data: {col: info.col, width: info.width, authenticity_token: FORM_AUTH_TOKEN},
          dataType: 'script', type: 'post', url: '/shgrid/resize_field'});
}
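Added example, not code from any post in this thread: a plain-Ruby model of the decision protect_from_forgery makes on each request, run against the three kinds of request the thread talks about (the original remote_function POST with no token, from #3/#5; the jQuery POST that carries authenticity_token in its data hash, from #9; and a request that has a valid token but hostile parameter values, the XSS-versus-CSRF point from #2). The secret, the token derivation as HMAC-SHA1(secret, session_id) and the form-encoded body are my assumptions about the Rails 2.1 code the backtrace points at; the session id is the one printed in the posted log, everything else is constructed. It needs only the Ruby standard library.

```ruby
require 'openssl'
require 'uri'

# Stand-in for the :secret the first post passes to protect_from_forgery
# (the real value is elided on the page); assumed for this example only.
SECRET = 'example-secret-not-from-the-thread'

# Rails 2.x with a non-cookie session store and protect_from_forgery :secret
# derives the token as HMAC-SHA1(secret, session_id). That is my reading of
# the Rails 2.1 code the backtrace points at; later Rails keep a random
# token in the session instead, but the check below is the same either way.
def form_authenticity_token(session_id, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, session_id.to_s)
end

# Compare the whole string every time so a forged token cannot be guessed
# byte by byte from timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The decision verify_authenticity_token makes. Note what it does not do:
# it never looks at the other parameters, so it stops CSRF and nothing else.
def verified_request?(method, session_id, params, enabled: true)
  return true unless enabled                      # allow_forgery_protection = false
  return true if %w[GET HEAD].include?(method)    # only state-changing verbs are checked
  token = params['authenticity_token']
  !token.nil? && secure_compare(form_authenticity_token(session_id), token)
end

# The form-encoded POST body jQuery sends for
#   $.ajax({data: {col:..., width:..., authenticity_token:...}, type:'post'})
# which Rails parses back into params.
def ajax_body(info, token)
  URI.encode_www_form('col' => info[:col].to_s, 'width' => info[:width].to_s,
                      'authenticity_token' => token)
end

def parse_params(body)
  Hash[URI.decode_www_form(body)]
end

# Constructed inputs. The session id is the one printed in the posted log.
SESSION_ID = '92c3ef636f552fbeff8e574d96bedb9f'
TOKEN = form_authenticity_token(SESSION_ID)

# 1. The original remote_function call: col and width arrive, no token -> rejected,
#    which is exactly the InvalidAuthenticityToken in the log.
NO_TOKEN_REJECTED = !verified_request?('POST', SESSION_ID,
                                       parse_params(URI.encode_www_form('col' => '5', 'width' => '66')))

# 2. The jQuery call from the last post, token included in the data hash -> accepted.
WITH_TOKEN_ACCEPTED = verified_request?('POST', SESSION_ID,
                                        parse_params(ajax_body({ col: 5, width: 66 }, TOKEN)))

# 3. A token minted for some other session (or by a site with another secret) -> rejected.
OTHER_SESSION_REJECTED = !verified_request?('POST', SESSION_ID,
                                            parse_params(ajax_body({ col: 5, width: 66 },
                                                                   form_authenticity_token('another-session'))))

# 4. The check ignores parameter values: a script payload in width sails through.
#    That is the XSS-versus-CSRF point made in the second reply.
XSS_STILL_ACCEPTED = verified_request?('POST', SESSION_ID,
                                       parse_params(ajax_body({ col: 5, width: '<script>alert(1)</script>' }, TOKEN)))

if __FILE__ == $0
  puts "no token, POST       rejected: #{NO_TOKEN_REJECTED}"
  puts "token in data, POST  accepted: #{WITH_TOKEN_ACCEPTED}"
  puts "other session token  rejected: #{OTHER_SESSION_REJECTED}"
  puts "script in width      accepted: #{XSS_STILL_ACCEPTED}"
end
```

Two practical notes that the thread circles but does not state. The per-action opt-out suggested in #5 does not require turning the whole filter off: in the Rails 2.x API (not something from this thread) protect_from_forgery accepts :only/:except, so `protect_from_forgery :secret => '...', :except => :resize_field` keeps the check on every other action, and `skip_before_filter :verify_authenticity_token, :only => :resize_field` in the one controller does the same. And case 4 is the reason the subject line matters: a request that passes this check can still carry a script payload in width, so whatever renders that column width back into the page must escape it; protect_from_forgery will not help there.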