Security problems with CookieStore and CSRF protection

Dear Rails community,
As part of a programming languages/security research group at the
University of Maryland, we are building some static analysis tools for
Rails applications. These tools work by taking formally specified
properties of interest, and then analyzing code to verify that those
properties indeed hold. Using these tools, we found some security
vulnerabilities in Rails, and we would like to get a sense of how
important these are in practice.

1. Using CookieStore opens the door to "replay attacks", whose
importance is, we feel, underestimated. A dishonest user can replay an
old session to fool the server, of course; but more critically, it may
be possible for an attacker to steal a cookie from an honest user
after the latter is authenticated, and replay that session. The
obvious fix is to include nonce-checking for every session object to
ensure its freshness, but this may require storing nonces in the
database, which may go against the point of using CookieStore. Are
most users of Rails aware of this problem? How many actually use
ActiveRecordStore instead of CookieStore? If the latter is by far the
most common mode, then we believe that default should be
ActiveRecordStore, as it is much less susceptible to this problem.
(Session ids are usually not stateful in a bad way.)

2. The CSRF protection, at least in Rails 2.2.2, seems too weak. Rails
comes close to implementing a fix, by embedding and checking hidden
tokens (for POST requests). But it is well-known that for such a fix
to work, the tokens should be session-specific. Unfortunately, we
found that the implementation in 2.2.2 can return the same token even
if, e.g., session[:user] is different. This is bad, since an attacker
may not be an outsider: it can reasonably have an account with the
server, and if it gets back a token which it can then embed in forms
used by other, honest users, then it can execute CSRF attacks!

The common theme behind these attacks is that it may be too simplistic
to view the world as divided between a (trusted) server and an
(untrusted) attacker. Users should be isolated from other users just
as well, be it for protection against CSRF, or protection against
session replay.

Do you, as users and developers of Rails, think these are issues
important enough to worry about? We would like to hear any counter-
arguments.

Best regards,
Avik Chaudhuri.
[http://www.cs.umd.edu/~avik]

1. Using CookieStore opens the door to "replay attacks", whose
importance is, we feel, underestimated. A dishonest user can replay an
old session to fool the server, of course; but more critically, it may
be possible for an attacker to steal a cookie from an honest user
after the latter is authenticated, and replay that session. The
obvious fix is to include nonce-checking for every session object to
ensure its freshness, but this may require storing nonces in the
database, which may go against the point of using CookieStore. Are
most users of Rails aware of this problem? How many actually use
ActiveRecordStore instead of CookieStore? If the latter is by far the
most common mode, then we believe that default should be
ActiveRecordStore, as it is much less susceptible to this problem.
(Session ids are usually not stateful in a bad way.)

All true, but I've always thought that at the point where people can
steal your cookies then you're a bit shafted anyway. The replayability
does make it a bit worse than just stealing a session cookie, but then
a lot of sites have a 'remember me' cookie, why bother stealing the
session when you could steal that ?

2. The CSRF protection, at least in Rails 2.2.2, seems too weak. Rails
comes close to implementing a fix, by embedding and checking hidden
tokens (for POST requests). But it is well-known that for such a fix
to work, the tokens should be session-specific. Unfortunately, we
found that the implementation in 2.2.2 can return the same token even
if, e.g., session[:user] is different. This is bad, since an attacker
may not be an outsider: it can reasonably have an account with the
server, and if it gets back a token which it can then embed in forms
used by other, honest users, then it can execute CSRF attacks!

That's seems odd - glancing at the code it would seem that in 2.2.2
the secret is a digest of the session_id and a secret (for non cookie
stores) and in the case of a cookie store a digest of a random
identifier and a secret. How were you able to get it to return the
same token for 2 different sessions ?

Fred

Hi Fred,

> 2. The CSRF protection, at least in Rails 2.2.2, seems too weak. Rails
> comes close to implementing a fix, by embedding and checking hidden
> tokens (for POST requests). But it is well-known that for such a fix
> to work, the tokens should be session-specific. Unfortunately, we
> found that the implementation in 2.2.2 can return the same token even
> if, e.g., session[:user] is different. This is bad, since an attacker
> may not be an outsider: it can reasonably have an account with the
> server, and if it gets back a token which it can then embed in forms
> used by other, honest users, then it can execute CSRF attacks!

That's seems odd - glancing at the code it would seem that in 2.2.2
the secret is a digest of the session_id and a secret (for non cookie
stores) and in the case of a cookie store a digest of a random
identifier and a secret. How were you able to get it to return the
same token for 2 different sessions ?

According to the code for 2.2.2 (and also the current version), the
token is not inherently "user-specific"; it may remain the same even
when other session fields change. Thus, the app _must_ use
reset_session when a different user logs in to force a different token
to be computed. (In particular, just clearing out the relevant fields,
e.g., session[:user_id], is not enough, since session[:_csrf_token] or
session[:csrf_id] remains set.) Otherwise, we may get the following
scenario, for example.

1. Attacker logs into a public computer, gets CSRF token from a page
returned by the server, includes a form with that token on a popular
website he controls, and leaves without logging out.

2. Honest user logs into the same computer (and say reset_session is
not used, so the token field in the session remains set and doesn't
change). He opens the popular site on the side, and accidentally
causes the malicious form to be sent.

I discussed this issue with Michael Koziarski; he claims, perhaps
rightly so, that this is ultimately a session fixation attack, and the
doc already advises use of reset_session in that case. True, but I
believe that the doc is inadequate in this case; clearly this attack
uses CSRF, and the fact that protection in this case requires
protect_from_forgery as well as reset_session is not clarified enough.

Best,
-Avik.

Ah, with you know - thought you were saying that two completely
unrelated sessions might end up with the same auth token.

Fred