Dear Rails community,
As part of a programming languages/security research group at the
University of Maryland, we are building some static analysis tools for
Rails applications. These tools work by taking formally specified
properties of interest, and then analyzing code to verify that those
properties indeed hold. Using these tools, we found some security
vulnerabilities in Rails, and we would like to get a sense of how
important these are in practice.
1. Using CookieStore opens the door to "replay attacks", whose
importance is, we feel, underestimated. A dishonest user can replay an
old session to fool the server, of course; but more critically, it may
be possible for an attacker to steal a cookie from an honest user
after the latter is authenticated, and replay that session. The
obvious fix is to include nonce-checking for every session object to
ensure its freshness, but this may require storing nonces in the
database, which may go against the point of using CookieStore. Are
most users of Rails aware of this problem? How many actually use
ActiveRecordStore instead of CookieStore? If the latter is by far the
most common mode, then we believe that default should be
ActiveRecordStore, as it is much less susceptible to this problem.
(Session ids are usually not stateful in a bad way.)
2. The CSRF protection, at least in Rails 2.2.2, seems too weak. Rails
comes close to implementing a fix, by embedding and checking hidden
tokens (for POST requests). But it is well-known that for such a fix
to work, the tokens should be session-specific. Unfortunately, we
found that the implementation in 2.2.2 can return the same token even
if, e.g., session[:user] is different. This is bad, since an attacker
may not be an outsider: it can reasonably have an account with the
server, and if it gets back a token which it can then embed in forms
used by other, honest users, then it can execute CSRF attacks!
The common theme behind these attacks is that it may be too simplistic
to view the world as divided between a (trusted) server and an
(untrusted) attacker. Users should be isolated from other users just
as well, be it for protection against CSRF, or protection against
session replay.
Do you, as users and developers of Rails, think these are issues
important enough to worry about? We would like to hear any counter-arguments.
Best regards,
Avik Chaudhuri.
[http://www.cs.umd.edu/~avik]
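The two mechanisms the message above discusses, a cookie-only session whose valid signature says nothing about freshness (point 1) and a CSRF token that is only useful if it is bound to the session presenting it (point 2), as one added, self-contained Ruby example. This is not code from the message and not Rails' CookieStore or CSRF implementation; SERVER_SECRET, FreshnessRegistry, the session field names (sid, user, nonce), the user names and the "global token" variant are all assumptions made for the demonstration, the last one a stand-in for the weak behaviour the post reports rather than a reproduction of Rails 2.2.2 code.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Assumption: stand-in for the application's real signing secret.
SERVER_SECRET = 'demo-only-server-secret'.freeze

def hmac_hex(key, data)
  OpenSSL::HMAC.hexdigest('SHA256', key, data)
end

# Constant-time comparison so signature and token checks do not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# --- CookieStore-like session: the whole session hash lives in a signed cookie ---
def encode_session(session)
  payload = [JSON.generate(session)].pack('m0')            # strict base64, no '--'
  "#{payload}--#{hmac_hex(SERVER_SECRET, payload)}"
end

# Returns the session hash if the signature verifies, otherwise nil.
def decode_session(cookie)
  payload, sig = cookie.to_s.split('--', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_compare(hmac_hex(SERVER_SECRET, payload), sig)
  JSON.parse(payload.unpack1('m0'))
end

# --- Point 1: a valid signature does not prove freshness ---
# Server-side record of the nonce currently live for each session id. This is the
# extra state the post says a CookieStore user would have to keep (assumed design).
class FreshnessRegistry
  def initialize
    @live = {}
  end

  def login(user)                       # fresh session id and nonce at login
    rotate(SecureRandom.hex(16), user)
  end

  def rotate(sid, user)                 # re-issue: every earlier cookie for sid goes stale
    nonce = SecureRandom.hex(16)
    @live[sid] = nonce
    encode_session('sid' => sid, 'user' => user, 'nonce' => nonce)
  end

  def accept?(cookie)                   # signature must verify AND nonce must be live
    session = decode_session(cookie)
    return false unless session
    live = @live[session['sid']]
    !live.nil? && secure_compare(live, session['nonce'].to_s)
  end
end

# Alice logs in, an attacker copies her cookie, the server later rotates her
# cookie, and the attacker replays the copy.
def replay_demo
  registry = FreshnessRegistry.new
  stolen   = registry.login('alice')
  current  = registry.rotate(decode_session(stolen)['sid'], 'alice')
  {
    stolen_signature_valid: !decode_session(stolen).nil?,   # HMAC alone still passes
    stolen_accepted:        registry.accept?(stolen),       # rejected: stale nonce
    current_accepted:       registry.accept?(current)
  }
end

# --- Point 2: the CSRF token must be bound to the session that presents it ---
# Weak: the same token for every session, so any account holder can learn it.
def weak_token_for(_session)
  hmac_hex(SERVER_SECRET, 'csrf')
end

def weak_valid_csrf?(session, token)
  secure_compare(weak_token_for(session), token.to_s)
end

# Session-specific: derived from the session id, so another session's token fails.
def csrf_token_for(session)
  hmac_hex(SERVER_SECRET, "csrf:#{session['sid']}")
end

def valid_csrf?(session, token)
  secure_compare(csrf_token_for(session), token.to_s)
end

# The attacker has their own account, reads the token their session is given,
# and embeds it in a form that Alice submits from her own session.
def csrf_demo
  alice    = { 'sid' => SecureRandom.hex(16), 'user' => 'alice' }
  attacker = { 'sid' => SecureRandom.hex(16), 'user' => 'mallory' }
  {
    weak_attacker_token_accepted_for_alice: weak_valid_csrf?(alice, weak_token_for(attacker)),
    attacker_token_accepted_for_alice:      valid_csrf?(alice, csrf_token_for(attacker)),
    alice_token_accepted_for_alice:         valid_csrf?(alice, csrf_token_for(alice))
  }
end
```

Calling `replay_demo` and `csrf_demo` shows the two contrasts side by side: the stolen cookie still carries a good signature yet is refused once the registry's nonce has moved on, and the weak token scheme accepts the attacker-supplied token in Alice's session while the session-bound one does not. The nonce registry is server-side state, which is exactly the trade-off the post raises for CookieStore; the CSRF fix, by contrast, needs no extra storage because the token is recomputed from what the session already contains.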