Hello there, we have a Rails application, and our security team is complaining on pentests that the CSRF protection built into Rails is not adequate:
The testers have verified whether the application properly protects against unauthorized actions by ensuring requests come from authenticated users and are not triggered by malicious websites.
Description: The testers discovered that anti-CSRF tokens are not functional, and the same requests can be replayed several times without being invalidated.
Risk: An anti-CSRF token that is not invalidated after use can be reused by an attacker to perform malicious actions on behalf of the user, exposing the application to CSRF and replay attacks. This can lead to unauthorized actions such as modifying sensitive data or executing fraudulent transactions, while also making the attack difficult to detect.
Recommendation: It is crucial to invalidate or regenerate the token after each use to prevent reuse. Limiting the token's lifetime to a session or a short period helps avoid prolonged attacks. Each request should use a unique token.
I believed that CSRF protection did not need to include a nonce token. The whole point of CSRF protection is to make sure that the request originates from the legitimate form and not some random form on the Internet. However, if for any reason the token is leaked, it makes sense to have it rotated frequently (even at every request perhaps).
How can this be implemented in Rails, where the token is in the session? Is it possible to include a nonce in the token that is checked to appear only once? I believe this can cause other issues with JavaScript requests that use the CSRF token from the page HEAD, which stays the same across Turbo visits.
Or is there perhaps a way to demonstrate that there is no added security in rotating the token?
Thank you
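As an added example (not from the original post and not Rails' own code), here is a simplified Ruby model of the per-request masking that Rails applies to its session CSRF token: every render yields a different string, but the session secret underneath is unchanged, so a previously issued token still verifies, which is exactly the replay the testers observed, while rotating the session secret is what actually invalidates earlier tokens. The function names (`masked_token`, `valid_token?`, `rotate_token!`) and the hash-based session are assumptions made for this illustration.

```ruby
require "securerandom"

TOKEN_LENGTH = 32 # bytes of raw per-session secret (same size Rails uses)

# Simulated session store; strict base64 via pack("m0") avoids the base64 gem.
def new_session
  { csrf_token: [SecureRandom.random_bytes(TOKEN_LENGTH)].pack("m0") }
end

# Regenerating the secret is the only thing that invalidates old tokens.
def rotate_token!(session)
  session[:csrf_token] = [SecureRandom.random_bytes(TOKEN_LENGTH)].pack("m0")
end

def raw_token(session)
  session[:csrf_token].unpack1("m0")
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Length-checked comparison that does not short-circuit on the first mismatch.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Per-request masking: XOR the secret with a fresh one-time pad and prepend the pad.
# The output differs on every call (a BREACH mitigation), but it is not a nonce:
# nothing is consumed, so any masked token stays valid for the session's lifetime.
def masked_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, raw_token(session))].pack("m0")
end

# Verification strips the pad, unmasks, and compares against the session secret.
def valid_token?(session, encoded)
  decoded = encoded.unpack1("m0")
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad, masked = decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), raw_token(session))
rescue ArgumentError
  false # malformed base64
end
```
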