rubysnippets.net
  • Share your snippet?

    • CORS attack

    This attack method send unauthorized request by including malicious code or a link to cheating on web application that user have authenticated.
     
    The world without CSRF token
    - Client sign in to a bank service.
    - bank.com create a user session
    - Attacker send a link to user
    CORS
    - Assume user access the link (not knowing that it is a malicious site)
    - Browser loads the hacker's site, access the url (src of image). Although the image cannot loaded but it sent a GET request to bank.com and user didn't know.
    - Similar to POST request. Attacker can makes an ajax request via javascript events (onload, click, hover)
    - bank.com handles attacker's request using user session
    CORS
     
    The world with CSRF token
    - Rails server generates csrf token for every request and keep it on session (take a look at )
    - The config protect_from_forgery with: :exception will automatically include csrf token in all forms and Ajax requests generated by Rails
    - When user send a request to server. It will compare two csrf tokens and raise an error if they are different. So attacker is not able to guest the token to create a valid request. This will prevent CORS attack on POST request. For GET request, you should not allow user create or update data also.