Is it safe to disable CSRF tokens for JSON Rails calls?

I have an existing Rails website that makes JSON calls to the server. Now I am developing a mobile iOS app to use the same backend and send JSON calls. However, the mobile requests fail with:

WARNING: Can't verify CSRF token authenticity 

Searching around Stack Overflow, many have suggested disabling CSRF checking for JSON calls using something like this:

    # Or this in your application_controller.rb
    def verified_request?
      if request.content_type == "application/json"
        true
      else
        super()
      end
    end

But my question is: I do not understand how this prevents JSON CSRF attacks. An attacker can always send a JSON request to our endpoint from his site. Does anyone know about this? I could not find a clear answer to this question.

+6
security ios
May 20 '12 at 18:28
2 answers

What you are describing is very easy to do with Flash:

    var request:URLRequest = new URLRequest("http://stackoverflow.com");
    request.requestHeaders.push(new URLRequestHeader('Content-Type', 'application/json'));
    request.data = unescape('{"a":1,"b":{"c":3}}');
    request.method = URLRequestMethod.POST;
    navigateToURL(request, '_blank');

If you look at the CSRF security cheat sheet, you can check the referrer to make sure that it belongs to a domain that you trust. If the referrer is empty, it may come from an https URL, so it should be treated as a failure. Relying on the Ruby CSRF token is a stronger form of CSRF protection.

+2
May 20 '12 at 22:19

This is a fix for AJAX.

Get the csrf_token from Rails (or from somewhere else) via the meta tag:

    // js file
    var csrf_token = $('meta[name=csrf-token]').attr('content');

or

    // js.erb file
    // The session key is read in a single ERB expression; nesting <%= %> tags is not valid ERB.
    var csrf_token = "<%= request.session[:_csrf_token] %>";

then add this to the JS:

    $("body").bind("ajaxSend", function(elm, xhr, s){
      if (s.type == "POST") {
        // place the csrf_token line from above here
        xhr.setRequestHeader('X-CSRF-Token', csrf_token);
      }
    });
+1
Jun 06 2018-12-06T00: 00Z
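The decision both answers turn on, as an added plain-Ruby model (not Rails' own code and not from either answer): the question's Content-Type override beside a hardened check that ignores Content-Type. The API-key path for the mobile app goes beyond what the answers state and is an assumed design; every token, key and request value is constructed.

```ruby
# Plain-Ruby model of the Rails verified_request? decision (added example,
# not Rails' own code). A request is a Hash with :method, :content_type,
# :headers, :params and :cookies. Every token, key and request below is a
# constructed sample value.
SESSION_CSRF_TOKEN = 'constructed_session_csrf_token_value'
MOBILE_API_KEY     = 'constructed_mobile_api_key' # assumed mobile-app design

# Constant-time comparison so the check cannot leak the token via timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The token check for state-changing requests: the token may arrive in the
# X-CSRF-Token header (the ajaxSend hook above) or as a form parameter.
def csrf_token_ok?(req)
  return true if %w[GET HEAD].include?(req[:method])
  sent = req[:headers]['X-CSRF-Token'] || req[:params]['authenticity_token']
  secure_equal?(sent, SESSION_CSRF_TOKEN)
end

# The override from the question: a JSON Content-Type skips the check.
# The client controls Content-Type (the Flash snippet above sets it), so a
# cross-site POST riding the victim's session cookie is waved through.
def weak_verified_request?(req)
  req[:content_type] == 'application/json' || csrf_token_ok?(req)
end

# Hardened: Content-Type plays no part. The mobile app authenticates with a
# per-app key header instead of a session cookie, so its requests carry no
# ambient credential a cross-site page could attach; browser sessions must
# still present the CSRF token.
def hardened_verified_request?(req)
  api_key = req[:headers]['X-Api-Key']
  return true if req[:cookies].empty? && secure_equal?(api_key, MOBILE_API_KEY)
  csrf_token_ok?(req)
end

# Constructed requests mirroring the three cases on this page.
CROSS_SITE_FLASH_POST = { method: 'POST', content_type: 'application/json',
  headers: {}, params: {}, cookies: { '_app_session' => 'victim' } }
SAME_ORIGIN_AJAX_POST = { method: 'POST', content_type: 'application/json',
  headers: { 'X-CSRF-Token' => SESSION_CSRF_TOKEN }, params: {},
  cookies: { '_app_session' => 'victim' } }
MOBILE_APP_POST = { method: 'POST', content_type: 'application/json',
  headers: { 'X-Api-Key' => MOBILE_API_KEY }, params: {}, cookies: {} }
```

The weak check accepts the cross-site Flash POST purely because of its Content-Type; the hardened check rejects it, still accepts the same-origin AJAX request that carries X-CSRF-Token, and accepts the cookie-less mobile request on its key alone.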
