[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] [Ruby on Rails] Move away from CookieStore if you care about your users and their security. Here is a technical explanation why.
- To: "G. S. McNamara" <main@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [Ruby on Rails] Move away from CookieStore if you care about your users and their security. Here is a technical explanation why.
- From: joernchen <joernchen@xxxxxxxxxxxx>
- Date: Wed, 25 Sep 2013 11:50:37 +0200
Hi,
On Tue, Sep 24, 2013 at 09:30:58PM -0400, G. S. McNamara wrote:
> Ruby on Rails Web applications versions 2.0 through 4.0 are by default
> vulnerable to an oft-overlooked Web application security issue: Session
> cookies are valid for life.* A malicious user could use the stolen cookie
> from any authenticated request by the user to log in as them at any point
> in the future.
>
There are other fun things which might happen, imagine App_A and App_B
which share the same codebase (let's just imagine two instances of a
some kind of appliance with a RoR Web frontend). If the vendor has not
taken care to generate a unique cookie-signing secret for each appliance
you could just log into your appliance (App_A) and reuse the token on
App_B yielding a session with the same userId on App_B.
This however relies on a mechanism like "authenticated_system" which
just puts your userId in the session cookie.
cheers,
joernchen
--
joernchen ~ Phenoelit
<joernchen@xxxxxxxxxxxx> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/