Cross-Site Request Forgery: Missing protect_from_forgery

ID

ruby.checkforgerysetting

Severity

high

Resource

Cross-Site Request Forgery

Language

Ruby

Description

Cross-Site Request Forgery (CSRF) is a security vulnerability that occurs when a malicious actor tricks a user’s browser into performing unwanted actions on a trusted web application where the user is authenticated. It primarily exploits the trust that a web application has in an authenticated user’s browser.

It can lead to unauthorized actions being executed in a web application on behalf of the user, potentially compromising personal data, making unauthorized transactions, or performing administrative operations.

Rationale

This detector verifies that protect_from_forgery is enabled in direct subclasses of ActionController::Base.

Remediation

The most common protection strategy against CSRF is to use anti-CSRF tokens, which ensure that requests originate from the legitimate user. The token should be generated on the server backend and included in every form or request sent to the backend.

Additional protection techniques that complement, but do not replace, the anti-CSRF token:

  • Validate Referer Header: In some cases, checking the Referer or Origin headers can provide another layer of protection, ensuring that the request originates from the same site.

  • Force User Interaction: Force significant actions to require additional confirmation steps, like re-authentication or other forms of verification.

  • SameSite Cookie Attribute: Use the SameSite attribute for cookies to prevent them from being sent in cross-site requests.

Implementing these strategies in your applications will significantly reduce the risk of CSRF attacks.
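The following Ruby script is an added example, not the detector's own implementation. Using only the standard-library Ripper parser, it applies the check described under Rationale (report direct subclasses of ActionController::Base whose class-level statements never call protect_from_forgery) to a constructed sample that also shows the remediated form, `protect_from_forgery with: :exception`. The sample controller names are assumptions.

```ruby
require "ripper"

# Constructed sample of three controllers; only the first should be reported.
SAMPLE_SOURCE = <<~RUBY
  class ApplicationController < ActionController::Base   # flagged: no protect_from_forgery
    def set_locale
      I18n.locale = params[:locale]
    end
  end

  class Admin::BaseController < ::ActionController::Base  # fine: protection declared
    protect_from_forgery with: :exception
  end

  class UsersController < ApplicationController           # fine: not a direct subclass
    def index; end
  end
RUBY

# Joins the @const leaves of a constant node into "Foo::Bar" (handles ::Foo too).
def const_name(node)
  return [] unless node.is_a?(Array)
  return [node[1]] if node[0] == :@const
  node.flat_map { |child| const_name(child) }
end

# True if a call to +name+ appears anywhere in the node tree (bare, with args, or parenthesised).
def calls?(node, name)
  return false unless node.is_a?(Array)
  return true if node[0] == :@ident && node[1] == name
  node.any? { |child| calls?(child, name) }
end

# Collects direct ActionController::Base subclasses whose class-level statements
# (method bodies excluded) never call protect_from_forgery.
def find_offenders(node, out)
  return out unless node.is_a?(Array)
  if node[0] == :class && const_name(node[2]).join("::") == "ActionController::Base"
    stmts = node[3][1].reject { |s| s.is_a?(Array) && s[0] == :def }
    out << const_name(node[1]).join("::") unless stmts.any? { |s| calls?(s, "protect_from_forgery") }
  end
  node.each { |child| find_offenders(child, out) }
  out
end

# Returns the names of offending classes in +source+; raises on a syntax error.
def missing_forgery_protection(source)
  tree = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
  find_offenders(tree, [])
end
```

Running `missing_forgery_protection(SAMPLE_SOURCE)` returns `["ApplicationController"]`; controllers that inherit from ApplicationController are not reported because they pick up whatever it declares.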

Configuration

This detector does not need any configuration.

References