<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/stylesheets/rss.css" type="text/css"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>Yup Dot Com: Beware of "Assumed Logged In" Attacks</title>
    <link>http://www.yup.com/articles/2006/08/30/beware-of-assumed-logged-in-attacks</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description>Advanced Web Services</description>
    <item>
      <title>Beware of &quot;Assumed Logged In&quot; Attacks</title>
      <description>&lt;p&gt;&lt;img style="float: right; border: 1px dotted #ccc; margin: 4px; padding: 4px" src="http://static.flickr.com/54/128390795_3d16a30ee3_m.jpg" /&gt;
Brian Ellin of Portland, Oregon, warns us of &amp;#8220;assumed logged in&amp;#8221; attacks: cross-site attacks in which a malicious site crafts a URL to a destructive action on a different site, one you are assumed to be logged in to, and opens that URL in a hidden frame so the action runs with your existing session. His solution: the secure-action-plugin. He describes the problem and the solution:&lt;/p&gt;

&lt;blockquote&gt;

&lt;p&gt;In an assumed logged in attack, a malicious site assumes the visitor is logged into your site. The malicious site manually crafts a URL to a destructive action on your site (change email, delete account, etc.) and opens the URL to that action in a hidden iframe. The browser then sends the user’s cookies and actions may be performed on your user’s behalf without them ever knowing. This technique may be used to steal accounts, inject or delete account data, or perform other malicious actions.&lt;/p&gt;

&lt;p&gt;The plugin works by overriding ActionController.url_for and adding a signature of the user’s session_id and some salt to URL query strings. By adding a sig that includes the user’s session_id, it makes it impossible for malicious sites to create URLs that will work on your site for anyone but themselves. The signature is verified before a secure action is executed.&lt;/p&gt;

&lt;/blockquote&gt;

&lt;p&gt;Until now, I had not conceived of this type of attack. Thanks, Brian.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://wiki.rubyonrails.com/rails/pages/Secure+Action"&gt;Secure Action on the Rails Wiki Page&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://code.google.com/p/secure-action-plugin/"&gt;Plugin Home Page&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://www.agilewebdevelopment.com/plugins/secure_action_plugin"&gt;Ruby Plugins Directory Entry&lt;/a&gt;&lt;/p&gt;</description>
      <pubDate>Wed, 30 Aug 2006 07:01:00 -0400</pubDate>
      <guid isPermaLink="false">urn:uuid:a982cd27-e9e4-43fc-aab0-ba103c08600c</guid>
      <author>Daniel Butler</author>
      <link>http://www.yup.com/articles/2006/08/30/beware-of-assumed-logged-in-attacks</link>
      <category>Ruby on Rails</category>
    </item>
  </channel>
</rss>
