Hello PDX.rb friends,

I just released a new Rails plugin and thought I'd share.
secure-action-plugin provides an interface for protecting your app
against assumed-logged-in attacks.

In an assumed-logged-in attack, a malicious site assumes the visitor is
logged into your site. The malicious site manually crafts a URL to a
destructive action on your site (change email, delete account, etc) and
opens the URL to that action in a hidden iframe. The browser then sends
the user's cookies and actions may be performed on your user's behalf
without them ever knowing. This technique may be used to steal accounts,
inject or delete account data, or perform other malicious actions.  Yikes!

The plugin works by overriding ActionController.url_for and adding a
signature of the user's session_id and some salt to URL query strings.
By adding a sig that includes the user's session_id, it makes it
impossible for malicious sites to create URLs that will work on your
site for anyone but themselves.  The signature is verified before a
secure action is executed.
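To make the mechanism concrete, here is an added example of the signed-URL idea written as plain Ruby. It is not the plugin's own code and does not reuse its API: the secret (`SECRET_SALT`), the helper names (`secure_url_for`, `secure_action_allowed?`) and the choice of HMAC-SHA256 are assumptions made for this illustration. The signature binds the session id, the target path and the query parameters, so a URL built by a third-party site that does not know the victim's session id (or that is copied from one session and replayed in another) fails verification.

```ruby
require 'openssl'
require 'uri'
require 'cgi'

# Hypothetical server-side secret, the "salt" from the post. Constructed value.
SECRET_SALT = 'constructed-server-secret-change-me'.freeze

# HMAC over session id + path + canonicalised params. Binding path and params
# means a valid sig for one action cannot be reused for a different one.
def action_signature(session_id, path, params)
  canonical = params.map { |k, v| [k.to_s, v.to_s] }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  OpenSSL::HMAC.hexdigest('SHA256', SECRET_SALT, "#{session_id}|#{path}|#{canonical}")
end

# Build an action URL carrying the signature as a `sig` query parameter,
# the role url_for plays in the post's description.
def secure_url_for(session_id, path, params = {})
  string_params = params.map { |k, v| [k.to_s, v.to_s] }.to_h
  sig = action_signature(session_id, path, string_params)
  query = string_params.merge('sig' => sig)
                       .map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }
                       .join('&')
  "#{path}?#{query}"
end

# Constant-time comparison so the verifier does not leak how many leading
# bytes of the signature were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify before executing a secure action: recompute the signature using the
# *requesting* session's id and compare it to the one carried in the URL.
def secure_action_allowed?(session_id, url)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  sig = params.delete('sig')
  return false if sig.nil?
  expected = action_signature(session_id, uri.path, params)
  secure_compare(expected, sig)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed session ids: the victim's and an attacker's.
  victim_url = secure_url_for('sess-victim', '/account/delete', 'id' => '42')
  puts "victim's own link:        #{secure_action_allowed?('sess-victim', victim_url)}"
  puts "same link, other session: #{secure_action_allowed?('sess-attacker', victim_url)}"
  puts "hand-crafted, no sig:     #{secure_action_allowed?('sess-victim', '/account/delete?id=42')}"
end
```

The verification step is where the protection lives: the session id used to recompute the signature comes from the cookie the browser sends, never from the URL, so a link crafted by another origin can only validate for the session it was generated in.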

More info on the rails wiki page:
http://wiki.rubyonrails.com/rails/pages/Secure+Action

Project homepage:
http://code.google.com/p/secure-action-plugin/

Cheers,
Brian Ellin
_______________________________________________
PDXRuby mailing list
[email protected]
IRC: #pdx.rb on irc.freenode.net
http://lists.pdxruby.org/mailman/listinfo/pdxruby