README

Path: vendor/plugins/crumblr/README
Last Update: Wed Nov 21 08:48:55 -0800 2007

Crumblr

A plugin to protect against Cross-Site Request Forgery. From en.wikipedia.org/wiki/Crsf:

Cross-site request forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

Prevention

For the web site, switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) will help prevent these attacks. Crumblr applies this idea: it embeds a secret, user-specific token (the crumb) as a hidden field in each form and verifies it on the server in addition to the session cookie. A page on another origin can make the victim's browser send the cookie, but it cannot read or guess the crumb, so a forged request fails the check.

Example usage

  app/controllers/account_controller.rb:

    class AccountController < ApplicationController
      # Reject any non-GET request to this controller that lacks a valid crumb
      before_filter :verify_crumb
      ...
    end

  app/views/account/login.rhtml:

    <% form_for :form, :url => {:action => "login"} do |f| -%>
      <%# Emits the hidden field carrying the current user's crumb %>
      <%= crumb_tags %>
      ...
    <% end -%>

Compatible with resources

Crumblr works well with RESTful resources. Crumbs are verified for all HTTP verbs except GET, because GET requests are normally issued by links and direct navigation rather than by form submission. The flip side is that a GET action which changes state is not protected at all, so keep state-changing actions on POST, PUT or DELETE.
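The following is an added example, not part of Crumblr and not the plugin's own implementation. It shows the mechanism the Prevention section describes (a user-specific token bound to the session, verified alongside the cookie) together with the verb rule above (everything but GET is checked). The server secret, the `Request` struct and the `crumb` parameter name are assumptions made for the example; the scenarios at the bottom are constructed, not captured traffic.

```ruby
require 'openssl'

# Constructed stand-in for the server-side secret (assumption: one global
# secret). In a real app it comes from configuration, never from source.
SERVER_SECRET = 'example-secret-0123456789abcdef'.freeze

# As in Crumblr, everything except GET is checked. GET must therefore never
# change state, or the check is bypassed by a plain link or <img> request.
CRUMB_EXEMPT_VERBS = %w[GET].freeze

# Minimal request model standing in for the Rails request object (assumed).
Request = Struct.new(:verb, :session_id, :params)

# Derive a user-specific crumb: HMAC of the session id under the server
# secret. A page on another origin can read neither the secret nor the
# victim's session id, so it cannot compute the value the server expects.
def generate_crumb(session_id, secret = SERVER_SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, session_id.to_s)
end

# Constant-time comparison so timing differences do not leak the crumb.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The equivalent of a verify_crumb before_filter: true when the request
# may proceed, false when it must be rejected.
def crumb_valid?(request, secret = SERVER_SECRET)
  return true if CRUMB_EXEMPT_VERBS.include?(request.verb.to_s.upcase)
  submitted = request.params['crumb']
  return false if submitted.nil? || submitted.to_s.empty?
  secure_compare(generate_crumb(request.session_id, secret), submitted.to_s)
end

# What a crumb_tags-style helper would emit into a form for this session.
def crumb_hidden_field(session_id, secret = SERVER_SECRET)
  %(<input type="hidden" name="crumb" value="#{generate_crumb(session_id, secret)}" />)
end

# Constructed scenarios (not real traffic): returns the verdict for each.
def demo
  sid = 'victim-session-7f3a'  # value the browser holds in its session cookie
  own_crumb = generate_crumb(sid)

  # Genuine form submission rendered by the site: cookie plus matching crumb.
  legit = Request.new('POST', sid, { 'crumb' => own_crumb, 'amount' => '10' })
  # Forged cross-site form: the browser attaches the cookie, but the
  # attacker's page cannot supply the crumb.
  forged = Request.new('POST', sid, { 'amount' => '1000' })
  # Attacker submits a crumb from their own session: wrong, because the
  # crumb is bound to the victim's session id.
  guessed = Request.new('POST', sid, { 'crumb' => generate_crumb('attacker-session') })
  # GET is exempt, so a state-changing GET route would go unprotected.
  get = Request.new('GET', sid, {})

  { legit: crumb_valid?(legit), forged: crumb_valid?(forged),
    guessed: crumb_valid?(guessed), get: crumb_valid?(get) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Binding the crumb to the session id means it changes whenever the session does (for example on login), which is the behaviour you want: a form rendered under an old session cannot be replayed against a new one.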

License & Author

Crumblr, a Ruby on Rails plugin to protect against Cross-Site Request Forgery

Copyright (C) 2007 Bart Teeuwisse <bart [dot] teeuwisse [at] thecodemill.biz>

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
