homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
Forum Library, Charter, Moderators: phranque

Website Technology Issues Forum

Ruby on Rails Cookiestore Vulnerability

WebmasterWorld Administrator engine us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

Msg#: 4626539 posted 11:34 am on Nov 28, 2013 (gmt 0)

Back in September, security researcher G.S. McNamara warned that certain Ruby on Rails versions were plagued by a vulnerability that allowed hackers to hijack user sessions. Last week, the researcher provided a list of website that were vulnerable.

The security hole stems from the use of CookieStore, which holds the user session hash in the web browser as a cookie. However, even after a new cookie is created, the old one is still valid, which means that it can be used to hijack user accounts.

This is known as insufficient session expiration weakness. The expert warns that this type of flaw is particularly dangerous on websites that donít use SSL. Ruby on Rails Cookiestore Vulnerability [news.softpedia.com]
Itís also worth noting that while only Ruby on Rails versions older than 4.0 donít encrypt cookies by default, cybercriminals can abuse even encrypted cookies to hijack accounts.



WebmasterWorld Senior Member 5+ Year Member

Msg#: 4626539 posted 1:06 pm on Nov 28, 2013 (gmt 0)

Django is also vulnerable to this if you use use cookie storage for sessions, but this is not the default.

Also, any site that does not use SSL for all logged in users is vulnerable to a MITM attack. The difference here is that the window of opportunity is larger.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved