
Ruby on Rails Vulnerability Allows CSRF Protection Bypass


A critical vulnerability has been identified in Ruby on Rails’ Cross-Site Request Forgery (CSRF) protection mechanism. It affects every version since the 2022/2023 “fix” and persists in the current implementation.

This flaw undermines the framework’s ability to secure applications against CSRF attacks, potentially allowing attackers to forge or replay tokens and execute unauthorized actions on behalf of users.

CSRF Token Mechanism Exposed

The root of the issue lies in how Rails generates and handles its CSRF tokens.

Rails uses a “one-time pad” (OTP), a random byte string the same length as the token, to mask the “raw token”. The raw token is either a global token or a per-form token, depending on whether per-form CSRF protection is enabled.

The OTP is XORed with the raw token to produce an “encrypted” token, and the OTP and this encrypted token are concatenated to form the “masked token.” Because the OTP is freshly generated on every render, the same raw token yields a different masked token each time. The masking exists to defeat compression side-channel attacks such as BREACH; it is not an integrity or authentication mechanism in its own right, since unmasking requires no secret.

This masked token is then Base64-encoded and sent to the user ...
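The scheme described above, as an added standalone example in Ruby. This is not Rails’ own code: it mirrors the structure of the masking step (random OTP, XOR, concatenation, Base64) and adds a simplified server-side check; the function names, the 32-byte token length, the strict Base64 variant, and the HMAC-based per-form derivation are assumptions made for this illustration. It also shows the practitioner-relevant property of the mask: anyone holding a masked token can strip the OTP and re-mask with a new one, and the result still validates, because the mask carries no freshness or binding of its own.

```ruby
require "securerandom"
require "base64"
require "openssl"

# Example re-implementation of the masking scheme, not Rails code.
# Token length and Base64 variant are assumptions for this example.
TOKEN_LENGTH = 32

# XOR two equal-length binary strings.
def xor_bytes(a, b)
  raise ArgumentError, "length mismatch" unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison so that verification does not leak
# how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The per-session secret ("raw"/global token): random bytes kept in the session.
def new_raw_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# Assumed per-form derivation: bind the session secret to an action path and
# HTTP method with an HMAC, so a token for one form is useless for another.
def per_form_token(raw_token, action_path, method)
  OpenSSL::HMAC.digest("SHA256", raw_token, [action_path, method.downcase].join("#"))
end

# mask: otp || (otp XOR raw), then Base64. A fresh OTP every call means the
# same raw token produces a different masked string each time.
def mask_token(raw_token)
  otp = SecureRandom.random_bytes(raw_token.bytesize)
  Base64.strict_encode64(otp + xor_bytes(otp, raw_token))
end

# unmask: split off the OTP and XOR it back out. No secret is needed here,
# which is why the mask itself provides no authentication.
def unmask_token(masked)
  bytes = Base64.strict_decode64(masked)
  return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
  otp = bytes.byteslice(0, TOKEN_LENGTH)
  enc = bytes.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  xor_bytes(otp, enc)
rescue ArgumentError
  nil # malformed Base64
end

# Re-mask a captured token under a new OTP. It will still validate: the
# server only checks the unmasked value, never the OTP.
def remask(masked)
  raw = unmask_token(masked)
  raw && mask_token(raw)
end

# Simplified server-side check: unmask, then compare in constant time against
# the session secret and, when the request names a form, its per-form token.
def valid_token?(masked, session_raw, action_path: nil, method: nil)
  unmasked = unmask_token(masked)
  return false unless unmasked
  candidates = [session_raw]
  candidates << per_form_token(session_raw, action_path, method) if action_path && method
  candidates.any? { |c| secure_compare(c, unmasked) }
end
```

The security-relevant point is where the secret lives: only the raw token (and the session holding it) is secret. A masked token is a public encoding of that secret under a throwaway pad, so an attacker who obtains one masked token can mint arbitrarily many others that pass verification for as long as the session secret is unchanged.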


Copyright of this story solely belongs to gbhackers.