Ruby Missing Csrf Protection
Description
Detects when Ruby on Rails controllers have missing or disabled CSRF protection mechanisms, which could allow attackers to perform unauthorized actions on behalf of authenticated users. Cross-Site Request Forgery (CSRF) vulnerabilities can lead to malicious state-changing requests being performed without user consent.
Detection Strategy
• Review Ruby controller classes that inherit from ActionController::Base
• Check if CSRF protection is disabled through methods like 'skip_before_action :verify_authenticity_token' or 'protect_from_forgery with: :null_session'
• Flag controllers where CSRF protection mechanisms are missing or explicitly disabled
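The detection strategy above can be implemented as a small static checker. The following Ruby script is an added example written for this page; it is not Fluid Attacks' scanner and does not reproduce how their rule is implemented. It walks a controller source file line by line, tracks the enclosing controller class, and flags the three patterns listed in the strategy (`skip_forgery_protection`, `skip_before_action :verify_authenticity_token`, and `protect_from_forgery with: :null_session`). It goes slightly beyond the bullet list by recording whether a skip is scoped with `only:`/`except:`, since a per-action exemption (for example a webhook endpoint) is a different risk from a controller-wide one. The controller sources embedded below are constructed for the demonstration.

```ruby
# Added example: static check for disabled CSRF protection in Rails controllers.
# Not the page's or Fluid Attacks' own tooling; regexes are line-based and
# deliberately simple (a '#' inside a string on the same line would be mis-read).

CSRF_DISABLE_PATTERNS = {
  skip_forgery_protection: /^\s*skip_forgery_protection\b/,
  skip_verify_token:       /^\s*skip_before_action\s+:verify_authenticity_token\b/,
  null_session:            /^\s*protect_from_forgery\b.*with:\s*:null_session\b/
}.freeze

CONTROLLER_CLASS = /^\s*class\s+([\w:]+)\s*<\s*(?:ActionController::Base|ApplicationController)\b/

# One finding per matching line: which controller, where, which pattern,
# whether the skip is limited to some actions, and the offending source line.
Finding = Struct.new(:controller, :line, :pattern, :scoped, :source)

# Scan the text of one Ruby file and return an array of Finding structs.
def scan_controller_source(source)
  findings = []
  controller = nil
  source.each_line.with_index(1) do |raw, lineno|
    code = raw.sub(/#.*$/, "")            # drop trailing comments before matching
    controller = Regexp.last_match(1) if code.match(CONTROLLER_CLASS)
    CSRF_DISABLE_PATTERNS.each do |name, re|
      next unless code.match?(re)
      scoped = code.match?(/\b(?:only|except):/)
      findings << Finding.new(controller, lineno, name, scoped, raw.strip)
    end
  end
  findings
end

# Constructed sample controllers (not from the original page).
VULNERABLE_SRC = <<~RUBY
  class UserController < ActionController::Base
    skip_forgery_protection
    def update
      @user.update(params[:user])
    end
  end
RUBY

SAFE_SRC = <<~RUBY
  class UserController < ActionController::Base
    protect_from_forgery with: :exception
    def update
      @user.update(user_params)
    end
  end
RUBY

WEBHOOK_SRC = <<~RUBY
  class WebhooksController < ApplicationController
    # skip_forgery_protection is NOT used here; only one action is exempted
    skip_before_action :verify_authenticity_token, only: [:receive]
    def receive; end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  { "vulnerable" => VULNERABLE_SRC, "safe" => SAFE_SRC, "webhook" => WEBHOOK_SRC }.each do |label, src|
    scan_controller_source(src).each do |f|
      scope = f.scoped ? "scoped to some actions" : "controller-wide"
      puts "#{label}: #{f.controller} line #{f.line}: #{f.pattern} (#{scope}) -> #{f.source}"
    end
  end
end
```

A scoped finding still deserves review (the exempted actions must genuinely be non-session endpoints, such as signed webhooks), but it should be triaged separately from a controller-wide `skip_forgery_protection`, which leaves every state-changing action exposed.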
Vulnerable code example

```ruby
class UserController < ActionController::Base
  # VULNERABLE: disables CSRF protection for all actions in this controller
  skip_forgery_protection

  def update
    @user.update(params[:user])
  end
end
```

✅ Secure code example
```ruby
class UserController < ActionController::Base
  # Enable CSRF protection; a forged request raises ActionController::InvalidAuthenticityToken
  protect_from_forgery with: :exception
  def update
    # Use strong parameters to explicitly permit allowed fields
    @user.update(user_params)
  end
  private
  # Completed here: strong-parameters helper (:name and :email are example fields)
  def user_params
    params.require(:user).permit(:name, :email)
  end
end
```