Rails 3 ActiveRecordStore session_id篡改 [英] Rails 3 ActiveRecordStore session_id tampering
问题描述
我正在 Rails 3.0.9 中共同开发一个简单的Web应用程序,并且我意识到有可能通过恶意请求篡改session_id.请记住,这是我的第一个RoR应用程序,因此我的想法可能完全错误.
I am co-developing a simple web app in Rails 3.0.9 and I have realized that there is a possible session_id tampering possible via malicious request. Mind the fact, that this is my first RoR application, so I could be totally wrong in my conceptions.
当前的应用程序功能需要会话,因此我转向ActiveRecordStore会话存储,安装并开始在原始工作流程中进行测试.我注意到,Rails框架使用名称_session_id和一些类似于哈希的随机字符串的值创建了cookie(在DB SESSION表中,该字符串与session_id列相对应).
Current application functionality requires sessions so I turned to ActiveRecordStore session storage, installed it and started testing in primitive workflows. I noticed that Rails framework creates cookie with the name _session_id and value of some random hash-like string (in DB SESSION table this string corresponds to session_id column).
如果更改了cookie中的值(例如,使用Firebug),则当前会话ID将更改为cookie数据提供的值(由
If that value in the cookie is changed, for example with Firebug, current session id changes to one provided with cookie's data (inspected with request.session_options[:id]), and the change is propagated to the database table, creating new session record with aforementioned parameters.
虽然这对会话变量没有任何影响,但会话ID已从其通常的类似于哈希的外观变为用户篡改的会话.
While this brings no implications on a variables of the session, the session id have deviated from its usual hash-like appearance to a user tampered one.
这里是一个问题-如何检测或最好防止这种行为?
Here is the question - how this behavior can be detected or preferably prevented?
推荐答案
要回答您的问题,重要的是要了解如何生成会话ID的机制. (摘自文档)
To answer your question, it is important to understand the mechanics of how the session-id is generated. (from the docs)
会话ID由随机字符串的哈希值组成.随机字符串是当前时间,0到1之间的一个随机数,Ruby解释器的进程ID号(基本上也是一个随机数)和一个常数字符串.目前,强行使用Rails的会话ID是不可行的.迄今为止,MD5并未受到损害,但是已经发生了冲突,因此从理论上讲,可以创建具有相同散列值的另一个输入文本.但这迄今为止还没有安全影响.
A session id consists of the hash value of a random string. The random string is the current time, a random number between 0 and 1, the process id number of the Ruby interpreter (also basically a random number) and a constant string. Currently it is not feasible to brute-force Rails’ session ids. To date MD5 is uncompromised, but there have been collisions, so it is theoretically possible to create another input text with the same hash value. But this has had no security impact to date.
因此,会话ID被设计为在密码上难以"猜测.攻击者可以更改session_id,但其想法是他们永远无法猜测有效的会话.
So the session ID is engineered to be cryptographically "hard" to guess. An attacker could change the session_id but the idea is that they could never guess a valid session.
如何预防?
How can this be prevented?
根据上述逻辑,如果您减少会话到期时间,则活动" session_id的数量将大大减少.因此,使攻击者更难于随机选择可用的ID.
Based on the above logic, if you lower your session expiration times, there will be considerably fewer "live" session_id's. Thus making it even harder for an attacker to randomly select a usable id.
如何检测到这种行为?
How can this behavior be detected?
最简单的方法是记录所有具有无效(未过期)会话ID的请求.如果您发现大量此类请求涌入,则可能是某人正在尝试获取非他们自己的会话.
The easiest way is to log all requests with invalid (not expired) session id's. If you see a considerable influx of such requests, someone is probably attempting to acquire a session that is not their own.
这篇关于Rails 3 ActiveRecordStore session_id篡改的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
