oivoodoo / devise_masquerade

Extension for Devise that enables "login as" functionality. Add a link to masquerade_path(resource) and use it.

Should links have a secure token on them?

njt1982 opened this issue

This gem seems to generate links as http://localhost:3000/users/masquerade/[uid] - is this not vulnerable to CSRF?

The Masquerade module in Drupal does this. It makes URLs like this:
https://example.com/masquerade/switch/123?token=[LONG TOKEN HERE]

The token is generated using a site-specific salt and is confirmable, so you can't just alter it.

If I enable this gem on our site and one of the admin users visits a site which calls domain.com/users/masquerade/123 via, say, an <img src="" />, won't this trigger our site to switch users?

Hi @njt1982

I think the basic idea of how to use this gem is:

  1. Add the masqueradable lib to one of your models.
  2. Update routes.
  3. Make sure that you use the masquerade action in a place where you have the right authorization layer. Let's assume you have admin pages (/users); there you can define a masquerade link next to each user. This page requires admin rights to be accessed. You should define the route to make masquerade in terms of admin rights. Please check the documentation if you need a separate authorization implementation, for example using the cancan library, and define a before filter.

The library doesn't actually make any code changes around authentication and authorization. If the current user has access to see and run the masquerade action (allowed by these pages), it means he can authorize as the selected user.

The token is alive for a specific amount of time, just in case a user who has the rights to run masquerade on one of your users copied the link from the page. It will live until the token expires (it's a configurable value as well).

Also, could you provide more details about the <img /> example? I believe it's possible to add this image on the page because it's still a GET request, but I am not sure that it's an issue of this gem. If it's possible to get this link outside of the admin page and then the user has access to make masquerade, it sounds like a design issue.

The token is generated by the SecureRandom class.

Hi,

So, firstly, I'm not sure where this SecureRandom token is used. I have followed the instructions and I end up with links like /user/masquerade/4. I don't see any unique token on that link which forces it to only be "alive" for a certain period. An expiring token on it would be perfect!

The basic attack vector would involve knowing that a site uses this gem. Knowing this, and assuming some things, like the default Devise base path which masquerade appends to, you could craft thousands of URLs like <img src="http://example.com/user/masquerade/1" />. You'd then embed those links on a page which you expect an admin for example.com to use (maybe you craft a phishing email, or leave them in comments on a blog post you suggest they read, on a site you know doesn't filter HTML very well). Say I am the admin. I open the link you send me. My browser will request those thousand URLs as me (it's my browser and my session).

Now, admittedly, all this does is switch my user to another one... but that could be a stepping stone to another attack vector (what if, by being a specially crafted user, it causes me to run something on my own domain as that user, so I lose the protection of things like CORS and other cross-site scripting protections?).
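As an added example, not code from the devise_masquerade gem or from either commenter, the following plain-Ruby module shows the kind of link the thread is asking for: a masquerade token signed with a site-specific secret (HMAC-SHA256) that carries an expiry, so a bare, guessable /users/masquerade/42 URL dropped into an <img> on a third-party page no longer switches the admin's session. It goes slightly beyond the thread by also binding the token to the acting admin, so a token copied from one admin's page cannot be replayed by another account. The module name MasqueradeToken, its methods, the /users/masquerade path prefix, the query parameter name, the secret and the user ids are all assumptions made for this illustration; a real app would take the secret from its credential store and check the admin's authorization before minting anything.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Hypothetical helper (not part of devise_masquerade): mints and checks
# expiring, HMAC-signed masquerade tokens. A bare /users/masquerade/:id
# URL is guessable, so a third-party page can embed it in an <img> and the
# admin's browser sends it with the admin's session cookie. A token bound
# to the acting admin, the target user and an expiry time cannot be guessed
# by such a page, which defeats that link forgery.
module MasqueradeToken
  # Site-specific secret. A real app would take this from its credential
  # store (e.g. secret_key_base); this one is generated for the example.
  SECRET = SecureRandom.hex(32)
  DEFAULT_TTL = 300 # seconds the link stays valid

  # Mint a token allowing +admin_id+ to masquerade as +target_id+.
  # Format: base64url(JSON payload) + "." + hex HMAC-SHA256 over the payload.
  def self.generate(admin_id:, target_id:, ttl: DEFAULT_TTL, now: Time.now, secret: SECRET)
    payload = {
      'admin'  => admin_id,
      'target' => target_id,
      'exp'    => (now + ttl).to_i,
      'nonce'  => SecureRandom.hex(8) # makes every minted token distinct
    }
    body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
    "#{body}.#{sign(body, secret)}"
  end

  # Returns +target_id+ when +token+ is a valid, unexpired grant for this
  # admin/target pair, and nil otherwise. The MAC is checked before the
  # payload is parsed, so unauthenticated JSON is never decoded.
  def self.verify(token, admin_id:, target_id:, now: Time.now, secret: SECRET)
    body, sig = token.to_s.split('.', 2)
    return nil if body.nil? || sig.nil?
    return nil unless secure_equal?(sig, sign(body, secret))

    payload = JSON.parse(Base64.urlsafe_decode64(body))
    return nil unless payload['admin'] == admin_id && payload['target'] == target_id
    return nil unless payload['exp'].is_a?(Integer) && payload['exp'] > now.to_i

    target_id
  rescue ArgumentError, JSON::ParserError
    nil # malformed base64 or JSON is treated like a bad signature
  end

  # Link shape follows the one mentioned at the end of this thread
  # (/masquerade/:uid?masquerade=...); the /users prefix is an assumption.
  def self.link(admin_id:, target_id:, **opts)
    token = generate(admin_id: admin_id, target_id: target_id, **opts)
    "/users/masquerade/#{target_id}?masquerade=#{token}"
  end

  # Pull the token back out of a link built by +link+ (nil if absent).
  def self.token_from_link(url)
    url[/masquerade=([^&]+)/, 1]
  end

  def self.sign(body, secret)
    OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  end

  # Constant-time comparison so an attacker cannot recover the MAC byte by
  # byte from response timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
  private_class_method :sign, :secure_equal?
end

if $PROGRAM_NAME == __FILE__
  url = MasqueradeToken.link(admin_id: 1, target_id: 42)
  tok = MasqueradeToken.token_from_link(url)
  puts url
  puts MasqueradeToken.verify(tok, admin_id: 1, target_id: 42).inspect # 42
  puts MasqueradeToken.verify(tok, admin_id: 1, target_id: 7).inspect  # nil
end
```

The controller action that consumes the link still has to do two things the token does not: confirm that the signed-in user really is the admin the token names, and keep the masquerade route behind the same authorization layer as the admin pages. The token only makes the link unforgeable and short-lived; it does not replace that check.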

Hi @njt1982

OK, I see now. It's a good improvement to control link generation by using tokens instead of the out-of-the-box approach from Rails of using to_param, where the param is the id in the URLs.

I will try to find the time this week to improve it.

Thank you!

Why am I not surprised to hear that Rails already has a method for this kind of thing? ;)

Hi @njt1982. Finally closing this issue. Now /masquerade/:uid?masquerade= is passed with an expiration time for each token. Thank you!