Rails CSRF token analyzer
# Decode a Base64-encoded (unmasked) CSRF token back into its raw bytes.
#
# @param token [String] strict Base64 text (no newlines, correct padding)
# @return [String] the decoded binary token
# @raise [ArgumentError] when +token+ is not valid strict Base64
def real_csrf_token(token)
  decoded = Base64.strict_decode64(token)
  decoded
end
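# XOR the bytes of +s1+ into +s2+ position by position and return the result
# as a new binary string. Bytes of +s2+ beyond the length of +s1+ are copied
# through unchanged, so the result always has +s2+'s byte length.
#
# A pad longer than the data is rejected up front: the original index walk
# would otherwise hit a +nil+ element and fail with an opaque NoMethodError.
#
# @param s1 [String] the pad (key) bytes
# @param s2 [String] the data bytes; must be at least as long as +s1+
# @return [String] +s2+ XOR +s1+, packed as 8-bit bytes (ASCII-8BIT)
# @raise [ArgumentError] when +s1+ has more bytes than +s2+
def xor_byte_strings(s1, s2)
  if s1.bytesize > s2.bytesize
    raise ArgumentError,
          "pad (#{s1.bytesize} bytes) is longer than data (#{s2.bytesize} bytes)"
  end

  out = s2.bytes
  s1.bytes.each_with_index { |pad_byte, i| out[i] ^= pad_byte }
  out.pack("C*")
end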
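# Recover the raw CSRF token from a masked token.
#
# The masked token is laid out as a one-time pad of AUTHENTICITY_TOKEN_LENGTH
# characters followed by the token XORed with that pad; XORing the two halves
# again yields the original token.
#
# @param masked_token [String] decoded masked token (pad || pad XOR token)
# @return [String] the unmasked token bytes
# @raise [ArgumentError] when +masked_token+ is not longer than the pad, in
#   which case there is no encrypted half to unmask (the unguarded slice would
#   have produced +nil+ or an empty string and failed inside the XOR instead)
def unmask_token(masked_token)
  unless masked_token.length > AUTHENTICITY_TOKEN_LENGTH
    raise ArgumentError,
          "masked token is too short (#{masked_token.length} chars; " \
          "expected more than #{AUTHENTICITY_TOKEN_LENGTH})"
  end

  one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
  encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
  # NOTE(review): Rails itself also checks that the masked token is exactly
  # twice AUTHENTICITY_TOKEN_LENGTH before unmasking — callers of this
  # analyzer should apply the same length check if they need that guarantee.
  xor_byte_strings(one_time_pad, encrypted_csrf_token)
end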
# Compare an (already unmasked) token against the Base64-encoded real token
# using a constant-time comparison, so that timing differences do not leak
# how many leading bytes matched.
#
# @param token [String] the unmasked token bytes under test
# @param real_token [String] the Base64-encoded session token
# @return [Boolean] true when both tokens have identical bytes
# @raise [ArgumentError] when +real_token+ is not valid strict Base64
def compare_with_real_token(token, real_token)
  expected = real_csrf_token(real_token)
  ActiveSupport::SecurityUtils.secure_compare(token, expected)
end