Is there any transparent library I can use, or something easy, so that I can prevent cross-site request forgery (CSRF) with Perl and Apache? How can I generate tokens for forms and validate them server-side?

+5  A: 

To protect against "Cross-site request forgery" on the server side, it is best to:

  1. Use HTML escaping. If you use a template system like Template Toolkit, you should use its escape capabilities. If you use CGI.pm, it has an "escapeHTML" sub to do this.
  2. Limit the lifetime of session cookies to relatively short periods. For CGI::Session it can be done with $session->expire($time).
  3. Check the Referer when outputting vulnerable pages.
  4. Don't use/accept GET requests to modify data.

Doing this is framework-specific but simple.

Alexandr Ciornii
+2  A: 

Have a look at what CGI::Application::Plugin::ProtectCSRF does. This module is for the CGI::Application framework.

It shouldn't be too hard to modify the module for other frameworks. Basically, user forms get a hidden HTML field added with the generated token, and the session object gets the same token. When the form is submitted, the form-submitted token is compared to the token in the session object (which is on the server). If they don't match, a CSRF has likely occurred.

There is also a Catalyst plugin: Catalyst::Controller::RequestToken

These modules use attribute handlers so there is very little modification required to your existing app.

Mark
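The two answers above describe the same synchronizer-token pattern from different angles: a per-session token stored server-side and echoed in a hidden form field (second answer), plus rejecting state changes over GET and checking the Referer (first answer). The script below is an added example that puts those pieces together in plain Perl with core modules only; it is not code from this thread, from CGI::Application::Plugin::ProtectCSRF or from Catalyst::Controller::RequestToken. It assumes a Unix host with /dev/urandom, uses a plain hashref in place of the application's session object (CGI::Session or similar), and takes the application's own origin as the constant $OUR_ORIGIN; the request hashrefs at the bottom are constructed, not captured traffic.

```perl
#!/usr/bin/perl
# Synchronizer-token CSRF check in plain Perl (core modules only).
# Added example; not the code of the plugins named on this page.
use strict;
use warnings;

my $TOKEN_FIELD = 'csrf_token';
my $OUR_ORIGIN  = 'https://app.example.com';   # assumption: the app's own origin

# 32 bytes from the kernel CSPRNG, hex-encoded (assumes a Unix host).
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;
}

# One token per session, minted on first use. Rotate it on login/privilege change.
sub issue_token {
    my ($session) = @_;
    $session->{$TOKEN_FIELD} //= new_token();
    return $session->{$TOKEN_FIELD};
}

sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Hidden field to embed in every state-changing form (second answer).
sub hidden_field {
    my ($session) = @_;
    return sprintf '<input type="hidden" name="%s" value="%s">',
        $TOKEN_FIELD, escape_html(issue_token($session));
}

# Compare without short-circuiting on the first differing byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# $req stands in for the CGI/PSGI request:
#   { method => 'POST', params => {...}, headers => { Origin => ..., Referer => ... } }
# Returns (1, 'ok') or (0, $reason).
sub check_request {
    my ($req, $session) = @_;

    # First answer, point 4: a GET must never change state (an <img src> fires one).
    return (0, 'state change attempted over GET')
        unless ($req->{method} // '') eq 'POST';

    # First answer, point 3: Origin/Referer are browser-set and cannot be forged by a
    # cross-site form. Missing headers are tolerated (proxies strip Referer); the
    # token check below is the primary control.
    my $h = $req->{headers} // {};
    return (0, "foreign Origin: $h->{Origin}")
        if defined $h->{Origin} && $h->{Origin} ne $OUR_ORIGIN;
    return (0, "foreign Referer: $h->{Referer}")
        if defined $h->{Referer} && index($h->{Referer}, "$OUR_ORIGIN/") != 0;

    # Second answer: submitted token must equal the one held server-side in the session.
    my $expected  = $session->{$TOKEN_FIELD};
    my $submitted = $req->{params}{$TOKEN_FIELD};
    return (0, 'no token in session') unless defined $expected;
    return (0, 'no token in request') unless defined $submitted;
    return (0, 'token mismatch')      unless constant_time_eq($submitted, $expected);
    return (1, 'ok');
}

# --- demo with constructed requests ---
my %session = ();                        # fresh server-side session
my $field   = hidden_field(\%session);   # what the form would render
my $token   = $session{$TOKEN_FIELD};
print "$field\n";

my @cases = (
    [ 'legit POST',      { method => 'POST', params => { $TOKEN_FIELD => $token, amount => 10 },
                           headers => { Origin => $OUR_ORIGIN } } ],
    [ 'cross-site POST', { method => 'POST', params => { amount => 10 },
                           headers => { Origin => 'https://evil.example' } } ],
    [ 'guessed token',   { method => 'POST', params => { $TOKEN_FIELD => 'a' x 64 },
                           headers => { Referer => "$OUR_ORIGIN/form" } } ],
    [ 'GET with token',  { method => 'GET',  params => { $TOKEN_FIELD => $token },
                           headers => {} } ],
);
for my $c (@cases) {
    my ($ok, $why) = check_request($c->[1], \%session);
    printf "%-16s -> %s (%s)\n", $c->[0], $ok ? 'accepted' : 'rejected', $why;
}
```

Only the first case is accepted. The Origin/Referer check is kept deliberately lenient about absent headers, since some proxies and privacy settings strip Referer; if the application can require Origin on every POST, rejecting requests that lack it is the stricter choice. Wiring this into a framework means calling hidden_field() from the form template and check_request() before any handler that writes, which is exactly what the attribute handlers in the two named plugins automate.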