djlerman has asked for the wisdom of the Perl Monks concerning the following question:

Hello Holders of Wisdom!!!

My company just had a major penetration test done.

The solution for one of the issues that came up was to implement an "anti csrf token".

Our system was built in embperl and being converted to mod_perl.

What are your thoughts or suggestions?

~Donavon

Re: anti csrf token & Penetration testing
by haj (Vicar) on Aug 18, 2023 at 18:23 UTC

    The web stack isn't all that important for fighting CSRF, mod_perl is just fine. The challenge is in the design of the token(s), and this depends on the nature of your application. A CPAN module, WWW::CSRF, has a nice explanation of the problem, and maybe a sufficient solution for you!
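A session-bound, stateless HMAC token of the kind haj's reply points to, as an added example (not code from this thread and not WWW::CSRF's own implementation); the deployment secret, the session id and the /dev/urandom source are assumptions:

```perl
# Added example, not WWW::CSRF's code: a stateless anti-CSRF token bound to the
# session id, core modules only. Assumes a Unix host with /dev/urandom.
use strict; use warnings;
use Digest::SHA qw(hmac_sha256_hex);
my $MAX_AGE = 3600;   # seconds a token stays valid

sub _random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Compare without leaking the position of the first mismatch through timing.
sub _const_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Token = time:nonce:HMAC-SHA256("session_id:time:nonce", secret).
# Put it in a hidden form field; the session id stays in the session cookie.
sub make_csrf_token {
    my ($secret, $session_id, $now) = @_;
    $now //= time;
    my $nonce = unpack 'H*', _random_bytes(16);
    my $mac   = hmac_sha256_hex(join(':', $session_id, $now, $nonce), $secret);
    return join ':', $now, $nonce, $mac;
}

# Check on every state-changing request: well-formed, not expired, and MACed
# for *this* session, so a token lifted from one session fails in another.
sub check_csrf_token {
    my ($secret, $session_id, $token, $now) = @_;
    $now //= time;
    my ($ts, $nonce, $mac) = split /:/, ($token // ''), 3;
    return 0 unless defined $mac && $ts =~ /\A\d+\z/ && $nonce =~ /\A[0-9a-f]{32}\z/;
    return 0 if $ts > $now || $now - $ts > $MAX_AGE;
    my $expect = hmac_sha256_hex(join(':', $session_id, $ts, $nonce), $secret);
    return _const_eq($mac, $expect);
}

my ($secret, $sid) = ('replace-with-a-long-random-secret', 'sess-4711');  # constructed values
my $tok = make_csrf_token($secret, $sid);
printf "same session %d, other session %d, tampered %d, expired %d\n",
    check_csrf_token($secret, $sid, $tok),
    check_csrf_token($secret, 'sess-9999', $tok),
    check_csrf_token($secret, $sid, substr($tok, 0, -1) . 'x'),
    check_csrf_token($secret, $sid, $tok, time + $MAX_AGE + 1);
```

In a mod_perl handler the secret would be read once at startup and the session id taken from the existing session cookie; only requests that change state need the check.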

Re: anti csrf token & Penetration testing
by clscott (Friar) on Aug 18, 2023 at 18:26 UTC

    You'll find a number of options if you search for CSRF on CPAN and perlmonks.

    It would be good to get familiar with the concept, how and why it works, to ensure you can test that it is implemented correctly.

    https://owasp.org/www-community/attacks/csrf
    --
    Clayton

Re: anti csrf token & Penetration testing
by marto (Cardinal) on Aug 18, 2023 at 21:16 UTC

    On a semi-related note, moving to mod_perl in this day and age seems like a strange choice to me. Modern frameworks like Mojolicious have you covered, along with tamper-resistant cookies etc., to make your life easier.