in reply to Crash-Test Dummies: A Few Thoughts on Website Testing

It appears my post here is related; disregard if not.

Years ago, I wrote an accounting application for an ISP. It used CGI::Application. I forced the system to use only one entry point and to error out on any URL passed in that wasn't from this entry point.

I then implemented CGI::Application::Plugin::LinkIntegrity to protect against rogue URL input, after entry has been gained.

Although specific to CGI::Application, it wouldn't be hard to drum up something similar for any other module or even custom code. This, along with -T and other routine validation, should make things a bit more resistant to tampering.
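
A sketch of "something similar" in custom code, as an added example that is not part of the original post and not the plugin's own code: the server appends a keyed HMAC to each link it issues and refuses any request whose parameters no longer match it. The names `sign_link`, `verify_link` and `_mac`, the secret and the sample URL are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: server-side secret from configuration; this value is constructed.
my $SECRET = 'constructed-demo-key';

# Percent-encode so '&' and '=' inside names or values cannot shift field boundaries.
sub esc {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Sorted key=value pairs: the MAC must not depend on parameter order.
sub query_string {
    my ($params) = @_;
    return join '&', map { esc($_) . '=' . esc($params->{$_}) } sort keys %$params;
}

# Hypothetical helper: returns the link with a "_mac" parameter appended.
sub sign_link {
    my ($path, $params) = @_;
    my $qs = query_string($params);
    return "$path?$qs&_mac=" . hmac_sha256_hex("$path?$qs", $SECRET);
}

# Hypothetical helper: $params holds the decoded request parameters, "_mac" included.
sub verify_link {
    my ($path, $params) = @_;
    my %p   = %$params;
    my $got = delete $p{_mac};
    return 0 unless defined $got && $got =~ /\A[0-9a-f]{64}\z/;
    my $want = hmac_sha256_hex($path . '?' . query_string(\%p), $SECRET);
    my $diff = 0;    # compare every byte, no early exit on first mismatch
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. 63;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample: an invoice link, then the same MAC replayed with another account.
my %issued = (rm => 'view_invoice', account => '1042');
my $link   = sign_link('/billing.cgi', \%issued);
my ($mac)  = $link =~ /_mac=([0-9a-f]{64})\z/;
print "$link\n";
printf "as issued:     %d\n", verify_link('/billing.cgi', { %issued, _mac => $mac });
printf "account=1043:  %d\n", verify_link('/billing.cgi', { %issued, account => '1043', _mac => $mac });
printf "MAC stripped:  %d\n", verify_link('/billing.cgi', \%issued);
```

The MAC only shows that the server issued this exact link; it does not say who is presenting it or when. Binding the signed data to the session and including an expiry parameter is what keeps a valid link from being reused elsewhere.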

Re^2: Crash-Test Dummies: A Few Thoughts on Website Testing
by Your Mother (Archbishop) on Oct 12, 2015 at 21:56 UTC

    "Tamper resistant" doesn't ring the same as "tamper proof" from the LinkIntegrity doc, but I don't know the software. Relying on referring URIs, if that's what you meant by "one entry point," is completely insecure.