Re^2: Mojolicious vs Dancer (security-wise)?

I don't know if this prevents all XSRF vectors, but it seems pretty secure.

It prevents zero XSRF vectors because XSRF is session riding , the request comes from the users browser, using the existing session cookie

Comment on Re^2: Mojolicious vs Dancer (security-wise)?

Replies are listed 'Best First'.
Re^3: Mojolicious vs Dancer (security-wise)? by davido (Cardinal) on Sep 22, 2012 at 05:19 UTC
You're correct. Maybe either Mojolicious::Plugin::CSRFProtect or Mojolicious::Plugin::CSRFDefender would be reasonable steps in the right direction. The former looks to be more thorough, while the latter looks a little more foolproof. Mojolicious::Plugin::CSRFProtect adds a hidden input field to forms, adds a token to ajax requests, rejects all non-GET/HEAD requests without the token, and simplifies the safeguarding of GET/HEAD requests and side-effect links. This seems to provide the mechanism needed to implement one of the prevention measures mentioned in the Wikipedia article to which you linked: "Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions." I'm using Mojolicious::Plugin::CSRFProtect in a project. It's convenient. All I have to do is make sure my routes for forms only respond to POST requests, and that my forms use the "`form_for`" helper. pretty slick. Dave	[reply] [d/l]

Replies are listed 'Best First'.

Re^3: Mojolicious vs Dancer (security-wise)?
by davido (Cardinal) on Sep 22, 2012 at 05:19 UTC

You're correct.

Maybe either Mojolicious::Plugin::CSRFProtect or Mojolicious::Plugin::CSRFDefender would be reasonable steps in the right direction. The former looks to be more thorough, while the latter looks a little more foolproof.

Mojolicious::Plugin::CSRFProtect adds a hidden input field to forms, adds a token to ajax requests, rejects all non-GET/HEAD requests without the token, and simplifies the safeguarding of GET/HEAD requests and side-effect links.

This seems to provide the mechanism needed to implement one of the prevention measures mentioned in the Wikipedia article to which you linked: "Requiring a secret, user-specific token in all form submissions and side-effect URLs prevents CSRF; the attacker's site cannot put the right token in its submissions."

I'm using Mojolicious::Plugin::CSRFProtect in a project. It's convenient. All I have to do is make sure my routes for forms only respond to POST requests, and that my forms use the "form_for" helper. pretty slick.

Dave

[reply]
[d/l]