PerlMonks
Re^2: Need help figure out CSRF vulnerability on this cgi code

by tinita (Parson)
on Mar 31, 2012 at 20:51 UTC (#962798=note)

in reply to Re: Need help figure out CSRF vulnerability on this cgi code
in thread Need help figure out CSRF vulnerability on this cgi code

Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.

I'd rather say you have XSS, and CSRF is an effect of this; by eliminating XSS you are not safe from CSRF.

Basically, add ESCAPE=HTML to all variables in your template.

Or better, use default_escape 'HTML', so you can't forget to do it in the template.

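An added example, not code from tinita or from the original thread, showing what the two template settings do with the same input. The template, the sample form values and the helper names (render_unescaped, render_escaped) are constructed for this illustration; it assumes HTML::Template is installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template: a form field echoed back into the page, as the
# CGI in the thread does. No ESCAPE attribute on either TMPL_VAR.
my $tmpl = <<'END';
<p>Hello, <TMPL_VAR NAME="user"></p>
<input type="text" name="q" value="<TMPL_VAR NAME="q">">
END

# Constructed sample input: markup in one field and an attribute-closing
# quote in the other, the kind of value a browser would otherwise parse
# as HTML instead of showing it as text.
my %input = (
    user => '<b>guest</b><script>alert(1)</script>',
    q    => '"><img src=x onerror=alert(1)>',
);

# Weak: without ESCAPE=HTML on the TMPL_VARs and without default_escape,
# the client-supplied value is emitted into the page verbatim (XSS).
sub render_unescaped {
    my $t = HTML::Template->new(scalarref => \$tmpl);
    $t->param(%input);
    return $t->output;
}

# Hardened: default_escape => 'HTML' HTML-escapes every TMPL_VAR unless
# a tag explicitly says ESCAPE=0, so a forgotten ESCAPE=HTML in the
# template is no longer a hole.
sub render_escaped {
    my $t = HTML::Template->new(
        scalarref      => \$tmpl,
        default_escape => 'HTML',
    );
    $t->param(%input);
    return $t->output;
}

print "--- no escaping (vulnerable) ---\n", render_unescaped();
print "--- default_escape => 'HTML' ---\n", render_escaped();

# A check a test suite can run: none of the raw tags from the input may
# survive in the escaped output ('<' must have become '&lt;').
my $out = render_escaped();
die "raw markup leaked into output\n" if $out =~ /<script|<img/;
```

As the reply says, this only removes the XSS; whether a forged cross-site form submission is accepted by the CGI is a separate question.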