|Do you know where your variables are?|
"Hardening" a web forum appby Cody Fendant (Pilgrim)
|on Apr 07, 2011 at 02:05 UTC||Need Help??|
Cody Fendant has asked for the
wisdom of the Perl Monks concerning the following question:
I've written a simple forum, using DBI, HTML::Template and CGI::Session.
It wasn't intended to be a professional product, it was just for a small group of people who can all be trusted. But what if it goes live to a wider audience?
What would you do to harden that application against people who might URL-hack or otherwise try to exploit weaknesses?
To give one example: if I've made a post, I can edit it. The Edit Post URL is foo.com/edit/123. And that's fine because I wrote post 123. What if I change the URL to 122? Can I edit someone else's post? What if I use that URL to edit my own post 123 then change the hidden form field value to 122? Can I save post 123 into post 122?
Now, I'm quoting those because I've thought of them. And I can trivially code for them. If the user id != the user id who made the post, etc. But as they say, everyone is clever enough to invent a code that they can't break themselves...
(I should say by the way that my DBI database calls all use placeholders, no interpolation of variables, so I don't think I'm vulnerable to the Bobby Tables kind of problem. But tell me if that's not enough.)
What principles or procedures should I follow to identify and prevent that kind of exploit?