Beefy Boxes and Bandwidth Generously Provided by pair Networks Bob
Do you know where your variables are?
 
PerlMonks  

Re^2: Need help figure out CSRF vulnerability on this cgi code

by tinita (Parson)
on Mar 31, 2012 at 20:51 UTC ( #962798=note: print w/ replies, xml ) Need Help??


in reply to Re: Need help figure out CSRF vulnerability on this cgi code
in thread Need help figure out CSRF vulnerability on this cgi code

Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.
i'd rather say, you have XSS, and CSRF is an effect of this, and by eliminating XSS you are not safe from CSRF
Basically, add add ESCAPE=HTML to all variables in your template.
or better, use default_escape 'HTML', so you can't forget to do it in the template.


Comment on Re^2: Need help figure out CSRF vulnerability on this cgi code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://962798]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (5)
As of 2014-04-20 08:32 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    April first is:







    Results (485 votes), past polls