PerlMonks  

anti csrf token & Penetration testing

by djlerman (Sexton)
on Aug 18, 2023 at 16:33 UTC [id://11153959]

djlerman has asked for the wisdom of the Perl Monks concerning the following question:

Hello Holders of Wisdom!!!

My company just had a major penetration test done.

The solution for one of the issues that came up was to implement an "anti CSRF token".

Our system was built in Embperl and is being converted to mod_perl.

What are your thoughts or suggestions?

~Donavon

Re: anti csrf token & Penetration testing
by haj (Vicar) on Aug 18, 2023 at 18:23 UTC

    The web stack isn't all that important for fighting CSRF, mod_perl is just fine. The challenge is in the design of the token(s), and this depends on the nature of your application. A CPAN module, WWW::CSRF, has a nice explanation of the problem, and maybe a sufficient solution for you!
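
    As an added illustration of the token-design point above (this is not code from the thread, the poster's application, or WWW::CSRF), here is a minimal session-bound, time-limited anti-CSRF token in Perl using only core modules; the secret, session id and lifetime are constructed placeholders:

```perl
# Added example: a session-bound, time-limited anti-CSRF token.
# Not from WWW::CSRF or the poster's application; the secret, session id
# and lifetime below are constructed placeholders.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret: load from configuration, never from the request.
my $SECRET   = 'replace-with-a-long-random-server-secret';   # placeholder
my $LIFETIME = 3600;                                          # seconds

# Token = timestamp . ':' . HMAC(secret, session_id . ':' . timestamp).
# Binding to the session id means a token lifted from another user's
# page is useless, and the timestamp bounds how long a leaked token lives.
sub make_csrf_token {
    my ($session_id, $now) = @_;
    $now //= time;
    my $mac = hmac_sha256_hex("$session_id:$now", $SECRET);
    return "$now:$mac";
}

# Compare two equal-length strings without early exit, so the time taken
# does not reveal how many leading bytes matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns true only if the token is well-formed, was minted for this
# session, has not expired, and carries a valid MAC.
sub check_csrf_token {
    my ($session_id, $token, $now) = @_;
    $now //= time;
    return 0 unless defined $token && $token =~ /^(\d{1,12}):([0-9a-f]{64})\z/;
    my ($ts, $mac) = ($1, $2);
    return 0 if $ts > $now || $now - $ts > $LIFETIME;
    my $expected = hmac_sha256_hex("$session_id:$ts", $SECRET);
    return constant_time_eq($mac, $expected);
}

# Usage: embed make_csrf_token($sid) as a hidden field in every
# state-changing form, and reject the POST unless the check passes.
my $sid   = 'constructed-session-id-123';
my $token = make_csrf_token($sid);
print check_csrf_token($sid, $token)            ? "valid\n" : "invalid\n";
print check_csrf_token('other-session', $token) ? "valid\n" : "invalid\n";
```

    The second check fails because the MAC was computed over a different session id, which is the property that stops a token captured in one session from being replayed in another.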

Re: anti csrf token & Penetration testing
by clscott (Friar) on Aug 18, 2023 at 18:26 UTC

    You'll find a number of options if you search for CSRF on CPAN and perlmonks.

    It would be good to get familiar with the concept, and with how and why it works, to ensure you can test that it is implemented correctly.

    https://owasp.org/www-community/attacks/csrf
    --
    Clayton
Re: anti csrf token & Penetration testing
by marto (Cardinal) on Aug 18, 2023 at 21:16 UTC

    On a semi-related note, moving to mod_perl in this day and age seems like a strange choice to me. Modern frameworks like Mojolicious have you covered, along with tamper-resistant cookies etc. to make your life easier.
