PerlMonks  

Re: Need help figure out CSRF vulnerability on this cgi code

by Corion (Patriarch)
on Mar 31, 2012 at 18:45 UTC


in reply to Need help figure out CSRF vulnerability on this cgi code

Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF. As you output all your variables without escaping, all your variables are CSRF opportunities. See HTML::Template for escaping. Basically, add ESCAPE=HTML to all variables in your template.

Also see Is your web application really secure? ("CSRF").

Replies are listed 'Best First'.
Re^2: Need help figure out CSRF vulnerability on this cgi code
by tinita (Parson) on Mar 31, 2012 at 20:51 UTC
    Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.
    I'd rather say you have XSS, and CSRF is an effect of this, and by eliminating XSS you are not safe from CSRF.
    Basically, add ESCAPE=HTML to all variables in your template.
    Or better, use default_escape 'HTML', so you can't forget to do it in the template.
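An added example, not code from the thread or from the original poster's CGI script, showing both fixes suggested above side by side in HTML::Template: the per-variable ESCAPE=HTML that Corion recommends, and the constructor-wide default_escape that tinita recommends. The template text and the sample input value are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Template;

# Constructed template: the first TMPL_VAR has no ESCAPE attribute (the bug
# being discussed), the other two are escaped explicitly.
my $tmpl_text = <<'END_TMPL';
<p>Hello, <TMPL_VAR NAME="name"></p>
<p>Hello, <TMPL_VAR NAME="name" ESCAPE=HTML></p>
<input type="text" value="<!-- TMPL_VAR NAME="name" ESCAPE=HTML -->">
END_TMPL

# Constructed input containing every character that matters in HTML and in
# a double-quoted attribute: & < > " '
my $name = q{O'Brien "the" <Admin> & co};

# Weak: no default escaping. The first TMPL_VAR is emitted raw, so the markup
# characters in $name land in the page unescaped.
my $weak = HTML::Template->new( scalarref => \$tmpl_text );
$weak->param( name => $name );
print "--- without default_escape ---\n", $weak->output;

# Corrected: default_escape => 'HTML' applies HTML escaping to every TMPL_VAR
# that carries no explicit ESCAPE attribute, so a forgotten ESCAPE=HTML no
# longer produces raw output. Variables with their own ESCAPE keep it.
my $safe = HTML::Template->new(
    scalarref      => \$tmpl_text,
    default_escape => 'HTML',
);
$safe->param( name => $name );
print "--- with default_escape => 'HTML' ---\n", $safe->output;
```

In the second output all three lines show the value with `&`, `<`, `>`, `"` and `'` replaced by entities; as tinita notes, this fixes the output-escaping (XSS) problem and is not by itself a defence against CSRF.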
Re^2: Need help figure out CSRF vulnerability on this cgi code
by Anonymous Monk on Mar 31, 2012 at 20:38 UTC

    Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.

    You also have XSS, or cross-site scripting.

Re^2: Need help figure out CSRF vulnerability on this cgi code
by Anonymous Monk on Apr 01, 2012 at 02:35 UTC
    Thank you all.... I have one other security issue I need your help on... posting as a new thread.
