Cody Fendant has asked for the wisdom of the Perl Monks concerning the following question:
I've written a simple forum, using DBI, HTML::Template and CGI::Session.
It wasn't intended to be a professional product, it was just for a small group of people who can all be trusted. But what if it goes live to a wider audience?
What would you do to harden that application against people who might URL-hack or otherwise try to exploit weaknesses?
To give one example: if I've made a post, I can edit it. The Edit Post URL is foo.com/edit/123. And that's fine because I wrote post 123. What if I change the URL to 122? Can I edit someone else's post? What if I use that URL to edit my own post 123 then change the hidden form field value to 122? Can I save post 123 into post 122?
Now, I'm quoting those because I've thought of them. And I can trivially code for them. If the user id != the user id who made the post, etc. But as they say, everyone is clever enough to invent a code that they can't break themselves...
(I should say by the way that my DBI database calls all use placeholders, no interpolation of variables, so I don't think I'm vulnerable to the Bobby Tables kind of problem. But tell me if that's not enough.)
What principles or procedures should I follow to identify and prevent that kind of exploit?
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: "Hardening" a web forum app
by ww (Archbishop) on Apr 07, 2011 at 03:16 UTC | |
Re: "Hardening" a web forum app
by moritz (Cardinal) on Apr 07, 2011 at 06:45 UTC | |
[OT] URL structure (Was: "Hardening" a web forum app)
by MidLifeXis (Monsignor) on Apr 07, 2011 at 13:41 UTC | |
Re: "Hardening" a web forum app
by sundialsvc4 (Abbot) on Apr 07, 2011 at 15:51 UTC |