[Catalyst] Re: CSRF

Ashley apv at sedition.com
Wed Oct 1 07:57:22 BST 2008


On Sep 30, 2008, at 11:13 PM, Aristotle Pagaltzis wrote:
> * Ashley <apv at sedition.com> [2008-09-30 19:30]:
>> If scripting is involved that makes it a XSS attack instead,
>> though. No?
>
> No.

Yeah, that was unclear. I was talking about our own sites
and Cat apps, not the web at large. It was in that context
that I suggested script based attacks were by definition
going to be XSS. Malicious ActionScript is still script.
But I hadn't read the POST exploits as described in the
white paper so I was wrong.

Might be pretty simple in Cat stuff. The crux of the POST
issue seems to be that the target site's cookies are still safe
from the attacking site's POST. So, off the top of my
head, untested, please modify, correct, refine, put
in wiki, etc.

Form template:

[%# Digest.SHA1 plugin supplies the sha1_hex filter used below -%]
[% USE Digest.SHA1 -%]
<form action="[% c.request.uri() %]" method="post">
   <input type="hidden" name="csrf_check" value="[% c.sessionid | sha1_hex %]" />
</form>

Controller form validation:

use Digest::SHA1 qw(sha1_hex);

# Reject unless there is a logged-in user and the posted token
# matches the one the form template derived from the session id.
some_error_or_other() unless
   $c->user_exists
   and
   ($c->request->body_params->{csrf_check} // '') eq sha1_hex($c->sessionid);


-Ashley
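Added example, not from the post or from Catalyst: a stand-alone Python model of the scheme above (hidden field = hex SHA-1 of the session id, checked against the session the browser's cookie selects), showing why a forged cross-site POST fails and covering the missing-field and no-session cases. `SESSIONS`, `handle_post` and the session ids are constructed for the demo.

```python
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed sample session store: cookie session id -> logged-in user.
SESSIONS = {"sess-victim-0001": "alice", "sess-attacker-0002": "mallory"}


def csrf_token(sessionid: str) -> str:
    """What the template embeds: sha1_hex(c.sessionid)."""
    return hashlib.sha1(sessionid.encode("utf-8")).hexdigest()


def csrf_ok(sessionid: Optional[str], body_params: Mapping[str, str]) -> bool:
    """Controller-side check, mirroring the Perl condition in the post."""
    if not sessionid:
        return False
    submitted = body_params.get("csrf_check")
    if submitted is None:  # field absent: treat as failure, not as ''
        return False
    # Constant-time compare so the check itself does not leak via timing.
    return hmac.compare_digest(submitted, csrf_token(sessionid))


def handle_post(cookie_sid: Optional[str], body_params: Mapping[str, str]) -> str:
    """Model of the target site receiving a POST.

    The browser attaches the target site's cookie to any POST aimed at it,
    including one submitted from an attacker's page, but the attacker's page
    cannot read that cookie, so it cannot compute sha1_hex(sessionid).
    """
    if cookie_sid not in SESSIONS:  # equivalent of $c->user_exists failing
        return "rejected"
    return "accepted" if csrf_ok(cookie_sid, body_params) else "rejected"


if __name__ == "__main__":
    victim = "sess-victim-0001"
    # Legitimate submission: the form on the target site carried the token.
    print(handle_post(victim, {"csrf_check": csrf_token(victim)}))
    # Forged POST from another origin: attacker can only guess from own session.
    print(handle_post(victim, {"csrf_check": csrf_token("sess-attacker-0002")}))
```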
