[Catalyst] Re: CSRF

Tatsuhiko Miyagawa miyagawa at gmail.com
Wed Oct 1 10:32:25 BST 2008


On Wed, Oct 1, 2008 at 12:19 AM, Ashley <apv at sedition.com> wrote:
>> Form template:
>> <form action="[% c.request.uri() %]" method="post">
>> [% USE Digest.SHA1 -%]
>>  <input type="hidden" name="csrf_check" value="[% c.sessionid | sha1_hex %]" />
>> </form>

On my personal site I do something similar to this, but using jQuery to
automatically add these to all forms and A links with
class="requires-token".
http://subtech.g.hatena.ne.jp/miyagawa/20080918/1221728765

I was talking about making a Catalyst action to validate this token value
as an action plugin, possibly in combination with jshirley's REST
actions.

> This won't work because the attacker can grab it by a GET

Usually not. The only chance where your browser leaks these csrf_check
values would be when your app is vulnerable to CSSXSS (very rare and
IE specific) or when you have crossdomain.xml that allows everything
to be accessible from flash scripts.

http://www.arunranga.com/articles/browser-cross-site.html#Flash

> and
> while it doesn't expose the sessionid, it does remain constant
> for the life of the session. As the white paper suggests, it
> has to be pseudo-random and it looks like it has to be per
> request.

I agree that it gives you stronger security if the token is
per-request instead of per-session, but that's a trade-off. For
instance, a per-request token breaks back-button-and-resubmit. That might be
good if your site is a banking site and you don't want to duplicate
money transfers via the back button, but that might not be the case if
your site is more casual web 2.0 and does lots of XHR stuff with the
same token etc.

That said, Catalyst::Controller::RequestToken implements the
per-request token and CSRF validation.
http://search.cpan.org/~hide/Catalyst-Controller-RequestToken-0.01/

-- 
Tatsuhiko Miyagawa
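The two token policies discussed in this message, as an added example in Python (not code from the thread and not Catalyst::Controller::RequestToken): a per-session token derived from the session id with a keyed hash, and a single-use per-request token. The class and function names, the server secret and the session ids are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


class CsrfGuard:
    """Issue and validate CSRF tokens under one of two policies.

    per_request=False: one token for the life of the session (the
    sha1_hex-of-sessionid idea from the form template, but keyed with a
    server secret so the token cannot be computed from the session id alone).
    per_request=True: a fresh random token per form render, valid once.
    """

    def __init__(self, server_secret: bytes, per_request: bool = False):
        self.secret = server_secret
        self.per_request = per_request
        self._outstanding = {}  # session_id -> set of unused per-request tokens

    def issue(self, session_id: str) -> str:
        if not self.per_request:
            return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()
        token = secrets.token_hex(16)
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def validate(self, session_id: str, submitted: str) -> bool:
        if not self.per_request:
            expected = self.issue(session_id)  # deterministic, so recompute and compare
            return hmac.compare_digest(expected, submitted or "")
        tokens = self._outstanding.get(session_id, set())
        if submitted in tokens:
            tokens.discard(submitted)  # single use: a resubmit of the same form fails
            return True
        return False


def back_button_resubmit(per_request: bool) -> tuple:
    """Render one form, submit it twice (back button + resubmit).

    Returns (first_ok, second_ok): per-session accepts both, per-request only the first.
    """
    guard = CsrfGuard(b"constructed-server-secret", per_request=per_request)
    token = guard.issue("sess-a")
    return guard.validate("sess-a", token), guard.validate("sess-a", token)


if __name__ == "__main__":
    print("per-session:", back_button_resubmit(False))  # (True, True)
    print("per-request:", back_button_resubmit(True))   # (True, False)
```

A token issued to one session is rejected when submitted under another session id in either mode, which is the cross-session check the validating action has to perform.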
