[cgiapp] FormKeys / Nonce
Hello,

We're looking to increase our application security foundation by adding Nonces to our HTML forms. A Nonce is a one-use token, generated with the form and validated with the submission, that helps to mitigate CSRF (cross-site request forgery) attacks. A quick search of CPAN doesn't show many available options, so I'm thinking of writing a module myself. A couple of questions:

1) Are there existing Nonce solutions that I might be overlooking?

2) What's the best way to integrate the concept into CGI::Application? (Plugin?)

I have a prototype coded up already that adds some methods to a base class that extends CGI::Application. It generates and stores the Nonces in a CGI::Application::Plugin::Session store and then validates against that store later. Is it common/acceptable for Plugins to have dependencies on other Plugins?

My current prototype requires changing the application to add calls to generate, validate, and expunge the Nonce tokens. Once a Nonce is generated, it's placed into a template var that in turn populates a hidden form field. Is there a more transparent / automated way of inserting the Nonce into the form, or is it reasonable to expect the application to handle this in its runmodes?

I'm interested in any feedback you might have on my specific questions or any insight that you might have, having worked with Nonces in other applications or frameworks. My experience is limited.

Thanks,
Todd

#####  CGI::Application community mailing list  ####
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp  ##
##  Web archive:  http://www.erlbaum.net/pipermail/cgiapp/  ##
##  Wiki:  http://cgiapp.erlbaum.net/  ##
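The lifecycle Todd describes (generate with the form, store in the session, validate once on submission, expunge) as one small plugin, added here as an example; it is not code from the thread and not an existing CPAN module. It assumes CGI::Application::Plugin::Session is installed and loaded by the application (the plugin-depends-on-plugin case), that /dev/urandom is available for token bytes, and it invents the names `CGI::Application::Plugin::Nonce`, `nonce_*`, `form_nonce` and the `nonce_error` run mode. The prerun/postrun hooks answer the "more transparent" question: the application never touches the token, the postrun hook appends the hidden field to every POST form in the rendered output, and the prerun hook refuses any POST whose token is missing, unknown, expired or already spent.

```perl
package CGI::Application::Plugin::Nonce;
# Added example plugin (not on CPAN): one-use CSRF tokens kept in the session
# store that CGI::Application::Plugin::Session provides (assumed to be loaded).
use strict;
use warnings;
use Exporter 'import';
BEGIN { $INC{'CGI/Application/Plugin/Nonce.pm'} = __FILE__ }  # one-file demo only
our @EXPORT;
BEGIN { @EXPORT = qw(nonce_protect nonce_generate nonce_validate nonce_field) }

use constant NONCE_PARAM => 'form_nonce';  # hidden-field and session key (assumed name)
use constant NONCE_TTL   => 30 * 60;       # seconds a token stays valid
use constant NONCE_MAX   => 20;            # outstanding tokens kept per session

# Call once from setup(): validate on POST in prerun, inject the field in postrun.
sub nonce_protect {
    my $self = shift;
    $self->add_callback('prerun',  \&_nonce_prerun);
    $self->add_callback('postrun', \&_nonce_postrun);
}

# 32 random bytes from /dev/urandom (assumed available), hex-encoded so the
# token is safe inside an HTML attribute, stored in the session with issue time.
sub nonce_generate {
    my $self = shift;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "short read from urandom" unless defined $n && $n == 32;
    my $token = unpack 'H*', $bytes;
    my $store = $self->session->param(NONCE_PARAM) || {};
    $store->{$token} = time;
    if (scalar(keys %$store) > NONCE_MAX) {  # evict oldest: session cannot grow unbounded
        my @oldest = sort { $store->{$a} <=> $store->{$b} } keys %$store;
        delete @{$store}{ @oldest[0 .. $#oldest - NONCE_MAX] };
    }
    $self->session->param(NONCE_PARAM, $store);
    return $self->{__NONCE_CURRENT} = $token;
}

# Byte-wise compare with no early exit on the first mismatch.
sub _ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# One-use check: the token must be in the store and within TTL. It is removed
# whether or not it was fresh, so a replay of an expired token is also spent.
sub nonce_validate {
    my ($self, $token) = @_;
    return 0 unless defined $token && $token =~ /\A[0-9a-f]{64}\z/;
    my $store = $self->session->param(NONCE_PARAM) || {};
    my $issued;
    for my $stored (keys %$store) {           # scan every key: no lookup shortcut
        $issued = $store->{$stored} if _ct_eq($stored, $token);
    }
    return 0 unless defined $issued;
    delete $store->{$token};
    $self->session->param(NONCE_PARAM, $store);
    return (time - $issued) <= NONCE_TTL ? 1 : 0;
}

# Hidden field for templates that want to place the token explicitly.
sub nonce_field {
    my $self = shift;
    my $token = $self->{__NONCE_CURRENT} || $self->nonce_generate;
    return sprintf '<input type="hidden" name="%s" value="%s" />', NONCE_PARAM, $token;
}

sub _nonce_prerun {
    my ($self, $rm) = @_;
    my $q = $self->query;
    return unless ($q->request_method || '') eq 'POST';  # GETs carry no state change
    $self->prerun_mode('nonce_error')                    # app-defined run mode (assumed)
        unless $self->nonce_validate(scalar $q->param(NONCE_PARAM));
}

# Append the field inside every <form ... method="post"> in the rendered body.
# Regex rewriting of HTML is deliberately simple; it assumes well-formed forms.
sub _nonce_postrun {
    my ($self, $body_ref) = @_;
    my $form = qr/<form\b[^>]*\bmethod\s*=\s*["']?post["']?[^>]*>/i;
    return unless $$body_ref =~ $form;
    my $field = $self->nonce_field;
    $$body_ref =~ s/($form)/$1$field/g;
}

package MyApp;
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::Session;
use CGI::Application::Plugin::Nonce;
use CGI qw(escapeHTML);

sub setup {
    my $self = shift;
    $self->start_mode('show_form');
    $self->run_modes([qw(show_form save_form nonce_error)]);
    $self->nonce_protect;
}

sub show_form {   # no token handling here; postrun adds the hidden field
    return qq{<form method="post" action=""><input type="hidden" name="rm" value="save_form" />}
         . qq{<input name="note" /><button type="submit">Save</button></form>};
}

sub save_form {   # only reached when prerun accepted a fresh token
    my $self = shift;
    return '<p>Saved: ' . escapeHTML(scalar $self->query->param('note') // '') . '</p>';
}

sub nonce_error {
    my $self = shift;
    $self->header_props(-status => '403 Forbidden');
    return '<p>Form token missing, expired or already used. Reload the form and try again.</p>';
}

package main;
MyApp->new->run;
```

Run it as a CGI script under any web server; the `rm` parameter travels as a hidden field because CGI.pm's `param()` does not read the query string on a POST. Two caveats worth keeping in mind: every POST form on one rendered page shares the same token, so a second form submitted from a stale page is rejected after the first one spends it; and because the tokens live server-side, anything that drops the session (expiry, a new session cookie) invalidates every open form. If you prefer the explicit style of Todd's prototype, leave out the postrun callback and hand `$self->nonce_field` to the template var yourself.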
Re: [cgiapp] FormKeys / Nonce
On 07/16/2010 02:19 PM, Todd Ross wrote:
> 1) Are there existing Nonce solutions that I might be overlooking?
> 2) What's the best way to integrate the concept into CGI::Application? (Plugin?)

For both of these you should look at the CGI::Application::Plugin::ProtectCSRF module. It might not be exactly what you're looking for, but it should give you at least a basis for your own solution.

--
Michael Peters
Plus Three, LP
Re: [cgiapp] FormKeys / Nonce
Hi Todd

On Fri, 2010-07-16 at 14:31 -0400, Michael Peters wrote:
> On 07/16/2010 02:19 PM, Todd Ross wrote:
> > 1) Are there existing Nonce solutions that I might be overlooking?
> > 2) What's the best way to integrate the concept into CGI::Application? (Plugin?)
>
> For both of these you should look at the CGI::Application::Plugin::ProtectCSRF module. It might not be exactly what you're looking for, but it should give you at least a basis for your own solution.

See also http://from.bz/public/documents/publications/csrf.pdf and http://blog.archive.jpsykes.com/47/practical-csrf-and-json-security/

--
Ron Savage
http://savage.net.au/
Ph: 0421 920 622