Reputation: 12828
Are there any transparent libraries that I can use, or something easy, so I can prevent cross-site request forgery (CSRF) with Perl and Apache? How can I generate tokens for forms and validate them server-side?
Upvotes: 3
Views: 3649
Reputation: 7392
To protect against "Cross-site request forgery" from the server side, it is best to:
Doing this is framework-specific but simple.
Upvotes: -1
Reputation: 364687
Have a look at what CGI::Application::Plugin::ProtectCSRF does. This module is for the CGI::Application framework.
It shouldn't be too hard to modify the module for other frameworks. Basically, user forms get a hidden HTML field added with the generated token, and the session object gets the same token. When the form is submitted, the form-submitted token is compared to the token in the session object (which is on the server). If they don't match, a CSRF has likely occurred.
There is also a Catalyst plugin: Catalyst::Controller::RequestToken
These modules use attribute handlers so there is very little modification required to your existing app.
Upvotes: 10
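The hidden-field/session-token pattern this answer describes, written out as an added example in plain Perl with core modules only (not code from the answer or from the modules it names). The session is assumed to be a hash reference backed by server-side storage such as CGI::Session; here a plain hash stands in for it so the script runs on its own.

```perl
#!/usr/bin/perl
# Added example: generate a per-session CSRF token, emit it as a hidden form
# field, and verify the submitted copy against the server-side session copy.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module

# Read 32 random bytes from the OS and return them hex-encoded.
# Assumption: the server has /dev/urandom (any Unix host running Apache does).
sub new_csrf_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Store the token in the server-side session (creating it once per session)
# and return the hidden <input> to embed in every state-changing form.
# The token is hex only, so no HTML escaping is needed when interpolating it.
sub csrf_hidden_field {
    my ($session) = @_;
    $session->{csrf_token} ||= new_csrf_token();
    return qq{<input type="hidden" name="csrf_token" value="$session->{csrf_token}">};
}

# Compare the submitted token with the session token. Both are hashed first so
# the comparison always runs over fixed-length strings, and the XOR loop runs
# over every character regardless of where a mismatch occurs (constant time).
sub csrf_token_valid {
    my ($session, $submitted) = @_;
    return 0 unless defined $submitted && defined $session->{csrf_token};
    my $x = sha256_hex($submitted);
    my $y = sha256_hex($session->{csrf_token});
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Self-contained run: a hash stands in for the session object.
my %session;
print csrf_hidden_field(\%session), "\n";
print "genuine submit: ", (csrf_token_valid(\%session, $session{csrf_token}) ? "ok" : "rejected"), "\n";
print "forged submit:  ", (csrf_token_valid(\%session, 'constructed-wrong-value') ? "ok" : "rejected"), "\n";
```

In a real handler, call csrf_hidden_field when rendering the form and csrf_token_valid before acting on any POST, rejecting the request (HTTP 403) when it returns false.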