WWW::CSRF(3pm) | User Contributed Perl Documentation | WWW::CSRF(3pm) |
WWW::CSRF - Generate and check tokens to protect against CSRF attacks
use WWW::CSRF qw(generate_csrf_token check_csrf_token CSRF_OK);
Generate a token to add as a hidden <input> in all HTML forms:
my $csrf_token = generate_csrf_token($username, "s3kr1t");
Then, in any action with side effects, retrieve that form field and check it with:
my $status = check_csrf_token($username, "s3kr1t", $csrf_token);
die "Wrong CSRF token" unless ($status == CSRF_OK);
Copyright 2013 Steinar H. Gunderson.
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
This module generates tokens to help protect against a website attack known as Cross-Site Request Forgery (CSRF, also known as XSRF). CSRF is an attack where an attacker fools a browser into making a request to a web server for which that browser will automatically include some form of credentials (cookies, cached HTTP Basic authentication, etc.), thus abusing the web server's trust in the user for malicious ends.
The most common CSRF mitigation is to send a special, hard-to-guess token along with every page, and then to require that any request with side effects (i.e., one that is not a safe, read-only request) be accompanied by such a token. This mitigation depends critically on the fact that while an attacker can easily make the victim's browser issue a request, the browser security model (the same-origin policy, or SOP for short) prevents third-party sites from reading the response to that request, and thus from learning the token.
CSRF tokens should have at least the following properties:
WWW::CSRF simplifies the (simple, but tedious) work of creating and verifying such tokens.
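To make concrete what that "simple, but tedious" work involves, the following is an added illustration written for this page; it is not WWW::CSRF's own code, and its token layout ("issued_at,nonce,mac"), its status constants and its four-hour default lifetime are assumptions chosen for the example. It uses only core Perl modules (Digest::SHA) and /dev/urandom for the nonce.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical token layout used only for this illustration (it is NOT the
# format WWW::CSRF emits):
#   token = "<issued_at>,<nonce_hex>,<mac_hex>"
#   mac   = HMAC-SHA256(secret, id . "\0" . issued_at . "\0" . nonce)
# The decimal/hex alphabet keeps the token safe to drop into an HTML
# attribute without escaping.
use constant { TOK_OK => 0, TOK_MALFORMED => 1, TOK_BAD_MAC => 2, TOK_EXPIRED => 3 };

sub _nonce_hex {
    # Assumes a Unix-like host with /dev/urandom.
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close($fh);
    return unpack('H*', $bytes);
}

sub _mac {
    my ($id, $secret, $issued_at, $nonce) = @_;
    # NUL-delimiting the fields removes ambiguity between e.g. id "a1" + time
    # "2..." and id "a" + time "12...". Digest::SHA's argument order is (data, key).
    return hmac_sha256_hex(join("\0", $id, $issued_at, $nonce), $secret);
}

# Compare two strings without leaking, through timing, where they first
# differ. Perl has no core constant-time compare.
sub _ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub make_token {
    my ($id, $secret, %opt) = @_;
    my $issued_at = $opt{Time} // time();    # override exists only to exercise expiry below
    my $nonce     = _nonce_hex();
    return join(',', $issued_at, $nonce, _mac($id, $secret, $issued_at, $nonce));
}

sub verify_token {
    my ($id, $secret, $token, %opt) = @_;
    my $now     = $opt{Time}   // time();
    my $max_age = $opt{MaxAge} // 4 * 3600;  # assumed policy: tokens live four hours
    return TOK_MALFORMED
        unless defined $token && $token =~ /^([0-9]+),([0-9a-f]{32}),([0-9a-f]{64})\z/;
    my ($issued_at, $nonce, $mac) = ($1, $2, $3);
    # Verify the MAC before acting on any field: the client controls the whole string.
    return TOK_BAD_MAC unless _ct_eq($mac, _mac($id, $secret, $issued_at, $nonce));
    # Only now is issued_at trustworthy; reject future-dated and stale tokens.
    return TOK_EXPIRED if $issued_at > $now || $now - $issued_at > $max_age;
    return TOK_OK;
}

# Demonstration: each line reports whether the scheme behaved as the
# property in question requires.
sub expect {
    my ($label, $got, $want) = @_;
    printf "%-36s %s\n", $label, $got == $want ? "as expected" : "UNEXPECTED (status $got)";
}

my $secret = 's3kr1t';
my $token  = make_token('alice', $secret);
expect('alice, correct secret',     verify_token('alice', $secret, $token),        TOK_OK);
expect('same token submitted as bob', verify_token('bob',   $secret, $token),      TOK_BAD_MAC);
expect('wrong server secret',       verify_token('alice', 'guess',  $token),       TOK_BAD_MAC);
(my $tampered = $token) =~ s/^[0-9]+/0/;
expect('timestamp field rewritten', verify_token('alice', $secret, $tampered),     TOK_BAD_MAC);
my $stale = make_token('alice', $secret, Time => time() - 5 * 3600);
expect('five-hour-old token',       verify_token('alice', $secret, $stale),        TOK_EXPIRED);
expect('garbage string',            verify_token('alice', $secret, 'not-a-token'), TOK_MALFORMED);
```

The order of checks in verify_token is the part worth copying: parse strictly, verify the MAC, and only then read the timestamp out of the token. Binding the identity into the MAC input is what stops a token issued to one logged-in user from being submitted on behalf of another.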
Note that resources that are protected against CSRF should also be protected against a different attack known as clickjacking. There are many defenses against clickjacking (which ideally should be combined), but a good start is sending an "X-Frame-Options" HTTP header set to "DENY" or "SAMEORIGIN". Browsers that support Content Security Policy also honour its "frame-ancestors" directive, which takes precedence over "X-Frame-Options" when both are present and allows finer-grained origin lists. See the Wikipedia article on clickjacking <http://en.wikipedia.org/wiki/Clickjacking> for more information.
This module provides the following functions:
$id is the identity you wish to authenticate; usually, this would be a user name of some sort.
$secret is the secret key authenticating the token. This should be protected in the same manner you would protect other server-side secrets, e.g. database passwords; if it leaks, an attacker can forge valid CSRF tokens at will.
The keys in %options are relatively esoteric and need generally not be set, but currently supported are:
The returned CSRF token is in a text-only form suitable for inserting into an HTML form without further escaping (assuming you did not pass strange values in the "Time" option).
This routine returns one of the following constants:
In general, you should only allow the requested action if "check_csrf_token" returns "CSRF_OK".
Note that you are allowed to call "check_csrf_token" multiple times with e.g. different secrets. This is useful in the case of key rollover, where you change the secret for new tokens, but want to continue accepting old tokens for some time to avoid disrupting operations.
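The following is an added example, written for this page rather than taken from the module, showing the documented calls in a request handler with exactly that rollover pattern. The request object, the route, the secret list and the response tuple are constructed stand-ins for whatever framework is in use; only generate_csrf_token, check_csrf_token and CSRF_OK come from WWW::CSRF.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use WWW::CSRF qw(generate_csrf_token check_csrf_token CSRF_OK);

# Secrets, newest first. During rollover the retired secret stays in the list
# for a while so tokens issued before the rotation are still accepted.
# (Assumed deployment detail: load these from a secret store, not source.)
my @SECRETS = ('n3w-s3kr1t', 's3kr1t');

# New tokens are always minted under the current secret.
sub issue_token {
    my ($username) = @_;
    return generate_csrf_token($username, $SECRETS[0]);
}

# A token is accepted if it verifies under any configured secret. Anything
# other than CSRF_OK from every secret is a rejection, as the docs require.
sub token_is_valid {
    my ($username, $token) = @_;
    return 0 unless defined $token;
    for my $secret (@SECRETS) {
        return 1 if check_csrf_token($username, $secret, $token) == CSRF_OK;
    }
    return 0;
}

sub render_form {
    my ($username) = @_;
    my $token = issue_token($username);
    # The token is text-safe per the documentation; anything else you put in
    # the page (the username, for instance) still needs HTML escaping.
    return <<"HTML";
<form method="POST" action="/delete-account">
  <input type="hidden" name="csrf_token" value="$token">
  <button type="submit">Delete my account</button>
</form>
HTML
}

# $req is a constructed stand-in for a framework request:
# { method => 'POST', user => 'alice', params => { csrf_token => '...' } }
# The handler returns [status, body].
sub handle_request {
    my ($req) = @_;
    my $user = $req->{user} // return [401, 'not logged in'];
    # Safe (read-only) requests carry no token; the SOP keeps an attacker
    # from reading the form, and with it the token, out of the response.
    return [200, render_form($user)] if $req->{method} eq 'GET';
    # Every request with side effects must present a valid token.
    return [403, 'Wrong CSRF token']
        unless token_is_valid($user, $req->{params}{csrf_token});
    return [200, "account of $user deleted"];
}

# Demonstration with constructed requests: fetch the form as alice, pull the
# token out of it, then replay it in several ways.
my $form = handle_request({ method => 'GET', user => 'alice', params => {} });
my ($token) = $form->[1] =~ /name="csrf_token" value="([^"]+)"/;

for my $case (
    ['valid token, same user',                 'alice', $token],
    ['alice\'s token submitted as bob',        'bob',   $token],
    ['token minted under the retired secret',  'alice', generate_csrf_token('alice', $SECRETS[1])],
    ['no token at all',                        'alice', undef],
) {
    my ($label, $user, $tok) = @$case;
    my $res = handle_request({ method => 'POST', user => $user, params => { csrf_token => $tok } });
    printf "%-40s -> %d %s\n", $label, $res->[0], $res->[1];
}
```

Two practical points follow from the loop in token_is_valid: keep the retired secret only for as long as the longest token lifetime you accept, then drop it, and make sure the rotation order is current-first so the common case does a single check.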
Wikipedia has an article with more information on CSRF:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
2013-11-23 | perl v5.18.1 |