How to Prevent Cross-Site Request Forgery Attack?

We ran Burp Suite on our product and found some security vulnerabilities. The tool detected some CGI files that are vulnerable to Cross-Site Request Forgery (CSRF) attacks.

As usual, I searched for a CSRF protection module on CPAN and found CGI::Application::Plugin::ProtectCSRF.

I'm wondering how I can integrate this module into our application in a generalized way. The documentation is not clear to me. How do I configure this module and make minimal changes to make sure the whole application is secured against CSRF?

I also came across mod_csrf (an Apache module to prevent CSRF). Is installing this module and setting the directives below in the Apache configuration file enough to prevent CSRF?

<VirtualHost>
    CSRF_Enable on
    CSRF_Action deny
    CSRF_EnableReferer off
</VirtualHost>
Chankey Pathak asked Oct 19 '22 02:10


1 Answer

I can understand that you found the documentation for CGI::Application::Plugin::ProtectCSRF unclear: it is a little impregnable.

All that the Perl module appears to do is add a hidden field to each HTML form with the name _csrf_id and a random value derived from various sources and encoded through SHA1. The protection comes when the response from the client requires that the same value be returned to the server.

It is quite nicely coded, but it uses custom subroutine attributes, and the documentation for the attributes pragma says this:

WARNING: the mechanisms described here are still experimental. Do not rely on the current implementation.

I cannot tell from my quick review whether the subroutine prototypes are essential to the module, but I recommend that you use the Apache mod_csrf module instead, which is likely to be more thoroughly tested than the Perl module, and has proper documentation.

Borodin answered Oct 21 '22 00:10
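The mechanism the answer describes (a per-session secret emitted as a hidden _csrf_id field and required back on every state-changing request) is the synchronizer-token pattern, and it is the same idea behind mod_csrf. The following is an added, self-contained Python sketch of that pattern written for this page; it is not code from CGI::Application::Plugin::ProtectCSRF, from mod_csrf, or from the question's application. The field name _csrf_id is taken from the answer; the session dictionary, the one-hour lifetime, the form action path and the helper names are assumptions made for the illustration. It uses a CSPRNG token and a constant-time comparison rather than SHA1 over mixed inputs.

```python
"""Synchronizer-token CSRF protection, illustrated outside any framework.

Assumptions (not from the original page): the session is a plain dict that
the server already stores per user (e.g. in a cookie-keyed session store),
tokens live one hour, and the form posts to /cgi-bin/transfer.cgi.
"""
import hmac
import re
import secrets
import time
from html import escape

CSRF_FIELD = "_csrf_id"   # hidden-field name used by CGI::Application::Plugin::ProtectCSRF
TOKEN_TTL = 3600          # assumed lifetime in seconds; shorter is stricter
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session: dict) -> str:
    """Return the session's CSRF secret, minting a fresh one if absent or stale."""
    tok = session.get("csrf_token")
    if tok is None or time.time() - session.get("csrf_issued", 0.0) > TOKEN_TTL:
        tok = secrets.token_hex(32)          # 256 bits from the OS CSPRNG
        session["csrf_token"] = tok
        session["csrf_issued"] = time.time()
    return tok


def render_form(session: dict, action: str = "/cgi-bin/transfer.cgi") -> str:
    """Emit the form with the token in a hidden field, exactly as the module does."""
    tok = issue_token(session)
    return (
        f'<form method="POST" action="{escape(action)}">\n'
        f'  <input type="hidden" name="{CSRF_FIELD}" value="{escape(tok)}">\n'
        '  <input name="amount"><button>Send</button>\n'
        "</form>"
    )


def token_from_html(html: str) -> str:
    """What the user's own browser does: carry the hidden value back on submit."""
    m = re.search(rf'name="{CSRF_FIELD}" value="([0-9a-f]+)"', html)
    return m.group(1) if m else ""


def check_csrf(session: dict, method: str, form: dict) -> tuple[bool, str]:
    """Gate every state-changing request. Returns (allowed, reason).

    Safe methods are exempted, so handlers that change state must never be
    reachable via GET; otherwise this check can be bypassed by an <img> tag.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    expected = session.get("csrf_token")
    if not expected:
        return False, "no token issued for this session"
    if time.time() - session.get("csrf_issued", 0.0) > TOKEN_TTL:
        return False, "token expired"
    supplied = form.get(CSRF_FIELD, "")
    # Constant-time compare: a forged page cannot read the token (same-origin
    # policy), so it can only guess, and timing must not help the guess.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "token missing or mismatched"
    return True, "ok"


def demo() -> dict:
    """Legitimate submission versus three forged ones (constructed scenarios)."""
    victim = {}                                   # victim's server-side session
    html = render_form(victim)                    # victim loads the real form
    legit = {CSRF_FIELD: token_from_html(html), "amount": "10"}
    forged_no_token = {"amount": "10"}            # attacker's auto-submitting form
    forged_guess = {CSRF_FIELD: "0" * 64, "amount": "10"}
    attacker_session = {}
    render_form(attacker_session)                 # attacker's own token...
    forged_own_token = {CSRF_FIELD: attacker_session["csrf_token"], "amount": "10"}
    return {
        "legit": check_csrf(victim, "POST", legit),
        "no_token": check_csrf(victim, "POST", forged_no_token),
        "guessed": check_csrf(victim, "POST", forged_guess),
        "other_session": check_csrf(victim, "POST", forged_own_token),  # ...is bound to their session
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

Two points worth carrying over to whichever module is chosen: the token is useless unless it is bound to the session (an attacker can always obtain a token for a session of their own), and the check only helps on requests the handler actually gates, so any CGI that changes state in response to a GET has to be fixed first.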