csrf vs testing


dal...@gmail.com

Nov 3, 2020, 9:55:14 AM11/3/20
to Mojolicious
This might be an obvious question, but I haven't found a good answer.

I'm rewriting our old web applications into Mojolicious. Goes just fine.

Might as well add CSRF protection (when exactly are CSRF tokens recommended?).

But then how do we test with CSRF protection (via $v = $v->csrf_protect; from Mojolicious::Validator::Validation) enabled?

So if for example I'm testing my editing mode and am using (data is 'good' data that validates if there is no CSRF protection)

$t->post_ok( $url, form => $data )

What exactly are we supposed to add to our tests such that we can test with csrf_protect?

/daleif
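One way to exercise csrf_protect from Test::Mojo, as an added example that is not code from this thread: the test user agent keeps the session cookie between requests, so the test fetches the form first, reads the token that csrf_field rendered, and sends it back with the POST. The /edit route, the title field and the %data hash are made up for the example.

```perl
use Mojolicious::Lite -signatures;
use Test::More;
use Test::Mojo;

# Hypothetical edit form: GET renders the form with a hidden CSRF field,
# POST validates the token before accepting the submitted data.
get '/edit' => sub ($c) {
  $c->render(inline => <<'EOT');
%= form_for '/edit' => (method => 'POST') => begin
  %= csrf_field
  %= text_field 'title'
  %= submit_button 'Save'
% end
EOT
};

post '/edit' => sub ($c) {
  my $v = $c->validation;
  # csrf_protect compares the csrf_token parameter with the token in the session
  return $c->render(text => 'Bad CSRF token!', status => 403)
    if $v->csrf_protect->has_error('csrf_token');
  $v->required('title');
  return $c->render(text => 'Invalid input', status => 400) if $v->has_error;
  $c->render(text => 'Saved: ' . $v->param('title'));
};

my $t    = Test::Mojo->new;
my %data = (title => 'Hello');    # constructed "good" data, as in the question

# Without a token, or with a wrong one, the POST must be rejected.
$t->post_ok('/edit' => form => \%data)->status_is(403);
$t->post_ok('/edit' => form => {%data, csrf_token => 'bogus'})->status_is(403);

# Fetch the form so the test UA gets the session cookie holding the token,
# then read the token out of the rendered hidden field.
$t->get_ok('/edit')->status_is(200);
my $token = $t->tx->res->dom->at('input[name=csrf_token]')->attr('value');
ok $token, 'CSRF token rendered into the form';

# The same "good" data now validates once the matching token is included.
$t->post_ok('/edit' => form => {%data, csrf_token => $token})
  ->status_is(200)->content_is('Saved: Hello');

done_testing;
```

Run it as a normal test script (prove -l t/csrf.t); the rejected requests double as a check that the protection is actually switched on.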

Sebastian Riedel

Nov 3, 2020, 12:09:56 PM11/3/20
to Mojolicious
These CSRF protection features are mostly legacy features these days for backwards compatibility. Now we have SameSite cookies, to which modern browsers default.

--
sebastian

Lars Madsen

Nov 5, 2020, 3:09:03 AM11/5/20
to mojol...@googlegroups.com
ahh, nice, thanks

--
You received this message because you are subscribed to a topic in the Google Groups "Mojolicious" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/mojolicious/Cngym3QNeQs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to mojolicious...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mojolicious/6cce769b-2b91-4532-aa01-cf5cc58a0d5bn%40googlegroups.com.

dc...@prosentient.com.au

Nov 5, 2020, 5:38:02 PM11/5/20
to mojol...@googlegroups.com
I think that most browsers default to SameSite=Lax (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite), so you could still do a CSRF attack via a GET request / top-level navigation, although that's only if you've coded your application to *do* things in a GET request.

If you explicitly use SameSite=Strict, then I suppose that CSRF protections could probably matter less. I hadn't actually thought about that until now. I wonder about CSRF attacks that don't require cookies. It's been a few months since I've chatted with security experts, but I think I was advised to ensure CSRF protection as well as secure strict cookies.

David Cook
Software Engineer
Prosentient Systems
72/330 Wattle St
Ultimo, NSW 2007
Australia

Office: 02 9212 0899
Online: 02 8005 0595
