NAME

Mojolicious::Plugin::FormTamperingProtector - FormTamperingProtector

SYNOPSIS

plugin form_tampering_protector => {
    namespace => 'form_tampering_protector',
    action => ['/receptor1'],
    blackhole => sub {
        my ($c, $error) = @_;
        app->log($error);
        $c->res->code(400);
        $c->render(text => 'An error occured');
    },
};

DESCRIPTION

This software is considered to be alpha quality and isn't recommended for regular usage.

Mojolicious::Plugin::FormTamperingProtector is a Mojolicious plugin for validating post data with auto-generated validation rules out of original forms. It analizes the HTML forms before sending them to client, generate the schema, inject it into original forms within a hidden fields so the plugin can detect the schema when a post request comes.

The plugin detects following error for now.

Unknown form fields.

The form fields represented by name attribute are all white listed and post data injected unknown fields are blocked.

Unknown values of selectable fields.

Selectable values of checkboxes, radio buttons and select options are white listed and unknow values are blocked.

The plugin also detects characteristics of tag types. Such as unchecked checkboxes don't appear to data(not required), radio buttons can't be null only when default value is offered(not null), and so on.

Hidden field tamperings.

Hidden typed input can't be ommited(required) and the value takes only one option. the plugin blocks values against the schema.

Values against maxlength attributes.

Values violating of maxlength are blocked.

HTML5 validation attributes

HTML5 supports some validation attributes such as [required], [pattern=*], [type=number], [min=*], [max=*]. The plugin detects them and block violations.

CSRF

This also detects CSRF.

EXAMPLE

Run t/test_app.pl and try to attack the forms.

./t/test_app.pl daemon

CLASS METHODS

inject

Generates a schema strings of form structure for each forms in mojo response and inject them into itself.

my $injected = inject($html, $charset,
                            ['/path1', '/path2'], $token_key, $session_id);

AUTHOR

Sugama Keita, <sugama@jamadam.com>

COPYRIGHT AND LICENSE

Copyright (C) Sugama Keita.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.