NAME
Mojolicious::Plugin::FormTamperingProtector - Detect tampering of HTML form submissions with auto-generated validation rules
SYNOPSIS
plugin form_tampering_protector => {
    namespace => 'form_tampering_protector',
    action    => ['/receptor1'],
    blackhole => sub {
        my ($c, $error) = @_;
        # app->log is the Mojo::Log object, so the message must go through
        # one of its level methods rather than being passed to app->log itself
        $c->app->log->error($error);
        $c->render(text => 'An error occurred', status => 400);
    },
};
DESCRIPTION
This software is considered to be alpha quality and isn't recommended for regular usage.
Mojolicious::Plugin::FormTamperingProtector is a Mojolicious plugin that validates POST data against validation rules generated automatically from the original forms. It analyzes the HTML forms before they are sent to the client, generates a schema describing each form, and injects that schema into the form as a hidden field, so that the plugin can recover the schema and check the submitted data when the POST request comes back.
The plugin currently detects the following kinds of tampering.
- Unknown form fields.
Every field name (the name attribute) that appears in the original form is whitelisted, so any field injected into the POST data that was not present in the form is blocked.
- Unknown values of selectable fields.
The selectable values of checkboxes, radio buttons and select options are whitelisted, and any value outside that set is blocked.
The plugin also accounts for the characteristics of each input type: an unchecked checkbox does not appear in the submitted data at all (so it is not required), a radio group that has a default checked option cannot be submitted empty (not null), and so on.
- Hidden field tampering.
An input of type hidden cannot be omitted (it is required) and its value is fixed to the single value in the original form; any submitted value that does not match the schema is blocked.
- Values against maxlength attributes.
Values that exceed the maxlength attribute of their field are blocked.
- HTML5 validation attributes.
HTML5 supports validation attributes such as [required], [pattern=*], [type=number], [min=*] and [max=*]. The plugin detects them and blocks submissions that violate them. Note that these attributes are only ever enforced client-side by the browser, so a server-side check like this is the only one an attacker cannot bypass.
- CSRF.
The injected hidden field carries a token that is bound to the session (see the $token_key and $session_id arguments of inject below), so a cross-site request that lacks a valid token for the session is rejected as CSRF.
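To make the schema-and-whitelist idea above concrete, here is an added, stand-alone example that is not the plugin's own code. It uses Mojo::DOM (part of Mojolicious) to derive a per-field whitelist from a constructed sample form, then checks two submitted parameter hashes against it, one a genuine browser submission and one tampered. The function names build_schema and validate, the sample form and the submissions are all assumptions made for this example; the real plugin serializes its schema into a hidden field and checks it on the way back, which this example skips.

```perl
#!/usr/bin/env perl
# Added example, not the plugin's own code: derive a whitelist schema from an
# HTML form with Mojo::DOM and validate a submitted parameter hash against it.
# build_schema() and validate() are hypothetical names; the form and the
# submissions below are constructed for this example.
use strict;
use warnings;
use Mojo::DOM;

# Constructed sample form (not taken from the original page).
my $html = <<'HTML';
<form action="/receptor1" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="text" name="nickname" maxlength="8" required>
  <input type="number" name="qty" min="1" max="5">
  <input type="checkbox" name="agree" value="yes">
  <input type="radio" name="color" value="red" checked>
  <input type="radio" name="color" value="blue">
  <select name="size"><option value="S">S</option><option value="M">M</option></select>
</form>
HTML

# Walk the form's controls and record, per field name, what a genuine
# browser submission could contain.
sub build_schema {
    my ($form) = @_;
    my %schema;
    for my $e ($form->find('input, select, textarea')->each) {
        my $name = $e->attr('name') // next;
        my $f = $schema{$name} //= { options => undef, required => 0 };
        my $type = lc($e->tag eq 'input' ? ($e->attr('type') // 'text') : $e->tag);
        if ($type eq 'hidden') {
            # A hidden field is always sent and has exactly one legal value.
            $f->{required} = 1;
            $f->{options}  = { ($e->attr('value') // '') => 1 };
        }
        elsif ($type eq 'checkbox' || $type eq 'radio') {
            # Selectable values are whitelisted; an unchecked checkbox is simply
            # absent, while a radio group with a default checked option must
            # arrive non-empty.  Boolean attributes parse as undef, so test exists.
            $f->{options}{ $e->attr('value') // 'on' } = 1;
            $f->{required} = 1 if $type eq 'radio' && exists $e->attr->{checked};
        }
        elsif ($type eq 'select') {
            $f->{options}{ $_->attr('value') // $_->text } = 1 for $e->find('option')->each;
        }
        else {
            # Free-text controls: honour the HTML5 validation attributes.
            $f->{required}  = 1 if exists $e->attr->{required};
            $f->{maxlength} = $e->attr('maxlength') if defined $e->attr('maxlength');
            $f->{pattern}   = $e->attr('pattern')   if defined $e->attr('pattern');
            if ($type eq 'number') {
                $f->{number} = 1;
                $f->{min} = $e->attr('min') if defined $e->attr('min');
                $f->{max} = $e->attr('max') if defined $e->attr('max');
            }
        }
    }
    return \%schema;
}

# Return the list of violations; an empty list means the submission is
# consistent with the form it was generated from.  $params maps each field
# name to an array ref of submitted values, as a multi-valued query would.
sub validate {
    my ($schema, $params) = @_;
    my @errors;
    push @errors, "unknown field '$_'" for grep { !exists $schema->{$_} } sort keys %$params;
    for my $name (sort keys %$schema) {
        my $f = $schema->{$name};
        my @vals = exists $params->{$name} ? @{ $params->{$name} } : ();
        push @errors, "missing required field '$name'" if $f->{required} && !@vals;
        for my $v (@vals) {
            push @errors, "'$name' has unknown value '$v'"
                if $f->{options} && !$f->{options}{$v};
            push @errors, "'$name' exceeds maxlength $f->{maxlength}"
                if defined $f->{maxlength} && length($v) > $f->{maxlength};
            push @errors, "'$name' does not match pattern"
                if defined $f->{pattern} && $v !~ /\A(?:$f->{pattern})\z/;
            if ($f->{number}) {
                if ($v !~ /\A-?\d+(?:\.\d+)?\z/) { push @errors, "'$name' is not a number"; next }
                push @errors, "'$name' below min $f->{min}" if defined $f->{min} && $v < $f->{min};
                push @errors, "'$name' above max $f->{max}" if defined $f->{max} && $v > $f->{max};
            }
        }
    }
    return @errors;
}

my $schema = build_schema(Mojo::DOM->new($html)->at('form'));

# A submission a real browser could produce from the form above: no violations.
my @ok = validate($schema, { item_id => ['42'], nickname => ['bob'], qty => ['2'],
                             color => ['red'], size => ['M'] });
# A tampered submission: hidden id changed, extra field injected, forged radio
# and select values, maxlength and max exceeded.
my @bad = validate($schema, { item_id => ['43'], nickname => ['x' x 20], qty => ['9'],
                              color => ['green'], size => ['XL'], is_admin => ['1'] });
print "genuine:  ", (@ok ? join("; ", @ok) : "no violations"), "\n";
print "tampered:\n  ", join("\n  ", @bad), "\n";
```

Run it with `perl example.pl` on a host that has Mojolicious installed. The important design point is that the schema is derived from the markup the server itself emitted, so the server never has to trust anything the client says about which fields and values are legitimate; the only thing the real plugin must additionally protect is the serialized schema it hands to the client, which is why it is bound to the session token.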
EXAMPLE
Run t/test_app.pl and try to attack the forms.
./t/test_app.pl daemon
CLASS METHODS
inject
Generates a schema string describing the structure of each form in the Mojo response and injects it into that form as a hidden field. Only forms whose action matches one of the listed paths are processed, and the injected token is derived from $token_key and $session_id so that it is bound to the current session.
    my $injected = inject($html, $charset,
        ['/path1', '/path2'], $token_key, $session_id);
AUTHOR
Sugama Keita, <sugama@jamadam.com>
COPYRIGHT AND LICENSE
Copyright (C) Sugama Keita.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.