Difference between revisions of "Perl"

From OWASP
m
(linking to the OWASP ESAPI project for Perl)
 
(7 intermediate revisions by 2 users not shown)
Line 14: Line 14:
 
== Perl resources  ==
 
== Perl resources  ==
  
 +
#[[OWASP ESAPI Perl Project]] has been started.
 
#Perl [http://perldoc.perl.org/perlsec.html security] man page  
 
#Perl [http://perldoc.perl.org/perlsec.html security] man page  
 
#[http://perlmonks.org Perl Monks]  
 
#[http://perlmonks.org Perl Monks]  
Line 19: Line 20:
  
 
== Perl modules  ==
 
== Perl modules  ==
 +
An attempt to list and classify perl modules related to web security. This should lead on to discussion of vulnerabilities.
  
 
=== Web frameworks  ===
 
=== Web frameworks  ===
Line 38: Line 40:
 
|-
 
|-
 
| [http://cgi-app.org/ CGI::Application]  
 
| [http://cgi-app.org/ CGI::Application]  
| [http://search.cpan.org/perldoc?CGI::Application::Plugin::Authentication CGI::Application::Plugin::Authentication<br>]  
+
| [http://search.cpan.org/perldoc?CGI::Application::Plugin::Authentication CGI::Application::Plugin::Authentication]  
| [http://search.cpan.org/perldoc?CGI::Application::Plugin::Authorization CGI::Application::Plugin::Authorization]<br>
+
| [http://search.cpan.org/perldoc?CGI::Application::Plugin::Authorization CGI::Application::Plugin::Authorization]  
 
| Not a very coherent framework, multiple authors
 
| Not a very coherent framework, multiple authors
 
|-
 
|-
 
| [http://jifty.org/view/HomePage Jifty]  
 
| [http://jifty.org/view/HomePage Jifty]  
| <br>
+
| [http://search.cpan.org/~alexmv/Jifty-0.91117/lib/Jifty/Plugin/Authentication/Password.pm Jifty::Plugin::Authentication]
| <br>
+
| n/a
| <br>
+
| ?
 
|-
 
|-
 
| [http://mojolicious.org/ Mojolicious]  
 
| [http://mojolicious.org/ Mojolicious]  
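Review bot: in the Jifty row, the new authentication cell is labelled Jifty::Plugin::Authentication but links to `~alexmv/Jifty-0.91117/lib/Jifty/Plugin/Authentication/Password.pm`, so the label and target name different modules and the URL is pinned to one release under an author path. Suggest the `search.cpan.org/perldoc?Module::Name` form that the CGI::Application row uses, with the label matching the module actually linked. The Comments cell is a bare `?`; state what is unknown there so the next editor knows what to fill in.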
Line 68: Line 70:
 
I am not aware of anything generic.  
 
I am not aware of anything generic.  
  
=== HTML validation  ===
+
=== HTML validation/cleanup ===
  
 
Anything similar to [[AntiSamy]] should go here.  
 
Anything similar to [[AntiSamy]] should go here.  
  
 
[http://search.cpan.org/perldoc?HTML::Scrubber HTML::Scrubber]  
 
[http://search.cpan.org/perldoc?HTML::Scrubber HTML::Scrubber]  
 +
 +
There is a discussion on this subject going on at [http://perlmonks.org/?node_id=861639 PerlMonks:Dynamic HTML cleanup].
 +
 +
  
 
=== Password strength  ===
 
=== Password strength  ===
  
 
[http://search.cpan.org/perldoc?Data::Password::Entropy Data::Password::Entropy]<br>
 
[http://search.cpan.org/perldoc?Data::Password::Entropy Data::Password::Entropy]<br>
 +
 +
=== CAPTCHA alternatives ===
 +
These are attempts to distinguish human and robot users. CAPTCHA is not perfect at this and is highly inaccessible.
 +
 +
[http://search.cpan.org/~lushe/Authen-Quiz-0.05/lib/Authen/Quiz.pm Authen::Quiz]<br>
 +
 +
[[Category:Language]]
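Review bot: renaming the heading from `=== HTML validation  ===` to `=== HTML validation/cleanup ===` changes the section anchor, so existing links to the old section name will stop resolving; check inbound links before renaming. In the same hunk the Authen::Quiz link is pinned to `Authen-Quiz-0.05` under an author path, unlike the `perldoc?` links used for HTML::Scrubber and Data::Password::Entropy, and would be better written in that form.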

Latest revision as of 22:44, 9 September 2011

This page should collect together any resources relating to Perl and OWASP or security in general.

It is perhaps odd that this page is so new:

  1. Perl has long been an open source language and often associated with the internet.
  2. It offers what seems to be a much under-used method of combating many sorts of exploit, namely taint mode. This forces every "input" to the program to be checked for malign influences before it is allowed to affect the "outside" of the program.

Possible Perl OWASP projects

  1. Perl ports of multi-language OWASP projects, for example AntiSamy.
  2. Review of CPAN modules according to OWASP standards, for example CGI::Application::Plugin::Authentication.
  3. A Perl module to measure the strength of passwords.

Perl resources

  1. OWASP ESAPI Perl Project has been started.
  2. Perl security man page
  3. Perl Monks
  4. Security Issues in Perl Scripts by Jordan Dimov

Perl modules

An attempt to list and classify Perl modules related to web security. This should lead on to discussion of vulnerabilities.

Web frameworks

Authentication modules will often be framework specific so let's list those.

Perl web frameworks and their security mechanisms
| Framework | Authentication | Authorization | Comments |
|---|---|---|---|
| Catalyst | Catalyst::Plugin::Authentication | The same module also covers authorization via the concept of realms. | Catalyst seems to have issues with taint mode. |
| CGI::Application | CGI::Application::Plugin::Authentication | CGI::Application::Plugin::Authorization | Not a very coherent framework, multiple authors |
| Jifty | Jifty::Plugin::Authentication | n/a | ? |
| Mojolicious | | | |
| Dancer | | | |

Authentication

A lot of generic authentication modules can be found on CPAN.

Also HTTPD::User::Manage.

Authorization

I am not aware of anything generic.

HTML validation/cleanup

Anything similar to AntiSamy should go here.

HTML::Scrubber

There is a discussion on this subject going on at PerlMonks:Dynamic HTML cleanup.


Password strength

Data::Password::Entropy

CAPTCHA alternatives

These are attempts to distinguish human and robot users. CAPTCHA is not perfect at this and is highly inaccessible.

Authen::Quiz