Securing your Dancer app

keeping out the bad guys

Peter Mottram (SysPete) <>

Perl::Dancer Conference 2014, Hancock NY, 8th October 2014

About me

  • Currently living in Malta
  • 24 years UNIX & Linux
  • Network security, Perl, e-commerce
  • Interchange6 development team member

"slightly less than twice the size of Washington, DC"

© CIA World Fact Book

The Attackers are Winning

On the internet right now, the attacker has the advantage and will for the foreseeable future.

Bruce Schneier, AppSec USA, 18th September 2014

Three Important Trends in Information Security

  • We are losing control of our infrastructure
  • Attacks are getting more sophisticated
  • Increasing government involvement in cyberspace

Bruce Schneier, AppSec USA, 18th September 2014



Finding the right balance

  • Security requirements
  • Cost versus budget
  • Impact on users
  • Motivations of attacker


  • Disgruntled staff or developers
  • "Drive by" attacks: viruses, worms, trojans
  • Motivated criminal attackers: organised crime
  • Criminal attackers without motive against you
  • Script kiddies

Security Principles

  • Ethics in Secure Software Development
  • Insider Threats as the Weak Link
  • Assume the Network is Compromised
  • Minimize Attack Surface
  • Secure by Default
  • Defense in Depth
  • Principles for Reducing Exposure
  • The Insecure Bootstrapping Principle
  • Input Validation

Network security

(where did it all go wrong?)

Don't trust the network!

  • Eavesdropping
  • Tampering
  • Spoofing
  • Hijacking
  • Observing
  • Brute force

Reducing Exposure

  • Compartmentalisation
  • Least privilege
  • Minimise windows of vulnerability
  • Minimise windows of privilege
  • Privilege separation

Ten Most Critical Web Application Security Risks

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Known Vulnerable Components
  10. Unvalidated Redirects and Forwards

Source: OWASP

HTTP Headers

  • Strict-Transport-Security: max-age=16070400; includeSubDomains
    Enforces secure (HTTP over SSL/TLS) connections to the server.
  • X-Frame-Options: deny
    Provides clickjacking protection. May need tuning if frames/iframes are in use.
  • X-XSS-Protection: 1; mode=block
    XSS filtering by most modern browsers.

HTTP Headers

  • X-Content-Type-Options: nosniff
    Reduces exposure to drive-by download attacks on IE & Chrome.
  • Content-Security-Policy: default-src 'self'
    Helps protect against XSS and content injection. Needs very careful tuning.
  • Content-Security-Policy-Report-Only: default-src 'self'; report-uri
    Like Content-Security-Policy, but only reports violations instead of blocking.

Adding HTTP headers

nginx:

    add_header Strict-Transport-Security "max-age=16070400; includeSubDomains";

Apache:

    Header add Strict-Transport-Security "max-age=16070400;includeSubDomains"

Dancer config.yml, via Plack::Middleware::Headers:

    plack_middlewares:
      -
        - Headers
        - set
        - Strict-Transport-Security
        - "max-age=16070400;includeSubDomains"

Dancer config.yml, via Plack::Middleware::XSRFBlock (the cookie_options value is a hash, so it needs its own list item):

    plack_middlewares:
      -
        - XSRFBlock
        - cookie_name
        - MY-XSRF-Token
        - cookie_options
        -
          httponly: 1

See also Plack::Middleware::CSRFBlock
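As an added example that is not from the talk: a single-file Dancer 1 app that sets the headers from the slides above in an after hook and then checks them with Dancer::Test (the /csp-report route and the %SECURITY_HEADERS hash are my own names, not part of Dancer).

```perl
use strict;
use warnings;
use Dancer ':syntax';
use Dancer::Test;
use Test::More;

# The policy in one place. HSTS is only meaningful when served over HTTPS;
# CSP starts in Report-Only mode so a wrong policy reports instead of breaking the site.
my %SECURITY_HEADERS = (
    'Strict-Transport-Security'           => 'max-age=16070400; includeSubDomains',
    'X-Frame-Options'                     => 'deny',
    'X-XSS-Protection'                    => '1; mode=block',
    'X-Content-Type-Options'              => 'nosniff',
    'Content-Security-Policy-Report-Only' =>
        "default-src 'self'; report-uri /csp-report",
);

# Runs after every route, so each response leaves with the full header set.
hook after => sub {
    my $response = shift;
    for my $name ( sort keys %SECURITY_HEADERS ) {
        # Do not clobber a header that a route deliberately set differently.
        next if defined $response->header($name);
        $response->header( $name => $SECURITY_HEADERS{$name} );
    }
};

get '/' => sub { 'hello' };

# Hypothetical report endpoint: browsers POST a JSON violation report here
# while CSP is Report-Only; log it so the policy can be tuned before enforcing.
post '/csp-report' => sub {
    warning 'CSP violation: ' . request->body;
    status 204;
    return '';
};

# The check (cf. "Testing!!!"): a response must carry every header.
my $res = dancer_response( GET => '/' );
is( $res->status, 200, 'route answers' );
for my $name ( sort keys %SECURITY_HEADERS ) {
    is( $res->header($name), $SECURITY_HEADERS{$name}, "$name is set" );
}
done_testing;
```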


© xkcd


  • SQL & LDAP
  • mod_security
  • DBIx::Class

Escape HTML

  • protect against XSS
  • Dancer::Plugin::EscapeHTML

    plugins:
      EscapeHTML:
        automatic_escaping: 1
        exclude_pattern: '_html$'

Hide server tokens

nginx (more_set_headers needs the headers-more module):

    server_tokens off;
    more_set_headers 'Server: Teapot v12.16.1773';

Apache:

    ServerSignature Off
    ServerTokens Prod

Dancer config.yml (the default cookie name, dancer.session, reveals the framework):

    session_name: session

Input Validation

  • Use
  • Unit boundaries
  • Trust boundaries
  • Protocol parsing
  • Application entry points
  • Network

Input Validation

Other things

  • Testing!!!
  • Password security
  • Server security
  • POST request limits
  • Path traversal
  • Logging and notification
  • Side channel timing attacks
  • App::Cerberus
  • ...
