
Break-Ins Resulting from Weak CGI Scripts


• One of the most common methods of hacking a Web site is to find and use poorly written CGI scripts. Through a weak CGI script, an attacker may be able to acquire information about a site, access directories and files that would not normally be visible or downloadable, and perform various other unwanted and unexpected actions.

• It is important to ensure that the form used to collect data from users is compatible with the CGI script, and that the script does not rely on the form to enforce anything: a request can be submitted directly, without ever loading the form.

• Your code should analyze the data it receives and provide error-handling code to deal with problems. Error handling deals with improper or unexpected data passed to the CGI script. It allows you to return messages informing the user that certain fields haven't been filled out, or to ignore certain data.

• Wrapper programs and scripts can be used to enhance security when using CGI scripts. They can provide security checks, control ownership of a CGI process, and allow users to run the scripts without compromising your Web server's security.

Languages for Writing CGI Scripts

• A compiled CGI program would be written in a language like C, C++, or Visual Basic. With this type of program, the source code must first be run through a compiler. The compiler converts the source code into machine language that the computer on which the program runs can understand. Once compiled, the program can be executed.

• An interpreted language combines compilation and execution. When a user requests a script's functionality, it is run through a program called an interpreter, which compiles it and executes it. For example, a Perl script is compiled every time it is executed.

• One issue with Unix shell programs is that you are more limited in controlling user input and other security issues than in other languages: the shell treats characters such as semicolons, pipes and backticks in the data it handles as command syntax, so user data can easily turn into commands.

• Perl has become a common method of creating CGI scripts. While a good choice for new programmers, it should not be mistaken for a poor choice for complex programs. One problem with Perl is that, because it is interpreted, it is compiled and executed as one step each time the program is called. For this reason, there is a greater possibility that bad data submitted by a user will end up being treated as code, for example when it is passed to a shell through system() or open().

• C and C++ are another option. A common problem that occurs when Internet programs are created with C or C++ is buffer overflows. One way to reduce this problem is to use the MAXLENGTH attribute on any text fields used on a form. This limits the amount of data a user can enter through normal means only; an attacker can submit a longer value directly, so the program itself must still check the length of every value before copying it into a fixed-size buffer.
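The buffer-overflow point above, as an added example (not code from the book): a C CGI handler that reads a "name" field from QUERY_STRING. greet_unsafe() is the pattern the text warns about, trusting the form's MAXLENGTH and copying with strcpy(); query_get() and greet_safe() bound the decoded value by the destination buffer and reject anything that does not fit, is malformed, or contains characters outside a small whitelist. The field name, the 32-character limit and the whitelist are assumptions for the example.

```c
/* Added example, not from the book: bounded CGI query-string handling in C.
 * Field name "name", NAME_MAX_LEN and the character whitelist are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* mirrors an assumed MAXLENGTH=32 on the form */

/* VULNERABLE: trusts the form's MAXLENGTH. A hand-crafted request with a
 * longer "name" value overruns buf. Shown for contrast; never called here. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX_LEN + 1];
    strcpy(buf, name);   /* no length check */
    printf("Content-Type: text/plain\r\n\r\nHello, %s\n", buf);
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Find key in a "k=v&k2=v2" query string and %-decode its value into out.
 * Returns 0 on success, -1 if the key is absent, -2 if the decoded value
 * would not fit in outlen bytes (including the NUL) or has a bad %XX escape.
 * The bound comes from the destination buffer, never from the client. */
int query_get(const char *qs, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = qs;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1, *vend = p + plen;
            size_t n = 0;
            while (v < vend) {
                int c, hi, lo;
                if (*v == '%') {
                    if (vend - v < 3 || (hi = hexval(v[1])) < 0 ||
                        (lo = hexval(v[2])) < 0)
                        return -2;           /* malformed escape */
                    c = hi * 16 + lo;
                    v += 3;
                } else if (*v == '+') {
                    c = ' ';
                    v++;
                } else {
                    c = (unsigned char)*v++;
                }
                if (n + 1 >= outlen) return -2;  /* would not fit with NUL */
                out[n++] = (char)c;
            }
            out[n] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Hardened handler. Writes the reply text into reply and returns 0, or a
 * non-zero code (1 missing, 2 too long/malformed, 3 disallowed characters)
 * that the caller maps to an error response. */
int greet_safe(const char *qs, char *reply, size_t replylen)
{
    char name[NAME_MAX_LEN + 1];
    int rc = query_get(qs, "name", name, sizeof name);
    if (rc == -1) { snprintf(reply, replylen, "error: name is required"); return 1; }
    if (rc == -2) { snprintf(reply, replylen, "error: name too long or malformed"); return 2; }
    for (const char *c = name; *c; c++)
        if (!isalpha((unsigned char)*c) && *c != ' ' && *c != '-') {
            snprintf(reply, replylen, "error: name contains disallowed characters");
            return 3;
        }
    snprintf(reply, replylen, "Hello, %s", name);
    return 0;
}

int main(void)
{
    const char *qs = getenv("QUERY_STRING");
    char reply[128];
    int rc = greet_safe(qs ? qs : "", reply, sizeof reply);
    printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n",
           rc ? "400 Bad Request" : "200 OK", reply);
    return 0;
}
```

Run it under any CGI-capable server, or locally with QUERY_STRING="name=Ann%20Lee" ./greet; a 50-character name or a value such as "Ann;rm" is refused before it reaches any buffer or shell.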

Advantages of Using CGI Scripts

• CGI is beneficial because all code is run on the server. JavaScript, ActiveX components, Java applets, and other client-side scripts and programs all run on the user's computer. Anyone can read that code, and adept hackers can alter or bypass it and use what it reveals to attack your site.

• With CGI, you can protect yourself by controlling permissions to various directories, hiding code within compiled programs, and other methods.

Rules for Writing Secure CGI Scripts

• Limit user interaction.

• Don't trust input from users.

• Don't use GET to send sensitive data.

• Never include sensitive information in a script.

• Never give more access than is absolutely necessary.

• Program on a computer other than the Web server, and ensure that temporary files and backup files of your scripts are removed from the server before your site goes live.

• Double-check the source code of any third-party CGI programs.

• Test your CGI script or program.
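Two of the rules above in working code, as an added example that is not from the book: read_post_body() takes the request body the way a CGI program does (length from CONTENT_LENGTH, bytes from standard input), which is the channel to use for sensitive data instead of GET, but caps the size itself rather than trusting the client's header; safe_doc_path() turns a user-supplied document name into a path under a single directory and refuses anything that could point the script at other files, which is the "access directories and files you wouldn't normally be able to see" problem from the summary. The document directory, the 4096-byte cap and the name rules are assumptions for the example.

```c
/* Added example, not from the book: bounded POST body and a whitelisted file
 * path for a CGI program in C. DOC_ROOT, BODY_CAP and the name rules are
 * assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_CAP 4096               /* largest body this script will accept */
#define DOC_ROOT "/var/www/docs"    /* assumed directory the script may serve */

/* Reads a POST body into buf (NUL-terminated). Returns the byte count, or -1
 * if CONTENT_LENGTH is missing, not a plain number, too large for cap, or
 * the stream ends early. The client's header is checked against our cap;
 * it never sizes the buffer. */
long read_post_body(FILE *in, const char *content_length, char *buf, size_t cap)
{
    char *endp;
    if (!content_length || !*content_length) return -1;
    long len = strtol(content_length, &endp, 10);
    if (*endp != '\0' || len < 0 || (size_t)len >= cap) return -1;
    size_t got = fread(buf, 1, (size_t)len, in);
    if (got != (size_t)len) return -1;
    buf[got] = '\0';
    return (long)got;
}

/* Builds "DOC_ROOT/<name>" into out. Accepts only names of letters, digits,
 * '_' and '-' with at most one '.' that is neither first nor last; rejects
 * '/', "..", hidden files and empty or oversized names, so the client cannot
 * reach outside DOC_ROOT. Returns 0 on success, -1 on rejection. */
int safe_doc_path(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);
    int dots = 0;
    if (n == 0 || n > 64 || name[0] == '.' || name[n - 1] == '.') return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') { if (++dots > 1) return -1; continue; }
        if (!isalnum(c) && c != '_' && c != '-') return -1;
    }
    int w = snprintf(out, outlen, "%s/%s", DOC_ROOT, name);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void)
{
    char body[BODY_CAP], path[256];
    long n = read_post_body(stdin, getenv("CONTENT_LENGTH"), body, sizeof body);
    /* A real script would parse the body for a field; this example assumes
     * the whole body is the requested document name. */
    if (n < 0 || safe_doc_path(body, path, sizeof path) != 0) {
        printf("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nrejected\n");
        return 0;
    }
    printf("Content-Type: text/plain\r\n\r\nwould serve %s\n", path);
    return 0;
}
```

The whitelist is deliberately narrow: rejecting a known-bad string such as ".." is weaker than accepting only a known-good shape, because encodings and path tricks vary between servers while the set of legitimate names does not.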

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: Which is the best language for writing CGI scripts/programs?

A: There is no one "best" language for writing CGI scripts and programs, although programmers who use a specific language will argue this. Shell scripts are generally used for small programs where security isn't an issue, while larger, more complex programs will use languages such as C, C++, or Visual Basic. The most common language for writing CGI scripts is Perl.

Q: When I'm writing my CGI program, do I need to worry about the type of browser a user is using to visit my site?

A: Generally, no. CGI programs run on the server side, so no code actually runs on the client's computer. Because the CGI program runs on the server, it won't matter what type of browser a user is running.

Q: I only know older programming languages, and don't know Perl, C, C++, or Visual Basic. I don't have the time to learn new languages. What can I do?

A: Any programming language that can work with CGI can be used to create CGI programs. For example, if your Web server runs on a Unix system, then any application that can read environment variables and standard input and write to standard output could be used to create a CGI program.

Q: Can I use client-side and server-side scripting for my Web site, or am I limited to one or the other?

A: Client-side and server-side scripting can both be used on a site. In fact, you can use them together for your program. There are a number of JavaScripts that check data before it is submitted to a CGI program. However, because client-side checks can be bypassed, your CGI program must still check the data it receives. In addition, Java applets or ActiveX components can be used as a user interface, and pass the data to the Web server for processing by your CGI program.

Q: My company doesn't run its own Web server and uses an Internet service provider. The ISP doesn't allow CGI scripts. What can I do?

A: If your ISP is firmly opposed to its customers running their own scripts, then you have few options. Many ISPs don't allow CGI programs, because security holes in them can impact the sites belonging to their other customers. You can move your site to another ISP, or get your own Web server.

Hacking Techniques
