Presentation is loading. Please wait.

Presentation is loading. Please wait.

CGI Scripting and Vulnerabilities COEN 351: E-commerce Security  Thomas Schwarz, S.J. 2006.

Published byDina Brown Modified over 8 years ago

Similar presentations

Presentation on theme: "CGI Scripting and Vulnerabilities COEN 351: E-commerce Security  Thomas Schwarz, S.J. 2006."— Presentation transcript:

1 CGI Scripting and Vulnerabilities COEN 351: E-commerce Security  Thomas Schwarz, S.J. 2006

2 Setting up IIS and / or Apache COEN 351: E-commerce Security  Thomas Schwarz, S.J. 2006

3 Setting up a test website under Windows IIS Built into Windows Apache Easy download Requires installation and configuration Warning: Both are security problems. You might do good to stop the services before using your computer in a normal manner.

4 Test Website under Windows Install Apache on Windows XP http://httpd.apache.org/download.cgi Install ActivePerl on Windows XP http://www.activestate.com/Products/ActivePerl/ Configure Apache Use the instructions at http://www.cgi101.com/book/connect/winxp.html

5 Test Website under Windows Start the Apache web server for a quick test. You might need to disable IIS. Go to Control Panel  Administrative Tools  Services and find IIS and stop it. (You can always restart it.) Open up a command prompt and run the Apache.exe. After you are done, kill the process with Ctr+C. Then use your browser to go to localhost. If it works, you see a page. http://www.cgi101.com/book/connect/winxp.html

6 Test Website under Windows Configuring Apache First create a directory that will contain your web pages. It is always slightly safer NOT to use default location and names. Then edit the configuration file. http://www.cgi101.com/book/connect/winxp.html

7 Test Website under Windows Since we are creating unsafe websites, remember to stop the Apache web- server when you are connected to the internet. http://www.cgi101.com/book/connect/winxp.html

8 Test Website under Windows IIS Install and activate service Set up directory for cgi pages. Executables need execute permission, scripts need script or execute permission. Need application mapping between the file name extension and the script. IIS Manager (Administrative Tools  IIS Manager)

9 Test Website under Windows Notice: If you are actually using your machine as a web-server, disable all unused extensions to lower your “attack surface”.

10 Test Website under Windows Do not start Perl scripts with the shebang: #!perl/bin/perl Instead print "HTTP/1.0 200 OK\n"; print "Content-type: text/html\n\n"; If you run a web-site, you need to take a number of precautions: Use NTFS security attributes / user accounts to restrict access. Place web-site on a different partition. Do not use default sites. Remove examples. Patch automatically. …

11 CGI with Perl Fundamentals You are now ready to create a webpage in your home directory index.html Next step is to try a cgi script. #!/perl/bin/perl -wT print "Content-type: text/html\n\n"; print " Hi \n"; Path to the perl executable. Different from UNIX!

12 CGI with Perl Fundamentals COEN 351

13 CGI with Perl Fundamentals Webserver passes information to the CGI script via environmental variables. %ENV hash CGI scripts produce output by printing an HTTP message on STDOUT CGI scripts need to put out an HTTP header, but it does not have to be a full one.

14 CGI with Perl Fundamentals Perl has three standard file handles. STDIN Webservers passes request (with the header removed) to the cgi script. If there is post data, it will be available for reading from STDIN. There is no end-of-file marker, so read the content-length header to decide when you read the end-of-input, otherwise the script will hang. STDOUT Perl writes HTTP header and body through STDOUT. Different webservers have different buffering policies. STDERR Perl can send error messages to STDERR. However, webservers differ in how they treat the output. Apache puts STDERR output into the log. iPlanet puts STDERR into the HTTP, but probably out of order, because STDERR traffic is not buffered.

15 CGI with Perl Fundamentals You are now ready to create a webpage in your home directory index.html Next step is to try a cgi script. #!/perl/bin/perl -wT print "Content-type: text/html\n\n"; print " Hi \n"; Path to the perl executable. Different from UNIX!

16 CGI with Perl Fundamentals Creating dynamic web-pages with PERL Web server passes information to CGI scripts via environment variables. CGI scripts produce output by printing the HTTP message on STDOUT. CGI scripts do not need to printout full headers.

17 CGI with Perl Fundamentals

18 This script uses only a simple header. Notice the double lines in the first print statement. This generates a basic HTTP message. HTTP requests:

19 CGI with Perl Fundamentals The minimum requirement for a static website are: The “Content-Type” line. The document itself. Need to include the she-bang line. Use taint mode as a generic precaution. Use the CGI::Carp Perl module Perl has a handy short-cut to print out many lines of text.

20 CGI with Perl Fundamentals #! /perl/bin/perl -wT use CGI::Carp qw(warningsToBrowser fatalsToBrowser); print <<EHTML; Content-type: text/html Environmental Variables Hi Server $ENV{SERVER_NAME} Listening port $ENV{SERVER_PORT} Server software $ENV{SERVER_SOFTWARE} Server protocol $ENV{SERVER_PROTOCOL} CGI version $ENV{GATEWAY_INTERFACE} EHTML Shebang with path to Perl Sends diagnostic messages to the browser. Remove before posting it. This allows you to just type in code instead of using individual print statements. The closing EHTML (or whatever token you choose) needs to be in the first position in the line and followed by an empty line. Environmental variables

21 CGI with Perl Fundamentals #! /perl/bin/perl -wT use CGI::Carp qw(warningsToBrowser fatalsToBrowser); print <<EHTML; Content-type: text/html Environmental Variables Hi Server $ENV{SERVER_NAME} Listening port $ENV{SERVER_PORT} Server software $ENV{SERVER_SOFTWARE} Server protocol $ENV{SERVER_PROTOCOL} CGI version $ENV{GATEWAY_INTERFACE} EHTML

22 CGI with Perl Fundamentals Environmental Variables AUTH_TYPE CONTENT_LENGTH CONTENT_TYPE DOCUMENT_ROOT GATEWAY_INTERFACE PATH_INFO PATH_TRANSLATED

23 CGI with Perl Fundamentals Environmental Variables QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_IDENT Ident daemon: UNIX and IRC clients only REMOTE_USER REQUEST_METHOD

24 CGI with Perl Fundamentals Environmental Variables SCRIPT_NAME SERVER_NAME SERVER_PROTOCOL SERVER_SOFTWARE

25 CGI with Perl Fundamentals Additional CGI Environment Variables: HTTP_ACCEPT HTTP_ACCEPT_CHARSET HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE HTTP_COOKIE HTTP_FROM HTTP_HOST HTTP_REFERER HTTP_USER_AGENT

26 CGI with Perl Fundamentals Environmental Variables Secure server adds many more environmental variables. X.509 server / browser certificates HTTPS Used as a flag to indicate whether the connection is secure. Values vary by server “ON”, “on”, “Off”, “off”

27 CGI with Perl Fundamentals #!/perl/bin/perl -wT use CGI qw(:standard); use CGI::Carp qw(warningsToBrowser fatalsToBrowser); my $email = "tjschwarz\@scu.edu"; my $url = "http://www.cse.scu.edu"; print header; print start_html("Scalars"); print <<EndHTML; Hello My e-mail address is $email, and my web url is $url. EndHTML print end_html;

28 CGI with Perl Fundamentals

29 CGI can output full or partial headers. Partial headers: One of Content-type header Location header Specifies URL to redirect the client to. Status header E.g. “204 No response” Delimited by TWO new-lines

30 CGI with Perl Fundamentals

31 When using a code, remember that the HTTP status message is not displayed. Therefore, you might want to formulate your own error page.

32 CGI with Perl Fundamentals Complete Headers: Need status line. Need Content-type line Need Server header. The last two are given to you as environmental variables. Called nph (non-parsed header) scripts

33 CGI: Forms COEN 351

34 CGI: Getting Data from Client HTML provides forms as a means to gather information and send them to the server. Use either POST or GET method.

35 CGI: Getting Data from Client HTML form tags METHOD: Either GET or POST ACTION: URL of the script that should receive the HTTP request. Default is the same URL ENCTYPE: Specifies the media type used to encode the request. Default is usually adequate. onSubmit: Javascript handler.

36 Getting Data from Client

37

38 Script register.cgi receives data. HTTP request looks like this: POST register.cgi HTTP/1.1 Host: bobadilla.engr.scu.edu Content-Length: 11 Content-Type: application/x-www-form-urlencode name=thomas

39 Getting Data from Client

40

41 To read the data: Read the data from the query string: $ENV{QUERY_STRING} Determine the method $ENV{REQUEST_METHOD} If the method is POST, determine the size of the request $ENV{CONTENT_LENGTH} Read that amount of data from STDIN Parse the data and process it. Getting Data from Client

42 Determine the request method Read up to $ENV{CONTENT_LENGTH} from stdin

43 Getting Data from Client

44

45 In principle, you can write a perl parse function that will parse the input and give it to you in nice value-pair form. In reality, you want to use a perl module that prepares the input for you. See next week’s cgi lesson. Getting Data from Client

46 CGI: CGI.pm COEN 351

47 CGI.pm Perl Modules Pre-written code. Standard library modules. Other modules e.g. at Comprehensive Perl Archive Network. CGI.pm module Load with “use CGI qw(:standard);” Has various function names: header start_html end_html

48 CGI.pm CGI.pm handles Input Replaces environment variables with environment methods HTML output Easy handling of http headers start_html, end_html Error handling

49 CGI.pm Comes with two small vulnerabilities of the DOS type Can be fixed by setting values in CGI.pm Allows uploading arbitrarily large files. Set $DISABLE_UPLOADS = 1. Allows arbitrarily large post messages Set $POST_MAX = 102_400; #100KB max

50 CGI.pm CGI.pm module print start_html(“hello”) Prints out: hello end_html Prints out:

51 CGI.pm CGI.pm can be used in an object-oriented and in an imperative style. Imperative version use CGI qw(:standard); print header; print start_html("Hello World"); Object-Oriented Version use CGI; # don't need qw(:standard) $cgi = CGI->new; # ($cgi is now the object) print $cgi->header; # function call: $obj->function print $cgi->start_html("Hello World");

52 CGI.pm Input with CGI.pm Use Methods instead of Environmental Variables. content-typeCONTENT_TYPE query_stringQUERY_STRING remote_hostREMOTE_HOST server_softwareSERVER_SOFTWARE urlNot available CONTENT_LENGTH virtual_hostHTTP_HOST

53 CGI.pm Forms Allow browser to post data to server. Uses GET or POST message

54 CGI.pm Form using POST method

55 CGI.pm Form using GET method

56 CGI.pm HTTP request is POST f1.cgi HTTP/1.1 Host: localhost Content-Length: 40 Content-Type: application/x-www-form-urlencode name=Thomas+Schwarz&email=tschwarz%40scu.edu HTTP request with GET would be /f1.cgi?name=Thomas+Schwarz&email=tschwarz%40scu.edu

57 CGI.pm Using the CGI.pm module makes things much easier.

58 CGI.pm Accessing environmental variables http method Without argument: Name of the environmental variable currently available. With argument: The value of that environmental variable.

59 CGI.pm

60 We access parameters through the param method.

61 CGI.pm CGI incorporates creation of HTML elements in its output facility. Use the following methods: header start_html, end_html h1, h2, h3, … p, b,

62 CGI.pm my $q = new CGI; print $q->header(“text/html”); print $q->start_html( -title = “Example”); print $q->h1(“Example”); print $q->p(“An example paragraphe”); print $q->end_html;

63 CGI.pm Alternatives for output CGI methods Compact, but limited expressionability Lots of print statements Lots of typing, easy to control “here document” feature in Perl Straight html text from perl

64 CGI.pm Trapping Errors: Standard Perl construct “or die” sends output to stderr, which may or may not be sent to the client. Trapping die will work: eval { dangerous_stuff(); 1; } or do { error ($q, $@ || “Unknown Error” );

65 CGI.pm Trapping Errors Trapping die will generate difficult to read code. Use CGI::Carp Clean interface and code Quite powerful

66 CGI: Maintaining State COEN 351

67 CGI: Maintaining State HTTP is a stateless protocol. TCP connection might be closed after each request! In order to maintain state, we can use: Hidden Fields: Fat URLs Extra path information: Fat URLs Cookies

68 CGI: Maintaining State Cookie Mechanism Webserver sends a Set-Cookie HTTP header to the browser. Browser returns cookie in its cookie header.

69 CGI: Maintaining State Netscape Cookies Parameters: -name Name of cookie We can set several cookies -value -domain Browsers will only return the cookies for URLs within this domain. -expires -path -secure Browser will only return the cookie for secure URLs using https

70 CGI: Maintaining State Setting cookies: CGI.pl has a cookie constructor: CGI.pl allows you to construct headers easily: my $cookie = $q->cookie( -name => "student_id", -value => 11111, -domain => ".scu.edu", -expires => "+1y", ); print $q->header( -type => "text/html", -cookie => $cookie );

71 CGI: Maintaining State Getting cookies Available in the HTTP_COOKIE environment. Can get value directly from CGI.pl: my $cookie = $q->cookie( "student_id"); print $q->header( -type => "text/plain" ), $cookie;

72 CGI: Maintaining State

73

74

75

Download ppt "CGI Scripting and Vulnerabilities COEN 351: E-commerce Security  Thomas Schwarz, S.J. 2006."

Similar presentations

CGI Scripting and Vulnerabilities COEN 351: E-commerce Security  Thomas Schwarz, S.J. 2006.

CGI Scripting and Vulnerabilities COEN 351: E-commerce Security  Thomas Schwarz, S.J
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.
CGI Programming Part 2. Input Tags Many different ways of getting data from the user. The tag is used most often. has a type attribute –Specifies the.

CGI Programming Part 2. Input Tags Many different ways of getting data from the user. The tag is used most often. has a type attribute –Specifies the.
Common Gateway Interface (CGI). CGI is a protocol: CGI is not a programming language CGI is a protocol for the exchange of information between between.

Common Gateway Interface (CGI). CGI is a protocol: CGI is not a programming language CGI is a protocol for the exchange of information between between.
Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
How does the server format the information it gives to the appln program? As environment variables and in standard input.

How does the server format the information it gives to the appln program? As environment variables and in standard input.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Outcomes Know what are CGI Environment Variables Know how to use environment variables How to process A simple Query Form Able to use URL Encoding rules.

Outcomes Know what are CGI Environment Variables Know how to use environment variables How to process A simple Query Form Able to use URL Encoding rules.
CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.
CGI programming Using Apache. Concepts Browser prepares parameter list List is attached to name of program to run on server submit button sends string.

CGI programming Using Apache. Concepts Browser prepares parameter list List is attached to name of program to run on server "submit" button sends string.
Web Client/Server Communication A290/A590, Fall 2014 09/09/2014.

Web Client/Server Communication A290/A590, Fall /09/2014.
CGI Programming Languages Web Based Software Development July 21, 2005 Song, JaeHa.

CGI Programming Languages Web Based Software Development July 21, 2005 Song, JaeHa.
Common Gateway Interface

Common Gateway Interface
1 ‘Dynamic’ Web Pages So far, we have developed ‘static’ web-pages, e.g., cv.html, repair.html and order.html. There is often a requirement to produce.

1 ‘Dynamic’ Web Pages So far, we have developed ‘static’ web-pages, e.g., cv.html, repair.html and order.html. There is often a requirement to produce.
Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.

Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.
1 Homework / Exam Exam 3 –Solutions Posted –Questions? HW8 due next class Final Exam –See posted schedule Websites on UNIX systems Course Evaluations.

1 Homework / Exam Exam 3 –Solutions Posted –Questions? HW8 due next class Final Exam –See posted schedule Websites on UNIX systems Course Evaluations.
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as e-mail.

Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
Overview A plain HTML document is static A CGI program is executed in real-time, so that it can output dynamic information. CGI (Common Gateway Interface)

Overview A plain HTML document is static A CGI program is executed in real-time, so that it can output dynamic information. CGI (Common Gateway Interface)

Similar presentations

Ads by Google