1 / 75

CGI Scripting and Vulnerabilities

CGI Scripting and Vulnerabilities. COEN 351: E-commerce Security. Thomas Schwarz, S.J. 2006. Setting up IIS and / or Apache. COEN 351: E-commerce Security. Thomas Schwarz, S.J. 2006. Setting up a test website under Windows. IIS Built into Windows Apache Easy download

aaron-robinson
Download Presentation

CGI Scripting and Vulnerabilities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CGI Scripting and Vulnerabilities COEN 351: E-commerce Security Thomas Schwarz, S.J. 2006

  2. Setting up IIS and / or Apache COEN 351: E-commerce Security Thomas Schwarz, S.J. 2006

  3. Setting up a test website under Windows • IIS • Built into Windows • Apache • Easy download • Requires installation and configuration • Warning: Both are security problems. • You might do good to stop the services before using your computer in a normal manner.

  4. Test Website under Windows • Install Apache on Windows XP • http://httpd.apache.org/download.cgi • Install ActivePerl on Windows XP • http://www.activestate.com/Products/ActivePerl/ • Configure Apache • Use the instructions at • http://www.cgi101.com/book/connect/winxp.html http://www.cgi101.com/book/connect/winxp.html

  5. Test Website under Windows • Start the Apache web server for a quick test. • You might need to disable IIS. • Go to Control Panel Administrative Tools  Services and find IIS and stop it. • (You can always restart it.) • Open up a command prompt and run the Apache.exe. • After you are done, kill the process with Ctr+C. • Then use your browser to go to localhost. • If it works, you see a page. http://www.cgi101.com/book/connect/winxp.html

  6. Test Website under Windows • Configuring Apache • First create a directory that will contain your web pages. • It is always slightly safer NOT to use default location and names. • Then edit the configuration file. http://www.cgi101.com/book/connect/winxp.html

  7. Test Website under Windows • Since we are creating unsafe websites, remember to stop the Apache web-server when you are connected to the internet. http://www.cgi101.com/book/connect/winxp.html

  8. Test Website under Windows • IIS • Install and activate service • Set up directory for cgi pages. • Executables need execute permission, scripts need script or execute permission. • Need application mapping between the file name extension and the script. • IIS Manager (Administrative Tools  IIS Manager)

  9. Test Website under Windows Notice: If you are actually using your machine as a web-server, disable all unused extensions to lower your “attack surface”.

  10. Test Website under Windows • Do not start Perl scripts with the shebang: #!perl/bin/perl • Instead print "HTTP/1.0 200 OK\n"; print "Content-type: text/html\n\n"; If you run a web-site, you need to take a number of precautions: • Use NTFS security attributes / user accounts to restrict access. • Place web-site on a different partition. • Do not use default sites. Remove examples. • Patch automatically. • …

  11. CGI with Perl Fundamentals • You are now ready to create a webpage in your home directory • index.html • Next step is to try a cgi script. #!/perl/bin/perl -wT print "Content-type: text/html\n\n"; print "<h1>Hi</h1>\n"; Path to the perl executable. Different from UNIX!

  12. CGI with Perl Fundamentals COEN 351

  13. CGI with Perl Fundamentals • Webserver passes information to the CGI script via environmental variables. • %ENV hash • CGI scripts produce output by printing an HTTP message on STDOUT • CGI scripts need to put out an HTTP header, but it does not have to be a full one.

  14. CGI with Perl Fundamentals • Perl has three standard file handles. • STDIN • Webservers passes request (with the header removed) to the cgi script. • If there is post data, it will be available for reading from STDIN. • There is no end-of-file marker, so read the content-length header to decide when you read the end-of-input, otherwise the script will hang. • STDOUT • Perl writes HTTP header and body through STDOUT. • Different webservers have different buffering policies. • STDERR • Perl can send error messages to STDERR. • However, webservers differ in how they treat the output. • Apache puts STDERR output into the log. • iPlanet puts STDERR into the HTTP, but probably out of order, because STDERR traffic is not buffered.

  15. CGI with Perl Fundamentals • You are now ready to create a webpage in your home directory • index.html • Next step is to try a cgi script. #!/perl/bin/perl -wT print "Content-type: text/html\n\n"; print "<h1>Hi</h1>\n"; Path to the perl executable. Different from UNIX!

  16. CGI with Perl Fundamentals • Creating dynamic web-pages with PERL • Web server passes information to CGI scripts via environment variables. • CGI scripts produce output by printing the HTTP message on STDOUT. • CGI scripts do not need to printout full headers.

  17. CGI with Perl Fundamentals

  18. CGI with Perl Fundamentals • This script uses only a simple header. • Notice the double lines in the first print statement. • This generates a basic HTTP message. • HTTP requests:

  19. CGI with Perl Fundamentals • The minimum requirement for a static website are: • The “Content-Type” line. • The document itself. • Need to include the she-bang line. • Use taint mode as a generic precaution. • Use the CGI::Carp Perl module • Perl has a handy short-cut to print out many lines of text.

  20. CGI with Perl Fundamentals Shebang with path to Perl #! /perl/bin/perl -wT use CGI::Carp qw(warningsToBrowser fatalsToBrowser); print <<EHTML; Content-type: text/html <html> <head><title>Environmental Variables</title></head> <body> <h1>Hi</h1> <pre> Server $ENV{SERVER_NAME} Listening port $ENV{SERVER_PORT} Server software $ENV{SERVER_SOFTWARE} Server protocol $ENV{SERVER_PROTOCOL} CGI version $ENV{GATEWAY_INTERFACE} </pre> </body> </html> EHTML Sends diagnostic messages to the browser. Remove before posting it. This allows you to just type in code instead of using individual print statements. The closing EHTML (or whatever token you choose) needs to be in the first position in the line and followed by an empty line. Environmental variables

  21. CGI with Perl Fundamentals #! /perl/bin/perl -wT use CGI::Carp qw(warningsToBrowser fatalsToBrowser); print <<EHTML; Content-type: text/html <html> <head><title>Environmental Variables</title></head> <body> <h1>Hi</h1> <pre> Server $ENV{SERVER_NAME} Listening port $ENV{SERVER_PORT} Server software $ENV{SERVER_SOFTWARE} Server protocol $ENV{SERVER_PROTOCOL} CGI version $ENV{GATEWAY_INTERFACE} </pre> </body> </html> EHTML

  22. CGI with Perl Fundamentals • Environmental Variables • AUTH_TYPE • CONTENT_LENGTH • CONTENT_TYPE • DOCUMENT_ROOT • GATEWAY_INTERFACE • PATH_INFO • PATH_TRANSLATED

  23. CGI with Perl Fundamentals • Environmental Variables • QUERY_STRING • REMOTE_ADDR • REMOTE_HOST • REMOTE_IDENT • Ident daemon: UNIX and IRC clients only • REMOTE_USER • REQUEST_METHOD

  24. CGI with Perl Fundamentals • Environmental Variables • SCRIPT_NAME • SERVER_NAME • SERVER_PROTOCOL • SERVER_SOFTWARE

  25. CGI with Perl Fundamentals • Additional CGI Environment Variables: • HTTP_ACCEPT • HTTP_ACCEPT_CHARSET • HTTP_ACCEPT_ENCODING • HTTP_ACCEPT_LANGUAGE • HTTP_COOKIE • HTTP_FROM • HTTP_HOST • HTTP_REFERER • HTTP_USER_AGENT

  26. CGI with Perl Fundamentals • Environmental Variables • Secure server adds many more environmental variables. • X.509 server / browser certificates • HTTPS • Used as a flag to indicate whether the connection is secure. • Values vary by server • “ON”, “on”, “Off”, “off”

  27. CGI with Perl Fundamentals #!/perl/bin/perl -wT use CGI qw(:standard); use CGI::Carp qw(warningsToBrowser fatalsToBrowser); my $email = "tjschwarz\@scu.edu"; my $url = "http://www.cse.scu.edu"; print header; print start_html("Scalars"); print <<EndHTML; <h2>Hello</h2> <p> My e-mail address is $email, and my web url is <a href="$url">$url</a>. </p> EndHTML print end_html;

  28. CGI with Perl Fundamentals

  29. CGI with Perl Fundamentals • CGI can output full or partial headers. • Partial headers: One of • Content-type header • Location header • Specifies URL to redirect the client to. • Status header • E.g. “204 No response” • Delimited by TWO new-lines

  30. CGI with Perl Fundamentals

  31. CGI with Perl Fundamentals • When using a code, remember that the HTTP status message is not displayed. • Therefore, you might want to formulate your own error page.

  32. CGI with Perl Fundamentals • Complete Headers: • Need status line. • Need Content-type line • Need Server header. • The last two are given to you as environmental variables. • Called nph (non-parsed header) scripts

  33. CGI: Forms COEN 351

  34. CGI: Getting Data from Client • HTML provides forms as a means to gather information and send them to the server. • Use either POST or GET method.

  35. CGI: Getting Data from Client • HTML form tags • <FORM ACTION = “register.cgi” METHOD = “POST”> • METHOD: Either GET or POST • ACTION: URL of the script that should receive the HTTP request. • Default is the same URL • ENCTYPE: Specifies the media type used to encode the request. Default is usually adequate. • onSubmit: Javascript handler.

  36. Getting Data from Client

  37. Getting Data from Client

  38. Getting Data from Client • Script register.cgi receives data. • HTTP request looks like this: POST register.cgi HTTP/1.1 Host: bobadilla.engr.scu.edu Content-Length: 11 Content-Type: application/x-www-form-urlencode name=thomas

  39. Getting Data from Client

  40. Getting Data from Client

  41. Getting Data from Client • To read the data: • Read the data from the query string: • $ENV{QUERY_STRING} • Determine the method • $ENV{REQUEST_METHOD} • If the method is POST, determine the size of the request • $ENV{CONTENT_LENGTH} • Read that amount of data from STDIN • Parse the data and process it.

  42. Getting Data from Client Determine the request method Read up to $ENV{CONTENT_LENGTH} from stdin

  43. Getting Data from Client

  44. Getting Data from Client

  45. Getting Data from Client • In principle, you can write a perl parse function that will parse the input and give it to you in nice value-pair form. • In reality, you want to use a perl module that prepares the input for you. • See next week’s cgi lesson.

  46. CGI: CGI.pm COEN 351

  47. CGI.pm • Perl Modules • Pre-written code. • Standard library modules. • Other modules e.g. at Comprehensive Perl Archive Network. • CGI.pm module • Load with “use CGI qw(:standard);” • Has various function names: • header • start_html • end_html

  48. CGI.pm • CGI.pm handles • Input • Replaces environment variables with environment methods • HTML output • Easy handling of http headers • start_html, end_html • Error handling

  49. CGI.pm • Comes with two small vulnerabilities of the DOS type • Can be fixed by setting values in CGI.pm • Allows uploading arbitrarily large files. • Set $DISABLE_UPLOADS = 1. • Allows arbitrarily large post messages • Set $POST_MAX = 102_400; #100KB max

  50. CGI.pm • CGI.pm module • print start_html(“hello”) • Prints out: <html><head><title>hello</title></head><body> • end_html • Prints out: </body></html>

More Related