Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

CGI security take two

by ant (Scribe)
on Jun 22, 2001 at 18:35 UTC ( #90735=perlquestion: print w/replies, xml ) Need Help??

ant has asked for the wisdom of the Perl Monks concerning the following question:

Hi,
Thanks for all your replies. Although it answered many
questions it raised a few too.
In one reply,the last paragraph you mentioned secure servers.
Does all data that's sent through a secure server have a higher
level of encryption? Is it still possible for people to edit
the hidden variables in a form and send it back to the server.
And one final question whats is an ecoded form? And whats the
difference between a ecoded form and an encrypted form.
Thanks again for your help in advance.

Anthony

Replies are listed 'Best First'.
Re: CGI security take two
by holygrail (Scribe) on Jun 22, 2001 at 18:41 UTC
    Forms can always be modified. People can create their own 'forms' by writing scripts with LWP and send you whatever they like. This can be done with secure servers (if you're meaning HTTPS protocol here), as well as with normal HTTP servers

    The important thing is to keep this in mind when you write your perlscripts, run all CGI scripts in Taintmode (-T), and carefully check whatever is sent to the script, validate everything, and never, NEVER trust your input!

    --HolyGrail
(Ovid) Re: CGI security take two
by Ovid (Cardinal) on Jun 22, 2001 at 20:00 UTC

    A secure server means that the data exchanged between the user agent and the server is encrypted. Otherwise, their is typically no encryption.

    It's trivial to edit hidden fields in forms. Here's one easy way: save the form to your hard-drive and change the fields. Then set the following tag in the <head> section:

    <base href="http://www.somedomain.com">

    Once everything's changed, just resubmit.

    Most CGI scripts don't bother to check the referrer or ip address. They may check for cookies for authentication. If you suspect issues like this are occurring, you whip out your trusty LWP library and start coding.

    As for the difference between encoded and encrypted: mirod was mentioning this in response to your last post. The discussion was regarding Basic authentication with .htaccess files. With such authentication, the server sends a challenge and the browser prompts you with a dialogue box for your username and password for the particular resource you wish to access. Once entered, they are joined with a colon and Base64 encoded. This encoding is little more than a Caesar Cipher. According to RFC2045, this encoding is as follows:

    The Base64 Alphabet Value Encoding Value Encoding Value Encoding Value Encoding 0 A 17 R 34 i 51 z 1 B 18 S 35 j 52 0 2 C 19 T 36 k 53 1 3 D 20 U 37 l 54 2 4 E 21 V 38 m 55 3 5 F 22 W 39 n 56 4 6 G 23 X 40 o 57 5 7 H 24 Y 41 p 58 6 8 I 25 Z 42 q 59 7 9 J 26 a 43 r 60 8 10 K 27 b 44 s 61 9 11 L 28 c 45 t 62 + 12 M 29 d 46 u 63 / 13 N 30 e 47 v 14 O 31 f 48 w (pad) = 15 P 32 g 49 x 16 Q 33 h 50 y

    Needless to say, that's not encryption.

    If you need stronger protection, run your Web scripts over a secure server. If you can restrict your users to IE5.5, you could also go with Digest Authentication. It's much more secure than Basic, but not widely supported.

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://90735]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (2)
As of 2023-01-29 15:23 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?