http://qs321.pair.com?node_id=90735

ant has asked for the wisdom of the Perl Monks concerning the following question:

Hi,
Thanks for all your replies. Although it answered many
questions it raised a few too.
In one reply, the last paragraph you mentioned secure servers.
Does all data that's sent through a secure server have a higher
level of encryption? Is it still possible for people to edit
the hidden variables in a form and send it back to the server?
And one final question: what is an encoded form? And what's the
difference between an encoded form and an encrypted form?
Thanks again for your help in advance.

Anthony

Replies are listed 'Best First'.
Re: CGI security take two
by holygrail (Scribe) on Jun 22, 2001 at 18:41 UTC
    Forms can always be modified. People can create their own 'forms' by writing scripts with LWP and send you whatever they like. This can be done with secure servers (if you're meaning HTTPS protocol here), as well as with normal HTTP servers.

    The important thing is to keep this in mind when you write your Perl scripts, run all CGI scripts in Taintmode (-T), and carefully check whatever is sent to the script, validate everything, and never, NEVER trust your input!

    --HolyGrail
(Ovid) Re: CGI security take two
by Ovid (Cardinal) on Jun 22, 2001 at 20:00 UTC

    A secure server means that the data exchanged between the user agent and the server is encrypted. Otherwise, there is typically no encryption.

    It's trivial to edit hidden fields in forms. Here's one easy way: save the form to your hard-drive and change the fields. Then set the following tag in the <head> section:

    <base href="http://www.somedomain.com">

    Once everything's changed, just resubmit.

    Most CGI scripts don't bother to check the referrer or ip address. They may check for cookies for authentication. If you suspect issues like this are occurring, you whip out your trusty LWP library and start coding.

    As for the difference between encoded and encrypted: mirod was mentioning this in response to your last post. The discussion was regarding Basic authentication with .htaccess files. With such authentication, the server sends a challenge and the browser prompts you with a dialogue box for your username and password for the particular resource you wish to access. Once entered, they are joined with a colon and Base64 encoded. This encoding is little more than a Caesar Cipher. According to RFC2045, this encoding is as follows:

    The Base64 Alphabet

    Value Encoding  Value Encoding  Value Encoding  Value Encoding
        0 A            17 R            34 i            51 z
        1 B            18 S            35 j            52 0
        2 C            19 T            36 k            53 1
        3 D            20 U            37 l            54 2
        4 E            21 V            38 m            55 3
        5 F            22 W            39 n            56 4
        6 G            23 X            40 o            57 5
        7 H            24 Y            41 p            58 6
        8 I            25 Z            42 q            59 7
        9 J            26 a            43 r            60 8
       10 K            27 b            44 s            61 9
       11 L            28 c            45 t            62 +
       12 M            29 d            46 u            63 /
       13 N            30 e            47 v
       14 O            31 f            48 w         (pad) =
       15 P            32 g            49 x
       16 Q            33 h            50 y

    Needless to say, that's not encryption.

    If you need stronger protection, run your Web scripts over a secure server. If you can restrict your users to IE5.5, you could also go with Digest Authentication. It's much more secure than Basic, but not widely supported.

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just click on the link and check out our stats.