
(Ovid) Re: CGI security take two

by Ovid (Cardinal)
on Jun 22, 2001 at 20:00 UTC [id://90773]


in reply to CGI security take two

A secure server means that the data exchanged between the user agent and the server is encrypted. Otherwise, there is typically no encryption.

It's trivial to edit hidden fields in forms. Here's one easy way: save the form to your hard-drive and change the fields. Then set the following tag in the <head> section:

<base href="http://www.somedomain.com">

Once everything's changed, just resubmit.

Most CGI scripts don't bother to check the referrer or ip address. They may check for cookies for authentication. If you suspect issues like this are occurring, you whip out your trusty LWP library and start coding.

As for the difference between encoded and encrypted: mirod was mentioning this in response to your last post. The discussion was regarding Basic authentication with .htaccess files. With such authentication, the server sends a challenge and the browser prompts you with a dialogue box for your username and password for the particular resource you wish to access. Once entered, they are joined with a colon and Base64 encoded. This encoding is little more than a Caesar Cipher. According to RFC2045, this encoding is as follows:

                        The Base64 Alphabet

     Value Encoding  Value Encoding  Value Encoding  Value Encoding
         0 A            17 R            34 i            51 z
         1 B            18 S            35 j            52 0
         2 C            19 T            36 k            53 1
         3 D            20 U            37 l            54 2
         4 E            21 V            38 m            55 3
         5 F            22 W            39 n            56 4
         6 G            23 X            40 o            57 5
         7 H            24 Y            41 p            58 6
         8 I            25 Z            42 q            59 7
         9 J            26 a            43 r            60 8
        10 K            27 b            44 s            61 9
        11 L            28 c            45 t            62 +
        12 M            29 d            46 u            63 /
        13 N            30 e            47 v
        14 O            31 f            48 w         (pad) =
        15 P            32 g            49 x
        16 Q            33 h            50 y

Needless to say, that's not encryption.

If you need stronger protection, run your Web scripts over a secure server. If you can restrict your users to IE5.5, you could also go with Digest Authentication. It's much more secure than Basic, but not widely supported.

Cheers,
Ovid
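The two points in Ovid's reply, as an added Perl example that is not part of the original post: first, that the Basic authentication header is plain Base64 and so is recovered by anyone who can read the request with one library call (no key, no secret), and second, a server-side way to notice when a saved-and-edited form comes back with its hidden fields changed. The credentials, the form fields and the server secret are all constructed for the example; the HMAC signing of hidden fields is a mitigation added here, not something the original post describes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA  qw(hmac_sha256_hex);

# --- Part 1: Basic authentication is encoded, not encrypted --------------
# Constructed example: the header a browser sends after the user types
# "alice" / "s3cret" into the Basic auth dialogue. The browser joins the two
# with a colon and Base64-encodes the result, exactly as the post describes.
my $credentials = "alice:s3cret";
my $header = "Authorization: Basic " . encode_base64($credentials, "");
print "$header\n";

# Anyone who can read the request (proxy, sniffer, log file) reverses the
# encoding with a single call. No key is involved, so this is not encryption.
my ($token) = $header =~ /^Authorization:\s+Basic\s+(\S+)/;
my ($user, $pass) = split /:/, decode_base64($token), 2;
print "decoded: user=$user password=$pass\n";

# --- Part 2: detect edited hidden fields ---------------------------------
# Hidden fields travel to the client and back, so the client can change them.
# A secret that never leaves the server (hypothetical value below) signs the
# field values; an edited value no longer matches the signature that was
# emitted with the form. A real deployment would URL-escape the values before
# joining them so that "&" or "=" inside a value cannot create ambiguity.
my $server_secret = "replace-with-a-long-random-secret";   # assumption: server-side only

sub sign_fields {
    my (%fields) = @_;
    my $payload = join "&", map { "$_=$fields{$_}" } sort keys %fields;
    return hmac_sha256_hex($payload, $server_secret);
}

sub fields_are_intact {
    my ($sig, %fields) = @_;
    return sign_fields(%fields) eq $sig;
}

# The form as generated by the server; $sig goes into its own hidden field.
my %form = (item => "widget", price => "19.99");
my $sig  = sign_fields(%form);

# An unmodified resubmission verifies.
print "unchanged form: ", fields_are_intact($sig, %form) ? "ok" : "TAMPERED", "\n";

# The same form saved to disk, price edited, resubmitted with the old signature.
my %edited = (%form, price => "0.01");
print "edited form:    ", fields_are_intact($sig, %edited) ? "ok" : "TAMPERED", "\n";
```

Run it as a plain script; the first part prints the decoded username and password, the second prints "ok" for the untouched form and "TAMPERED" for the edited one. The signature protects integrity only: the field values are still readable by the client, and the secret must be kept out of anything the client receives.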

