PerlMonks
A secure server means that the data exchanged between the user agent and the server is encrypted. Otherwise, there is typically no encryption.

It's trivial to edit hidden fields in forms. Here's one easy way: save the form to your hard-drive and change the fields. Then set the following tag in the <head> section:

<base href="http://www.somedomain.com">

Once everything's changed, just resubmit.

Most CGI scripts don't bother to check the referrer or ip address. They may check for cookies for authentication. If you suspect issues like this are occurring, you whip out your trusty LWP library and start coding.

As for the difference between encoded and encrypted: mirod was mentioning this in response to your last post. The discussion was regarding Basic authentication with .htaccess files. With such authentication, the server sends a challenge and the browser prompts you with a dialogue box for your username and password for the particular resource you wish to access. Once entered, they are joined with a colon and Base64 encoded. This encoding is little more than a Caesar Cipher. According to RFC2045, this encoding is as follows:

                    Table 1: The Base64 Alphabet

     Value Encoding  Value Encoding  Value Encoding  Value Encoding
         0 A            17 R            34 i            51 z
         1 B            18 S            35 j            52 0
         2 C            19 T            36 k            53 1
         3 D            20 U            37 l            54 2
         4 E            21 V            38 m            55 3
         5 F            22 W            39 n            56 4
         6 G            23 X            40 o            57 5
         7 H            24 Y            41 p            58 6
         8 I            25 Z            42 q            59 7
         9 J            26 a            43 r            60 8
        10 K            27 b            44 s            61 9
        11 L            28 c            45 t            62 +
        12 M            29 d            46 u            63 /
        13 N            30 e            47 v
        14 O            31 f            48 w         (pad) =
        15 P            32 g            49 x
        16 Q            33 h            50 y

Needless to say, that's not encryption.

If you need stronger protection, run your Web scripts over a secure server. If you can restrict your users to IE5.5, you could also go with Digest Authentication. It's much more secure than Basic, but not widely supported.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.


In reply to (Ovid) Re: CGI security take two by Ovid
in thread CGI security take two by ant
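The two points in the post above, that a client can submit any value it likes for a "hidden" field and that Basic credentials are merely Base64-encoded, shown together in Perl. This is an added example, not code from Ovid's post: it builds the request a tampered form plus a Basic auth dialogue would produce, prints what travels over the wire, and recovers the credentials from the Authorization header without any key. The URL, field names, prices and the monk:opensesame credentials are made up for illustration; nothing is sent over the network.

```perl
#!/usr/bin/perl
# Added example (not from the original post). Shows what a CGI script
# on the server actually receives: whatever the client chose to send,
# hidden fields included, plus Basic credentials that anyone on the
# path can decode.
use strict;
use warnings;
use HTTP::Request::Common qw(POST);
use MIME::Base64 qw(encode_base64 decode_base64);

# Hypothetical form action from the merchant's page (made-up URL).
my $form_action = 'http://www.somedomain.com/cgi-bin/order.pl';

# Build the POST a browser would send after the saved form is edited
# and resubmitted. The HTML author put price in a hidden field worth
# 49.99; the client is under no obligation to keep that value.
my $req = POST $form_action, [
    item  => 'widget',
    qty   => 1,
    price => '0.01',    # hidden field, rewritten by the client
];

# The header a browser adds once you fill in the Basic auth dialogue:
# "username:password" joined with a colon and Base64-encoded.
my $credentials = 'monk:opensesame';    # made-up credentials
$req->header( Authorization => 'Basic ' . encode_base64( $credentials, '' ) );

# What the server, and anyone in between, sees on the wire.
print $req->as_string, "\n";

# Reversing the "protection" on the credentials needs no secret at all:
# strip the "Basic " prefix, Base64-decode, split on the first colon.
sub recover_basic_credentials {
    my ($authorization_header) = @_;
    my ($encoded) = $authorization_header =~ /^Basic\s+(\S+)/
        or return;
    return split /:/, decode_base64($encoded), 2;
}

my ( $user, $pass ) = recover_basic_credentials( $req->header('Authorization') );
print "Recovered credentials: user=$user pass=$pass\n";
```

The server-side lesson is the one Ovid draws: a CGI script cannot trust a hidden field (or the Referer, or the client IP) to carry the value the page author wrote into it, so the price in this example must be looked up server-side from the item, not read from the form. Without a secure server, the credentials recovered above are exactly what every proxy and sniffer between browser and script gets as well.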
