Every language, unfortunately, has features which can be exploited to take advantage of the inattentive. Probably the most important take-away here is that (regardless of what language you are using ...) you should validate all parameters received before you use any of them. And, you should not be content to subject your form-handling logic only to the POST/GET streams that the form in question may produce. Furthermore, you should not call those handlers only in the sequence that the application itself will produce.
Since HTTP is a completely stateless protocol, and since the data passing between client and server can be easily monitored, it is therefore possible for a rogue to manufacture any POST/GET stream and to subject any part of your application to it, in any sequence and at any time.
One of the first things that we do at Sundial when presented with a prospective new legacy-app client is to subject their site (preferably, an isolated copy of it running on one of our servers or laptops) to this kind of aggressive, automated, “smoke testing,” which of course is automated. Nearly all of the time, the site (or mobile app!) promptly goes down in flames. Furthermore, we see this in apps written in all sorts of languages, not just Perl. The stability and integrity of the deployed app is assumed, but not yet challenged. It does not stand up to the challenge.
I can count on one hand the number of sites that actually survived five minutes, in over 10 years of doing this sort of thing. Sometimes it is ridiculously easy: take a site that exposes GET-parameters and simply append a copy of the GET-string to itself, thereby changing all of them (maybe) to array multi-valued variables. Press Enter and see what happens. It may be nothing-at-all ... or it may be goofy-wrong. The site might even spew all sorts of tantalizing debugging-info at you, sometimes even including the text of SQL queries. Similar things can happen just by changing the spelling of some parameter. Goofy-Absurd lack of quality, and this in big commercial sites that have thousands of unique hits every day.
In a perverse sort of way, those attackers are merely testing your software for you . . . O_o . . . too bad you didn’t do it first.
But, not a thing to be blamed on the Perl language . . .
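As an added illustration (not part of the post above, and not Sundial's tooling), here is the "append the GET-string to itself, misspell a parameter, drop a parameter" smoke test written as a small Python script, run against two hypothetical handlers for an invented `/search` endpoint: a naive one that trusts whatever arrives, and a strict one that validates every parameter name, cardinality, type and range before use. The endpoint, parameter names (`q`, `page`, `sort`), the schema and the sample query string are all constructed for the example. An exception escaping the naive handler is what a real site renders as a 500 page, frequently with the stack trace and SQL text the post mentions.

```python
"""Added example: manufactured GET streams against a naive and a strict handler.
Everything here (endpoint, parameters, schema, sample request) is invented."""
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed sample request for the hypothetical /search handler.
ORIGINAL_QS = "q=widget&page=2&sort=price"

# Hypothetical schema: parameter name -> (required?, value check)
SCHEMA = {
    "q":    (True,  lambda v: 0 < len(v) <= 64),
    "page": (True,  lambda v: v.isdigit() and 1 <= int(v) <= 1000),
    "sort": (False, lambda v: v in ("price", "name")),
}


def mutate_query(qs):
    """Build the manufactured GET streams the post describes, keyed by name."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    out = {
        "original": qs,
        "doubled": qs + "&" + qs,        # every scalar becomes multi-valued
        "extra": qs + "&debug=1",        # an unexpected parameter
    }
    for i, (k, v) in enumerate(pairs):
        # change the spelling of one parameter name
        out["misspelled_" + k] = urlencode(pairs[:i] + [(k + "x", v)] + pairs[i + 1:])
        # leave one parameter out entirely
        out["dropped_" + k] = urlencode(pairs[:i] + pairs[i + 1:])
    return out


def naive_handler(qs):
    """Trusts the stream: a missing or non-numeric parameter raises and escapes."""
    p = parse_qs(qs)
    page = int(p["page"][0])             # KeyError / ValueError on bad input
    q = p["q"][0]
    sort = p.get("sort", ["name"])[0]    # unknown parameters silently ignored
    return 200, f"search q={q!r} page={page} sort={sort}"


def strict_handler(qs):
    """Validate names, cardinality, presence, type and range before any use."""
    seen = {}
    for k, v in parse_qsl(qs, keep_blank_values=True):
        if k not in SCHEMA:
            return 400, f"unknown parameter {k!r}"
        if k in seen:
            return 400, f"parameter {k!r} supplied more than once"
        seen[k] = v
    for k, (required, ok) in SCHEMA.items():
        if k not in seen:
            if required:
                return 400, f"missing parameter {k!r}"
            continue
        if not ok(seen[k]):
            return 400, f"bad value for {k!r}"
    return 200, (f"search q={seen['q']!r} page={int(seen['page'])} "
                 f"sort={seen.get('sort', 'name')}")


def smoke_test(handler, qs):
    """Feed every mutation to a handler; an escaped exception counts as a 500."""
    results = {}
    for name, mutated in mutate_query(qs).items():
        try:
            status, _ = handler(mutated)
        except Exception:                # the "flames": stack trace to the client
            status = 500
        results[name] = status
    return results


if __name__ == "__main__":
    for label, handler in (("naive", naive_handler), ("strict", strict_handler)):
        print(label)
        for name, status in smoke_test(handler, ORIGINAL_QS).items():
            print(f"  {name:16} -> {status}")
```

The strict handler never returns anything but 200 or 400 for this set, and rejects the doubled stream explicitly rather than quietly picking the first or last value; the naive one returns 200 for the doubled stream (the "nothing-at-all" case) and crashes on the misspelled and dropped required parameters. The same mutation list is just as applicable to POST bodies and to handlers called out of their intended sequence.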