
Re: Hacking CGI - security and exploitation

by cjf (Parson)
on Jun 24, 2002 at 20:54 UTC (#176939)


in reply to Hacking CGI - security and exploitation

A couple small problems with the paper:

  • He does mention CGI.pm, but then proceeds to ignore it and continually try stuff like @pair = split(/&/, $ENV{'QUERY_STRING'}); throughout the paper.
  • It's too long and not very well formatted. I mostly just read the code; the target audience definitely won't read through the whole thing. Presentation is very important for this type of paper.
  • He should have had a big sign at the start saying "Don't trust user input" because that's basically what all the problems result from.

On the plus side, it was fairly in-depth (could have been broken down into separate parts though) and it's always good to see coverage of cross-site scripting and other commonly ignored security issues.

Update: In question 12 ("I heard "homemade" CGI scripts are more vulnerable to being hacked than distributed") he could have mentioned NMS scripts as a quality alternative. For bonus points he could start a flamewar and say "but crackers have access to their source code" ;).
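
Added illustration, not part of the post above or of the paper it reviews: the hand-rolled `split(/&/, ...)` parse from the first bullet next to CGI.pm on the same input, followed by the validation and escaping that "Don't trust user input" implies. The query string, the `naive_parse` and `valid_name` helpers, and the allowlist pattern are constructed for this example; it assumes CGI.pm 4.08 or later is installed from CPAN.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;    # assumption: CGI.pm from CPAN is installed (not in core since Perl 5.22)

# Constructed query string: percent-encoded value, repeated key, ';' separator.
my $qs = 'name=J%2E+Random%3Cb%3E&tag=perl&tag=cgi;debug=1';

# Hand-rolled parse in the style the post objects to.
sub naive_parse {
    my ($query) = @_;
    my %form;
    for my $pair (split /&/, $query) {
        my ($key, $value) = split /=/, $pair, 2;
        # No URL-decoding, ';' is not treated as a separator, and a repeated
        # key silently overwrites the earlier value.
        $form{$key} = $value;
    }
    return \%form;
}

# Hypothetical allowlist for a display name; anything else is rejected.
sub valid_name {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9 .'-]{1,64}\z/;
}

my $naive = naive_parse($qs);
print "naive name: $naive->{name}\n";
print "naive tag:  $naive->{tag}\n";
print "naive debug: ", (exists $naive->{debug} ? $naive->{debug} : '(missing)'), "\n";

# CGI.pm decodes values, splits on both '&' and ';', and keeps every value.
my $q    = CGI->new($qs);
my $name = $q->param('name');
my @tags = $q->multi_param('tag');    # multi_param needs CGI.pm 4.08 or later
print "CGI.pm name: $name\n";
print "CGI.pm tags: @tags\n";
print "CGI.pm debug: ", scalar $q->param('debug'), "\n";

# Decoding is not validation: check the value, and escape it on output anyway.
print valid_name($name) ? "name accepted\n" : "name rejected\n";
print "escaped for HTML: ", $q->escapeHTML($name), "\n";
```

The naive parser and CGI.pm disagree about what the client sent, so any filter written against the naive view is checking a different string from the one that is eventually decoded and used.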

