
Re: Hacking CGI - security and exploitation

by cjf (Parson)
on Jun 24, 2002 at 20:54 UTC ( #176939=note )

in reply to Hacking CGI - security and exploitation

A couple small problems with the paper:

  • He does mention, but then proceeds to ignore it and continually try stuff like @pair = split(/&/, $ENV{'QUERY_STRING'}); throughout the paper.
  • It's too long and not very well formatted. I mostly just read the code; the target audience definitely won't read through the whole thing. Presentation is very important for this type of paper.
  • He should have had a big sign at the start saying "Don't trust user input" because that's basically what all the problems result from.

On the plus side, it was fairly in-depth (could have been broken down into separate parts though) and it's always good to see coverage of cross-site scripting and other commonly ignored security issues.

Update: In question 12 ("I heard "homemade" CGI scripts are more vulnerable to being hacked than distributed") he could have mentioned NMS scripts as a quality alternative. For bonus points he could start a flamewar and say "but crackers have access to their source code" ;).
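
An added example, not part of the post above or of the paper it reviews: what a hand-rolled split(/&/, $ENV{'QUERY_STRING'}) parse misses, next to a parse that decodes the input and checks every field against an allow-list. The sample query string, the helper names and the field rules are constructed for illustration.

```perl
use strict; use warnings;

# Constructed input: encoded value, repeated key, ';' separator, traversal string.
my $qs = 'name=J%2E+Doe&id=42&id=43;file=..%2F..%2Fetc%2Fpasswd';

# Hand-rolled parse in the style of the quoted line (hypothetical helper).
sub naive_parse {
    my ($query) = @_;
    my %in;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        $in{$k} = $v;    # no decoding; a repeated key silently overwrites
    }
    return %in;
}

# Decode %XX and '+', split on '&' and ';', keep every value of a repeated key.
sub parse_query {
    my ($query) = @_;
    my %in;
    for my $pair (grep { length } split /[&;]/, $query) {
        my ($k, $v) = (split(/=/, $pair, 2), '')[0, 1];    # missing value => ''
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
        push @{ $in{$k} }, $v;
    }
    return %in;
}

# Allow-list per expected field (hypothetical fields); everything else is rejected.
my %rules = (
    name => qr/\A[\w .'-]{1,64}\z/,
    id   => qr/\A\d{1,9}\z/,
    file => qr/\A[\w-]{1,32}\.txt\z/,
);
sub validate {
    my (%in) = @_;
    my (%ok, @rejected);
    for my $k (sort keys %in) {
        my $vals = $in{$k};
        # Accept only known fields with exactly one value that matches its rule.
        if ($rules{$k} && @$vals == 1 && $vals->[0] =~ $rules{$k}) { $ok{$k} = $vals->[0] }
        else { push @rejected, $k }
    }
    return (\%ok, \@rejected);
}

my %naive = naive_parse($qs);
print "naive    $_ = $naive{$_}\n" for sort keys %naive;
my ($ok, $rejected) = validate(parse_query($qs));
print "accepted $_ = $ok->{$_}\n" for sort keys %$ok;
print "rejected $_\n" for @$rejected;
```

With this input the naive parse leaves name undecoded and folds the second id and the file parameter into a single id value, while the validating parse accepts only name and rejects file and the duplicated id.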
