By: Kurt Seifried, [email protected], Copyright Kurt Seifried, 2001
Taking input from web pages is inherently dangerous, as unchecked input is one of the most common ways attackers gain access. A well-known example is the publicized "contest" run by PC Week, where an NT box and a Red Hat Linux box were set up (and somewhat secured); the Linux box was quickly compromised through a CGI program that did not check user input properly. Check every value against what it is allowed to contain, not against a list of things it must not contain: if taking a username, make sure it contains only alphanumeric characters and is of a sane length (for example 8 characters, as opposed to say 400k).
10.1 Perl
Perl is by far one of the most popular languages for writing CGI programs, and it has a number of features that help keep you from shooting yourself in the foot. Running Perl with the -w option turns on warnings: it tells you about variables you declare but never use, file handles you read from but never opened, and similar mistakes, and is very useful for cleaning up code. A step up from this is "use strict;", which forces you to declare every variable and forbids symbolic references and barewords, catching another class of mistakes before the program ever runs.
http://www.cpan.org/doc/manual/html/lib/strict.html
Once you are using those two options, the next logical step is taint mode (the -T switch), which is described in perlsec. Under taint mode any data that comes from outside the program (form parameters, the environment, file contents) is marked as tainted, and Perl refuses to pass it to anything that affects the outside world (open(), system(), exec(), backticks) until you have explicitly extracted the safe part with a regular expression match.
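As an added example, not taken from this guide, the following CGI script puts the three layers together (-w, use strict and taint mode) and applies the username check described at the top of the chapter. The parameter name "user", the directory /var/www/data and the 8-character limit are assumptions for the sake of illustration.

```perl
#!/usr/bin/perl -wT
# Added example: a minimal CGI handler that takes a username and checks it
# before using it in a filename. It runs under taint mode (-T), so any value
# derived from the request makes open() or system() die unless it has been
# untainted first.
use strict;
use CGI qw(param header);

# Trust nothing from the environment either: a tainted $ENV{PATH} would also
# make system() refuse to run, so set it explicitly and drop the shell hooks.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return the checked username, or undef if it fails the allow-list.
# Only a regex capture untaints data under -T, and the regex should describe
# exactly what a valid value looks like, not what a bad one looks like.
sub checked_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef if length($raw) > 8;                  # sane length, not 400k
    return $1 if $raw =~ /\A([a-z][a-z0-9]{0,7})\z/;   # alphanumeric only
    return undef;
}

my $user = checked_username(scalar param('user'));
print header('text/plain');
unless (defined $user) {
    print "Bad username\n";
    exit 0;
}

# $user is now untainted and known to be safe to put in a path. Using
# param('user') here directly would die with
# "Insecure dependency in open while running with -T switch".
my $file = "/var/www/data/$user.txt";   # assumed data directory
if (open(my $fh, '<', $file)) {
    print while <$fh>;
    close $fh;
} else {
    print "No record for $user\n";
}
```

Note that the length check and the regex both limit the value; the regex is what actually untaints it, and the \A and \z anchors matter, since a pattern without them would happily "validate" a username with a newline and shell metacharacters after it.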
http://www.perl.com/CPAN-local/doc/manual/html/pod/perlsec.html
The O'Reilly books on Perl (including an excellent book on CGI programming that is very Perl-centric) are a very good source, both for learning and as a reference. Online, there is a chapter of the "CGI Developer's Guide" (by Eugene Eric Kim, [email protected]) available at:
http://www.eekim.com/pubs/cgibook/
10.2 PHP
PHP is a scripting language that you embed directly in documents; when a user requests the document it is run through the PHP engine, which handles any dynamic content. Generally speaking the usual rules apply: when taking user input, always assume it may be mangled or even hostile.
http://www.php.net/manual/en/security.php
10.3 ASP
No notes yet.
http://www.microsoft.com/ISN/whitepapers/security.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguidnf/html/cpconaspsecurity.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipubsdk/hh/ipubsdk/ipub01_2jqa.asp
http://support.microsoft.com/support/kb/articles/Q176/3/77.ASP
10.4 Python
No notes yet.