10.0 Some notes on CGI programming languages

By: Kurt Seifried, [email protected], Copyright Kurt Seifried, 2001


 

Taking input from webpages is inherently dangerous as this is often used by attackers to gain access. A good example of this being the publicized "contest" run by PCWeek where an NT and a Red Hat Linux box were setup (and somewhat secured). The Linux box was quickly compromised using a CGI program that did not check user input properly. For example if taking a username in, make sure it only contains alphanumeric characters, and is of a sane length (like 8 characters as opposed to say 400k).

10.1 Perl

Perl is by far one of the most popular languages for writing CGI programs. Perl has a number of features that can help prevent you from shooting yourself in the foot. Using Perl with the -w option will tell you about any options you are creating but not using, file handles, and so on, it is very useful for helping clean up code. A step up from this is to use Perl strict, which also helps prevents mistakes and so on.

http://www.cpan.org/doc/manual/html/lib/strict.html

Once you are using those two options the next logical step would be to use perlsec.

http://www.perl.com/CPAN-local/doc/manual/html/pod/perlsec.html

The O'Reilly books on Perl (they have an excellent book on CGI programming that is very Perl centric) are a very good source both for learning and as reference. Online there is a chapter of the "CGI Developer's Guide" (by: Eugene Eric Kim [email protected]), available at:

http://www.eekim.com/pubs/cgibook/

10.2 PHP

PHP is a scripting language you embed directly in documents, when the user requests it the document is run through the PHP engine and any dynamic content and so on is handled. Generally speaking the usual rules apply, when taking user input always assume it will be potentially mangled or even hostile.

http://www.php.net/manual/en/security.php

10.3 ASP

No notes yet.

http://www.microsoft.com/ISN/whitepapers/security.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguidnf/html/cpconaspsecurity.asp

http://msdn.microsoft.com/library/default.asp?URL=/library/dotnet/cpguide/cpconhowaspnetsecurityworks.htm

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ipubsdk/hh/ipubsdk/ipub01_2jqa.asp

http://support.microsoft.com/support/kb/articles/Q176/3/77.ASP

10.4 Python

No notes yet.

http://www.python.org/

 

[ Index | Back | Next ]