Perl Programming Help: Intermediate: Hide datastring from webforms

taffelman
New User

Mar 7, 2002, 7:29 AM

Post #1 of 5 (666 views)
Hide datastring from webforms

Hi

I've created a few sites without using html pages. Everything on the sites is dynamically generated from one script and some txt data-files.

This causes the internal site links often to appear as: ../scriptname.cgi?channel=frontpage&user=guest&...etc... when displayed in the address bar of the browser. I don't like to show this to my surfers, so I always use an index.html file with two frames, one which is 1 pixel high containing a dummy page, and the other frame showing the site which is generated from the script.

This has worked as an OK solution for now, but since many of my sites contain commercial contests and highscore lists from games, I have become more worried about those surfers that know enough to make trouble, and maybe they even have a bad day when visiting one of my sites.

My question is: Is it possible to hide the "data-strings" sent from web schemes to a script? or isn't this a security issue I need to worry about?



Let's make an example:



A webscheme sends a username and a password to a script like this: login.cgi?username=myname&password=mypassword

Then the script checks the data like this:



#!/usr/bin/perl -wT
use strict;
use CGI;

# login.psw is plain Perl that sets these four globals.
our ($username, $password, $success, $fail);
require "/folder/below/web_root/data/login.psw";

my $q = CGI->new;
my %input = map { $_ => scalar $q->param($_) } $q->param;

if (defined $input{username} && defined $input{password}
    && $input{username} eq $username && $input{password} eq $password) {
    print "Location: $success\n\n";
} else {
    print "Location: $fail\n\n";
}

The username/password and the redirect urls ($success/$fail) are all stored in the "login.psw" file.



The question appears as: How long would a perl-pro or maybe a pro-hacker take to find out the content of the "login.psw" file?

I know most of you will tell me to use htaccess or some other cookie based login system; don't worry, this is just an example, because I have a lot of small datafiles and config files stored this way. And I really wonder how hard it is to read or write to my files when they are placed in a folder below the web-root, and the scripts run in the cgi-bin folder above the web-root.



If you pros wanna compete I can set up a demo on one of my servers, and the first one to tell me the content of my datafile will get hired to write a "security" system for my sites :-)



Any comments are welcomed.

Taffelman


yapp
User

Mar 8, 2002, 2:48 AM

Post #2 of 5 (660 views)
Re: [taffelman] Hide datastring from webforms [In reply to]

I won't answer your question directly. (I'm not a hacker ;-))

I've just read the book "CGI programming with Perl", by O'Reilly. That book also has a very interesting chapter about security. I was really surprised that some things could actually be possible..

However, what do you think about this security checklist:
- Are your files stored outside the www root, so users can't access them accidentally using some pathname in the request line?
- Do you crypt() your passwords?
- Does your script use -w and -T and "use strict"?
- Do you test every input using a regexp (required for -T)?
- If so, do you test for characters "not allowed", or for characters that you allow? The second version is a lot easier, and more secure (you can't forget anything).
- Isn't there any script that users can abuse, so they can use it to interact with the shell? Usually that's very easy. For example, by adding backticks to script parameters. When those are concatenated into a string sent to the shell as a command, those backticks will execute an "inner command".
- Do you still use shell pipes, or do you perform an exec() in a different process (using fork())? exec() doesn't use the shell directly, so it's more difficult to abuse your script.
- Use as many Perl functions as possible instead of interacting with the shell...
- Do you use CGI.pm? If so, have you given $CGI::POST_MAX a value? Or can users just post you some code dump files of 10MB through a textfield?
- If you use CGI, be sure to disable uploads before you create the CGI object. Otherwise, the uploading starts (that creates a temp file at your webserver). You do have some free disk space left, I hope? (Set $CGI::DISABLE_UPLOADS before you do the new CGI() thing.)
- If you use CGI.pm, note that the input is parsed. It doesn't matter if the request method is POST or GET. However, you probably don't want users to enter the parameters as QUERY_STRING in their browser. Then use the request_method() routine to see what method was used for the request.
- What will happen to your script when someone writes a Perl script (LWP::Simple) to access your script? It can fake quite some things (browser ID, referer, request method, parameters, parameter size). Never trust the browser and client.
- What happens when that previous script is run through a for(0..100000000) loop?
- Your script also tests the size of the parameters, I hope? (And doesn't trust the maxlength="" property of the textfield?)
- Maybe you also want users to use your script only from a page within your domain (check the HTTP_REFERER). However, the LWP client can also fake that.

Yet Another Perl Programmer

_________________________________
~~> http://www.codingdomain.com <~~
More than 3500 X-Forum Downloads! http://www.codingdomain.com/cgi-perl/downloads/x-forum

(This post was edited by yapp on Mar 8, 2002, 2:58 AM)
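The checklist above is easier to apply when the items are seen together in one script. The following is an added example written for this thread, not code from the original post or from CGI.pm's own documentation: a request-handling skeleton that sets $CGI::POST_MAX and $CGI::DISABLE_UPLOADS before CGI.pm parses anything, rejects non-POST requests via request_method(), validates each parameter against a whitelist regexp (which also untaints it under -T), and calls an external program with the list form of system() so no shell ever sees user data. The parameter names, size limits, channel names, the logger call and the $DATA_DIR path are assumptions made for the example.

```perl
#!/usr/bin/perl -wT
# Added example (not from the thread): a CGI skeleton that applies the
# checklist items. Field names, limits, channels and $DATA_DIR are assumptions.
use strict;
use warnings;

# Limit the body size and refuse uploads BEFORE CGI.pm parses the request;
# a BEGIN block runs before the compile-time 'use CGI' below.
BEGIN {
    $CGI::POST_MAX        = 10 * 1024;   # 10 KB is plenty for a form post
    $CGI::DISABLE_UPLOADS = 1;           # never create temp files for uploads
}
use CGI;

# Taint mode refuses to run subprocesses with an untrusted environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# Only accept form submissions, not parameters typed into the address bar.
if ($q->request_method ne 'POST') {
    print $q->header(-status => '405 Method Not Allowed');
    exit;
}

# Whitelist validation: state what IS allowed; everything else is rejected.
# The capture groups also untaint the values, which -T requires before they
# may touch the filesystem or a subprocess.
my %rules = (
    username => qr/^([a-z0-9_]{1,32})$/,
    channel  => qr/^(frontpage|contest|highscore)$/,
);
my %input;
for my $name (sort keys %rules) {
    my $raw = $q->param($name);          # scalar context: one value only
    $raw = '' unless defined $raw;
    # Check the length first so a huge value never reaches the regexp engine.
    if (length($raw) > 64 || $raw !~ $rules{$name}) {
        print $q->header(-status => '400 Bad Request');
        exit;
    }
    $input{$name} = $1;                  # the untainted, validated value
}

# Data files live below the web root. The file name is built from a fixed
# directory plus a value that can only be one of the whitelisted channels.
my $DATA_DIR = '/folder/below/web_root/data';   # assumption
my $file     = "$DATA_DIR/$input{channel}.txt";
open my $fh, '<', $file or die "cannot open $file: $!";
my $body = do { local $/; <$fh> };
close $fh;

# If an external program is really needed, use the LIST form of system():
# no shell is involved, so backticks, ';' or '|' inside an argument are data,
# not commands. (The logger call itself is just an illustration.)
my @cmd = ('/usr/bin/logger', '-t', 'site',
           "channel=$input{channel} user=$input{username}");
system(@cmd) == 0 or warn "logger exited with status $?";

print $q->header(-type => 'text/html', -charset => 'UTF-8');
print $body;
```

Two design points worth noting. The length check runs before the regexp, so an attacker cannot feed the pattern matcher a multi-megabyte value; and the only strings that ever reach open() or system() are the captured values, so even under -T nothing needs the unsafe "untaint everything" idiom.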


yapp
User

Mar 8, 2002, 2:51 AM

Post #3 of 5 (659 views)
Re: [taffelman] Hide datastring from webforms [In reply to]


In Reply To
login.cgi?username=myname&password=mypassword


You do use a <FORM method="POST">? Not secure, but that hides the QUERY_STRING in the browser. Also, maybe you can use SSL connections, or cookies that store the user's password encrypted, so it doesn't get sent over the QUERY_STRING every time the user visits the page.

Yet Another Perl Programmer

_________________________________
~~> http://www.codingdomain.com <~~
More than 3500 X-Forum Downloads! http://www.codingdomain.com/cgi-perl/downloads/x-forum
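The two posts above suggest crypt()ing the stored passwords and accepting the login only over POST. Here is an added example, written for this thread and not code from the original poster, of what the login.cgi from the first post looks like with those two changes: the password file holds one "user:hash" line per account, the hash is produced by Perl's crypt() with a random salt, and verification re-runs crypt() with the stored hash as the salt. The file path, line layout, redirect targets, field names and the "$6$" (SHA-512 crypt) prefix are assumptions; on a system whose crypt() does not understand that prefix, the usage note below applies.

```perl
#!/usr/bin/perl -wT
# Added example (not from the thread): the first post's login.cgi reworked so
# the password file holds crypt() hashes instead of clear text and the form
# is POST-only. Path, line layout, field names and hash prefix are assumptions.
use strict;
use warnings;

BEGIN { $CGI::POST_MAX = 4096; $CGI::DISABLE_UPLOADS = 1 }
use CGI;

my $PW_FILE = '/folder/below/web_root/data/login.psw';  # "user:hash" per line
my $SUCCESS = '/members/';                               # assumed redirects
my $FAIL    = '/login-failed.html';

# Build a salted crypt() hash for a new account. The "$6$" prefix asks glibc
# for SHA-512 crypt; a libc that does not know the prefix silently falls back
# to 13-character DES crypt, so callers should check the hash length.
sub make_hash {
    my ($plain) = @_;
    my @chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    my $salt  = join '', map { $chars[rand @chars] } 1..16;
    return crypt($plain, '$6$' . $salt . '$');
}

# Verify by re-hashing the candidate with the stored hash as the salt string.
# Every byte is compared so the loop cost does not depend on where the two
# strings first differ.
sub check_password {
    my ($plain, $stored) = @_;
    my $got = crypt($plain, $stored);
    return 0 unless defined $got && length($got) == length($stored);
    my $diff = 0;
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0;
}

# Look up one user's hash in the file kept below the web root.
sub stored_hash_for {
    my ($user) = @_;
    open my $fh, '<', $PW_FILE or die "cannot read $PW_FILE: $!";
    while (my $line = <$fh>) {
        chomp $line;
        my ($u, $h) = split /:/, $line, 2;
        return $h if defined $h && $u eq $user;
    }
    return;
}

my $q = CGI->new;
if ($q->request_method ne 'POST') {
    print $q->header(-status => '405 Method Not Allowed');
    exit;
}

# Whitelist the username (this also untaints it); the password is only ever
# passed to crypt(), never to the shell or filesystem, so it stays raw.
my ($user) = (($q->param('username') // '') =~ /^([a-z0-9_]{1,32})$/);
my $pass   = $q->param('password') // '';

# Do the same amount of work whether or not the account exists, so response
# time does not reveal which usernames are valid: a throwaway hash stands in
# for a missing account, and the result is forced to "fail" afterwards.
my $stored = defined $user ? stored_hash_for($user) : undef;
my $ok     = check_password($pass, $stored // make_hash('dummy'));
$ok = 0 unless defined $stored;

print $q->redirect($ok ? $SUCCESS : $FAIL);
```

To create an entry, call make_hash() once from a command-line script and append "username:" followed by its output to login.psw; the clear-text password is never written anywhere. The redirect still goes over the network, so as the post says, SSL is what keeps the POST body itself from being read in transit.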


freddo
User

Mar 9, 2002, 7:28 AM

Post #4 of 5 (644 views)
Re: [taffelman] Hide datastring from webforms [In reply to]

Hello Taffelman,

I will try to stay short because I like the subject a lot, and it's a HUGE subject :-P

It is generally a good start to learn how the Cracker/Hacker world works; for your CGI question I recommend checking Perl CGI problems from rain.forest.puppy (but the whole site is a nice source of info too).

You may also want to check in the fraviesque((C)~S~) culture growing on here (fire wget now it's a really DEEP site, and it's far more interesting than what it looks like) as well as his/her old website.

There's also this well-known search engine (mostly script kiddie stuff).

Being Cracked! is also a nice experience to see how the whole process happens; check out the other features you can have on #RootPrompt

Try to keep up to date with what's, here are a few links:
http://www.defcon.org/
http://www.hackers.com/new/index.php
http://www.l0pht.com/
http://www.linuxsecurity.com/
http://www.ntsecurity.net/
http://www.securityfocus.com/
http://www.securitywire.com/

And fire google, search for some of the following keywords:
buffer overflow kernel call edx 75 # edx and 040 ensure you find hot stuff ;-)
perl pack tcp ip spoof SYN ACK # SYN ACK for network stuff

once you get a little culture on assembly, networking, and the tools of the trade, you can narrow your searches directly on VERY HOT stuff on the subject...

I hope this helps,
Freddo
;---

(This post was edited by freddo on Mar 9, 2002, 7:30 AM)


ka0osk
Novice

Mar 20, 2002, 6:47 AM

Post #5 of 5 (628 views)
Re: [taffelman] Hide datastring from webforms [In reply to]

Why not just use a simple scramble and make:

channel=frontpage&user=guest&...etc...

Into a hidden input that looks alot like this:

value="uuad7Qw0987adgnOSnsliAA87adshUxn3kqt98ybv0acahblpgh"

Stuff in a lot of garbage and slice out what you want. If they can figure it out, I would be very impressed! You don't even need to use crypt when you hard code the scramble. I use something like this to send cc numbers, based on a user's id, a move-around and simple math scramble. The key is that there is simply not enough scrambled data to hack it.


John Step ka0osk@netscape.net
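A hidden field is under the visitor's control just as much as the query string is, so what matters is not whether the value looks like garbage but whether the server can detect that it was changed. The following added example, written for this thread and not code from the post above, shows the standard way to get that property: the state is serialized, then a keyed MAC (HMAC-SHA-256 from the core Digest::SHA module) computed with a secret that never leaves the server is appended, and on the way back the tag is recomputed and compared before any value is used. Note what this does and does not give: anyone can still read the payload (it is only base64), but nobody without the secret can produce a field the server will accept. The secret value, field layout and sample state are assumptions; values are assumed not to contain "&" or "=" (URI-escape them if they can).

```perl
#!/usr/bin/perl
# Added example (not from the thread): carrying form state in a hidden field
# with a keyed MAC so any tampering is detected. Secret, field layout and the
# sample state are assumptions; values must not contain '&' or '='.
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Server-side secret; in practice read it from a file below the web root.
my $SECRET = 'replace-with-a-long-random-server-side-secret';   # placeholder

# Compare two strings byte by byte so the time taken does not depend on
# where they first differ.
sub same_tag {
    my ($a, $b) = @_;
    return 0 unless length($a) == length($b);
    my $diff = 0;
    $diff |= ord(substr($a, $_, 1)) ^ ord(substr($b, $_, 1))
        for 0 .. length($a) - 1;
    return $diff == 0;
}

# Serialize the state (sorted keys make the encoding deterministic) and
# append HMAC-SHA-256 over the encoded payload: "<base64>.<hex tag>".
sub pack_state {
    my (%state) = @_;
    my $query   = join '&', map { "$_=$state{$_}" } sort keys %state;
    my $payload = encode_base64($query, '');          # '' = no line breaks
    return $payload . '.' . hmac_sha256_hex($payload, $SECRET);
}

# Recompute the tag over the received payload; refuse to decode anything
# unless it matches. Returns a hashref of the state, or undef if tampered.
sub unpack_state {
    my ($field) = @_;
    my ($payload, $tag) = split /\./, $field, 2;
    return unless defined $tag
        && same_tag($tag, hmac_sha256_hex($payload, $SECRET));
    my %state = map { split /=/, $_, 2 } split /&/, decode_base64($payload);
    return \%state;
}

# Emit the field exactly as it would go into the form.
my $field = pack_state(channel => 'frontpage', user => 'guest');
print qq{<input type="hidden" name="s" value="$field">\n};

# A genuine round trip verifies and yields the original state.
my $ok = unpack_state($field);
print "verified: channel=$ok->{channel} user=$ok->{user}\n";

# Flip one bit in the first payload byte: the MAC no longer matches, so the
# field is rejected before any of its contents are looked at.
(my $forged = $field) =~ s/^(.)/chr(ord($1) ^ 1)/e;
print "forged field rejected\n" unless defined unpack_state($forged);
```

The same construction covers the original question about links of the form scriptname.cgi?channel=...&user=...: the server still sees the parameters, but it can tell a value it issued from one the visitor assembled. Data that must not be readable by the visitor at all has to be encrypted in addition to being authenticated, or better, kept on the server and referenced by an opaque session id.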

 
 


Powered by Gossamer Forum v.1.2.0