CGI Scripting and Vulnerabilities
Transcript of CGI Scripting and Vulnerabilities
![Page 1: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/1.jpg)
CGI Scripting and Vulnerabilities
COEN 351: E-commerce Security
Thomas Schwarz, S.J. 2006
![Page 2: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/2.jpg)
CGI with Perl Fundamentals
- The web server passes information to the CGI script via environment variables (the %ENV hash in Perl).
- CGI scripts produce output by printing an HTTP message on STDOUT.
- CGI scripts must output an HTTP header, but it does not have to be a full one.
![Page 3: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/3.jpg)
CGI with Perl Fundamentals
Perl has three standard file handles.
- STDIN: the web server passes the request body (headers removed) to the CGI script. If there is POST data, it is available for reading from STDIN. There is no end-of-file marker, so read exactly CONTENT_LENGTH bytes (the value of the Content-Length header) and stop; a script that reads to end-of-file will hang.
- STDOUT: Perl writes the HTTP header and body through STDOUT. Different web servers have different buffering policies.
- STDERR: Perl can send error messages to STDERR, but web servers differ in how they treat that output. Apache puts STDERR output into the error log. iPlanet puts STDERR into the HTTP response, probably out of order, because STDERR is unbuffered.
![Page 4: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/4.jpg)
CGI with Perl Fundamentals
You are now ready to create a web page (index.html) in your home directory.
The next step is to try a CGI script:

```perl
#!/perl/bin/perl -wT
print "Content-type: text/html\n\n";
print "<h1>Hi</h1>\n";
```

The shebang line holds the path to the Perl executable. Different from UNIX!
![Page 5: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/5.jpg)
CGI with Perl Fundamentals
Creating dynamic web pages with Perl: the web server passes information to CGI scripts via environment variables. CGI scripts produce output by printing the HTTP message on STDOUT. CGI scripts do not need to print full headers.
![Page 6: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/6.jpg)
CGI with Perl Fundamentals
![Page 7: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/7.jpg)
CGI with Perl Fundamentals
This script uses only a simple (partial) header. Notice the two newlines (\n\n) in the first print statement: the blank line they produce terminates the header block, and the server completes the output into a basic HTTP message.
HTTP requests:
![Page 8: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/8.jpg)
CGI with Perl Fundamentals
The minimum output for a CGI response is: the "Content-Type" line, a blank line, and the document itself.
Include the shebang line. Use taint mode (-T) as a generic precaution: it refuses to let data derived from the request reach the shell, file-system operations or string eval until the script has validated it. Use the CGI::Carp Perl module for error reporting.
Perl has a handy shortcut (the here-document) to print out many lines of text.
![Page 9: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/9.jpg)
CGI with Perl Fundamentals
Header types: Content-type header, Redirection (Location) header, Status message.
![Page 10: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/10.jpg)
CGI with Perl Fundamentals
```perl
#!/perl/bin/perl -wT
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);

print <<EHTML;
Content-type: text/html

<html><head><title>Environmental Variables</title></head><body>
<h1>Hi</h1>
<pre>
Server          $ENV{SERVER_NAME}
Listening port  $ENV{SERVER_PORT}
Server software $ENV{SERVER_SOFTWARE}
Server protocol $ENV{SERVER_PROTOCOL}
CGI version     $ENV{GATEWAY_INTERFACE}
</pre>
</body></html>
EHTML
```

Shebang with path to Perl. The CGI::Carp line sends diagnostic messages (warnings and die messages, including file paths and line numbers) to the browser. Useful while debugging; remove it before posting the script, since it discloses internals to any visitor.
The here-document lets you type in the page text directly instead of using individual print statements. The closing EHTML (or whatever token you choose) must stand alone at the start of its own line, terminated by a newline.
Environmental variables
![Page 11: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/11.jpg)
CGI with Perl Fundamentals
![Page 12: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/12.jpg)
CGI with Perl Fundamentals: Environment Variables
AUTH_TYPE, CONTENT_LENGTH, CONTENT_TYPE, DOCUMENT_ROOT, GATEWAY_INTERFACE, PATH_INFO, PATH_TRANSLATED
![Page 13: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/13.jpg)
CGI with Perl Fundamentals
Environment Variables: QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_IDENT (supplied by an ident daemon; UNIX and IRC clients only), REMOTE_USER, REQUEST_METHOD
![Page 14: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/14.jpg)
CGI with Perl Fundamentals
Environment Variables: SCRIPT_NAME, SERVER_NAME, SERVER_PROTOCOL, SERVER_SOFTWARE
![Page 15: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/15.jpg)
CGI with Perl Fundamentals: Additional CGI Environment Variables
HTTP_ACCEPT, HTTP_ACCEPT_CHARSET, HTTP_ACCEPT_ENCODING, HTTP_ACCEPT_LANGUAGE, HTTP_COOKIE, HTTP_FROM, HTTP_HOST, HTTP_REFERER, HTTP_USER_AGENT
These HTTP_* variables are copied from the client's request headers, so their values are chosen by the client and must be treated as untrusted input.
![Page 16: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/16.jpg)
CGI with Perl Fundamentals
Environment Variables: a secure (SSL) server adds many more environment variables, e.g. describing the X.509 server and browser certificates.
HTTPS is used as a flag to indicate whether the connection is secure. Its value varies by server ("ON", "on", "Off", "off"), so test it case-insensitively rather than comparing against one spelling.
![Page 17: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/17.jpg)
CGI with Perl Fundamentals
```perl
#!/perl/bin/perl -wT
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);

my $email = "tjschwarz\@scu.edu";
my $url   = "http://www.cse.scu.edu";

print header;
print start_html("Scalars");
print <<EndHTML;
<h2>Hello</h2>
<p>My e-mail address is $email, and my web url is
<a href="$url">$url</a>.</p>
EndHTML
print end_html;
```
![Page 18: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/18.jpg)
CGI with Perl Fundamentals
![Page 19: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/19.jpg)
CGI with Perl Fundamentals
CGI can output full or partial headers. A partial header consists of one or more of:
- Content-type header
- Location header: specifies the URL to redirect the client to.
- Status header, e.g. "204 No Content"
The header block is terminated by a blank line, i.e. TWO consecutive newlines.
![Page 20: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/20.jpg)
CGI with Perl Fundamentals
![Page 21: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/21.jpg)
CGI with Perl Fundamentals
When returning a Status code, remember that the browser does not display the HTTP status message (the reason phrase).
Therefore you should formulate your own error page as the response body.
![Page 22: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/22.jpg)
CGI with Perl Fundamentals
Complete headers: need the status line, a Content-type line and a Server header.
The protocol version for the status line and the value for the Server header are given to you as the SERVER_PROTOCOL and SERVER_SOFTWARE environment variables.
Scripts that emit complete headers are called nph (non-parsed header) scripts; the server passes their output to the client unchanged.
![Page 23: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/23.jpg)
CGI: Forms
COEN 351
![Page 24: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/24.jpg)
CGI: Getting Data from Client
HTML provides forms as a means to gather information and send it to the server.
Use either the POST or the GET method.
![Page 25: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/25.jpg)
CGI: Getting Data from Client HTML form tags
<FORM ACTION="register.cgi" METHOD="POST">
- METHOD: either GET or POST
- ACTION: URL of the script that should receive the HTTP request. Default is the URL of the current page.
- ENCTYPE: specifies the media type used to encode the request. The default (application/x-www-form-urlencoded) is usually adequate.
- onSubmit: JavaScript handler.
![Page 26: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/26.jpg)
Getting Data from Client
![Page 27: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/27.jpg)
Getting Data from Client
![Page 28: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/28.jpg)
Getting Data from Client Script
register.cgi receives the data. The HTTP request looks like this:

```http
POST /register.cgi HTTP/1.1
Host: bobadilla.engr.scu.edu
Content-Length: 11
Content-Type: application/x-www-form-urlencoded

name=thomas
```
![Page 29: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/29.jpg)
Getting Data from Client
![Page 30: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/30.jpg)
Getting Data from Client
![Page 31: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/31.jpg)
Getting Data from Client
To read the data:
1. Determine the method from $ENV{REQUEST_METHOD}.
2. For GET, read the data from the query string, $ENV{QUERY_STRING}.
3. For POST, determine the size of the request body from $ENV{CONTENT_LENGTH} and read exactly that many bytes from STDIN.
4. Parse the data and process it.
![Page 32: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/32.jpg)
Getting Data from Client
Determine the request method. For POST, read exactly $ENV{CONTENT_LENGTH} bytes from STDIN.
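As an added example (not the lecture's code), here is the procedure above written out in Perl, together with the checks that the STDIN slide implies but does not spell out: CONTENT_LENGTH is validated as a number and capped, STDIN is read for exactly that many bytes rather than to end-of-file, and, because the script runs under taint mode, each field is untainted against an explicit allow-list before it is used. The 100 KB cap, the `name` field and its allowed character set are assumptions for the example; the rejection statuses are sent as the partial Status header described earlier.

```perl
#!/perl/bin/perl -wT
# Added example: manual CGI input handling with the checks a real script needs.
use strict;
use warnings;

# Assumption: the largest request body we are willing to buffer in memory.
my $MAX_BODY = 102_400;    # 100 KB

# Returns the raw, still URL-encoded request data for GET or POST. Dies with an
# HTTP status string ("413 ...") that the caller turns into a Status header.
sub read_request_data {
    my ($env, $in) = @_;
    my $method = $env->{REQUEST_METHOD} // '';

    if ($method eq 'GET' || $method eq 'HEAD') {
        return $env->{QUERY_STRING} // '';
    }
    if ($method eq 'POST') {
        my $len = $env->{CONTENT_LENGTH} // '';
        # CONTENT_LENGTH is copied from a client header: insist on a plain integer.
        die "411 Length Required\n" unless $len =~ /^\d+$/;
        die "413 Request Entity Too Large\n" if $len > $MAX_BODY;

        # Never read to EOF: the server may keep STDIN open and the script would
        # hang. Read exactly $len bytes, looping because read() may return short.
        binmode($in);
        my $body = '';
        while (length($body) < $len) {
            my $got = read($in, $body, $len - length($body), length($body));
            die "400 Bad Request\n" unless defined $got && $got > 0;
        }
        return $body;
    }
    die "405 Method Not Allowed\n";
}

# Decodes application/x-www-form-urlencoded into a hash of arrays, since a
# field may be repeated. Accepts '&' and ';' as separators, as CGI.pm does.
sub parse_form_data {
    my ($raw) = @_;
    my %form;
    for my $pair (split /[&;]/, $raw) {
        next if $pair eq '';
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) {
            tr/+/ /;                                  # '+' encodes a space
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;      # %XX escapes
        }
        push @{ $form{$k} }, $v;
    }
    return \%form;
}

# Under -T, everything derived from %ENV or STDIN is tainted and cannot reach
# system(), open() or eval STRING. The only way to untaint is to match against
# an allow-list and keep the capture. Assumed allow-list for a person's name.
sub untaint_name {
    my ($value) = @_;
    return $value =~ /^([A-Za-z][A-Za-z0-9 .'-]{0,63})$/ ? $1 : undef;
}

my $form = eval { parse_form_data(read_request_data(\%ENV, \*STDIN)) };
if (!$form) {
    my ($status) = $@ =~ /^(\d{3} .*)/;
    print "Status: ", ($status // '500 Internal Server Error'), "\n";
    print "Content-Type: text/plain\n\nRequest rejected.\n";
    exit;
}

my $name = untaint_name($form->{name}[0] // '');
print "Content-Type: text/plain\n\n";
print defined $name ? "Hello, $name\n" : "Invalid name\n";
```

The 411/413/405 branches matter more than they look: a script that trusts CONTENT_LENGTH blindly can be made to allocate whatever the client claims, and one that reads until EOF can be held open indefinitely by a client that simply never closes the connection.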
![Page 33: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/33.jpg)
Getting Data from Client
![Page 34: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/34.jpg)
Getting Data from Client
![Page 35: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/35.jpg)
In principle, you can write a Perl parse function that parses the input and hands it to you as name-value pairs.
In practice, you want to use a Perl module that prepares the input for you.
See next week's CGI lesson.
Getting Data from Client
![Page 36: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/36.jpg)
CGI: CGI.pm
COEN 351
![Page 37: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/37.jpg)
CGI.pm: Perl Modules
Pre-written code: standard library modules, and other modules, e.g. from the Comprehensive Perl Archive Network (CPAN).
The CGI.pm module: load it with "use CGI qw(:standard);". It provides various functions, e.g. header, start_html, end_html.
![Page 38: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/38.jpg)
CGI.pm
CGI.pm handles:
- Input: replaces environment variables with methods
- HTML output: easy handling of HTTP headers; start_html, end_html
- Error handling
![Page 39: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/39.jpg)
CGI.pm
CGI.pm comes with two small vulnerabilities of the DoS type. Both can be fixed by setting package variables (in your script, before the CGI object is created):
- It allows uploading arbitrarily large files: set $CGI::DISABLE_UPLOADS = 1.
- It allows arbitrarily large POST messages: set $CGI::POST_MAX = 102_400; # 100KB max
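As an added example (not the lecture's code), a script with both limits set, plus the check most scripts forget: when a POST body exceeds $CGI::POST_MAX, CGI.pm does not die. It records an error string that the cgi_error method returns (e.g. "413 Request entity too large") and param() comes back empty, so a script that never calls cgi_error silently processes an empty form. The 100 KB value is the slide's; the field name `name` and the 413 response are the example's own.

```perl
#!/perl/bin/perl -wT
# Added example: closing the two CGI.pm DoS holes and checking the limit fired.
use strict;
use warnings;
use CGI;

# These must be set BEFORE the CGI object exists: new() reads the request body.
$CGI::POST_MAX        = 102_400;    # refuse POST bodies over 100 KB
$CGI::DISABLE_UPLOADS = 1;          # never spool uploaded files to disk

my $q = CGI->new;

# Returns undef when the request was accepted, otherwise the HTTP status
# string CGI.pm recorded (the body was read and discarded, param() is empty).
sub request_error {
    my ($cgi) = @_;
    my $err = $cgi->cgi_error;
    return $err ? $err : undef;
}

if (my $err = request_error($q)) {
    # Send the recorded status back as the partial Status header.
    print $q->header(-status => $err, -type => 'text/plain'),
          "Request rejected: $err\n";
    exit;
}

print $q->header(-type => 'text/plain');
printf "Received %d bytes in field 'name'\n", length($q->param('name') // '');
```

With the function-oriented interface (use CGI qw(:standard)) the object is created on the first call to a CGI function, so the two assignments must precede that first call; the error can then only be observed on the first param() call.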
![Page 40: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/40.jpg)
CGI.pm
CGI.pm module: print start_html("hello") prints out:
<html><head><title>hello</title></head><body>
end_html prints out:
</body></html>
![Page 41: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/41.jpg)
CGI.pm
CGI.pm can be used in an object-oriented and in an imperative style.
Imperative version:

```perl
use CGI qw(:standard);
print header;
print start_html("Hello World");
```

Object-oriented version:

```perl
use CGI;                 # don't need qw(:standard)
my $cgi = CGI->new;      # $cgi is now the object
print $cgi->header;      # method call: $obj->method
print $cgi->start_html("Hello World");
```
![Page 42: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/42.jpg)
CGI.PM Output
http://perldoc.perl.org/CGI.html
![Page 43: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/43.jpg)
CGI.PM Handling Output
Simple method calls generate HTML output, e.g. $q->header, or with options:
$q->header( -type => "text/html", -target => "main_frame", -expires => "+30m", -status => "444 What's that");
![Page 44: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/44.jpg)
CGI.PM Handling Output: $q->start_html, $q->end_html, $q->hr, $q->h1(...), $q->h2(...), $q->p(...)
![Page 45: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/45.jpg)
CGI.PM Handling Output: form elements such as start_form, end_form, textfield, password_field, filefield, button, submit, reset, hidden, ...
![Page 46: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/46.jpg)
CGI.PM Handling Output
```perl
#!/perl/bin/perl.exe
use strict;
use CGI;
my $q = new CGI;

print $q->header("text/html"),
      $q->start_html( -title => "Env Var", -bgcolor => "#f0f0f0" ),
      $q->h3("HTTP Environmental Variables");
foreach ( $q->http ) {
    # Request headers come from the client: escape them before echoing them
    # into the page, or a crafted User-Agent or Referer header becomes script.
    print $q->p( $_ . ": ", $q->escapeHTML( $q->http($_) ), "<br><br>" );
}
print $q->end_html;    # end_html returns a string; it has to be printed
```
![Page 47: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/47.jpg)
CGI.PM Handling Output
The example demonstrates output as well as access to the HTTP environment variables. The latter are accessed through the http method. Since they are copies of the client's request headers, their values are attacker-controlled and must be HTML-escaped before being written into a page.
![Page 48: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/48.jpg)
CGI.PM Handling Output
![Page 49: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/49.jpg)
CGI.pm
Alternatives for output:
- CGI methods: compact, but limited expressiveness
- Lots of print statements: lots of typing, easy to control
- The "here document" feature in Perl: straight HTML text from Perl
![Page 50: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/50.jpg)
CGI.PM Handling Input
http://perldoc.perl.org/CGI.html
![Page 51: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/51.jpg)
CGI.pm
Input with CGI.pm: use methods instead of environment variables.

| CGI.pm method   | Environment variable |
|-----------------|----------------------|
| content_type    | CONTENT_TYPE         |
| query_string    | QUERY_STRING         |
| remote_host     | REMOTE_HOST          |
| server_software | SERVER_SOFTWARE      |
| url             | (not available)      |
| (not available) | CONTENT_LENGTH       |
| virtual_host    | HTTP_HOST            |
![Page 52: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/52.jpg)
CGI.pm Input
Forms Allow browser to post data to server. Uses GET or POST message
![Page 53: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/53.jpg)
CGI.pm Input Form using POST method
![Page 54: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/54.jpg)
CGI.pm Input CGI.pmForm using GET method
Notice query string
![Page 55: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/55.jpg)
CGI.pm Input
The HTTP request with POST is:

```http
POST /f1.cgi HTTP/1.1
Host: localhost
Content-Length: 44
Content-Type: application/x-www-form-urlencoded

name=Thomas+Schwarz&email=tschwarz%40scu.edu
```

The HTTP request with GET is:

```http
GET /f1.cgi?name=Thomas+Schwarz&email=tschwarz%40scu.edu HTTP/1.1
Host: localhost
```
![Page 56: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/56.jpg)
CGI.pm Input: we get input from both the POST and the GET method with the param method. param determines whether POST or GET was used. Under normal circumstances, param does not give you access to the query string if you are using POST.
Work-around: use url_param, or change CGI.pm.
![Page 57: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/57.jpg)
CGI.pm
Using the CGI.pm module makes things much easier.
![Page 58: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/58.jpg)
CGI.pm
Accessing environment variables: the http method.
Without an argument it returns the names of the HTTP_* environment variables currently set, i.e. the request headers the client sent. With an argument it returns the value of that variable.
![Page 59: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/59.jpg)
CGI.pm
![Page 60: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/60.jpg)
CGI.pm
We access parameters through the param method.
![Page 61: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/61.jpg)
CGI.pm
Trapping Errors: the standard Perl construct "or die" sends its output to STDERR, which may or may not be sent to the client.
Trapping die will work:

```perl
eval { dangerous_stuff(); 1 }
or do { error( $q, $@ || "Unknown Error" ) };
```
![Page 62: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/62.jpg)
CGI.pm
Trapping Errors: trapping die everywhere generates hard-to-read code. Use CGI::Carp instead:
clean interface and code, quite powerful.
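As an added example (not the lecture's code), CGI::Carp configured the way the "remove before posting" remark earlier in the lecture calls for: fatalsToBrowser is kept so that a die() still produces a well-formed page instead of a server error, but set_message replaces the page's content with a fixed text, and carpout redirects STDERR to a log file so the real die message is written where the operator, not the visitor, reads it. The log path and the failing lookup are assumptions constructed for the example; set_message and carpout are CGI::Carp's own functions.

```perl
#!/perl/bin/perl -wT
# Added example: log the real error, show the client a generic page.
use strict;
use warnings;
use CGI;
use CGI::Carp qw(carpout fatalsToBrowser set_message);

# Assumption: the web server's user may append to this (hypothetical) file.
open my $log, '>>', '/var/log/cgi-app/errors.log'
    or die "cannot open error log: $!";
carpout($log);    # STDERR now goes here; warn()/die() text is timestamped

# fatalsToBrowser would otherwise put the die() text (file paths, line
# numbers, whatever the message contains) into the page sent to the client.
# With a code ref registered via set_message, the callback prints the body
# instead; the real message has already gone to the log through STDERR.
set_message(sub {
    my ($msg) = @_;    # deliberately not shown to the client
    print "<p>Sorry, the request could not be processed. ",
          "The problem has been logged.</p>\n";
});

my $q = CGI->new;

# Constructed failure: anything but a five-digit id "fails" with the kind of
# message that is useful in a log and harmful in a browser.
sub lookup_student {
    my ($id) = @_;
    die "lookup of '$id' failed: database host db01 refused the connection\n"
        unless $id =~ /^\d{5}$/;
    return "student $id";
}

# Build the body before printing any header: if lookup_student() dies, nothing
# has been sent yet and fatalsToBrowser emits its own Content-type header.
my $body = $q->p( $q->escapeHTML( lookup_student( $q->param('student_id') // '' ) ) );
print $q->header(-type => 'text/html'), $q->start_html('Lookup'), $body, $q->end_html;
```

Calling carpout() inside a BEGIN block additionally captures compile-time errors; it is left at run time here only to keep the example linear.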
![Page 63: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/63.jpg)
CGI: Maintaining State
COEN 351
![Page 64: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/64.jpg)
CGI: Maintaining State
HTTP is a stateless protocol. The TCP connection might be closed after each request!
In order to maintain state, we can use:
- Hidden fields
- Fat URLs: extra information in the query string
- Extra path information
- Cookies
![Page 65: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/65.jpg)
CGI: Maintaining State with Cookies
Cookie mechanism: the web server sends a Set-Cookie HTTP header to the browser. The browser returns the cookie in its Cookie header on later requests.
![Page 66: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/66.jpg)
CGI: Maintaining State with Cookies: Netscape cookie parameters:
- -name: name of the cookie. We can set several cookies.
- -value
- -domain: browsers will only return the cookie for URLs within this domain.
- -expires
- -path
- -secure: the browser will only return the cookie for secure URLs using https.
![Page 67: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/67.jpg)
CGI: Maintaining State with Cookies
Setting cookies: CGI.pm has a cookie constructor and allows you to construct headers easily:

```perl
my $cookie = $q->cookie(
    -name    => "student_id",
    -value   => 11111,
    -domain  => ".scu.edu",
    -expires => "+1y",
);
print $q->header( -type => "text/html", -cookie => $cookie );
```
![Page 68: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/68.jpg)
CGI: Maintaining State with Cookies
Capture of cookie slapping
![Page 69: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/69.jpg)
CGI: Maintaining State with Cookies
Getting cookies: available in the HTTP_COOKIE environment variable. The value can be read directly with CGI.pm:

```perl
my $cookie = $q->cookie("student_id");
print $q->header( -type => "text/plain" ), $cookie;
```
![Page 70: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/70.jpg)
CGI: Maintaining State with Cookies
Security issues with cookies: cookies are stored on the client and can be altered.
Sensitive cookie values need to be fully encrypted, and any value the server relies on needs an integrity check as well, since encryption alone does not stop tampering.
The expiration date cannot be trusted: the browser enforces it, not the server, so enforce the lifetime server-side.
![Page 71: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/71.jpg)
CGI: Maintaining State:Query Strings
Query strings are set by the GET HTTP method.
To maintain state via query strings:
1. Handle all requests through CGI (change the web-server settings), so every link can carry the state.
2. Use regular expressions to parse the query string for fields.
![Page 72: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/72.jpg)
CGI: Maintaining State:Query Strings
Performance suffers, and static web pages become impossible. Use mod_perl etc. to speed up CGI processing.
![Page 73: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/73.jpg)
CGI: Maintaining State:Hidden Fields
Hidden fields in forms are not displayed by the browser, but are still sent to the web server.
Hidden fields have no performance overhead and always work, BUT
hidden fields are easily altered by the client and cannot be trusted.
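The cookie warnings earlier in this section (cookies can be altered, the expiration date cannot be trusted) and the hidden-field warning above have the same remedy: whatever the client holds must be tamper-evident. As an added example, not from the lecture, the script below signs the state value with an HMAC (Digest::SHA, a core Perl module) and puts a server-chosen expiry inside the signed data, then issues the token both as the student_id cookie and as a hidden form field and verifies it on the way back. The key in STATE_HMAC_KEY, the one-hour lifetime, the `login` and `state` parameters are assumptions for the example. A MAC gives integrity, not secrecy: a value that must stay confidential also has to be encrypted, or better kept on the server with only an opaque identifier sent to the client, as the section's final slide recommends.

```perl
#!/perl/bin/perl -wT
# Added example: tamper-evident client-side state for cookies and hidden fields.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use CGI;

# Assumption: the key is set in the server configuration, never in the page.
my $KEY = $ENV{STATE_HMAC_KEY} // die "STATE_HMAC_KEY not set\n";
my $TTL = 3600;    # server-enforced lifetime in seconds

# Produces "value|expiry|mac". The expiry is part of the signed data, so the
# cookie's own Expires attribute no longer decides what the server accepts.
sub sign_state {
    my ($value, $now) = @_;
    die "value must not contain the separator\n" if $value =~ /\|/;
    my $payload = join '|', $value, $now + $TTL;
    return join '|', $payload, hmac_sha256_hex($payload, $KEY);
}

# Returns the value when the MAC verifies and the embedded expiry is still in
# the future, undef otherwise. The MAC comparison is constant-time so that
# response timing does not reveal how many characters matched.
sub verify_state {
    my ($token, $now) = @_;
    return undef unless defined $token;
    my ($value, $exp, $mac) = split /\|/, $token, 3;
    return undef unless defined $mac && $exp =~ /^\d+$/;
    my $expected = hmac_sha256_hex(join('|', $value, $exp), $KEY);
    return undef unless length($mac) == length($expected);
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($mac) - 1;
    return undef if $diff || $exp <= $now;
    return $value;
}

my $q = CGI->new;

if ($q->param('login')) {
    # After authentication (assumed to have happened), hand out the signed
    # token as a cookie and as the hidden field of the follow-up form.
    my $token  = sign_state('11111', time);
    my $cookie = $q->cookie(-name => 'student_id', -value => $token, -secure => 1);
    print $q->header(-type => 'text/html', -cookie => $cookie);
    print $q->start_form(-method => 'POST'),
          $q->hidden(-name => 'state', -value => $token, -override => 1),
          $q->submit, $q->end_form;
    exit;
}

# On a later request, accept the value only if it verifies. Whether it came
# back in the cookie or in the hidden field makes no difference.
my $id = verify_state($q->cookie('student_id') // $q->param('state'), time);
print $q->header(-type => 'text/plain');
print defined $id ? "student_id=$id\n" : "No valid state\n";
```

A client that edits the value, extends the expiry, or replays a token after the hour is up gets "No valid state"; the only thing it can still do is present an unmodified token, which is why a value that must not be disclosed needs encryption or server-side storage in addition to the MAC.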
![Page 74: CGI Scripting and Vulnerabilities](https://reader036.fdocuments.net/reader036/viewer/2022062323/5681529a550346895dc0c01b/html5/thumbnails/74.jpg)
CGI: Maintaining State:Hidden Fields
Maintain state at the web server: use persistent files or a database to maintain state.
Performance suffers, but security is highest.