Features are to assess the capabilities provided by each
feature and determine which ones pose unacceptable security risks. Minimally,
you must consider the following to be risks:
The feature can be used to execute external programs or
operating system commands.
The feature can be used to read or write arbitrary
files located on the server.
The feature maintains client information on the browser
using cookies or URL encoding.
The above risks only determine whether the feature has the
capability to cause security problems; it doesn't mean that the feature is
necessarily insecure. For example, CGI programs, ASP, and Live Wire
applications are risky according to all three risk indicators. Once you identify
a feature as risky, you have to determine whether secure applications can be
built using the feature despite its inherent risks and whether the benefits
provided by the feature are worth taking a chance. In the case of CGI programs,
ASP, and Live Wire applications, the answer is usually yes.
There is nothing inherently insecure about CGI itself.
However, CGI programs are a prime source of server-side vulnerabilities. By
deploying a CGI program, you are allowing others to execute Program is a
potential tool with which to attack your system. Any security flaws in your CGI
programs are directly and continually accessible, and penetrators are free to
repeatedly probe and cajole these flaws until they succeed in accomplishing
their clandestine objectives.
Do flaws exist in CGI programs? You bet. Some flaws let
attackers read data that should otherwise be concealed. Other flaws let hackers
trash data that is collected from Web users. The most devastating flaws let
penetrators remotely execute operating system commands and programs of their
How do flaws in CGI programs occur? How are they
exploited? In many cases these flaws occur because of poor parameter checking
and faulty assumptions on the part of the programmer. For example, consider the
case where a CGI program invokes a search program and passes it the value of a
decoded query string. The programmer assumes that the search program will
simply search for whatever value is passed. But when the query string is
passed, the following is executed:
In this case, the CGI program returns much more than the
search results: it appends the contents of your password file to the search
results. The penetrator can then use a password-cracking program to find a password
that will let him or her log in to your system.
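The flaw described above, as an added example that is not from the original text: a Python stand-in for the CGI program hands the decoded query string to grep (standing in for the search program) through a shell, shown beside a hardened form that passes an argument vector. The function names, the sample index and the marker input are constructed for illustration.

```python
import os
import subprocess
import tempfile
from urllib.parse import unquote_plus

def make_index():
    """Write a constructed two-line search index to a temp file."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("apples are red\npears are green\n")
    return path

def search_unsafe(query_string, index_path):
    """Flawed pattern: decoded input is pasted into a shell command line."""
    term = unquote_plus(query_string)
    cmd = "grep -F " + term + " " + index_path  # shell parses term as syntax
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def search_safe(query_string, index_path):
    """Hardened pattern: validate, then pass the term as one argv element."""
    term = unquote_plus(query_string)
    if not term or len(term) > 64 or any(ord(c) < 32 for c in term):
        raise ValueError("rejected search term")
    # No shell is involved; "--" stops grep reading the term as an option.
    argv = ["grep", "-F", "--", term, index_path]
    return subprocess.run(argv, capture_output=True, text=True).stdout

def demo():
    """Run a benign and a constructed hostile query through both versions."""
    path = make_index()
    benign = "apples"
    # Constructed, harmless input: shell separator, echo marker, comment sign.
    hostile = "apples+%2Fdev%2Fnull%3B+echo+EXTRA-COMMAND-RAN+%23"
    try:
        return {
            "unsafe_benign": search_unsafe(benign, path),
            "unsafe_hostile": search_unsafe(hostile, path),
            "safe_benign": search_safe(benign, path),
            "safe_hostile": search_safe(hostile, path),
        }
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for name, out in demo().items():
        print(name, repr(out))
```

With the benign query both versions return the same line; with the constructed query only the shell-based version emits the marker, because the hardened version searches for the whole string as literal text and finds nothing.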
You may wonder why anyone would develop CGI programs that
would allow such serious breaches of security. Some programmers don't know any
better; they are oblivious to the fact that their programs may be misused. Some
are so focused on developing their Web applications that security is put on the
back burner, permanently. However, the biggest problem, by far, is that in most
CGI programs, security flaws are difficult to spot. In the cases where they are
found, they are often dismissed. "But no one would ever do that" is a
common justification for failing to remove an exploitable flaw.
Another problem facing CGI programmers is the fact that
the odds are heavily stacked against them. The programmers must eliminate all
possible security flaws in order to make their CGI programs secure. The
penetrator need only find a single exploitable flaw in order to break into the
ASP and Live Wire Applications
Although ASP and Live Wire applications provide the same
capabilities as CGI programs, they are far less prone to security
vulnerabilities. There are a number of reasons why these applications are
inherently more secure:
They automatically parse data that is passed to
applications and make it available in an easy-to-use manner. This reduces the
likelihood of a flaw occurring in the input parsing functions.
Their applications have predefined objects at their
disposal, which reduce the complexities of maintaining client information,
sharing data between clients, and sharing data between applications. By making
it easier to perform common server-side functions, ASP and Livewire help you to
develop more reliable and error-free code, thereby lowering the likelihood of
an exploitable security flaw.
Live Wire and ASP applications are written in
using a second, less familiar, language for writing CGI programs.
The less experience a programmer has with a language,
the more likely she or he is to make mistakes, potentially exploitable ones.
The above features significantly reduce the likelihood of
security vulnerabilities in Live Wire and ASP applications. However, the
potential for some vulnerability still exists. For example, suppose an
application is designed in such a way that a Livewire redirect() method takes
a client property as a parameter. A penetrator could modify client properties
(client cookies or URLs) to cause the redirect() function to return a file of
the penetrator's choosing.