CGI Scripting and Vulnerabilities COEN 351: E-commerce Security Thomas Schwarz, S.J. 2006


Page 1

CGI Scripting and Vulnerabilities

COEN 351: E-commerce Security

Thomas Schwarz, S.J. 2006

Page 2

CGI with Perl Fundamentals

- The web server passes information to the CGI script via environment variables (the %ENV hash in Perl).
- CGI scripts produce output by printing an HTTP message on STDOUT.
- CGI scripts must emit an HTTP header, but it does not have to be a full one.

Page 3

CGI with Perl Fundamentals

Perl has three standard file handles:

- STDIN: the web server passes the request (with the header removed) to the CGI script. If there is POST data, it is available for reading from STDIN. There is no end-of-file marker, so read the Content-Length header to decide when you have reached the end of the input; otherwise the script will hang.
- STDOUT: Perl writes the HTTP header and body through STDOUT. Different web servers have different buffering policies.
- STDERR: Perl can send error messages to STDERR. However, web servers differ in how they treat this output. Apache puts STDERR output into the error log; iPlanet puts STDERR into the HTTP response, but probably out of order, because STDERR traffic is not buffered.

Page 4

CGI with Perl Fundamentals

You are now ready to create a web page, index.html, in your home directory.

The next step is to try a CGI script:

    #!/perl/bin/perl -wT
    print "Content-type: text/html\n\n";
    print "<h1>Hi</h1>\n";

The first line gives the path to the Perl executable. It is different from UNIX!

Page 5

CGI with Perl Fundamentals

Creating dynamic web pages with Perl: the web server passes information to CGI scripts via environment variables. CGI scripts produce output by printing the HTTP message on STDOUT. CGI scripts do not need to print out full headers.

Page 6

CGI with Perl Fundamentals

Page 7

CGI with Perl Fundamentals

This script uses only a simple header. Notice the double newline ("\n\n") in the first print statement: it terminates the header, and the result is a basic HTTP message.

HTTP requests:

Page 8

CGI with Perl Fundamentals

The minimum requirements for a static web page are:

- The "Content-Type" line.
- The document itself.

In addition:

- Include the she-bang line.
- Use taint mode (-T) as a generic precaution.
- Use the CGI::Carp Perl module.

Perl has a handy short-cut (the "here document") to print out many lines of text.

Page 9

CGI with Perl Fundamentals

Header types:

- Content-type header
- Redirection
- Status message

Page 10

CGI with Perl Fundamentals

    #! /perl/bin/perl -wT
    use CGI::Carp qw(warningsToBrowser fatalsToBrowser);

    print <<EHTML;
    Content-type: text/html

    <html><head><title>Environmental Variables</title></head><body>
    <h1>Hi</h1>
    <pre>
    Server           $ENV{SERVER_NAME}
    Listening port   $ENV{SERVER_PORT}
    Server software  $ENV{SERVER_SOFTWARE}
    Server protocol  $ENV{SERVER_PROTOCOL}
    CGI version      $ENV{GATEWAY_INTERFACE}
    </pre>
    </body></html>
    EHTML

- The shebang line gives the path to Perl.
- CGI::Carp with warningsToBrowser and fatalsToBrowser sends diagnostic messages to the browser. Remove it before posting the script.
- The here document (print <<EHTML;) allows you to just type in the text instead of using individual print statements. The closing EHTML (or whatever token you choose) needs to be in the first position in the line and followed by an empty line.
- The $ENV{...} entries are the environmental variables.


Page 12

CGI with Perl Fundamentals: Environmental Variables

- AUTH_TYPE
- CONTENT_LENGTH
- CONTENT_TYPE
- DOCUMENT_ROOT
- GATEWAY_INTERFACE
- PATH_INFO
- PATH_TRANSLATED

Page 13

CGI with Perl Fundamentals: Environmental Variables

- QUERY_STRING
- REMOTE_ADDR
- REMOTE_HOST
- REMOTE_IDENT (ident daemon: UNIX and IRC clients only)
- REMOTE_USER
- REQUEST_METHOD

Page 14

CGI with Perl Fundamentals: Environmental Variables

- SCRIPT_NAME
- SERVER_NAME
- SERVER_PROTOCOL
- SERVER_SOFTWARE

Page 15

CGI with Perl Fundamentals: Additional CGI Environment Variables

- HTTP_ACCEPT
- HTTP_ACCEPT_CHARSET
- HTTP_ACCEPT_ENCODING
- HTTP_ACCEPT_LANGUAGE
- HTTP_COOKIE
- HTTP_FROM
- HTTP_HOST
- HTTP_REFERER
- HTTP_USER_AGENT

Page 16

CGI with Perl Fundamentals: Environmental Variables

A secure server adds many more environmental variables, e.g. for the X.509 server and browser certificates.

HTTPS is used as a flag to indicate whether the connection is secure. Its values vary by server: "ON", "on", "Off", "off".

Page 17

CGI with Perl Fundamentals

    #!/perl/bin/perl -wT
    use CGI qw(:standard);
    use CGI::Carp qw(warningsToBrowser fatalsToBrowser);

    my $email = "tjschwarz\@scu.edu";
    my $url   = "http://www.cse.scu.edu";

    print header;
    print start_html("Scalars");
    print <<EndHTML;
    <h2>Hello</h2>
    <p>My e-mail address is $email, and my web url is
    <a href="$url">$url</a>.</p>
    EndHTML
    print end_html;

Page 18

CGI with Perl Fundamentals

Page 19

CGI with Perl Fundamentals

CGI can output full or partial headers. A partial header is one of:

- Content-type header
- Location header: specifies the URL to redirect the client to.
- Status header, e.g. "204 No response"

The header is delimited from the body by TWO new-lines.

Page 20

CGI with Perl Fundamentals

Page 21

CGI with Perl Fundamentals

When using a status code, remember that the HTTP status message is not displayed. Therefore, you might want to formulate your own error page.

Page 22

CGI with Perl Fundamentals

Complete headers need:

- a status line,
- a Content-type line,
- a Server header.

The last two are given to you as environmental variables. Scripts that send complete headers are called nph (non-parsed header) scripts.

Page 23

CGI: Forms

COEN 351

Page 24

CGI: Getting Data from Client

HTML provides forms as a means to gather information and send it to the server. Use either the POST or the GET method.

Page 25

CGI: Getting Data from Client: HTML form tags

    <FORM ACTION="register.cgi" METHOD="POST">

- METHOD: either GET or POST.
- ACTION: URL of the script that should receive the HTTP request. The default is the same URL.
- ENCTYPE: specifies the media type used to encode the request. The default is usually adequate.
- onSubmit: JavaScript handler.

Page 26

Getting Data from Client

Page 27

Getting Data from Client

Page 28

Getting Data from Client: Script

register.cgi receives the data. The HTTP request looks like this:

    POST register.cgi HTTP/1.1
    Host: bobadilla.engr.scu.edu
    Content-Length: 11
    Content-Type: application/x-www-form-urlencoded

    name=thomas

Page 29

Getting Data from Client

Page 30

Getting Data from Client

Page 31

Getting Data from Client

To read the data:

1. Read the data from the query string: $ENV{QUERY_STRING}.
2. Determine the method: $ENV{REQUEST_METHOD}.
3. If the method is POST, determine the size of the request: $ENV{CONTENT_LENGTH}.
4. Read that amount of data from STDIN.
5. Parse the data and process it.

Page 32

Getting Data from Client

Determine the request method, then read up to $ENV{CONTENT_LENGTH} bytes from STDIN.
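The procedure of pages 31 and 32 carried out by hand, as an added example that is not part of the lecture: it validates CONTENT_LENGTH before trusting it, reads exactly that many bytes (so the script neither hangs waiting for end-of-file nor swallows an unbounded body), and splits the urlencoded data into name/value pairs. The 100 KB cap and the error responses are assumptions of this example.

```perl
#!/perl/bin/perl -wT
# Added example (not from the lecture): read a form submission the way the
# slides describe, with the checks a hand-rolled reader needs.
use strict;
use warnings;

my $MAX_BODY = 102_400;   # assumption: largest POST body we accept (100 KB)

# Returns the raw form data for GET or POST, or dies with an HTTP status line.
sub read_form_data {
    my $method = $ENV{REQUEST_METHOD} || '';
    if ($method eq 'GET') {
        return defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';
    }
    if ($method eq 'POST') {
        my $len = $ENV{CONTENT_LENGTH};
        # The header comes from the client: it must be a number and within our cap.
        die "411 Length Required\n" unless defined $len && $len =~ /^(\d+)$/;
        $len = $1;                                     # untainted copy for -T
        die "413 Request Entity Too Large\n" if $len > $MAX_BODY;
        binmode STDIN;
        my $body = '';
        # read() may return fewer bytes than asked, so loop; stop at CONTENT_LENGTH
        # and never wait for end-of-file, because the server sends none.
        while (length($body) < $len) {
            my $n = read(STDIN, $body, $len - length($body), length($body));
            die "400 Bad Request\n" unless $n;         # body shorter than announced
        }
        return $body;
    }
    die "405 Method Not Allowed\n";
}

# Splits application/x-www-form-urlencoded data into name => [values].
sub parse_form_data {
    my ($data) = @_;
    my %fields;
    for my $pair (split /[&;]/, $data) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        for ($name, $value) {
            tr/+/ /;                                   # '+' encodes a space
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;       # %XX escapes
        }
        push @{ $fields{$name} }, $value;              # a name may repeat
    }
    return \%fields;
}

my $fields = eval { parse_form_data(read_form_data()) };
if (!$fields) {
    my ($status) = $@ =~ /^(\d{3}[^\n]*)/;
    $status = '500 Internal Server Error' unless defined $status;
    print "Status: $status\nContent-type: text/plain\n\nRequest rejected.\n";
    exit 0;
}
print "Content-type: text/plain\n\n";
for my $name (sort keys %$fields) {
    print "$name = ", join(', ', @{ $fields->{$name} }), "\n";
}
```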

Page 33

Getting Data from Client

Page 34

Getting Data from Client

Page 35

Getting Data from Client

In principle, you can write a Perl parse function that will parse the input and give it to you in name/value-pair form. In reality, you want to use a Perl module that prepares the input for you. See next week's CGI lesson.

Page 36

CGI: CGI.pm

COEN 351

Page 37

CGI.pm: Perl Modules

- Perl modules are pre-written code: the standard library modules, and other modules, e.g. from the Comprehensive Perl Archive Network (CPAN).
- The CGI.pm module is loaded with "use CGI qw(:standard);". It provides various functions, e.g. header, start_html, end_html.

Page 38

CGI.pm

CGI.pm handles:

- Input: replaces environment variables with environment methods.
- HTML output: easy handling of HTTP headers; start_html, end_html.
- Error handling.

Page 39

CGI.pm

CGI.pm comes with two small vulnerabilities of the DoS type. Both can be fixed by setting values in CGI.pm:

- It allows uploading arbitrarily large files. Set $DISABLE_UPLOADS = 1.
- It allows arbitrarily large POST messages. Set $POST_MAX = 102_400; # 100 KB max
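The two settings from this slide in a complete script, as an added example that is not part of the lecture: the globals are set before the request is parsed, and the script checks cgi_error so that an over-limit request gets an explicit error response instead of being processed with empty parameters. The parameter name "name" is an assumption of this example.

```perl
#!/perl/bin/perl -wT
# Added example (not from the lecture): the two CGI.pm settings from the slide,
# plus the check that turns an over-limit request into a clean error response.
use strict;
use warnings;
use CGI;

# Both globals must be set before CGI->new parses the request; afterwards they
# have no effect, because the body has already been read.
$CGI::POST_MAX        = 102_400;   # 100 KB max POST body; larger bodies are refused
$CGI::DISABLE_UPLOADS = 1;         # file-upload fields are discarded, not stored

my $q = CGI->new;

# CGI.pm does not die on an oversized request: it leaves the parameters empty
# and records the condition in cgi_error (e.g. "413 Request entity too large").
if (my $error = $q->cgi_error) {
    print $q->header(-status => $error, -type => 'text/plain'),
          "Request not processed: $error\n";
    exit 0;
}

my $name = $q->param('name');
print $q->header(-type => 'text/plain'),
      defined $name ? "Hello, $name\n" : "No name given.\n";
```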

Page 40

CGI.pm

CGI.pm module: print start_html("hello") prints out:

    <html><head><title>hello</title></head><body>

end_html prints out:

    </body></html>

Page 41

CGI.pm

CGI.pm can be used in an object-oriented and in an imperative style.

Imperative version:

    use CGI qw(:standard);
    print header;
    print start_html("Hello World");

Object-oriented version:

    use CGI;                     # don't need qw(:standard)
    $cgi = CGI->new;             # ($cgi is now the object)
    print $cgi->header;          # function call: $obj->function
    print $cgi->start_html("Hello World");

Page 42

CGI.PM Output

http://perldoc.perl.org/CGI.html

Page 43

CGI.PM Handling Output

Simple method calls generate HTML output, e.g. $q->header:

    $q->header( -type    => "text/html",
                -target  => "main_frame",
                -expires => "+30m",
                -status  => "444 What's that" );

Page 44

CGI.PM Handling Output

- $q->start_html, $q->end_html
- $q->hr
- $q->h1(...), $q->h2(...), $q->p(...)

Page 45

CGI.PM Handling Output

Form elements such as: start_form, end_form, textfield, password_field, filefield, button, submit, reset, hidden, ...

Page 46

CGI.PM Handling Output

    #!/perl/bin/perl.exe
    use strict;
    use CGI;
    my $q = new CGI;

    print $q->header("text/html"),
          $q->start_html( -title => "Env Var", -bgcolor => "#f0f0f0" ),
          $q->h3("HTTP Environmental Variables");
    # http() without an argument lists the HTTP_* variables; with one, it returns the value
    foreach ( $q->http ) {
        print $q->p( $_ . ": ", $q->http($_), "<br><br>" );
    }
    print $q->end_html;

Page 47

CGI.PM Handling Output

The example demonstrates output as well as access to the HTTP environmental variables; the latter are accessed through the http method.


Page 49

CGI.pm

Alternatives for output:

- CGI methods: compact, but limited expressiveness.
- Lots of print statements: lots of typing, but easy to control.
- The "here document" feature in Perl: straight HTML text from Perl.

Page 50

CGI.PM Handling Input

http://perldoc.perl.org/CGI.html

Page 51

CGI.pm

Input with CGI.pm: use methods instead of environmental variables.

    CGI.pm method      Environmental variable
    content_type       CONTENT_TYPE
    query_string       QUERY_STRING
    remote_host        REMOTE_HOST
    server_software    SERVER_SOFTWARE
    url                (not available)
    (not available)    CONTENT_LENGTH
    virtual_host       HTTP_HOST

Page 52

CGI.pm Input

Forms allow the browser to post data to the server, using a GET or POST message.

Page 53

CGI.pm Input: Form using the POST method

Page 54

CGI.pm Input: Form using the GET method

Notice the query string.

Page 55

CGI.pm Input

The HTTP request with POST is:

    POST f1.cgi HTTP/1.1
    Host: localhost
    Content-Length: 40
    Content-Type: application/x-www-form-urlencoded

    name=Thomas+Schwarz&email=tschwarz%40scu.edu

The HTTP request with GET is:

    /f1.cgi?name=Thomas+Schwarz&email=tschwarz%40scu.edu

Page 56

CGI.pm Input

We get input from both the POST and the GET method with the param method; param determines whether POST or GET is used. Under normal circumstances, param does not give you access to the query string if you are using POST. Work-arounds: use url_param, or change CGI.pm.

Page 57

CGI.pm

Using the CGI.pm module makes things much easier.

Page 58

CGI.pm

Accessing environmental variables: the http method.

- Without an argument: returns the names of the environmental variables currently available.
- With an argument: returns the value of that environmental variable.

Page 59

CGI.pm

Page 60

CGI.pm

We access parameters through the param method.

Page 61

CGI.pm

Trapping errors: the standard Perl construct "or die" sends its output to STDERR, which may or may not be sent to the client. Trapping die will work:

    eval {
        dangerous_stuff();
        1;
    } or do {
        error( $q, $@ || "Unknown Error" );
    };

Page 62

CGI.pm

Trapping errors: trapping die will generate difficult-to-read code. Use CGI::Carp instead: a clean interface and clean code, and quite powerful.

Page 63

CGI: Maintaining State

COEN 351

Page 64

CGI: Maintaining State

HTTP is a stateless protocol; the TCP connection might be closed after each request! In order to maintain state, we can use:

- Hidden fields
- Fat URLs: extra path information or query strings
- Cookies

Page 65

CGI: Maintaining State with Cookies

Cookie mechanism: the web server sends a Set-Cookie HTTP header to the browser. The browser returns the cookie in its Cookie header.

Page 66

CGI: Maintaining State with Cookies: Netscape Cookies

Parameters:

- -name: name of the cookie. We can set several cookies.
- -value
- -domain: browsers will only return the cookie for URLs within this domain.
- -expires
- -path
- -secure: the browser will only return the cookie for secure URLs using https.

Page 67

CGI: Maintaining State with Cookies

Setting cookies: CGI.pm has a cookie constructor and allows you to construct headers easily:

    my $cookie = $q->cookie( -name    => "student_id",
                             -value   => 11111,
                             -domain  => ".scu.edu",
                             -expires => "+1y",
    );

    print $q->header( -type => "text/html", -cookie => $cookie );

Page 68

CGI: Maintaining State with Cookies

Capture of cookie slapping

Page 69

CGI: Maintaining State with Cookies

Getting cookies: the cookie is available in the HTTP_COOKIE environment variable. You can get its value directly from CGI.pm:

    my $cookie = $q->cookie("student_id");
    print $q->header( -type => "text/plain" ), $cookie;

Page 70

CGI: Maintaining State with Cookies

Security issues with cookies:

- Cookies can be altered.
- Sensitive cookie values need to be fully encrypted.
- The expiration date cannot be trusted.

Page 71

CGI: Maintaining State: Query Strings

Query strings are set by the GET HTTP method. To maintain state via query strings:

1. Handle all requests through CGI (change the web-server settings).
2. Use regular expressions to parse the query string for fields.

Page 72

CGI: Maintaining State: Query Strings

Performance suffers, and static web pages become impossible. Use mod_perl etc. to speed up CGI processing.

Page 73

CGI: Maintaining State: Hidden Fields

Hidden fields in forms are not displayed in the browser, but are still sent to the web server.

Hidden fields have no performance overhead and always work, BUT hidden fields are easily altered and cannot be trusted.
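Both the cookie slide (page 70) and the hidden-field slide above make the same point: whatever the browser sends back may have been altered, and the browser-side expiration date cannot be trusted. This added example, not part of the lecture, shows one way to handle a state value the server has to trust: it signs the value together with a server-side expiry using an HMAC, and verifies the signature with a constant-time comparison before using the value. The secret key, the token format, the student id and the cookie and field names are assumptions of this example.

```perl
#!/perl/bin/perl -wT
# Added example (not from the lecture): a cookie or hidden-field value can be
# altered by the client, so the server signs the value and checks the signature
# and the expiry itself instead of trusting what the browser sends back.
use strict;
use warnings;
use CGI;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# Assumption: in a real deployment the key is read from a file outside the
# document root, never embedded in the script.
my $SECRET = 'replace-with-a-long-random-key';

# token = value|expiry|HMAC-SHA256(value|expiry).  The expiry is inside the
# signed part, so the client cannot extend it, unlike the cookie's own -expires.
sub sign_value {
    my ($value, $ttl_seconds) = @_;
    die "value must not contain '|'" if $value =~ /\|/;
    my $payload = join '|', $value, time() + $ttl_seconds;
    return join '|', $payload, hmac_sha256_hex($payload, $SECRET);
}

# Returns the value, or undef if the token is missing, malformed, forged or expired.
sub verify_token {
    my ($token) = @_;
    return undef unless defined $token;
    my ($value, $expires, $mac) = split /\|/, $token, 3;
    return undef unless defined $mac && $expires =~ /^\d+$/;
    my $expected = hmac_sha256_hex(join('|', $value, $expires), $SECRET);
    return undef unless constant_time_eq($mac, $expected);
    return undef if time() > $expires;
    return $value;
}

# Compare without an early exit, so the time taken does not reveal how many
# leading characters of a guessed MAC were right.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

my $q  = CGI->new;
my $id = verify_token(scalar $q->cookie('student_id'));
if (defined $id) {
    print $q->header(-type => 'text/plain'), "Welcome back, student $id\n";
} else {
    # No valid token (first visit, tampering or expiry): issue a fresh one.
    # The student id 11111 is the constructed value from the lecture's cookie slide.
    my $token  = sign_value('11111', 3600);
    my $cookie = $q->cookie(-name => 'student_id', -value => $token, -expires => '+1h');
    print $q->header(-type => 'text/html', -cookie => $cookie),
          $q->start_html('State'),
          $q->start_form,
          # the same signed token can travel in a hidden field and is verified the same way
          $q->hidden(-name => 'state', -value => $token),
          $q->submit,
          $q->end_form,
          $q->end_html;
}
```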

Page 74

CGI: Maintaining State: Hidden Fields

Maintain state at the web server: use persistent files or a database to maintain state. Performance suffers, but security is highest.