304    Chapter 5 • Communication Security: Web Based Services

             site will be unaffected.After this is done, it is wise to access the site using the user
             account that will normally be used to view the applet, component, or script. For
             example, if the site is to be used by everyone, view it using the anonymous user
             account.This will allow the administrator to effectively test for problems.
                 An exploit that hackers can use to their advantage involves scripts and programs
             that trust user input. For example, a guest book or other online program that takes
             user input could be used to have a Server Side Include (SSI) command run and
             possibly damage a site.As we’ll see later in this chapter, CGI programs written in
             Perl can be used to run batch files, while scripting languages can also be used to
             run shell functions.With a properly written and executed script, the cmd.exe func-
             tion could be used to run other programs on a Windows system.
                 For best security, administrators should write programs and scripts so that input
             passed from a client is not trusted.Tools such as Telnet or other programs available
             on the Internet can be used to simulate requests from Web browsers. If input is
             trusted, a hacker can pass various commands to the server through the applet or
             component.
                 As discussed in a previous section, considerable information may be found in
             Web pages. Because scripts can be embedded directly into the Web page, the script
             can be displayed along with the HTML by viewing the source code.This option is
             available through most browsers, and may be used to reveal information that the
             administrator did not want made public. Comments in the code may identify who
             wrote the code and contact information, while lines of code may reveal the hier-
             archy of the server (including paths to specific directories), or any number of tidbits
             that can be collected and used by hackers. In some cases, passwords and usernames
             may even be found in the code of an HTML document. If the wrong person were
             to view this information, it might open the system up to attack.
                 To protect a system and network, the administrator should ensure that permis-
             sions are correctly set and use other security methods available through the OS on
             which the Web server is running. For example, the NTFS file system on Windows
             OSes support access control lists (ACLs), which can be configured to control who
             is allowed to execute a script. By controlling access to pages using scripts, the net-
             work is better protected from hackers attempting to access this information.













          www.syngress.com