
Communication Security: Web Based Services • Chapter 5  307

                 required to connect to the database and access its data. The last thing the
                 administrator wants to do is reveal to the world how information in a corporate
                 database can be accessed.
                    The Common Gateway Interface (CGI) allows communication links between
                 Internet applications and a Web server, allowing users to access programs over the
                 Web. The process begins when a user requests a CGI script or program using their
                 browser. For example, the user might fill out a form on a Web page and then
                 submit it. The request for processing of the form is made to the Web server, which
                 executes the script or application on the server. After the application has processed
                 the input, the Web server returns output from the script or application to the
                 browser.
                    PERL is another scripting language that uses an interpreter to execute various
                 functions and commands. It is similar to the C programming language in its syntax.
                 It is popular for Web-based applications, and is widely supported. Apache Web
                 Server is a good example of this support, as it has plug-ins that will load PERL
                 permanently into memory. By loading it into memory, the PERL scripts are
                 executed faster.
                    As we’ve mentioned, Microsoft has offered an alternative to CGI and PERL in
                 Active Server Pages (ASP)—HTML documents with scripts embedded into them.
                 These scripts can be written in a number of languages, including JScript and
                 VBScript, and may also include ActiveX Data Object program statements. A benefit
                 of using ASP is that it can return output through HTML documents extremely
                 quickly. It can provide a return of information faster than using CGI and PERL.



                 NOTE
                      For more information about PERL, see the PERL FAQ on the
                      www.perl.com Web site. For more information about CGI, see
                      www.w3.org/CGI/. For more information about ASP, see
                      www.w3schools.com/asp/default.asp.




                    Common to all of these methods is that the scripts and programs run on the
                 server. This means attacks using these methods will often affect the server rather
                 than the end user. Weaknesses and flaws can be used to exploit the script or
                 program and access private information or damage the server.
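The form-processing flow described above, with the submitted data treated as untrusted because the script runs on the server. This is an added example, not code from the book; the names `handle_cgi`, `respond`, `MAX_BODY`, `NAME_RE`, the `name` form field and the sample request are assumptions made for illustration.

```python
import html
import io
import re
from urllib.parse import parse_qs

MAX_BODY = 4096                                  # assumed size limit for form data
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,64}")   # assumed allow-list for the "name" field

# Constructed sample request: a form POST as the Web server hands it to the script.
SAMPLE_ENV = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": "14"}
SAMPLE_BODY = b"name=Alice+Lee"

def respond(status, message):
    # Escape on output so form data can never become markup in the returned page.
    body = "<html><body><p>" + html.escape(message) + "</p></body></html>"
    return ("Status: " + status + "\r\n"
            "Content-Type: text/html; charset=utf-8\r\n\r\n" + body)

def handle_cgi(environ, stdin):
    """Process one CGI request and return the response text for the Web server.

    environ: variables the Web server sets for the script (CGI/1.1 names).
    stdin:   binary stream carrying the body of a POSTed form.
    """
    method = environ.get("REQUEST_METHOD", "GET")
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return respond("400 Bad Request", "Invalid Content-Length.")
        if length < 0 or length > MAX_BODY:
            return respond("413 Payload Too Large", "Form data too large.")
        raw = stdin.read(length).decode("utf-8", errors="replace")
    elif method == "GET":
        raw = environ.get("QUERY_STRING", "")
    else:
        return respond("405 Method Not Allowed", "Unsupported method.")

    # Decode the form fields, then validate before the value is used anywhere.
    fields = parse_qs(raw, keep_blank_values=True)
    name = fields.get("name", [""])[0]
    if not NAME_RE.fullmatch(name):
        return respond("400 Bad Request", "Invalid name field.")
    return respond("200 OK", "Hello, " + name + ".")

if __name__ == "__main__":
    # Runs the constructed sample; a deployed script would pass os.environ
    # and sys.stdin.buffer instead.
    print(handle_cgi(SAMPLE_ENV, io.BytesIO(SAMPLE_BODY)))
```

Every rejection happens before the field value reaches any other part of the program, which is the behaviour pre-release testing of a server-side script should confirm.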
                    Testing and auditing programs before going live with them is very important.
                 In doing so, administrators may reveal a number of vulnerabilities or find problems,



                                                                              www.syngress.com