322 Chapter 5 • Communication Security: Web Based Services
■ Avoid visiting suspect Web sites—especially those that offer
cracking tools, pirated programs, or pornography—from a
system that needs to remain secure.
■ Reject certificate installation requests and other dialog box prompts
(click No, Cancel, or Close) when they come from Web sites or vendors
you do not recognize.
CGI
Programmers working on a Web application already know that if they want their
site to do something such as gather information through forms or customize itself
to their users, they will have to go beyond HTML. They will have to do Web
programming, and one of the most common methods used to make Web applications
is CGI, the Common Gateway Interface. CGI is a specification that defines how a
Web (HTTP) server runs an external program to answer a request: the request
details (method, query string, headers) are handed to the program in environment
variables, the body of a POST is delivered on the program's standard input, and
whatever the program writes to standard output (response headers, a blank line,
then the body) is sent back to the client. Such external programs are called
gateways because they open outside information (databases, files, other programs)
to the server.
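The following is an added example, not code from the book, showing the mechanism just described as a small CGI program in Python: it reads the form fields from the environment and standard input the way the CGI interface delivers them, updates a file-backed visitor counter (the book's own example of a CGI task), and writes a response with the header, blank line, body layout the server expects. The counter file path under /tmp and the field name "name" are assumptions for the demo; the sample request inside demo() is constructed so the code runs offline.

```python
import html
import io
import os
import sys
import tempfile
from urllib.parse import parse_qs


def read_form_fields(environ, stdin):
    """Return the form fields carried by a CGI request.

    The server passes the request through environment variables
    (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH, ...) and, for POST,
    the body on standard input.  Returns a dict of field -> first value.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            length = 0
        # Read exactly CONTENT_LENGTH bytes: reading to EOF can hang on
        # servers that keep stdin open, and it also ignores trailing junk.
        raw = stdin.read(length)
        if isinstance(raw, bytes):
            raw = raw.decode("utf-8", errors="replace")
    else:
        raw = environ.get("QUERY_STRING", "")
    # keep_blank_values so a submitted but empty field still shows up
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def bump_counter(path):
    """Increment the visitor count stored in `path`; return the new count.

    Note: two simultaneous requests can both read the same value and lose
    an increment.  A real counter should take a file lock around this.
    """
    try:
        with open(path) as f:
            count = int(f.read().strip() or 0)
    except (FileNotFoundError, ValueError):
        count = 0
    count += 1
    with open(path, "w") as f:
        f.write(str(count))
    return count


def build_response(fields, count):
    """CGI output: header lines, a blank line, then the body.

    html.escape() keeps a visitor-supplied name from being rendered as
    markup in the page (reflected cross-site scripting).
    """
    name = html.escape(fields.get("name", "stranger"))
    body = (f"<html><body><p>Hello, {name}. "
            f"You are visitor number {count}.</p></body></html>\n")
    return "Content-Type: text/html\r\n\r\n" + body


def demo():
    """Constructed sample POST request, run offline through the same code."""
    environ = {"REQUEST_METHOD": "POST",
               "CONTENT_TYPE": "application/x-www-form-urlencoded",
               "CONTENT_LENGTH": "25"}
    # 25 bytes of body followed by bytes the program must not consume
    stdin = io.BytesIO(b"name=%3Cb%3EAnn%3C%2Fb%3E&extra=not+part+of+the+body")
    fields = read_form_fields(environ, stdin)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "counter.txt")
        bump_counter(path)          # first visitor
        count = bump_counter(path)  # second visitor: the file persisted
    return fields, count, build_response(fields, count)


def main():
    # Entry point when the Web server runs this file as a CGI program.
    fields = read_form_fields(os.environ, sys.stdin.buffer)
    count = bump_counter("/tmp/visitor_counter.txt")  # assumed location
    sys.stdout.write(build_response(fields, count))


if __name__ == "__main__":
    main()
```

To run it for real, place the file in the server's cgi-bin directory, make it executable with a shebang line, and request it with a form that posts a "name" field; the server sets the environment and pipes the body exactly as demo() simulates.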
There are other ways to customize or add client activity to a Web site. For
example, JavaScript can be used, which is a client-side scripting language: it runs
in the visitor's browser and cannot by itself read or write anything on the server.
CGI runs on the server, so if a developer is looking for quick and easy interactive
changes that involve server-side data, CGI is the way to go. A common example of
CGI is a "visitor counter" on a Web site. CGI can do just about anything to make a
Web site more interactive. CGI can grab records from a database, use incoming
forms, save data to a file, or return information to the client side, to name a few
features. Developers have numerous choices as to which language to use to write
their CGI scripts; Perl, Java, and C++ are just a few of the choices.
Of course, security must be considered when working with CGI. Vulnerable
CGI programs are attractive to hackers because they are simple to locate (they sit
under well-known paths such as /cgi-bin/ and answer anyone who can reach the Web
port) and because they run with the privileges of the Web server process itself, so
an input-handling bug in a script becomes code execution as that user. A poorly
written CGI script can open a server to hackers. With the assistance of Nikto or
other Web vulnerability scanners, a hacker could potentially exploit CGI
vulnerabilities. Scanners like Nikto are designed specifically to probe Web servers
for known vulnerable CGI scripts by requesting them by name. Poorly coded CGI scripts
have been among the primary methods used for obtaining access to firewall-protected
Web servers, because the HTTP port a firewall must leave open also carries the
attacker's input straight to the script. However, developers and Webmasters can
also use hacker tools to identify and address the vulnerabilities on their networks
and servers, and they can limit the damage a flawed script can do by running CGI
programs under a dedicated low-privilege account rather than the server's own.
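The classic way a poorly written CGI script hands the server to an attacker is by pasting a form value into a shell command line. The following added example, written for this page rather than taken from the book or any scanner's code, shows that pattern beside a hardened version that validates the value against an allowlist and runs the program with an argument list so no shell ever parses the input. The "lookup" tool here is the echo command standing in for nslookup, finger, ping or similar, an assumption made so the example runs offline; the hostname regex is likewise this example's own choice.

```python
import re
import subprocess

# Allowlist for the one field this script accepts: DNS-safe characters only,
# and no leading "-" so the value can never be read as an option by the
# program it is passed to.  Assumed policy for this example.
HOST_RE = re.compile(r"(?!-)[A-Za-z0-9.-]{1,253}")

# "echo" stands in for the real lookup tool so the example runs offline.
TOOL = "echo"


def unsafe_command(host):
    """How vulnerable scripts were written: the form value is interpolated
    into a command string that a shell will interpret (os.system, backticks,
    system() in C, shell=True here).  Returned so it can be inspected."""
    return f"{TOOL} Looking up {host}"


def run_unsafe(host):
    """Vulnerable: the shell sees ';', '|', '$(...)' inside the input and
    runs whatever follows with the Web server's privileges."""
    return subprocess.run(unsafe_command(host), shell=True,
                          capture_output=True, text=True, timeout=5).stdout


def validate_host(host):
    """Reject anything that is not a plausible hostname."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def hardened_argv(host):
    """Hardened: validate first, then build an argv list.  With shell=False
    the input is a single argument and is never parsed for metacharacters."""
    return [TOOL, "Looking up", validate_host(host)]


def run_hardened(host):
    return subprocess.run(hardened_argv(host), shell=False,
                          capture_output=True, text=True, timeout=5).stdout


if __name__ == "__main__":
    # Constructed attacker input: a valid host followed by a second command.
    payload = "example.com; echo INJECTED"
    print(run_unsafe(payload))       # prints the lookup line AND "INJECTED"
    print(hardened_argv("example.com"))
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened version refused:", err)
```

Note that the allowlist does the real work: quoting or escaping metacharacters for the shell is error-prone, whereas rejecting everything outside a narrow character set and bypassing the shell entirely leaves nothing to escape. The same discipline applies to any other place a CGI script hands input onward, such as file names and database queries.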