
326    Chapter 5 • Communication Security: Web Based Services

                 Guest books and chat rooms are other common uses for CGI programs. Chat
             rooms allow users to post messages and chat with one another online in real time.
             This also allows users to exchange information without exchanging personal infor-
             mation such as IP addresses, e-mail addresses, or other connection information. This
             gives users a degree of anonymity while allowing them to discuss topics in a public
             forum. Guest books allow users to post their comments about the site to a Web
             page. Users enter their comments and personal information (such as their name
             and/or e-mail address). Upon clicking Submit, the information is appended to a
             Web page and can usually be viewed by anyone who wishes to read the contents
             of the guest book.
                 Another popular use for CGI is comment or feedback forms, which allow users
             to voice their concerns, praise, or criticisms about a site or a company's product. In
             many cases, companies use these for customer service so that customers have an
             easy way to contact a company representative. Users enter their name, e-mail
             address, and comments on this page. When they click Send, the information is sent
             to a specific e-mail address or is collected in a specified folder on the Web
             server for perusal by the Web master.



              EXAM WARNING

                  You will not need to be proficient in CGI scripting for the exam. It is
                  important to understand how CGI works in order to understand the vul-
                  nerabilities of CGI. CGI exploitation is very common and is something
                  you may see in the future as a Security+ technician.





             Break-ins Resulting from Weak CGI Scripts


             One of the most common methods of hacking a Web site is to find and use poorly
             written CGI scripts. Using a CGI script, a hacker can acquire information about a
             site, access directories and files they would not normally be able to see or down-
             load, and perform various other unwanted and unexpected actions.
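             The following Python script is an added example, not code from the original book; it shows the two weaknesses this section describes side by side. A feedback-form handler that splices the visitor's e-mail address into a shell command lets a submission carrying a ";" run an extra command as the Web server's user, and a guest-book handler that joins a visitor-supplied page name onto a directory path can be walked out of that directory with "../" sequences. Each weak function is paired with a hardened one that allowlists the input and never hands it to a shell. The sample submissions, the "/srv/www/guestbook" directory and the "mail" command line are all constructed assumptions for illustration; the example builds the command and path strings but does not execute or open anything.

```python
import os
import re

# Constructed sample form submissions (not real data): one benign, one hostile.
BENIGN = {"name": "Alice", "email": "alice@example.com", "comment": "Nice site"}
HOSTILE = {"name": "Mallory", "email": "m@example.com; cat /etc/passwd", "comment": "hi"}

# Assumed directory where guest book pages live.
GUESTBOOK_DIR = "/srv/www/guestbook"


# --- Feedback form: unchecked input spliced into a shell command ----------
def build_mail_command_unsafe(form):
    """Return the command string a naive CGI script would pass to os.system().
    Nothing is validated, so an e-mail field containing ';', '|' or '`'
    appends whatever command the attacker likes; the Web server runs it."""
    return 'mail -s "Feedback from %s" %s < /tmp/feedback.txt' % (
        form["name"], form["email"])


# Allowlists: accept only the characters a field legitimately needs, and
# require the first character to be alphanumeric so a value can never be
# mistaken for a command-line option such as "-f" (argument injection).
EMAIL_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .'-]{0,63}")


def validate_form(form):
    """Return (ok, reason). Reject anything outside the allowlist instead of
    trying to strip 'bad' characters, which is easy to get wrong."""
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        return False, "invalid email"
    if not NAME_RE.fullmatch(form.get("name", "")):
        return False, "invalid name"
    if len(form.get("comment", "")) > 2000:
        return False, "comment too long"
    return True, ""


def build_mail_argv_safe(form):
    """Return an argv list for subprocess.run(argv, input=comment_bytes).
    With no shell involved, metacharacters in a field are just characters
    inside one argument, and validate_form() has already rejected them."""
    ok, reason = validate_form(form)
    if not ok:
        raise ValueError(reason)
    return ["mail", "-s", "Feedback from " + form["name"], form["email"]]


# --- Guest book: visitor-chosen page name used to build a file path --------
def resolve_guestbook_path_unsafe(base_dir, page):
    """Join the page name onto the directory with no checks.
    '../../../etc/passwd' walks out of base_dir, and an absolute page name
    makes os.path.join discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, page))


def resolve_guestbook_path_safe(base_dir, page):
    """Resolve the path, then prove it is still inside base_dir.
    realpath() collapses '..' and follows symlinks before the check, so a
    link planted inside the directory cannot be used to escape it either."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("page name escapes the guest book directory")
    return candidate


if __name__ == "__main__":
    print(build_mail_command_unsafe(HOSTILE))        # extra command appended
    print(validate_form(HOSTILE))                    # (False, 'invalid email')
    print(build_mail_argv_safe(BENIGN))
    print(resolve_guestbook_path_unsafe(GUESTBOOK_DIR, "../../../etc/passwd"))
    print(resolve_guestbook_path_safe(GUESTBOOK_DIR, "comments.html"))
```

The validation is deliberately an allowlist rather than a list of forbidden characters: a blacklist has to anticipate every shell metacharacter, encoding trick and option prefix, while a regular expression that names the permitted characters fails closed on anything new. The same principle applies to the path check, which does not look for "../" but verifies where the resolved path actually ends up.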
                 A common method of exploiting CGI scripts and programs is used when
             scripts allow user input, but the data that users are submitting is not checked.
             Controlling what information users are able to submit will dramatically reduce
             your chances of being hacked through a CGI script. This not only includes limiting
             the methods by which data can be submitted through a form (by using drop-down




          www.syngress.com