Communication Security: Web Based Services • Chapter 5 327
lists, check boxes and other methods), but also by properly coding your program to control the type of data being passed to your application. This would include input validation on character fields, such as limiting the number of characters to only what is needed. An example would be a zip code field being limited to a small series of numeric characters.
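As an added example (not code from the study guide), the following server-side allow-list validator shows the point made above: the drop-down lists and check boxes on the form cannot be trusted by themselves, so the script re-checks the type, length and format of every value it receives. The field names, patterns and sample submissions are constructed for this example.

```python
import re

# Constructed field rules for a hypothetical CGI form: a pattern that the
# whole value must match, plus a hard cap on length. Only the characters a
# field genuinely needs are allowed (e.g. a ZIP code is digits only).
FIELD_RULES = {
    # US ZIP code: exactly five digits, optionally followed by -NNNN.
    "zip": (re.compile(r"[0-9]{5}(-[0-9]{4})?"), 10),
    # Two-letter state code, re-checked against a server-side allow-list
    # (abbreviated here) even though the form offers it as a drop-down.
    "state": (re.compile(r"CA|NY|TX|WA"), 2),
    # Free-text name: letters, spaces, hyphens and apostrophes only.
    "name": (re.compile(r"[A-Za-z][A-Za-z '\-]*"), 40),
    # Check box: the only values the server will accept are "on" or "off".
    "newsletter": (re.compile(r"on|off"), 3),
}


def validate_form(fields):
    """Return a dict of field -> error message; an empty dict means all input passed.

    Fields the form never exposed are rejected outright, so extra parameters
    added to a request cannot reach the application unchecked.
    """
    errors = {}
    for name, value in fields.items():
        rule = FIELD_RULES.get(name)
        if rule is None:
            errors[name] = "unexpected field"
            continue
        pattern, max_len = rule
        if not isinstance(value, str):
            errors[name] = "not a string"
        elif len(value) > max_len:
            errors[name] = f"longer than {max_len} characters"
        elif pattern.fullmatch(value) is None:  # fullmatch: no partial matches
            errors[name] = "does not match the allowed format"
    return errors


if __name__ == "__main__":
    # Constructed sample submissions: one well-formed, one that bypassed the
    # client-side controls (state not in the list, field the form never had).
    print(validate_form({"zip": "94105", "state": "CA", "name": "Ann O'Neil"}))
    print(validate_form({"zip": "ABCDE", "state": "ZZ", "debug": "1"}))
```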
When a new script is added to a site, the system should be tested for security holes. One tool that can be used to find such holes is a CGI scanner such as Nikto, which is discussed later in this section. Another important point to remember is that as a Web site becomes more complex, it becomes more likely that a security hole will appear. As new folders are created, the administrator might overlook the need to set the correct policies; this vulnerability can be used to navigate into other directories or access sensitive data. A best practice is to keep all CGI scripts and programs in a single directory. In addition, with each new CGI script that is added, the chances increase that vulnerabilities in a script (or a combination of scripts) may be used to hack the site. For this reason, the administrator should add only the scripts the site definitely needs for its functionality, especially for a site where security is an issue.
Damage & Defense…
Crack-A-Mac
One of the most publicized attacks with a CGI program occurred by request, as part of the “Crack-A-Mac” contest. In 1997, a Swedish consulting firm called Infinit Information AB offered a 100,000 kroner (approximately US$15,000) cash prize to the first person who could hack their Web server. This system ran the WebStar 2.0 Web server on a Macintosh 8500/150 computer. After an incredible number of hacking attempts, the contest ended with no one collecting the prize. This led to Macintosh being considered one of the most secure platforms for running a Web site.
About a month later, the contest started again. This time, the Lasso Web server from Blue World was used. As with the previous Web server, no firewall was used. In this case, a commercial CGI script was installed so that the administrator could log on remotely to administer the site. The Web server used a security feature that prevented files from being served that had a specific creator code, and a password file for the CGI script used this creator code so that users would be unable to download the file. Unfortunately, another CGI program was used on the site that accessed data from a FileMaker Pro database, and (unlike the Web server) did not restrict what files were made available. A hacker managed to take advantage of this, and—after grabbing the password file—logged