Networking / Beginners

Resulting from Weak CGI Scripts

One of the most common methods of hacking a Web site is to find and use poorly written CGI scripts. Using a CGI script, a hacker can acquire information about a site, access directories and files they would not normally be able to see or download, and perform various other unwanted and unexpected actions.

A common method of exploiting CGI scripts and programs is used when scripts allow user input, but the data that users are submitting is not checked. Controlling what information users are able to submit will dramatically reduce your chances of being hacked through a CGI script.This not only includes limiting the methods by which data can be submitted through a form (by using dropdown lists, check boxes and other methods), but also by properly coding your program to control the type of data being passed to your application.This would include input validation on character fields, such as limiting the number of characters to only what is needed. An example would be a zip code field being limited to a small series of numeric characters.

When a new script is added to a site, the system should be tested for security holes. One tool that can be used to find such holes is a CGI scanner such as Nikto,[URL?] which is discussed later in this section. Another important point to remember is that as a Web site becomes more complex, it becomes more likely that a security hole will appear. As new folders are created, the administrator might overlook the need to set the correct policies; this vulnerability can be used to navigate into other directories or access sensitive data. A best practice is to try to keep all CGI scripts and programs in a single directory. In addition, with each new CGI script that is added, the chances increase that vulnerabilities in a script (or combination of scripts) may be used to hack the site. For this reason, the administrator should only use the scripts they definitely need to add to the site for functionality, especially for a site where security is an issue.

CGI Wrappers

Wrapper programs and scripts can be used to enhance security when using CGI scripts.They can provide security checks, control ownership of a CGI process, and allow users to run the scripts without compromising the Web server's security. In using wrapper scripts, however, it is important to understand what they actually do before implementing them on a system.

CGIWrap is a commonly used wrapper that performs a number of security checks.These checks are run on each CGI script before it executes. If any one of these fails, the script is prohibited from executing. In addition to these checks, CGIWrap runs each script with the permissions of the user who owns it. In other words, if a user ran a script wrapped with CGIWrap, which was owned by a user named "bobsmith," the script would execute as if bobsmith was running it. If a hacker exploited security holes in the script, they would only be able to access the files and folders to which bobsmith has access.This makes the owner of the CGI program responsible for what it does, but also simplifies administration over the script. However, because the CGI script is given access to whatever its owner can access, this can become a major security risk if the administrator accidentally leaves an administrator account as owner of a script. CGIWrap can be found on SourceForge's Web site, http://sourceforge.net/projects/cgiwrap.

Nikto

Nikto is a command-line remote-assessment tool that you can use to scan a Web site for vulnerabilities in CGI scripts and programs. In performing this audit of your site, it can seek out misconfigurations, insecure files and scripts, default files and scripts, and outdated software on the site. However, because it can make a significant amount of requests to the remote or local server being checked, you should be careful to only analyze the sites you have permission to assess. Some options can generate over 70,000 requests to a server, possibly causing it to crash.With this in mind, Nikto is an extremely useful tool in auditing your site, and identifying where potential problems may exist in your CGI scripts and programs.

Nikto is a CGI script itself that is written in Perl, and can easily be installed on your site. Once there, you can scan your own network for problems, or specify other sites to analyze. It is Open Source, and has a number of plug-ins written for it by third parties to perform additional tests. Plug-ins are programs that can be added to Nikto's functionality, and like Nikto itself, they are also written in Perl (allowing them to be viewed and edited using any Perl editing software). In itself, Nikto performs a variety of comprehensive tests on Web servers, using its database to check for over 3,200 files/CGIs that are potentially dangerous, versions of these on over 625 servers, and version specific information on over 230 servers. It provides an excellent resource for auditing security and finding vulnerabilities in Web applications that use CGI, and is available as a free download from http://www.cirt.net/code/nikto.shtml.

[Previous] [Contents] [Next]

In this tutorial:

  1. Web Based Services Security
  2. Web Security
  3. Managing Access Control
  4. Handling Directory and Data Structures
  5. Eliminating Scripting Vulnerabilities
  6. Logging Activity
  7. Finding Rogue Web Servers
  8. Stopping Browser Exploits
  9. Web Spoofing
  10. Web Server Exploits
  11. SSL and HTTP/S
  12. HTTP/S
  13. Instant Messaging
  14. Text Messaging and Short Message Service (SMS)
  15. Web-based Vulnerabilities
  16. ActiveX
  17. Dangers Associated with Using ActiveX
  18. Protection at the Network Level
  19. JavaScript
  20. Programming Secure Scripts
  21. Understanding Code Signing
  22. Buffer Overflows
  23. Making Browsers and E-mail Clients More Secure
  24. Securing Web Browser Software
  25. CGI
  26. Resulting from Weak CGI Scripts
  27. FTP Security
  28. Secure Copy
  29. FTP Sharing and Vulnerabilities
  30. Directory Services and LDAP Security
  31. LDAP
  32. Securing LDAP