Conclusions

Andrew Cantino

---

• Introduction
• Course Review
• Some final CGI Security Notes & Common Sense
• Show and tell
• Some fun security challenges

---

Introduction

Well, this is the last class! Let's do some review and have a little fun.

Course Review

• Online content delivery, the Internet, and HTML
• UNIX and the command line
• Remember tab completion and history!
• UNIX file permissions
• cPanel
• Fantastico
• Perl programming
• Variables
• Conditionals and Loops
• Comparison Operators
• Functions
• Arrays and hashes
• Files
• Regular Expressions
• We didn't cover Perl efficiency, but you should see this site.
• CGI scripting
• Perl CGI library
• Remember the shebang line and the CGI headers
• HTML forms
• SQL
• Basic SQL commands and tables
• MySQL
• phpMyAdmin
• Connecting Perl to MySQL and bound parameters
• Security
• .htaccess files
• Perl security and Taint checking
• Security issues with GET and POST
• SQL security and injection attacks
• Securing Fantastico and open source packages

Some final CGI Security Notes & Common Sense

• Use Perl taint checking.
• Use bound parameters when using SQL to avoid injection attacks.
• Know all of the scripts you have. Only run scripts that you actually need.
• Use .htaccess files to restrict access (password and IP range) to administrative CGIs
• Hide source code so people can't look for bugs. Example, name.cgi~ from an Emacs edit is a security hole.
• Don't give out system information. (Because it lets people target attacks, which is essential for breaking into a system.)
• Don't trust any input, even from hidden variables. Validate in CGI script, not with JavaScript in form.
• Remember that your GET/POST forms can be created anywhere!
• Keep your scripts up-to-date. Get on the SANS mailing list!
• Use good passwords! and crypt() passwords.
• Maintain logs for your scripts separate from the server logs.
• Make yourself an unappealing target and backup your data.
• Turn off automatic indexes and make blank index.html files.
• Avoid world-writable directories, ESPECIALLY where CGI can be executed. Don't allow world-writable directories where they can be accessed from the web. If someone finds a way to create a file on your server, you certainly don't want it to be in a place where they can also execute it!
• On a similar note, keep data files in a place that is not web accessible!
• Don't use special chrs in file names.
• Disable Server Side Includes.

Show and tell

What have you made during the last month? Did you make any interesting sites with Fantastico modules?

Some fun security challenges

There are some interesting security/hacking related challenges available online. These can often be very useful in learning about security. Try some of the following:

• Cypher Challenge will make you think about security through obscurity, and why you shouldn't hide stuff in HTML source or in JavaScripts.
• Try the HackThisSite.org 'Realistic missions'. Try the first one, in particular. These are pretty difficult, but well designed, if a bit juvenile in content.
• slyfx has some good challenges.

Back to Course Index

---

This document was generated using AFT v5.094