CGI Programming. Examples



Similar documents
HTTP is Stateless. it simply allows a browser to request a single document from a web server. it remembers nothing between invoca9ons.

The HTTP Plug-in. Table of contents

JAVASCRIPT AND COOKIES

Web Application Security

An Insight into Cookie Security

10.1 The Common Gateway Interface

Cookies Overview and HTTP Proxies

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

Gateway Apps - Security Summary SECURITY SUMMARY

Chapter 6 Virtual Private Networking Using SSL Connections

Login with Amazon. Getting Started Guide for Websites. Version 1.0

CGI An Example. CGI Model (Pieces)

Check list for web developers

LabVIEW Internet Toolkit User Guide

Chapter 5 Configuring the Remote Access Web Portal

Working With Virtual Hosts on Pramati Server

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Computer Networks. Lecture 7: Application layer: FTP and HTTP. Marcin Bieńkowski. Institute of Computer Science University of Wrocław

Nginx 1 Web Server Implementation

API documentation - 1 -

Exploiting the Web with Tivoli Storage Manager

Lecture 8a: WWW Proxy Servers and Cookies

HTML Form Widgets. Review: HTML Forms. Review: CGI Programs

Lecture 8a: WWW Proxy Servers and Cookies

Performance Measurement Service Choice Browser Installation and Use

SSL VPN Portal Options

CGI Programming. What is CGI?

Further web design: HTML forms

CSCI110: Examination information.

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

Webmail Using the Hush Encryption Engine

Load Balancing Web Applications

Introduction to Computer Security

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Startup guide for Zimonitor

Traitware Authentication Service Integration Document

Criteria for web application security check. Version

Login with Amazon. Developer Guide for Websites

Web Server Manual. Mike Burns Greg Pettyjohn Jay McCarthy November 20, 2006

TROUBLESHOOTING RSA ACCESS MANAGER SINGLE SIGN-ON FOR WEB-BASED APPLICATIONS

Technical Guide for Remote access

Configure Single Sign on Between Domino and WPS

Oracle Forms Services Secure Web.Show_Document() calls to Oracle Reports Server 6i

So in order to grab all the visitors requests we add to our workbench a non-test-element of the proxy type.

GravityLab Multimedia Inc. Windows Media Authentication Administration Guide

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

AUDIT REPORT EXAMPLE

Form Mail Tutorial. Introduction. The cgi-bin

Web Service Reference

4 - TexShare and HARLiC CARDS ( Online Application Form) 5 REMOTE ACCESS TO DATABASES

Certified Secure Web Application Security Test Checklist

OVERVIEW OF ASP. What is ASP. Why ASP

Working with Indicee Elements

ATS Test Documentation

Session Management in Web Applications

Load testing with. WAPT Cloud. Quick Start Guide

10CS73:Web Programming

2 Downloading Access Manager 3.1 SP4 IR1

<Insert Picture Here> Oracle Web Cache 11g Overview

Avatier Identity Management Suite

Handling of "Dynamically-Exchanged Session Parameters"

PDG Software. Site Design Guide

Configuring Web services

P&WC Portal Settings. 1) Portal Language Setting:

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

HP WebInspect Tutorial

Setup Corporate (Microsoft Exchange) . This tutorial will walk you through the steps of setting up your corporate account.

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Hello! This provides details below pertaining to the University's Bank of America VISA charge card program.

Copyright: WhosOnLocation Limited

Client Administrator Quick Reference Guide

Anonymity on the Internet Over Proxy Servers

Forms, CGI Objectives. HTML forms. Form example. Form example...

CSE 135 Server Side Web Languages Lecture # 7. State and Session Management

Collax Web Security. Howto. This howto describes the setup of a Web proxy server as Web content filter.

1. Welcome to QEngine About This Guide About QEngine Online Resources Installing/Starting QEngine... 5

The Web: some jargon. User agent for Web is called a browser: Web page: Most Web pages consist of: Server for Web is called Web server:

Protocolo HTTP. Web and HTTP. HTTP overview. HTTP overview

WebMail Forensics. Thomas Akin, CISSP. Director, Southeast Cybercrime Institute Kennesaw State University

Common Security Vulnerabilities in Online Payment Systems

Implementation Guide SAP NetWeaver Identity Management Identity Provider

End User Guide The guide for /ftp account owner

Accelerating Wordpress for Pagerank and Profit

Connected Data. Connected Data requirements for SSO

HTML Forms and CONTROLS

Lecture 11 Web Application Security (part 1)

Building Java Servlets with Oracle JDeveloper

Snapt Balancer Manual

Application Security Testing. Generic Test Strategy


Oracle9i Application Server: Options for Running Active Server Pages. An Oracle White Paper July 2001

What is Web Security? Motivation

Auditing a Web Application. Brad Ruppert. SANS Technology Institute GWAS Presentation 1

Transcription:

CGI Programming Perl is used as an example throughout. Most of what is said here applies to any common programming language (ie C, C++, python etc.). Perls CGI library provides tools to simplify web page creation header, start_html, h1 form creation start_form,textfield, checkbox_group, submit, end_form parsing QUERY_STRING/stdin param session maintainence (later) 41 - CGI Programming CSC309 1 Examples A complex example: http://127.0.0.1/cgi-bin/cgilibexample.pl Its source A simple example: AddForm.html Its source 41 - CGI Programming CSC309 2 1

Statelessness Browser/webserver interaction is stateless by default Stateless = no memory of the browsers state (probably determined by previous forms filled in and pages viewed) is kept either at the browser or webserver. Example: Want to allow access to the addition script only once a user is logged in. Don't want to require a user to login at every page. 41 - CGI Programming CSC309 3 Adding State: Cookies Store state at the browser: cookies Are name=value pairs (like parameters in a CGI query string) CGI scripts can create cookies and send them to the browser in the HTTP header. The browser maintains a list of cookies that belong to a particular Web server, and returns them to the CGI script during subsequent interactions. Supported by Netscape 1.1 (and later), Internet Explorer perls CGI lib has several methods that support cookies. 41 - CGI Programming CSC309 4 2

Cookies (continued) Example: LoginForm (using cookies) Note: Browsers limit the size of cookies. Users can refuse to accept them Optional parameters Expiration time - cookie will be stored and returned until expiration time. If not specified, cookie lives until browser is exited. Domain - (ie cs.toronto.edu) return cookie to any server in this domain. If not specified, return cookie only to servers on host sending cookie. Path - cookies sent only to scripts within the path. If not specified, return cookies to any script. Secure flag - return cookies only on a secure (SSL) channel 41 - CGI Programming CSC309 5 Adding State (Hidden Variables) Store state in web pages: Add hidden variables. Supported by all browsers Requires all hidden variables to appear in all forms. State is sent inside each web page. For form based applications only. Following hyperlinks causes a loss of state (unless you use some javascript tricks). Current submitted page represents current state independent of what was done previously. Example: (see AddForm.html (the source)) <input type=hidden name=secret value="don't tell anyone!!"> 41 - CGI Programming CSC309 6 3

Adding State (URL Rewriting) Store state in the URL: Rewrite URLs so that they include state variables Each URL is now a CGI-get request Supported by all browsers Requires all URLs contain all state information (long URLs) Current submitted page represents current state independent of what was done previously. 41 - CGI Programming CSC309 7 Examples Go to http://127.0.0.1/cgi-bin/urlrewrite.pl Follow the links a few times Play with the reload and back buttons Visit the site by URL alone http://127.0.0.1/cgi-bin/urlrewrite.pl Trick the application to thinking you have visited it 1000 times. Source: URLRewrite.pl 41 - CGI Programming CSC309 8 4

Adding State (Store State at Server) Current state is stored at the server (ie in a file or database) Each request includes a token identifying the browsers session (tokens can be passed via cookies, hidden vars, url rewriting). At each request, the executing CGI script uses the token to fetch session state Carefull: Browser back button problem. The page the user is viewing may not reflect state stored at the server. Solution: Use pragma: no-cache http header to prevent page caching in client and proxies. Note: Combinations of the above techniques used in practise 41 - CGI Programming CSC309 9 Concurrency More than one copy of a script may be executing at the same time. Manage shared resources (ie files) see flock in perlfunc Coordinate processes using system semaphores/mutex Carefull: You must understand the system the system the web server is running on. (ie. File locking does not work if the file system is NFS mounted). lockexample (not a web based example) 41 - CGI Programming CSC309 10 5

Examples Go to http://127.0.0.1/cgi-bin/expire1.pl, then follow the links a few times, finally, use the back button a few times. Sources expire1.pl (can not be cached) expire2.pl (can be cached) 41 - CGI Programming CSC309 11 6