Sunday 15 April 2012

security - Perl: How can I test for a URL (https) accepting GET requests using the "login" parameter


I have a CGI server-side script that accepts GET and POST with a login parameter. I want to test it to make sure it is not weak, so the plan is to use Perl LWP, send the login parameters in both GET and POST, and compare the results. The interface has been changed so that in the POST we can send the user name and password in the session cookies (not sure that this is a great idea); how do I check it? Here's what I've done so far:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use LWP;
    use LWP::UserAgent;
    use HTTP::Request;

    print "This is libwww-perl-$LWP::VERSION\n";

    # Create a user agent object
    my $ua = LWP::UserAgent->new;
    $ua->agent("MyApp/0.1");

    # Create a request
    #my $req = HTTP::Request->new(POST => 'http://search.cpan.org/search');
    #my $req = HTTP::Request->new(GET => 'https://qa.co.net:443/cgi-bin/n-cu.cgi');
    # (the original had a stray " HTTP/1.1" appended to the URL; LWP adds the request line itself)
    my $req = HTTP::Request->new(GET => 'https://qa.co.net:443/cgi-bin/n-cu.cgi?mode=frameset&jscript=1&remote_user&login=foo&password=foo');
    $req->content_type('application/x-www-form-urlencoded');
    $req->content('query=libwww-perl&mode=dist');

    # Pass the request to the user agent and get a response back
    my $res = $ua->request($req);

    # Check the outcome of the response
    if ($res->is_success) {
        print $res->content;
        #print $res->code;
        #print $res->message;
    }
    else {
        print $res->status_line, "\n";
    }

This is not going to do it, since it does not contain the session cookie part, but it may be a good start. Is this the right way to go about it?

Here's what has been implemented in the CGI:

    # cr_login for POST && login for GET -- leave the GET parameter as it used to be.
    use CGI;
    use Date::Calc qw(Today_and_Now);   # Today_and_Now() returns (year, month, day, hour, min, sec)

    my $req = CGI->new;
    my $m   = $ENV{REQUEST_METHOD};
    my $msg;
    # $event_logging_directory is set elsewhere in the script

    if ($m eq 'GET' && defined($req->param('login'))) {
        $msg = 'parameter "login" is invalid for this request type.';
        # The lines below were the newly added ones (marked "+" in the original listing):
        # append a record of the rejected request to the security log.
        my $seclog = $event_logging_directory . '/invalid_request.log';
        open(S, ">>$seclog") or die $!;
        my $logmsg = sprintf("%4d-%02d-%02d %02d:%02d:%02d", Today_and_Now())
            . "|mode:"        . $req->param('mode')
            . "|login:"       . $req->param('login')
            . "|remote_addr:" . $ENV{REMOTE_ADDR}
            . "|$msg\n";
        print S $logmsg;
        close(S);
    }

And:

    A POST request to n-cu.cgi should use the parameter "cr_login". If the parameter "login" is passed in a POST request, it should raise an error and return to the login screen. A GET request to n-cu.cgi should use the parameter "login". If the parameter "cr_login" is passed in a POST request, it should raise an error and return to the login screen.

This is how we do it:

  • Keep the session cookies and a reference to the browser alive:

    my $browser = LWP::UserAgent->new(keep_alive => 10);
    $browser->cookie_jar({});
    $browser->agent('Mozilla/8.0');
    #$browser->ssl_opts({ verify_hostname => 0 });
    $browser->show_progress(1);

    # (the statement that issues the request is cut off in the original; only its tail survives)
    )), "\n\n";
    my $content = $response->as_string;
    print "$content\n";

    Password being sent to the cookie? No.

    GET for disclaimer/login.

    Password over SSL / login/username on SSL.


In CGI, GET/POST is indicated by the REQUEST_METHOD environment variable.

You can't stop people from issuing a GET request to your server, but you can refuse to process it, like so (untested code - you have to fill in the details):

    use CGI;

    if ($ENV{REQUEST_METHOD} ne 'POST') {
        # issue a redirect to a suitable error page, then stop
        exit;
    }
    my $q = CGI->new();
    my $user     = $q->param('username');
    my $password = $q->param('password');
    my $encrypted_password = my_password_encryptor($password);   # placeholder: fill in
    unless (can_log_in($user, $encrypted_password)) {            # placeholder: fill in
        # issue an error message - redirect and return, or fall through ...
    }
    else {
        $session->set_user_logged_in();                          # $session: your session object
    }

Most people don't roll their own authentication or session handling. They mostly use one from CPAN, or one included with a larger app framework. If you're doing CGI, you can use CGI::Session.

You might give CGI::Application and/or its offspring a look. Those authors have already solved a bunch of the problems that you're facing.
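An added example, not code from the question or the answer above, that puts the two halves together: a Perl function implementing the method/parameter rule the question states (GET carries "login", POST carries "cr_login", anything else is refused, which is also the answer's REQUEST_METHOD check), an in-process stand-in for n-cu.cgi so the script runs with no server at all, and an LWP-style probe that sends all four method/parameter combinations and records the status codes so they can be compared. The stand-in's responses (a 302 back to a login page on a bad request, a Set-Cookie on success), the login-page path, the LIVE environment switch and the reading that "cr_login" on a GET is the bad case are all assumptions made here; against the real host the transport is simply $ua->request.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Request::Common qw(GET POST);
use HTTP::Response;
use LWP::UserAgent;
use URI;

# Rule from the question: GET must not carry "cr_login", POST must not
# carry "login", and any other method is refused (the answer's
# REQUEST_METHOD check). Returns the error text to log, or nothing when
# the request is acceptable. $params is a hashref of form fields.
sub validate_request {
    my ($method, $params) = @_;
    if ($method eq 'GET') {
        return 'parameter "cr_login" is invalid for this request type.'
            if exists $params->{cr_login};
    }
    elsif ($method eq 'POST') {
        return 'parameter "login" is invalid for this request type.'
            if exists $params->{login};
    }
    else {
        return "request method $method is not supported.";
    }
    return;
}

# Hypothetical stand-in for n-cu.cgi (its real responses are not shown in
# the question). Form fields come from the query string on GET and from
# the urlencoded body on POST, exactly as CGI.pm would see them.
sub fake_cgi {
    my ($req) = @_;
    my $method = $req->method;
    my @pairs  = $method eq 'POST'
        ? URI->new('http://localhost/?' . $req->content)->query_form
        : $req->uri->query_form;
    my %params = @pairs;
    if (my $err = validate_request($method, \%params)) {
        # "return to the login screen": modelled here as a redirect
        return HTTP::Response->new(302, 'Found',
            [ Location => '/cgi-bin/n-cu.cgi?mode=login' ], $err);
    }
    return HTTP::Response->new(200, 'OK',
        [ 'Set-Cookie' => 'session=abc123; Secure; HttpOnly' ], 'welcome');
}

# Send the four method/parameter combinations and collect the status codes.
# $transport takes an HTTP::Request and returns an HTTP::Response:
# \&fake_cgi offline, sub { $ua->request($_[0]) } against the real host.
sub probe {
    my ($transport, $base) = @_;
    my @cases = (
        [ 'GET+login'     => GET("$base?mode=frameset&login=foo&password=foo") ],
        [ 'GET+cr_login'  => GET("$base?mode=frameset&cr_login=foo&password=foo") ],
        [ 'POST+cr_login' => POST($base, [ mode => 'frameset', cr_login => 'foo', password => 'foo' ]) ],
        [ 'POST+login'    => POST($base, [ mode => 'frameset', login => 'foo', password => 'foo' ]) ],
    );
    my %results;
    for my $case (@cases) {
        my ($name, $req) = @$case;
        $results{$name} = $transport->($req)->code;
    }
    return \%results;
}

my $base = 'https://qa.co.net:443/cgi-bin/n-cu.cgi';
# Cookie jar so that a Set-Cookie from one response is replayed on the next request.
my $ua = LWP::UserAgent->new(keep_alive => 10, cookie_jar => {});
my $transport = $ENV{LIVE} ? sub { $ua->request($_[0]) } : \&fake_cgi;
my $results = probe($transport, $base);
for my $name (sort keys %$results) {
    printf "%-14s -> %s\n", $name, $results->{$name};
}
```

Run it as-is and the stand-in shows which combinations the rule accepts; run it with LIVE=1 and the same four requests go to the real host through the cookie jar, so the two tables can be compared line by line. Anything the live host answers with 200 that the stand-in answers with 302 is a request the CGI should have refused.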
