
Re: [Tiger-user] Checking CGI scripts


From: Javier Fernandez-Sanguino
Subject: Re: [Tiger-user] Checking CGI scripts
Date: Tue, 20 May 2003 20:48:44 +0200
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

Bob Hall wrote:
> Just as a poser, I was wondering if anybody had come up with a
> good way to check whether a web server CGI script or program
> is vulnerable to being exploited by means of carefully
> constructed input? To me it seems like a very difficult problem
> to solve, but I could be mistaken.

That is a difficult problem to tackle, at least from Tiger's point of view. And it seems like work that could be better approached with remote VA tools (like Nessus, or application-level tools such as Spike) and source-code auditing tools.

I don't believe it's something we can program checks to test and determine automatically, and I believe nothing beats a good code review.

However, you might want to take a look at http://www.owasp.org/ (the different web-programming related guides available) which are much more up-to-date than the WWW Security FAQ.

Tiger could, however, look for the presence of _known_ vulnerable CGIs installed on the system (for example, say you have installed the perl interpreter in the CGI or have the sample CGIs from the webserver). Although determining their location usually means parsing the Apache configuration file. That is doable, however.

Regards

Javi
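
The check described in the last paragraph of the message, sketched as an added example (not part of the original e-mail and not Tiger's own code): it reads `ScriptAlias` directives from an Apache configuration file and reports interpreters or sample CGIs found in those directories. The `RISKY_NAMES` list and the function names are assumptions chosen for illustration; `Include`d files, `ScriptAliasMatch` and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: flag known-risky files inside Apache CGI directories.

# File names treated as risky when they sit in a CGI directory
# (illustrative list): command interpreters, plus the printenv and
# test-cgi sample scripts that Apache distributions have shipped.
RISKY_NAMES="perl sh bash csh ksh tcsh python php printenv test-cgi"

# Print the filesystem path of every ScriptAlias in config file $1.
# awk's default field splitting ignores leading whitespace, and a
# commented-out directive has "#" in its first field, so it never matches.
cgi_dirs() {
    awk '
        tolower($1) == "scriptalias" && NF >= 3 {
            dir = $3
            gsub(/"/, "", dir)      # strip optional quotes around the path
            print dir
        }' "$1"
}

# Print "WARN <path>" for each risky name found in each CGI directory
# declared in config file $1. Directories that do not exist are skipped.
check_cgi() {
    cgi_dirs "$1" | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        for name in $RISKY_NAMES; do
            f="${dir%/}/$name"
            if [ -e "$f" ]; then
                echo "WARN $f"
            fi
        done
    done
}

# Stand-alone use: sh check_cgi.sh /path/to/httpd.conf
if [ "$#" -gt 0 ]; then
    check_cgi "$1"
fi
```

A name match only says the file is present; whether it is actually reachable and executable through the web server still has to be confirmed by hand.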





