A secure server means that the data exchanged between the user agent and the server is encrypted. Otherwise, there is typically no encryption.

It's trivial to edit hidden fields in forms. Here's one easy way: save the form to your hard drive and change the fields. Then set the following tag in the <head> section:

<base href="http://www.somedomain.com">

Once everything's changed, just resubmit.

Most CGI scripts don't bother to check the referrer or ip address. They may check for cookies for authentication. If you suspect issues like this are occurring, you whip out your trusty LWP library and start coding.

As for the difference between encoded and encrypted: mirod was mentioning this in response to your last post. The discussion was regarding Basic authentication with .htaccess files. With such authentication, the server sends a challenge and the browser prompts you with a dialogue box for your username and password for the particular resource you wish to access. Once entered, they are joined with a colon and Base64 encoded. This encoding is little more than a Caesar Cipher. According to RFC2045, this encoding is as follows:

The Base64 Alphabet

Value Encoding  Value Encoding  Value Encoding  Value Encoding
    0 A            17 R            34 i            51 z
    1 B            18 S            35 j            52 0
    2 C            19 T            36 k            53 1
    3 D            20 U            37 l            54 2
    4 E            21 V            38 m            55 3
    5 F            22 W            39 n            56 4
    6 G            23 X            40 o            57 5
    7 H            24 Y            41 p            58 6
    8 I            25 Z            42 q            59 7
    9 J            26 a            43 r            60 8
   10 K            27 b            44 s            61 9
   11 L            28 c            45 t            62 +
   12 M            29 d            46 u            63 /
   13 N            30 e            47 v
   14 O            31 f            48 w         (pad) =
   15 P            32 g            49 x
   16 Q            33 h            50 y

Needless to say, that's not encryption.

If you need stronger protection, run your Web scripts over a secure server. If you can restrict your users to IE5.5, you could also go with Digest Authentication. It's much more secure than Basic, but not widely supported.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.


In reply to (Ovid) Re: CGI security take two by Ovid
in thread CGI security take two by ant
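Editor's added example, not code from Ovid's post: the hidden-field tampering described above is detected server-side if the CGI script signs the values it emits and re-checks the signature on submission. The secret name `$SECRET`, the field names and the helper functions are all constructed for illustration; `hmac_sha256_hex` is the real function from the core `Digest::SHA` module.

```perl
#!/usr/bin/perl
# Added example (not from the original post): sign hidden form fields
# with an HMAC so that a CGI script can detect when a user has saved
# the form, edited the hidden values, and resubmitted it.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical server-side secret; in practice read it from a file
# outside the document root, never embed it in the script.
my $SECRET = 'change-me-on-deployment';

# Canonical string for the protected fields, so the signature covers
# every value and the fields cannot be reordered or dropped.
sub canonical {
    my (%fields) = @_;
    return join "\n", map { "$_=$fields{$_}" } sort keys %fields;
}

sub sign_fields {
    my (%fields) = @_;
    return hmac_sha256_hex(canonical(%fields), $SECRET);
}

# Compare two hex digests without leaking where they first differ.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1)
        for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_fields {
    my ($sig, %fields) = @_;
    return digests_equal($sig, sign_fields(%fields));
}

# When emitting the form, the script adds the signature as one more
# hidden field (constructed sample order):
my %order = (item => 'book-42', price => '19.95', qty => '1');
my $sig   = sign_fields(%order);
print qq{<input type="hidden" name="sig" value="$sig">\n};

# On submission, re-derive the signature from the posted values. A
# copy whose price was edited in the saved HTML no longer verifies.
print verify_fields($sig, %order)    ? "untouched: ok\n" : "untouched: REJECT\n";
my %tampered = (%order, price => '0.01');
print verify_fields($sig, %tampered) ? "tampered: ok\n"  : "tampered: REJECT\n";
```

Signing only proves the values came from your own script unmodified; it does not stop a user from replaying an old, validly signed form. For anything price-like, the more robust design is to keep the authoritative value server-side (in a session keyed by an opaque id) and put nothing but that id in the form.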
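Editor's added example, not code from Ovid's post: to make the "encoded, not encrypted" point concrete, this script decodes an HTTP Basic `Authorization` header using nothing but the RFC 2045 alphabet reproduced above. The captured header line and the credentials in it are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the original post): decode an HTTP Basic
# "Authorization" header by hand, using only the RFC 2045 alphabet,
# to show that the credentials are merely encoded.
use strict;
use warnings;

# The Base64 alphabet in value order 0..63, exactly as in RFC 2045.
my @alphabet = ('A' .. 'Z', 'a' .. 'z', '0' .. '9', '+', '/');
my %value;
@value{@alphabet} = (0 .. 63);

# Decode a Base64 string: six bits per character, '=' is padding.
sub base64_decode {
    my ($text) = @_;
    $text =~ s/\s+//g;
    my $bits = '';
    for my $ch (split //, $text) {
        last if $ch eq '=';
        die "not a Base64 character: '$ch'\n" unless exists $value{$ch};
        $bits .= sprintf '%06b', $value{$ch};
    }
    # Drop the leftover bits that never formed a full byte.
    $bits = substr $bits, 0, length($bits) - length($bits) % 8;
    return pack 'B*', $bits;
}

# Pull the user name and password out of a request header line.
sub basic_credentials {
    my ($header) = @_;
    return unless $header =~ /^Authorization:\s*Basic\s+(\S+)/i;
    my ($user, $pass) = split /:/, base64_decode($1), 2;
    return ($user, $pass);
}

# Constructed header line, as anything in the path of an unencrypted
# connection would see it (user "monk", password "camel").
my $captured = 'Authorization: Basic bW9uazpjYW1lbA==';
my ($user, $pass) = basic_credentials($captured);
print "user=$user password=$pass\n";
```

The whole "cipher" is a 64-entry lookup table with no key, which is why Basic authentication only protects credentials when the connection itself is encrypted, as the post says. In real code use the core `MIME::Base64` module (`decode_base64`) rather than a hand-rolled decoder; the manual version is here only to show how little the encoding does.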
