in reply to Re^6: How to avoid Null Byte Injection?
in thread How to avoid Null Byte Injection?

Based on some earlier posts, I suspect you were running it as a CGI script, when it was originally designed to be run from the command-line. I've updated it so it should work in either environment.

Re^8: How to avoid Null Byte Injection?
by Nik (Initiate) on Oct 10, 2006 at 08:34 UTC
    Thanks, I will now try it.
    Could you please do me a favour and try to see if you can pass bogus input to http://nikos.no-ip.org, so as to see if a crafty user can still send unwanted code to my index.pl (or any other) and break it?

    Please, it's crucial to me to see if I made my script secure enough.
    I have changed a lot of things in all my scripts (Perl code) and also added DigestAuth functionality to prevent certain unwanted access.
    Please give it a shot!
      It is very time consuming to do this sort of testing. I would recommend going through your code very carefully, and finding places where it would be easy to make a mistake. Then write test cases to make sure you didn't make that mistake. Keep the tests around, and as the application evolves, you can reassure yourself you haven't made any of the mistakes you predicted by running the tests.

      Also, read everything you can about secure programming. As you learn about new vulnerabilities, scour your code for them, then write tests to ensure they aren't introduced later. This article from SecurityFocus, Five common Web application vulnerabilities, is a good start. Searching here on PerlMonks for security would probably yield some helpful information, too.

      For more advanced testing, fuzzing might be a useful technique.
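
An added example, not code from this thread, of the kind of regression test the reply above recommends: each predicted mistake becomes one test case that is kept and re-run as the script changes. The `validate_page_name` function, its allow-list rule and all sample inputs are assumptions constructed for illustration; the thread does not show how index.pl validates its parameters.

```perl
#!/usr/bin/perl
# Added example: regression tests for a hypothetical input validator.
use strict;
use warnings;
use Test::More;

# Hypothetical validator (an assumption, not the script from the thread).
# Allow-list: 1 to 64 letters, digits, underscores or hyphens. Anything
# else, including NUL bytes, dots and slashes, fails without being named.
# \A and \z anchor the whole string; "$" would tolerate a trailing newline.
sub validate_page_name {
    my ($name) = @_;
    return undef unless defined $name;    # always hand back one scalar
    return $name =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

# Constructed inputs, one per mistake predicted during code review.
my @rejected = (
    [ "index\0.txt",      'embedded NUL byte' ],
    [ "index.txt\0.html", 'NUL byte in front of a second extension' ],
    [ "../etc/passwd",    'directory traversal' ],
    [ "index\n",          'trailing newline' ],
    [ "",                 'empty string' ],
    [ "a" x 65,           'over-long name' ],
);
my @accepted = qw(index about_us page-2);

for my $case (@rejected) {
    my ($input, $why) = @$case;
    is( validate_page_name($input), undef, "rejects $why" );
}
is( validate_page_name(undef), undef, 'rejects undefined input' );
is( validate_page_name($_), $_, "accepts '$_'" ) for @accepted;

done_testing();
```

Run it with `prove` or plain `perl`; a later change that loosens the pattern makes the matching case fail.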