Web Application Security

(Security with Apache)

Length: 6 hours (half-day versions available)

Prerequisites: Attendees should have basic familiarity with Perl and some experience developing dynamic content applications (such as CGI programs) for the web, or should be managers of dynamic content applications projects.


If you had told sysadmins in 1990 that you were going to host a network server that would run a complex program like Perl at the behest of an anonymous remote user, they would have said you were mad. But that's exactly what happens every day on the web whenever you generate dynamic content with CGI scripts, servlets, or any other mechanism. Programs of formidable complexity and power are executed thousands of times every day on your systems, by unknown users in unknown locations with no supervision. If these programs are not written with great care, they can be subverted and used to steal your information or vandalize your machine.

The tutorial will include a number of case studies of programs that appear safe but aren't, and show why `eyeball' methods of program verification are ineffective. It will spend some time discussing common problems and oversights and show how they can be avoided. The tutorial will show the complete details of Perl's unique `tainting' feature, which can detect many of these problems automatically.

We will also examine the common programming error of trusting the browser, including improper use of cookies and client-side data validation. We will take a close look at the authentication systems commonly used on the web, and at their strengths and weaknesses. Along the way the tutorial will present important basic principles of security with an emphasis on developing a sound security policy that is effective for your situation.


Part I: Deception and Disaster

  1. Introduction
  2. Overview of HTTP
  3. CGI is the World's Biggest Security Hole
  4. Do Not Trust the Browser
  5. Authentication
  6. Securing the Machine Itself
  7. Summary

Part II: The Gory Details

  1. Introduction
  2. Overview of HTTP
  3. A Detailed Guide to perl -T
  4. Laundering Case Studies
  5. Browser Disasters
  6. Cryptographic Methods
  7. Authentication Revisited
  8. Internal Security
  9. Summary


The three-hour version of Web Application Security consists of the sections Overview of HTTP, CGI is the World's Biggest Security Hole, A Detailed Guide to perl -T, Do Not Trust the Browser, Authentication, and Securing the Machine Itself.

The three-hour version of Security with Apache covers the same sections, except that the very long section on using Perl's tainting feature is severely abbreviated, and the time is given instead to Cryptographic Methods and Authentication Revisited.
