Re: Question on QTEMP and CGI Jobs -- WEB400

Richard

How about pressing F12 in your browser and select network, there you have
all the URL's you
need to crack a system.

I donearly all the above except for the session cookie since it isn't used
to anything and the IP
address that may be changed between calls if the browser runs behind a
balanced firewall
with selevral IP adresses and my url's are as minimum:

http://5.103.128.110:6380/pextcgi/PXMENU.pgm?ses=
03360125440363928020170420171844&req=09974693120370864820170420171812

The program name and ses ses and req has to match the server side
registration wich means that you can't have
services sharing the same req since it has to be unique.

To go back to your original question, the problem may be caused by shared
service-programs that isn't cleared
for each program call causing them to make responses left from the previous
caller.

On Sat, Mar 4, 2017 at 6:08 PM, Richard Schoen <
Richard.Schoen@xxxxxxxxxxxxxxx> wrote:

First of all I would think you should restrict how many URL object calls
which can be made via URL to your Apache site.

Then use SSL. Of course.

Then tie your session ID to an IP address and possibly a unique request ID
as I think you may have already mentioned.

Then make your service program or CGI code smart enough to observe the
security of your web session which is hopefully stored in a database server
side.

You do make your service programs security and session aware don't you ?

Methods like OAuth also work off of security tokens.

Did you find that SOX reference to not using cookies or token ids yet ?

Regards,

Richard Schoen
Director of Document Management
e. richard.schoen@xxxxxxxxxxxxxxx
p. 952.486.6802
w. helpsystems.com
--------------------------------
Subject: Re: Question on QTEMP and CGI Jobs
From: Henrik Rützou <hr@xxxxxxxxxxxx>
Date: Sat, 4 Mar 2017 17:58:30 +0100

Richard

lets say your server has a SERVICE01.PGM that returns JSON with all your
customers and a
SERVICE02.PGM tha returns all your emplyees how do a sesion cookie prevent
a user that
snifs your SERVICE01.PGM URL to change it to SERVICE02.PGM?

Besides that cookies are changable by any who knows a little about how a
browser and
nodepad works.

-----Original Message-----
From: Richard Schoen
Sent: Saturday, March 4, 2017 10:21 AM
To: web400@xxxxxxxxxxxx
Subject: RE: Question on QTEMP and CGI Jobs

Can you point me to the SOX clause that says using a cookie is bad ?

I'm guessing you're tracking your session either by cookie or a hidden
variable somewhere or a query string. No ?

Using cookies are only bad if you're storing lots of client side data in
them and don't have appropriate back end logic in place to insure a session
is not spoofed.

Don't make stupid assertions in relation to my use of cookies.

You've never seen me eat before so how would you know what I do with
cookies ? :-)

Regards,

Richard Schoen
Director of Document Management
e. richard.schoen@xxxxxxxxxxxxxxx
p. 952.486.6802
w. helpsystems.com

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.