Section 5.8. Dynamic Web Pages

Thus far, this chapter has viewed web pages as static HTML files. But many of the pages that we interact with are generated by server-side scripts, such as Java Server Pages, Perl CGI, or PHP scripts. In this section, I discuss how you can uncover information about that software. This is difficult to accomplish, but I'll show you some approaches that may prove successful.

5.8.1. The Black Box Problem

The reason that server-side scripts are difficult to study is that you cannot use a web browser to view the source code of the script. When your browser submits the URL of a Perl CGI script, it receives back the web page that the script generates, not the script itself. Normally, the only way you can see the source code is if the site explicitly makes it available or if its web server is improperly configured.

In most cases, the script acts like a black box that takes certain parameters as input and produces a web page as its output. The challenge for forensics is to figure out what is going on inside the box simply by changing the inputs and seeing what effect that has. This is a crude technique, but on occasion it can yield some surprising results, as I will illustrate.

You can get an idea of the type of software that is generating a dynamic web page from the URL of the page. PHP scripts typically carry the suffix .php, Java Server Pages use .jsp, and Perl CGI scripts often use .cgi or .pl. Those conventions are easily changed by anyone with access to the server configuration file, so a suffix is a hint rather than proof. But in most cases the suffixes are correct and offer the first clue in understanding the software.
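The suffix heuristic above is simple to automate. The following is an added example, not code from the book: it pulls the script name out of a URL while ignoring the query string and any trailing path information (a CGI script invoked as /cgi-bin/form.cgi/extra still has the suffix .cgi), matches suffixes case-insensitively, and separately notes whether the script lives under the conventional /cgi-bin/ directory. The suffix table and its labels are assumptions taken from the paragraph; the functions return None when no known suffix appears, which is all you can honestly say about a rewritten or extensionless URL.

```python
from urllib.parse import urlsplit
import posixpath

# Suffix conventions from the text. The labels are descriptive strings chosen for
# this added example; a suffix is a hint about the server-side software, not proof.
SCRIPT_SUFFIXES = {
    ".php": "PHP",
    ".jsp": "Java Server Pages",
    ".cgi": "CGI (often Perl)",
    ".pl": "Perl CGI",
}


def guess_server_side_tech(url):
    """Guess the server-side technology from a URL's path.

    Returns (technology, script_path). The query string and fragment are ignored,
    the match is case-insensitive, and the path is scanned left to right so that
    trailing PATH_INFO (e.g. /cgi-bin/form.cgi/extra) does not hide the script.
    Returns (None, None) when no known suffix appears.
    """
    path = urlsplit(url).path          # drops ?query and #fragment
    segments = path.split("/")
    for i, segment in enumerate(segments):
        ext = posixpath.splitext(segment)[1].lower()
        if ext in SCRIPT_SUFFIXES:
            script_path = "/".join(segments[: i + 1])
            return SCRIPT_SUFFIXES[ext], script_path
    return None, None


def in_cgi_bin(url):
    """True if the script sits under /cgi-bin/, Apache's default CGI location."""
    _, script_path = guess_server_side_tech(url)
    return script_path is not None and script_path.lower().startswith("/cgi-bin/")


if __name__ == "__main__":
    # Constructed sample URLs; example.com is a reserved documentation domain.
    for u in [
        "http://example.com/cgi-bin/login.cgi/extra?id=3",
        "http://example.com/bank/Verify.PHP?acct=1",
        "http://example.com/index.html",
    ]:
        print(u, "->", guess_server_side_tech(u), "cgi-bin:", in_cgi_bin(u))
```

Run it on a list of URLs harvested from a phishing e-mail and you get a first, cheap classification of the collecting scripts; anything that comes back as None deserves a closer look rather than a conclusion.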

5.8.2. Why PHP?

In almost all of the phishing web sites that I have examined, the script that captures the data entered into the form has been a PHP script. Perl CGI scripts, perhaps the major player in the world of legitimate web sites, are conspicuous here by their absence. While advocates of PHP might put this disparity down to the superior features of the language, the reality is more mundane.

The default configuration of Apache web servers allows Perl CGI scripts to execute only in the /cgi-bin directory, whereas PHP scripts can be run from any location. Overcoming that restriction requires access to the httpd.conf file, which in turn usually requires being logged in as root. In the many instances where a phishing web site has been installed on a hacked system, enabling Perl CGI scripts is not worth the trouble.
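When you do get a copy of httpd.conf from a compromised server, the question is exactly the one raised above: where has CGI execution been enabled, and is any of it outside the stock /cgi-bin/ alias? The following added example (not from the book) is a small triage script for that question. The embedded configuration excerpt is constructed for the example: it contains Apache's usual ScriptAlias for /cgi-bin/ plus an extra <Directory> block that adds ExecCGI under the document root, which is the kind of edit the text says a phisher would need. The directives it recognises (ScriptAlias, Options ExecCGI, AddHandler cgi-script, <Directory>) are real Apache directives; the function names and the sample paths are my own.

```python
import re

# Constructed httpd.conf excerpt for this example (not from any real server).
# Apache only treats lines that begin with '#' as comments, so the annotation
# sits on its own line rather than at the end of a directive.
SAMPLE_HTTPD_CONF = """\
LoadModule cgi_module modules/mod_cgi.so
DocumentRoot "/var/www/html"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
</Directory>
<Directory "/var/www/html">
    # ExecCGI added here: scripts under the document root may now run
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</Directory>
AddHandler cgi-script .cgi .pl
"""


def find_cgi_enabled_paths(conf_text):
    """Return (findings, handler_suffixes) for the text of an httpd.conf.

    findings is a list of (reason, directory) pairs. A ScriptAlias target always
    executes CGI; a <Directory> whose Options include ExecCGI executes scripts
    whose suffix is mapped by "AddHandler cgi-script" (those suffixes are returned
    separately). Only main-config directives are read; .htaccess is not followed.
    """
    findings = []
    handler_suffixes = []
    current_dir = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'ScriptAlias\s+\S+\s+"?([^"\s]+)"?$', line, re.I)
        if m:
            findings.append(("ScriptAlias", m.group(1).rstrip("/")))
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if m:
            current_dir = m.group(1).rstrip("/")
            continue
        if line.lower() == "</directory>":
            current_dir = None
            continue
        m = re.match(r"Options\s+(.+)", line, re.I)
        if m and current_dir is not None:
            opts = m.group(1).split()
            # Accept both "ExecCGI" and the incremental "+ExecCGI" form
            if any(o.lstrip("+").lower() == "execcgi" for o in opts):
                findings.append(("ExecCGI", current_dir))
            continue
        m = re.match(r"AddHandler\s+cgi-script\s+(.+)", line, re.I)
        if m:
            handler_suffixes.extend(m.group(1).split())
    return findings, handler_suffixes


def cgi_outside_cgi_bin(conf_text):
    """Directories with ExecCGI that are not ScriptAlias targets, sorted."""
    findings, _ = find_cgi_enabled_paths(conf_text)
    aliased = {d for reason, d in findings if reason == "ScriptAlias"}
    return sorted({d for reason, d in findings if reason == "ExecCGI" and d not in aliased})


if __name__ == "__main__":
    print(find_cgi_enabled_paths(SAMPLE_HTTPD_CONF))
    print("CGI enabled outside cgi-bin:", cgi_outside_cgi_bin(SAMPLE_HTTPD_CONF))
```

On the sample configuration the script reports /var/www/html as a directory where CGI can run outside the alias, which on a server that did not ship that way is worth the investigator's attention. Because the sample block also sets AllowOverride All, the same directives could equally be placed in an .htaccess file under the document root; this checker reads only the main configuration, so those files need to be examined as well.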



Internet Forensics
ISBN: 059610006X
Year: 2003
Pages: 121