setuid (set user ID) and setgid (set group ID)

setuid and setgid are required when a user runs a program that needs full access to the system in order to perform its task. For example, when a user invokes the passwd program to change a password,

Chapter 16 Web Applications (p. 283)

Countermeasures

You can implement the following countermeasures to prevent hackers from attacking weak login systems in your Web applications:

- Any login errors that are returned to the end user should be as generic as possible, saying something like "Your user ID and password combination is invalid."

- The application should never return error codes in the URL that differentiate between an invalid user ID and an invalid password, as shown in Figures 16-1 and 16-2. If a URL message must be returned, the application should keep it as generic as possible. Here's an example: success=false. This URL message may not be as convenient to the user, but it helps hide the mechanism and the behind-the-scenes actions from a hacker.

Directory Traversal

A directory traversal is a really basic attack, but it can turn up interesting information about a Web site. This attack is basically browsing a site and looking for clues about the server's directory structure.

Testing

Perform the following tests to determine information about your Web site's directory structure.

Start your testing with a search for the Web server's robots.txt file. This file tells search engines which directories not to index. Thinking like a hacker, you may deduce that the directories listed in this file may contain some information that needs to be protected. Figure 16-3 shows a robots.txt file that gives away information.

Part V Application Hacking (p. 284)

Figure 16-3: A Web server's robots.txt listing.

Filenames

Confidential files on a Web server may have names like those of publicly accessible files. For example, if this year's product line is posted as …, confidential information about next year's products may be ….
A user may place confidential files on the server without realizing that they are accessible without a direct link from the Web site.

Crawlers

A spider program
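The two login countermeasures above (a single generic error message, and a URL that carries only success=false rather than a code that says which half of the pair was wrong) are easy to state and easy to get wrong in code. The following is an added example, not code from the book: it puts a weak login handler that leaks the distinction next to a hardened one. The user store, salt, passwords and URL paths are constructed for the example; the hardened version also compares against a dummy hash when the user ID is unknown so that the timing of the check does not reveal which user IDs exist.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo data: a fixed salt and one known user. A real system stores
# a per-user random salt; the fixed one here only keeps the example short.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"alice": _hash("correct horse battery staple")}

# Hash compared against when the user ID is unknown, so unknown and known
# user IDs take the same code path and roughly the same time.
_DUMMY_HASH = _hash("placeholder-never-matches")

GENERIC_ERROR = "Your user ID and password combination is invalid."


def weak_login(user_id: str, password: str):
    """Before: different messages and URL codes reveal whether the user ID exists."""
    if user_id not in USERS:
        return False, "Unknown user ID.", "/login?" + urlencode({"error": "invalid_user"})
    if not hmac.compare_digest(USERS[user_id], _hash(password)):
        return False, "Incorrect password.", "/login?" + urlencode({"error": "invalid_password"})
    return True, "Welcome.", "/home?" + urlencode({"success": "true"})


def hardened_login(user_id: str, password: str):
    """After: one generic message and one generic URL for every failure."""
    stored = USERS.get(user_id, _DUMMY_HASH)
    # Always run the comparison, then AND with existence, so both failure
    # modes do the same work and produce the same response.
    ok = hmac.compare_digest(stored, _hash(password)) and user_id in USERS
    if not ok:
        return False, GENERIC_ERROR, "/login?" + urlencode({"success": "false"})
    return True, "Welcome.", "/home?" + urlencode({"success": "true"})


if __name__ == "__main__":
    for fn in (weak_login, hardened_login):
        print(fn.__name__)
        print("  unknown user :", fn("bob", "x")[1:])
        print("  wrong passwd :", fn("alice", "x")[1:])
        print("  correct      :", fn("alice", "correct horse battery staple")[1:])
```

Running the block shows the weak handler returning two different messages and two different URLs for the two failure cases, while the hardened handler returns the same message and the same success=false URL for both; only a correct pair is distinguishable from the outside.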
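The Testing section above points out that robots.txt lists exactly the directories an operator would rather not have indexed, which is also a list an attacker reads first. A defender's version of that test is to audit your own robots.txt before publishing it. The following is an added example, not the book's code: it parses the Disallow lines and flags entries whose names suggest content that should be protected by access control rather than merely hidden from crawlers. The robots.txt text and the list of suspicious name fragments are constructed for the example.

```python
from typing import List

# Constructed robots.txt for the example; not taken from any real site.
SAMPLE_ROBOTS = """
# site crawler policy
User-agent: *
Disallow: /admin/
Disallow: /backup/      # old database dumps
Disallow: /images/
Allow: /
"""

# Name fragments that usually mean "this needs authentication, not obscurity".
# Assumed list; extend it for your own naming conventions.
SENSITIVE_HINTS = ("admin", "backup", "private", "config", "confidential", "internal")


def parse_disallow(text: str) -> List[str]:
    """Return the paths named on Disallow lines, ignoring comments and blanks."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing and full-line comments
        if not line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def flag_sensitive(paths: List[str]) -> List[str]:
    """Keep only the disallowed paths whose names hint at protected content."""
    return [p for p in paths if any(hint in p.lower() for hint in SENSITIVE_HINTS)]


def audit_robots(text: str) -> List[str]:
    """One call: parse then flag. Each flagged path should be access-controlled."""
    return flag_sensitive(parse_disallow(text))


if __name__ == "__main__":
    for path in audit_robots(SAMPLE_ROBOTS):
        print(f"{path}: listed in robots.txt but looks sensitive; require authentication")
```

A robots.txt entry only asks well-behaved crawlers not to index a path; it does nothing to stop a person from requesting it. Anything the audit flags should be moved behind authentication (and ideally out of the web root), after which listing it in robots.txt is no longer necessary.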