The best way to avoid security vulnerabilities with new server

By: aathishankaran Emailed: 1598 times Printed: 2044 times    

Latest comments
By: rohit kumar - how this program is work
By: Kirti - Hi..thx for the hadoop in
By: Spijker - I have altered the code a
By: ali mohammed - why we use the java in ne
By: ali mohammed - why we use the java in ne
By: mizhelle - when I exported the data
By: raul - no output as well, i'm ge
By: Rajesh - thanx very much...
By: Suindu De - Suppose we are executing

Features are to assess the capabilities provided by each feature and determine which ones pose unacceptable security risks. Minimally, you must consider the following to be risks: 

Ø      The feature can be used to execute external programs or operating system commands

Ø      The feature can be used to read or write arbitrary files located on the server

Ø      The feature maintains client information on the browser using cookies or URL encoding. 

The above risks only determine whether the feature has the capability to cause security problems-it doesn't mean that he feature is necessarily insecure. For example, CGI programs, ASP, and Live Wire applications are risky according to all three risk indicators. Once you identify a feature as risky, you have to determine whether secure applications can be built using the feature despite its inherent risks and whether the benefits provided by the feature are worth taking a chance. In the case of CGI programs, ASP, and Live Wire applications, the answer is usually yes. 

CGI Programs 

There is nothing inherently insecure about CGI itself. However, CGI programs are a prime source of server-side vulnerabilities. By deploying a CGI program, you are allowing others to execute Program is a potential tool with which to attack your system. Any Security flaws in your CGI programs are directly and continually Accessible, and penetrators are free to repeatedly probe and cajole these flaws until they succeed in accomplishing their clandestine objectives. 

Do flaws exist in CGI programs? You bet. Some flaws let attackers read data that should otherwise be concealed. Other flaws let Hackers trash data that is collected from Web users. The most Devastating flaws let penetrators remote execute operating System commands and programs of their choosing. 

How do flaws in CGI programs occur? How are they exploited? In Many cases these flaws occur because of poor parameter checking and faulty assumptions on the part of the programmer. For example, consider the case where a CGI program invokes a search- program and passes it the value of a decoded query string. The programmer assumes that the search program will simply search for whatever value is passed. But when the query string is passed, the following in executed: 

search string; cat/etc/passwd 

In this case, the CGI program returns much more than the search results-it appends the contents of your password file to the search results. The penetrator can then use a password-cracking program to find a password that will let him or her login to your system. 

You may wonder why anyone would develop CGI programs that would allow such serious breaches of security. Some programmers don't know any better they are oblivious to the fact that their pro grams may be misused. Some are so focused on developing their Web applications that security is put on the back burner-permanently. However, the biggest problem, by far, is that in most CGI programs, security flaws are difficult to spot. In the cases where they are found, they are often dismissed. "But no one would ever do that" is a common justification for failing to remove an exploitable flaw. 

Another problem facing CGI programmers is the fact that the odds are heavily stacked against them. The programmers must eliminate all possible security flaws in order to make their CGI programs secure. The penetrator need only find a single exploitable flaw in order to break into the Web server. 

ASP and Live Wire Applications 

Although ASP and Live Wire applications provide the same capabilities as CGI programs, they are far less prone to security vulnerabilities. There are a number of reasons why these applications are inherently more secure: 

Ø      They automatically parse data that is passed to applications and make it available in an easy-to-use manner. This reduces the likelihood of a flaw occurring in the input parsing functions. 

Ø      Their applications have predefined objects at their disposal, which reduce the complexities of maintaining client information, sharing data between clients, and sharing data between applications. By making it easier to perform common server-side functions, ASP and Livewire help you to develop more reliable and error-free code, thereby lowering the likelihood of an exploitable security flaw. 

Ø      Live Wire and ASP applications are written in JavaScript and JScript. This eliminates the potential problems associated with using a second, less familiar, language for writing CGI programs. 

Ø      The less experience a programmer has with a language, the more likely she or he is to make mistakes-potentially exploitable ones. 

The above features significantly reduce the likelihood of security vulnerabilities in Live Wire and ASP applications. However, the potential for some vulnerability still exists. For example, suppose an application is designed in such a way that a Livewire redirect () method takes a client property as a parameter. A penetrator could modify client properties (client cookies or URLs) to cause the redirect () function to return a file of the penetrator's choosing. 


JSP Home | All JSP Tutorials | Latest JSP Tutorials

Sponsored Links

If this tutorial doesn't answer your question, or you have a specific question, just ask an expert here. Post your question to get a direct answer.



Bookmark and Share

Comments(0)


Be the first one to add a comment

Your name (required):


Your email(required, will not be shown to the public):


Your sites URL (optional):


Your comments:



More Tutorials by aathishankaran
Web Security Issues
The Web User's Perspective
Server-side plug-Ins
The best way to avoid security vulnerabilities with new server
JavaScript Security
Window Object
Working with Status Bar Messages
Retrieving a Portion of a String
Referencing Windows
Math Object
Frame Object
Document Object
Closing Windows
Built-in Object in Javascript
Textarea Object

More Tutorials in JSP
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: `java.net.BindException: Permission denied <null>:80
JSP Alert Example
JSP CheckBox Example
Uploading an Image to a Database using JSP
Uploading a file to a server using JSP
A JSP page that gets properties from a bean
The page Directive in JSP
The taglib, tag, include, attribute and the variable Directive in JSP
Declarations in JSP
Scriptlets and Expressions in JSP
Tag Libraries in JSP
The Request Object in JSP
The Response Object in JSP
The Out Object in JSP
The Session Object in JSP

More Latest News
Most Viewed Articles (in JSP )
JSP Example to connect to MS SQL database and retrieve records
JSP CheckBox Example
What are the different scopes in JSP?
JSP Alert Example
JSP Program for display Date
Comparison operators in JSP
Sending Email using JSP
Uploading a file to a server using JSP
Embedding java codes in jsp sciptlets
Example Using Initialization Parameters
Querying Data with the JSTL in JSP
Uploading an Image to a Database using JSP
A simple program using EL in JSP
The Request Object in JSP
Debugging Servlets
Most Emailed Articles (in JSP)
Sessions in JSP
Enable/Disable Scripting Elements in JSP
Embedding java codes in jsp sciptlets
A Servlet That Generates HTML
Example Using Initialization Parameters
Debugging Servlets
Servlets
The Advantages of Servlets Over “Traditional” CGI
Textarea Object
The TryCatchFinally Interface in JSP
JSP Tags for SQL to connect to a database
JSP Example to connect to MS SQL database using Tomcat Connection Pool
What are the different scopes in JSP?
Writing your first JSP page
Using a DataSource from WebLogic in a JSP