Web Security Issues

By: aathishankaran

To some, the Internet itself is just one big security vulnerability. However, for most of us, it is a vulnerability that we have to live with. The following subsections describe Web-specific security issues from the point of view of the Webmaster and the user. 

The Webmaster's Perspective 

Running a secure Web server is not an easy task. Security vulnerabilities can, potentially, exist anywhere: in CGI programs, in the server setup, or in the Web server software itself. These vulnerabilities could lead to embarrassing modifications to Web content, the theft of sensitive information, or the complete shutdown of your Web site. 

To run a secure Web site, the Webmaster must keep abreast of the latest Web vulnerabilities and implement security countermeasures as needed. The World Wide Web Security FAQ, located at http://www.genome.wi.edu/www/faqs/www-security-faq.html can help you get started. It discusses many of the known Web vulnerabilities and offers good advice on how you can protect your Web site. 

Server Software 

Web site security begins with the Web server. Unfortunately, not all Web servers are secure. Security holes have been identified in both commercial and public domain servers. Although these holes have been patched in later versions of the server software, the potential for the introduction of new vulnerabilities cannot be dismissed. 

Publicly available Web servers, such as the Apache server, offer a high level of security and reliability. However, if security is of paramount concern, then you may want to consider a commercial server by a major vendor, such as Netscape. While commercial servers are not immune to security flaws, reputable vendors tend to respond quickly to security holes once they are identified, in order to stay in business. Publicly developed Web servers, such as Apache, also have quick turnarounds for bug fixes; in some cases, even faster than commercial developers. However, there is no one to blame if and when a problem does occur. 

Server Capabilities 

New server products continue to add features, such as server-side JavaScript, server plug-ins, and database connectivity, that increase the overall complexity of the server software. While the Webmaster looks at the capabilities of a Web server and visualizes all of the ways in which these capabilities could be used to build a better Web site, the penetrator examines each capability in terms of how it could be used to circumvent, defeat, and disable the security of the server as a whole. 

Server-side includes are examples of server features that are also a bonus to the penetrator. A server-side include is a sequence of commands that is embedded in an HTML document. When the document is requested from a Web server, the server scans the document for the embedded commands and executes them. The results of the command execution are used to update the HTML document before it is sent to the browser. One of the commands, exec, allows arbitrary operating system commands to be executed. This capability is very powerful both for you and the penetrator. When server-side includes are enabled, a person with minimal Web-publishing capabilities gains the extra privilege of being able to execute operating system commands.
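The practical consequence for a Webmaster is that every document under the server's document root becomes a place where an exec directive could be planted by anyone with publishing rights. The script below is an added example (not from this article or from any server project) of an audit a Webmaster can run over published content: it parses the NCSA/Apache directive syntax `<!--#command param="value" -->` and reports every directive that executes a program. The sample page and the `parse_directives`, `audit` and `audit_tree` names are this example's own constructions.

```python
import os
import re
from typing import Dict, List, Tuple

# SSI directives look like <!--#command param="value" param2="value2" -->.
# This regex-based parser is constructed for the audit; it is not server code.
# Command names and parameter names are matched case-insensitively because
# servers accept "#EXEC" as well as "#exec".
DIRECTIVE_RE = re.compile(r"<!--#\s*(\w+)\s*(.*?)-->", re.DOTALL)
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# The only standard directive that runs a program on the server.
DANGEROUS = {"exec"}


def parse_directives(html: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (command, params) for every SSI directive found in the document."""
    found = []
    for match in DIRECTIVE_RE.finditer(html):
        command = match.group(1).lower()
        params = {k.lower(): v for k, v in PARAM_RE.findall(match.group(2))}
        found.append((command, params))
    return found


def audit(html: str) -> List[str]:
    """Return one finding per directive that would execute a program.

    exec takes either cmd="shell command" or cgi="/path/to/cgi-program";
    both forms are reported because both run code on the server.
    """
    findings = []
    for command, params in parse_directives(html):
        if command in DANGEROUS:
            target = params.get("cmd") or params.get("cgi") or "?"
            findings.append(f"exec directive runs {target!r}")
    return findings


def audit_tree(root: str, suffixes: Tuple[str, ...] = (".shtml", ".html", ".htm")) -> Dict[str, List[str]]:
    """Walk a document root and map each file path to its exec findings (empty lists omitted)."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = audit(fh.read())
                if findings:
                    report[path] = findings
    return report


# Constructed sample document: two harmless directives and two exec directives
# (one shell command, one CGI program, the second with an upper-case name).
SAMPLE = """<html><body>
<!--#include virtual="/footer.html" -->
<!--#echo var="DATE_LOCAL" -->
<!--#exec cmd="uptime" -->
<!--#EXEC cgi="/cgi-bin/counter.cgi" -->
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On Apache, the same risk is closed at the configuration level with `Options +IncludesNOEXEC` in place of `Options +Includes`, which keeps includes working while refusing the exec directive; the audit above is still useful for finding documents that were relying on it before the option is changed.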
