Web Security Issues
By: aathishankaran
To some, the Internet itself is just one big security
vulnerability. However, for most of us, it is a vulnerability that we have to
live with. The following subsections describe Web-specific security issues from
the point of view of the Webmaster and the user.
The Webmaster's Perspective
Running a secure Web server is not an easy task. Security
vulnerabilities can potentially exist anywhere: in CGI programs, in the server
setup, or in the Web server software itself. These vulnerabilities could lead to
embarrassing modifications to Web content, the theft of sensitive information,
or the complete shutdown of your Web site.
To run a secure Web site, the Webmaster must keep abreast
of the latest Web vulnerabilities and implement security countermeasures as
needed. The World Wide Web Security FAQ, located at
http://www.genome.wi.edu/www/faqs/www-security-faq.html can help you get
started. It discusses many of the known Web vulnerabilities and offers good
advice on how you can protect your Web site.
Server Software
Web site security begins with the Web server.
Unfortunately, not all Web servers are secure. Security holes have been
identified in both commercial and public domain servers. Although these holes
have been patched in later versions of the server software, the potential for
the introduction of new vulnerabilities cannot be dismissed.
Publicly available Web servers, such as the Apache server,
offer a high level of security and reliability. However, if security is of
paramount concern, then you may want to consider a commercial server by a major
vendor, such as Netscape. While commercial servers are not immune to security
flaws, reputable vendors tend to respond quickly to security holes once they
are identified, in order to stay in business. Publicly developed Web servers,
such as Apache, also have quick turnarounds for bug fixes, in some cases even
faster than commercial developers. However, there is no one to blame if and
when a problem does occur.
Server Capabilities
New server products continue to add features, such as
server-side JavaScript, server plug-ins, and database connectivity that
increase the overall complexity of the server software. While the Webmaster
looks at the capabilities of a Web server and visualizes all of the ways in
which these capabilities could be used to build a better Website, the
penetrator examines each capability in terms of how it could be used to
circumvent, defeat, and disable the security of the server as a whole.
Server-side includes are examples of server features that are also a bonus to the penetrator. A server-side include is a sequence of commands that is embedded in an HTML document. When a browser requests the document, the server scans the document for the embedded commands and executes them. The results of the command execution are used to update the HTML document before it is sent to the browser. One of the commands, exec, allows arbitrary operating system commands to be executed. This capability is very powerful both for you and the penetrator. When server-side includes are enabled, a person with minimal Web-publishing capabilities gains the extra privilege of being able to execute operating system commands.
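Before enabling server-side includes, a Webmaster can audit the published documents for the exec directive described above. The following script is an added example, not code from the original article; it parses Apache-style SSI directives (`<!--#element attribute="value" -->`) from two constructed sample pages and reports every exec directive with its line number. It assumes double-quoted attribute values and one directive per line.

```python
import re
from typing import Dict, List

# Constructed sample pages (not from the article). Both use Apache-style SSI
# syntax: <!--#element attribute="value" ... -->
SAFE_PAGE = """<html><body>
<!--#include virtual="/header.shtml" -->
<p>Last modified: <!--#echo var="LAST_MODIFIED" --></p>
</body></html>"""

RISKY_PAGE = """<html><body>
<!--#include virtual="/header.shtml" -->
<!--#exec cmd="date" -->
<p>Hits: <!--#exec cgi="/cgi-bin/counter.cgi" --></p>
</body></html>"""

# One SSI directive: the element name followed by zero or more attribute="value"
# pairs. Assumes double-quoted values; a directive split across lines is missed.
DIRECTIVE_RE = re.compile(r'<!--#\s*(\w+)((?:\s+\w+\s*=\s*"[^"]*")*)\s*-->')
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_ssi_directives(html: str) -> List[Dict]:
    """Return every SSI directive in the document with its 1-based line number."""
    found = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in DIRECTIVE_RE.finditer(line):
            element = m.group(1).lower()
            attrs = dict(ATTR_RE.findall(m.group(2)))
            found.append({"line": lineno, "element": element, "attrs": attrs})
    return found


def audit_exec(html: str) -> List[Dict]:
    """Keep only the directives that run programs: #exec with cmd= or cgi=."""
    return [d for d in find_ssi_directives(html) if d["element"] == "exec"]


def report(name: str, html: str) -> None:
    hits = audit_exec(html)
    if not hits:
        print(f"{name}: no exec directives")
    for d in hits:
        print(f"{name}: line {d['line']} -> #exec {d['attrs']}")


if __name__ == "__main__":
    report("safe_page", SAFE_PAGE)   # no exec directives
    report("risky_page", RISKY_PAGE)  # lines 3 and 4 flagged
```

On Apache, the other include commands can stay enabled while exec is refused server-wide with `Options IncludesNOEXEC` instead of `Options Includes`.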