One primary area of network security involves the use of a public Web server. Web security includes client-side vulnerabilities presented by ActiveX or JavaScript code running within the client's browser; server-side vulnerabilities, such as CGI scripting exploits and buffer overflows used to run undesirable code on the server; and other forms of Web-related security vulnerabilities, such as those involving the transfer of cookies or unsigned applets.
Java and JavaScript

Many Web sites use a scripting language originally created by Netscape Communications known as JavaScript. JavaScript code is transferred to the client's browser, where it is interpreted and can read and manipulate the page and many browser settings. Java, on the other hand, is a compiled language created by Sun Microsystems: source code is compiled ahead of time to bytecode that runs inside a Java Virtual Machine, either on a server or, in the case of applets, inside the client's browser. We discuss Java and JavaScript in more detail in the following sections.

Java Vulnerabilities

Because a Java mini-program, called an applet, is delivered as precompiled bytecode and executed on the client, it may present many security risks to the client, including those identified in Table 5.1.

Table 5.1. Identified Java Vulnerabilities
JavaScript Vulnerabilities

Unlike precompiled Java applets, JavaScript is interpreted within the client's browser. Because the script is parsed and executed by the browser itself, JavaScript vulnerabilities depend on the operating system and browser version used on each client and must be addressed on that basis. Although new JavaScript vulnerabilities are regularly discovered, many of the more common ones are identified in Table 5.2.

Table 5.2. Identified JavaScript Vulnerabilities
ActiveX Controls

Microsoft developed a precompiled application technology that can be embedded in a Web page in much the same way as Java applets. This technology is called ActiveX, and its controls carry the same basic risk as embedded Java applets: code delivered by a Web page executes on the client. ActiveX controls may be digitally signed using an Authenticode signature, which the browser validates against a certificate chaining to a trusted Certificate Authority (CA). Unlike Java applets, whose behaviour is constrained by the JVM sandbox and browser configuration settings, ActiveX controls are restricted only by whether they are signed: once allowed to run, a control is native code with no restrictions on the actions it may take. A signature identifies the publisher and detects tampering, but says nothing about whether the control is safe. If a user configures her browser to allow the execution of unsigned ActiveX controls, a control from any source, performing any action, can be run simply by visiting a Web site hosting such a control embedded within an HTML page.

Buffer Overflows

A buffer overflow occurs when the data presented to an application or service exceeds the storage space reserved in memory for it. Poor application design might allow the input of 100 characters into a field linked to a variable capable of holding only 50 characters. The excess data does not simply disappear: it is written past the end of the buffer into adjacent memory, overwriting whatever is stored there, such as other variables, a function's return address, or other control data. At best the application crashes; at worst an attacker who controls the input can overwrite those values with his own and redirect execution to code of his choosing. This can be likened to cramming for an exam: if you give your brain more information than it can process, it will shut down! Buffer overflow attacks have been waged against applications such as Microsoft Outlook and against Internet-accessible services such as ToolTalk, Linuxconf, and many types of Web servers. A buffer overflow could result in the following:
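The overwrite described above, as an added example that is not from the original text: a Python script that uses ctypes to model a C-style record with a 16-byte name buffer immediately followed by a privilege flag, copies attacker-supplied input into it without a length check (the same effect as an unchecked strcpy or memcpy in C), and shows the flag being overwritten, beside the length-checked copy that prevents it. The record layout, the field names and the PAYLOAD input are all constructed for the demonstration.

```python
"""Unchecked copy into a fixed-size buffer, modelled with ctypes.

Added example: Record is a hypothetical C struct,
    struct record { char name[16]; int is_admin; };
so bytes written past name[] land in is_admin.
"""
import ctypes

NAME_LEN = 16  # hypothetical size of the name buffer


class Record(ctypes.Structure):
    # Hypothetical layout: the name buffer is immediately followed by a flag.
    _fields_ = [("name", ctypes.c_char * NAME_LEN),
                ("is_admin", ctypes.c_int32)]


def store_name_unchecked(rec: Record, data: bytes) -> None:
    """The defect: copies every byte supplied, trusting that it fits in 16.

    memmove here does what strcpy/memcpy would do in C.  The only guard keeps
    the write inside this record, so the demonstration cannot scribble over
    the Python interpreter's own memory.
    """
    if len(data) > ctypes.sizeof(rec):
        raise ValueError("demo confines the overflow to the record itself")
    ctypes.memmove(ctypes.addressof(rec), data, len(data))


def store_name_checked(rec: Record, data: bytes) -> bool:
    """The fix: check the length before copying, leaving room for the NUL."""
    if len(data) > NAME_LEN - 1:
        return False
    ctypes.memmove(ctypes.addressof(rec), data + b"\x00", len(data) + 1)
    return True


def overflow_demo(data: bytes) -> tuple:
    """Returns (is_admin, name) after an unchecked copy of `data`."""
    rec = Record()  # ctypes zero-fills, so is_admin starts at 0
    store_name_unchecked(rec, data)
    return rec.is_admin, rec.name


def checked_demo(data: bytes) -> tuple:
    """Returns (accepted, is_admin) after the length-checked copy."""
    rec = Record()
    accepted = store_name_checked(rec, data)
    return accepted, rec.is_admin


# Constructed attacker input: 16 filler bytes to fill name[], then the native
# encoding of the integer 1 so the overflow sets is_admin to exactly 1.
PAYLOAD = b"A" * NAME_LEN + bytes(ctypes.c_int32(1))

if __name__ == "__main__":
    print("benign   :", overflow_demo(b"alice"))   # (0, b'alice')
    print("overflow :", overflow_demo(PAYLOAD))    # (1, b'AAAAAAAAAAAAAAAA')
    print("checked  :", checked_demo(PAYLOAD))     # (False, 0)
```

The flag is flipped without the program ever touching it directly, which is why a bound check on the copy, not on the flag, is the fix; in a real C program the bytes beyond the buffer are just as likely to be a saved return address.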
The reason buffer overflows are so prevalent across so many kinds of software is that programmers often assume that presented data will conform to expectations. Developers must plan for attempted or accidental overflows and validate the length and form of all input before it is copied into fixed-size storage.

Cookies

HTTP is stateless: each request is handled on its own, which makes it hard to keep track of a user across pages, servers, or sites. To overcome this limitation when scaled to global Web site deployments, Netscape created a mechanism by which a server sends the browser small pieces of data that the browser stores and returns with later requests to the same site. These small pieces of data are known as cookies, and they may be used to maintain data (such as user settings between visits to the same site on multiple days) or to track user browsing habits (such as those used by sites hosting DoubleClick banner advertisements).

Privacy Issues

Many sites require that browsing clients be configured to accept cookies to store information such as configuration settings or shopping cart data for electronic commerce (e-commerce) sites. A Web site can record in a cookie anything it learns about the client, such as the IP address of the client system, the operating system and browser being used, the pages requested, and the referring URL, along with any settings the host Web site chooses to store. A cookie is returned only to the site that set it, but a third party whose content (such as a banner advertisement) is embedded in many sites can set its own cookie on each of them and so correlate a user's visits across those sites, presenting the user with targeted advertising or content. Many users feel this is a violation of their privacy.

Session Values

Cookies may also be used to carry a session identifier across multiple, separate connections to a Web server. This is very helpful when connecting to a distributed server farm, where each page access might be handled by a different physical server: session variables held in one server's memory are not visible to the others, but a session identifier in the cookie lets whichever server handles the request look up the session in shared storage.
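An added example (not from the original text) of the session-value pattern just described: the server keeps the user's identity and cart in a store shared by every node of the farm and gives the browser only an unguessable identifier, marked Secure and HttpOnly, while a hypothetical "state in the cookie" layout is shown alongside to illustrate why placing user details in the cookie itself is dangerous. SESSION_STORE, the cookie name sid and the sample cookie headers are assumptions made for the example.

```python
"""Session cookie carrying only an identifier, with the state kept server-side.

Added example.  SESSION_STORE stands in for the database or cache that every
server in the farm can reach; the cookie name `sid` is a hypothetical choice.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Optional

SESSION_STORE = {}   # session id -> {"user": ..., "cart": [...]}


def issue_session(user: str) -> str:
    """Create a server-side session and return the Set-Cookie header value.

    Only an unguessable identifier goes to the browser; who the user is and
    what is in the cart never leave the server.
    """
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {"user": user, "cart": []}
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True     # sent only over HTTPS, so it cannot be sniffed
    cookie["sid"]["httponly"] = True   # not exposed to scripts running in the page
    return cookie["sid"].OutputString()


def browser_reply(set_cookie_value: str) -> str:
    """What the browser sends back on its next request: the Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return "; ".join(f"{name}={morsel.value}" for name, morsel in jar.items())


def lookup_session(cookie_header: str) -> Optional[dict]:
    """Any server in the farm resolves the identifier against the shared store."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sid")
    if morsel is None:
        return None
    return SESSION_STORE.get(morsel.value)   # unknown or forged id -> None


def add_to_cart(cookie_header: str, item: str) -> int:
    """Handled by whichever server receives the request; returns the cart size."""
    session = lookup_session(cookie_header)
    if session is None:
        return -1
    session["cart"].append(item)
    return len(session["cart"])


def state_cookie(user: str, is_admin: bool) -> str:
    """Anti-pattern (hypothetical layout): the state itself rides in the cookie."""
    return f"user={user}; admin={int(is_admin)}"


def parse_state_cookie(cookie_header: str) -> dict:
    """The server trusts whatever comes back, so the client can rewrite it."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {"user": jar["user"].value, "admin": jar["admin"].value == "1"}


if __name__ == "__main__":
    set_cookie = issue_session("alice")
    print("Set-Cookie:", set_cookie)
    reply = browser_reply(set_cookie)
    print("node A cart size:", add_to_cart(reply, "book"))
    print("node B cart size:", add_to_cart(reply, "pen"))
    print("forged id      :", lookup_session("sid=not-a-real-session"))
    print("issued         :", state_cookie("alice", False))
    print("after client edit:", parse_state_cookie("user=alice; admin=1"))
```

Because the identifier is the only thing the browser holds, a user who edits the cookie can at most log himself out; with the state-in-the-cookie layout, editing admin=0 to admin=1 is all it takes.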
Session cookies are very useful in e-commerce sites, where a shopping cart application might add items from multiple pages to a growing total invoice before transferring it to a billing application. These cookies are also useful for providing custom user configuration settings on subsequent visits to Web portals whose content is presented dynamically. The danger in maintaining session information is that the cookie is presented with every request to the site, so anyone who can read it (for example, by sniffing an unencrypted HTTP connection) can learn details of the user's shopping habits or, if the cookie carries a session identifier, impersonate the user for as long as the session lasts. In addition, cookies that store user details directly rather than an opaque identifier may contain sensitive information identifying the user, and because the client controls the cookie's contents, such values can be altered before they are sent back in order to gain access to secured areas of a site.

Signed Applets

Java applets are popular for presenting textual, formatting, and graphical elements within Web pages. These small programs operate within the Java Virtual Machine (JVM), which encapsulates their operation and limits their access to system resources. Applets may be digitally signed so that the client system can verify their origin and ensure that they have not been modified since being signed. If the local security policy allows it, a signed applet may then access resources such as the local file system and system variables. To sign an applet, the developer generates a public/private key pair and obtains from a Certificate Authority (CA) such as VeriSign or Thawte a certificate that binds the public key to the developer's identity. The private key is used to sign a cryptographic hash of the applet's code (for RSA, a private-key operation on the hash value), and the resulting digital signature is packaged with the applet along with the developer's certificate. When a client attempts to execute the signed applet, it recomputes the hash of the applet as downloaded, uses the public key from the certificate to check that the signature matches that hash, and so confirms that the code has not been modified. The client also verifies that the certificate was issued by a CA it trusts (and, where revocation checking is enabled, that the CA has not since revoked it), which establishes that the key really belongs to the named publisher. If the signature and certificate validate and the local security policy allows it, the applet can then access additional resources.
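The signing and verification flow just described, as an added example that is not the page's or any vendor's code: the developer signs a SHA-256 hash of the applet bytes with an RSA private key, a CA signs a minimal certificate binding the developer's public key to a name, and the client checks the certificate against the CA's public key before checking the applet signature, rejecting a modified applet, a tampered signature, or a certificate the CA never issued. Key generation is textbook RSA with 256-bit primes and unpadded signatures, written in pure Python so the example runs with no third-party library; real JAR or Authenticode signing uses 2048-bit keys, padded signatures and X.509 certificates. APPLET_CODE and the publisher name are constructed for the example.

```python
"""Sign-and-verify flow for downloaded code (added example, textbook RSA).

Keys are 512-bit (two 256-bit primes) and signatures are unpadded so that the
example needs only the standard library.  Do not reuse this for real code
signing, which needs 2048-bit keys, padded signatures and X.509 certificates.
"""
import hashlib
import math
import random

E = 65537
_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512) -> tuple:
    """Returns ((n, e), (n, d)): the public key and the private key."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            break
    n = p * q
    return (n, E), (n, pow(E, -1, phi))


def _digest(data: bytes, n: int) -> int:
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    assert h < n, "modulus must exceed the 256-bit digest"
    return h


def sign(data: bytes, private_key: tuple) -> int:
    """Private-key operation on the SHA-256 hash of the data."""
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify(data: bytes, signature: int, public_key: tuple) -> bool:
    """Recompute the hash and compare it with the public-key operation on the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def _cert_body(subject: str, public_key: tuple) -> bytes:
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(subject: str, subject_key: tuple, ca_private: tuple) -> dict:
    """Minimal certificate: the CA signs (subject name, subject public key)."""
    return {"subject": subject, "key": subject_key,
            "sig": sign(_cert_body(subject, subject_key), ca_private)}


def verify_signed_applet(code: bytes, signature: int, cert: dict, ca_public: tuple) -> bool:
    """The client's check: the certificate must chain to a trusted CA, then
    the applet signature must match the hash of the code actually downloaded."""
    if not verify(_cert_body(cert["subject"], cert["key"]), cert["sig"], ca_public):
        return False                                  # key not vouched for by the CA
    return verify(code, signature, cert["key"])       # modified code -> False


# Constructed demo data: a stand-in for applet bytecode and a publisher name.
APPLET_CODE = b"\xca\xfe\xba\xbe" + b"class HelloApplet {}"
PUBLISHER = "Example Applets Inc."

if __name__ == "__main__":
    ca_public, ca_private = generate_keypair()
    dev_public, dev_private = generate_keypair()
    cert = issue_certificate(PUBLISHER, dev_public, ca_private)
    sig = sign(APPLET_CODE, dev_private)
    print("genuine applet :", verify_signed_applet(APPLET_CODE, sig, cert, ca_public))
    print("modified applet:", verify_signed_applet(APPLET_CODE + b"\x00", sig, cert, ca_public))
    atk_public, atk_private = generate_keypair()
    fake_cert = issue_certificate(PUBLISHER, atk_public, atk_private)  # self-issued, not by the CA
    print("forged cert    :", verify_signed_applet(APPLET_CODE, sign(APPLET_CODE, atk_private), fake_cert, ca_public))
```

Note that the publisher name alone proves nothing: the forged certificate carries the same name but fails because the CA never signed it, which is exactly why the client must check the chain to a trusted CA and not just the name shown in the signing dialog.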
It is also possible for a user to configure his browser to allow the execution of unsigned applets, which can result in the execution of many types of undesired code capable of accessing system resources. System administrators should configure browsers so that unsigned applets cannot be run and prevent users from changing that setting.

Common Gateway Interface (CGI) Vulnerabilities

On the server side, a common option is the Common Gateway Interface (CGI): the Web server runs an external program or script, often written in Perl, and returns its output as the response. Because these scripts execute on the server system and generally incorporate user-supplied input values, they are highly subject to exploitation in many ways. Most exploits can be grouped into two general categories:
Because CGI scripts are executed on the server, they are particularly susceptible to exploitation through user input. Such exploits may reveal server-configuration details that can assist later unauthorized access attempts, a process often referred to as profiling. Because any process that executes on the server runs with the access rights of the account it runs under, an improperly written CGI script could be used to execute arbitrary commands on the server, change server-configuration settings, and even create unauthorized user accounts that could later be used to gain greater control over the server. It is vital that an exposed service such as a Web server not run under a privileged account, so that a compromised script gains only limited rights.
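An added example (not from the original text) of the server-side input problem in the CGI discussion: a Python CGI handler that, in its vulnerable form, pastes the user-supplied name into a shell command line, and in its corrected form validates the name against an allowlist and runs the program without a shell, returning a generic error that gives away nothing useful for profiling the server. The finger command, the form field name user and the sample query strings are assumptions chosen for the example.

```python
"""CGI request handler: shell injection and its fix (added example).

The script answers queries like  ?user=bob  by running the (hypothetically
chosen) finger command.  vulnerable_argv shows what a script doing
system("finger $user") really executes; safe_argv is the replacement.
"""
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs

# Allowlist: a conventional Unix login name and nothing else.  Rejecting by
# pattern is safer than trying to strip the characters the shell cares about.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def vulnerable_argv(user: str) -> list:
    """What system()/backticks in a CGI script amount to: the untrusted value
    is pasted into a command line that /bin/sh will parse, so 'bob;cat
    /etc/passwd' becomes two commands."""
    return ["/bin/sh", "-c", "finger " + user]


def safe_argv(user: str) -> list:
    """Validate first, then pass the value as one argument with no shell in
    between, so metacharacters in it are never interpreted."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("invalid username")
    return ["finger", user]


def _run(argv: list) -> str:
    """Default executor: run without a shell, with a timeout."""
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


def handle_request(query_string: str, execute=_run) -> tuple:
    """Returns (status, body).  Error text is deliberately generic so the
    response reveals nothing that helps profile the server."""
    params = parse_qs(query_string, keep_blank_values=True)
    users = params.get("user", [])
    if len(users) != 1:
        return 400, "bad request\n"
    try:
        argv = safe_argv(users[0])
    except ValueError:
        return 400, "bad request\n"
    try:
        return 200, execute(argv)
    except (OSError, subprocess.SubprocessError):
        return 500, "internal error\n"   # details belong in the server log, not the reply


# Constructed inputs illustrating the injection the allowlist blocks.
INJECTION = "bob;cat /etc/passwd"
SAFE = "bob"

if __name__ == "__main__":
    print(vulnerable_argv(INJECTION))   # ['/bin/sh', '-c', 'finger bob;cat /etc/passwd']
    status, body = handle_request(os.environ.get("QUERY_STRING", ""))
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/plain\r\n\r\n{body}")
```

Run under a Web server, the script reads QUERY_STRING from the environment as any CGI program does; the execute parameter exists so the handling logic can be exercised without a finger binary present.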
CGI script creation requires many considerations for security, including the following:
Simple Mail Transfer Protocol (SMTP) Relay

Although not specifically a Web-related problem, the possible exploitation of Simple Mail Transfer Protocol (SMTP) relay agents to send large numbers of spam email messages is included in our list of vulnerabilities, because many Web servers include a local SMTP service used by server-side processes to perform the mailto functions needed by the Web site. Relaying is how mail normally travels: an SMTP server accepts a message from a client and either delivers it locally or passes it on to another server, and so on until it reaches the intended recipient. The issue is that SMTP, as originally designed, does not authenticate the connecting client. A server that accepts mail from any client for delivery to any destination, with neither the sender nor the recipient local to it, is called an open relay; it allows spammers to connect and send thousands of emails using someone else's server, thereby concealing their identity. Most servers can be configured to refuse relaying for connections that are not warranted, accepting mail for remote recipients only from local or authenticated clients. Having an open-relay SMTP server can have huge consequences. Besides the fact that spammers can send thousands of unsolicited emails through your server, many organizations maintain blocklists of servers from which spam originates, and mail servers that consult those lists refuse to accept mail from the listed servers. Once your server is listed, your capability to send mail becomes severely affected. To be removed from the list, you have to show that the open relay has been remedied; the repair is then tested, and only if it is satisfactory are you removed, after which your email can again reach its final destination. By the time this occurs, the damage done to the company can be extremely costly. Many organizations publish the addresses on their blocklists. The following links are worth looking at to get an idea of the scope of spam-related sites:
Because spammers actively search for unprotected SMTP relay services running on public servers (these services can be used to resend SMTP messages and so obscure their true source), it is extremely important that the SMTP server be properly secured.
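An added example (not part of the original text) of the relay policy an SMTP server should apply: a Python function that accepts RCPT TO only when the recipient domain is local, the client is on an internal network, or the client has authenticated, shown beside the open-relay behaviour it replaces and exercised against a constructed envelope dialogue from an outside address. LOCAL_DOMAINS, TRUSTED_NETS, the reply texts and the addresses in the dialogue are assumptions made for the example.

```python
"""SMTP relay policy: open relay versus restricted relay (added example).

LOCAL_DOMAINS and TRUSTED_NETS are hypothetical values for an example site;
the PROBE dialogue at the bottom is constructed.
"""
import ipaddress
import re

LOCAL_DOMAINS = {"example.com"}                          # mail we deliver ourselves
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"),  # internal clients allowed to relay
                ipaddress.ip_network("127.0.0.0/8")]
_CMD_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^<>\s]*)>\s*$", re.IGNORECASE)


def parse_command(line: str):
    """Returns ('MAIL FROM' | 'RCPT TO', address) or None for anything else."""
    m = _CMD_RE.match(line.strip())
    if not m:
        return None
    return m.group(1).upper(), m.group(2)


def open_relay_policy(client_ip: str, authenticated: bool, rcpt: str) -> bool:
    """The misconfiguration: every recipient is accepted from every client."""
    return True


def relay_policy(client_ip: str, authenticated: bool, rcpt: str) -> bool:
    """Accept a recipient only if the mail is for us, or the client is one we
    are prepared to relay for (internal address or authenticated)."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return True                              # inbound mail for our own users
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return True                              # our users sending outbound mail
    return authenticated                         # roaming users who proved who they are


def smtp_reply(client_ip: str, authenticated: bool, line: str, policy=relay_policy) -> str:
    """Server reply to one MAIL FROM / RCPT TO line under the given policy."""
    parsed = parse_command(line)
    if parsed is None:
        return "500 5.5.2 Syntax error"
    verb, address = parsed
    if verb == "MAIL FROM":
        return "250 2.1.0 Sender ok"             # the sender is not what decides relaying
    if "@" not in address:
        return "501 5.1.3 Bad recipient address syntax"
    if policy(client_ip, authenticated, address):
        return "250 2.1.5 Recipient ok"
    return "554 5.7.1 Relay access denied"


def run_dialogue(client_ip: str, authenticated: bool, lines: list, policy=relay_policy) -> list:
    """Replies to a sequence of envelope commands, e.g. a spammer probing the server."""
    return [smtp_reply(client_ip, authenticated, line, policy) for line in lines]


# Constructed probe from an outside address: one local recipient, one remote.
PROBE = ["MAIL FROM:<bulk@spammer.invalid>",
         "RCPT TO:<alice@example.com>",
         "RCPT TO:<victim@elsewhere.invalid>"]

if __name__ == "__main__":
    for policy in (open_relay_policy, relay_policy):
        print(policy.__name__)
        for line, reply in zip(PROBE, run_dialogue("203.0.113.7", False, PROBE, policy)):
            print("  C:", line)
            print("  S:", reply)
```

The decision is made per recipient at RCPT TO, before any message data is accepted, and the sender address plays no part in it: a spammer can put anything in MAIL FROM, so only the recipient and the identity of the connecting client are worth trusting.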