Introduction

Introduction

In the beginning, Web technologies were simple, involving use of only the most rudimentary incarnations of the HTTP protocol and the HTML language. But as the need arose for making content over the Web more dynamic, the traditional protocols and languages of the Internet became insufficient for the Web's increasing demands. New technologies began to evolve, incorporating logical extensions to the HTTP and HTML roots of the Internet. The first evolution involved dynamically generated content using the Common Gateway Interface (CGI). As discussed in Chapter 1, CGI programs are mainly written in C, C++, and Perl. They offered the first real glimpse into what was to come.

The evolution of Web applications from these static, mundane portals into dynamic, colorful feasts of information opened a new dimension for both the end-user and hacker. Nearly all the programs at the time were poorly written, lacking even the most basic security procedures for handling data and input from a user. As a result, CGI programs had numerous vulnerabilities, which could be exploited to achieve unauthorized access to file systems and databases sometimes even gaining interactive shell access on the remote machine. The root cause of these vulnerabilities was security-anemic scripts lacking proper input validation, poor authentication, and poor integration with other parts of the system. The evolution of dynamic content is displayed in Table 12-1.

CGI scripts were inefficient, and their scalability proved difficult. Each time a CGI script or program was executed, a new process was created on the system. To overcome this bottleneck and provide better security architecture, different vendors started to develop new technologies. Vendors such as Microsoft, Allaire, and Sun independently came up with new consolidated architectures, covering several aspects of performance and security. However, each phase of the architectural evolution opened new areas of security vulnerabilities.

Microsoft IIS and Active Server Pages (ASP) were found to be vulnerable to buffer overflow, source code disclosure, directory traversal, and remote command execution attacks. Allaire's ColdFusion had architectural flaws that lead to denial-of-service attacks and source code disclosure. Other technologies, such as those from Netscape, used the so-called plug-in to attach additional functionality and integrate it with the Web server. In this particular architecture, Web servers were powered by scripting languages such as ASP, PHP, and CFM. (See Chapter 1 for more information on these technologies.) These server resources had their own extensions, such as .asp, .php, and .cfm. If Web clients called on these resources, they would be processed by the plug-ins and served via HTTP. To make programming easier, plug-ins were written to support special tags that could be integrated into the HTML page itself.

So, to compete with the new technologies such as ASP, ColdFusion, PHP, and others, Sun Microsystems decided to extend its Java technology platform to the Web arena. Thus Java-driven technology was born.