Module Objectives


The Internet is probably where security, or the lack of it, is most visible. Often, a security breach causes more damage to an organization's goodwill than the directly quantifiable loss, which makes the security of web servers critically important. Most organizations consider their Internet presence an extension of themselves. In this module, we will explore:

  • The basic function of a web server

  • Popular web servers and common vulnerabilities

  • Apache Web Server and known vulnerabilities

  • IIS Server vulnerabilities

  • Attacks against web servers

  • Tools used in attacks against web servers

  • Countermeasures that can be adopted

This module attempts to highlight the various security concerns in the context of a web server. It must be remembered that this is a vast domain, and delving into the finer details is beyond the scope of the module. Readers are encouraged to supplement this module by following vulnerability discussions on mailing lists such as bugtraq and the security bulletins issued by third-party vendors for the various integrated components.

start sidebar
How Web Servers Work
  1. The browser breaks the URL into three parts:

    1. The protocol ("http")

    2. The server name ("www.website.com")

    3. The file name ("webpage.html")

  2. The browser communicates with a name server, which translates the server name, www.website.com, into an IP address.

  3. The browser then forms a connection to the Web server at that IP address on port 80.

  4. Following the HTTP protocol, the browser sends a GET request to the server, asking for the file webpage.html.

  5. The server sends the HTML text for the Web page to the browser.

  6. The browser reads the HTML tags and formats the page onto the screen.

end sidebar
 

Let us take a look at the basic working of a web server. What happens when you type http://www.eccouncil.org/Certification.htm in your browser?

  • The browser differentiates the URL into three parts:

    1. The protocol ("http")

    2. The server name ("www.eccouncil.org")

    3. The file name ("Certification.htm")

  • The browser initiates the connection by communicating with a name server to translate the server name www.eccouncil.org into a valid IP address.

  • It then uses this IP address to connect to the target web server machine.

  • The browser establishes the connection to the web server at that IP address on port 80, the default HTTP port (any other port can be configured as well).

  • According to the HTTP protocol, the browser sends a GET request to the server to retrieve the file "http://www.eccouncil.org/certification.htm".

  • The web server then sends the HTML text for the particular Web page to the browser.

  • The browser reads the HTML tags and formats the page on the user's screen.

Other HTTP methods, such as POST and PUT, are used in subsequent communications if needed. The server's response includes the HTTP status code matching the result of the request. When the data is retrieved successfully, an HTTP 200 OK response is generated. Other response codes exist; common ones include 404 Not Found, 403 Access Denied, and 302 Object Moved (often used to redirect a request to a login page so the user can authenticate).
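The steps above carried out in Python, as an added example that is not part of the courseware: the URL is split into the three parts the text names, a raw socket is opened to the server's port, a GET request is sent and the status line of the reply is parsed. The server side is a constructed local stand-in that answers with the 200, 302, 403 and 404 codes mentioned; the file names /old.htm, /admin/ and /missing.htm are made up for the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def split_url(url):
    # Step 1: protocol, server name, port (80 when the URL names none) and file name
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or 80, u.path or "/"

def build_get_request(host, path):
    # Step 4: the GET request line; the Host header lets a server that hosts several sites pick one
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def parse_response(raw):
    # Step 5: split the reply into (status code, reason phrase, headers); the body is ignored here
    status_line, *header_lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    _version, code, reason = status_line.split(" ", 2)
    return int(code), reason, dict(line.split(": ", 1) for line in header_lines)

def fetch(url):
    # Steps 2-5 over a raw socket: resolve the name, connect, send the GET, read until the server closes
    _scheme, host, port, path = split_url(url)
    with socket.create_connection((host, port)) as sock:
        sock.sendall(build_get_request(host, path))
        raw = sock.makefile("rb").read()
    return parse_response(raw)

class DemoHandler(BaseHTTPRequestHandler):  # constructed stand-in for the web server
    protocol_version = "HTTP/1.0"
    RESPONSES = {"/Certification.htm": (200, {}), "/admin/": (403, {}),   # 403: access denied
                 "/old.htm": (302, {"Location": "/Certification.htm"})}  # 302: redirect (login page)
    def do_GET(self):
        code, headers = self.RESPONSES.get(self.path, (404, {}))  # unknown file name -> 404
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        if code == 200:  # the HTML text the browser will render
            self.wfile.write(b"<html><body>Certification</body></html>")

def run_demo():
    # Serve on an ephemeral port, fetch four file names, return {path: (code, reason, headers)}
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    paths = ("/Certification.htm", "/old.htm", "/admin/", "/missing.htm")
    results = {path: fetch(base + path) for path in paths}
    server.shutdown()
    return results
```

Calling run_demo() returns the four (code, reason, headers) tuples, and the request log lines that http.server prints to stderr show the same exchange from the server's side.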

start sidebar
Popular Web Servers and Common Security Threats
  • Apache Web Server

  • IIS Web Server

  • Sun ONE Web Server

  • Nature of Security Threats in a Web Server Environment:

    • Bugs or Web Server Misconfiguration

    • Browser-Side or Client-Side Risks

    • Sniffing

    • Denial of Service Attack

end sidebar
 



Staff of EC-Council - Ethical Hacking Student Courseware. Certified Ethical Hacker - Exam 312-50 (EC-Council E-Business Certification Series)
Year: 2003
Pages: 109
