11.8 Conclusions


In this chapter, we gave an overview of, and discussed the security implications of, some technologies that can be used to design and build multitier Web-based applications (i.e., CGI, server APIs, FastCGI, SSIs, ASP, and JSP). Since the current trend toward building Web-based applications and services is likely to continue, we will see many other server-side technologies created and aggressively marketed in the future. This is unfortunate, because many server-side technologies do the same or at least very similar things. Note that most of what we said about CGI scripts also applies to server APIs, ASP, and JSP. Most importantly, an application developer must never trust any string the user types in.
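As an added illustration of the "never trust any string the user types in" rule, the following Python script is example code written for this edition of the text; it is not code from the book or from any of the server-side technologies it discusses. It handles a CGI-style query string the way the chapter's advice suggests: the user-supplied value is checked against an allowlist, and on success it is returned as a single argv element instead of being spliced into a shell command line. The naive string-concatenation variant is kept alongside it only to show how the user's input becomes part of the command line. The field name `user`, the `finger` program name, and the sample query strings are assumptions chosen for the example.

```python
import re
from urllib.parse import parse_qs

# Allowlist for the one field this script accepts: a Unix-style login name.
# Anything outside the pattern is rejected outright, rather than trying to
# strip "bad" characters, which is the approach that tends to miss cases.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def validate_username(raw: str) -> str:
    """Return raw unchanged if it matches the allowlist, otherwise raise ValueError."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("rejected user-supplied value: %r" % raw)
    return raw


def build_naive_command(raw: str) -> str:
    """The pattern to avoid: splice the untrusted string into a shell command line.
    Whatever the user typed becomes part of the text the shell parses."""
    return "finger " + raw


def build_safe_argv(raw: str) -> list:
    """The hardened pattern: validate first, then pass the value as one argv
    element so no shell ever parses it (hypothetical 'finger' wrapper)."""
    return ["finger", "--", validate_username(raw)]


def handle_cgi_query(query_string: str):
    """Minimal CGI-style handler: parse QUERY_STRING, validate the 'user' field,
    and return (http_status, payload). payload is the argv list on success or a
    short error message on rejection. Nothing is executed here; the argv list
    would be handed to subprocess.run(argv, shell=False) by the caller."""
    fields = parse_qs(query_string, keep_blank_values=True)
    values = fields.get("user", [])
    if len(values) != 1:
        return 400, "exactly one 'user' parameter is required"
    try:
        return 200, build_safe_argv(values[0])
    except ValueError:
        return 400, "invalid user name"


if __name__ == "__main__":
    # Constructed sample query strings: one well-formed, one carrying a shell
    # metacharacter ("%3B" is ';' and '+' is a space in the query encoding).
    for qs in ("user=alice", "user=alice%3B+id"):
        print(qs, "->", handle_cgi_query(qs))
        raw = parse_qs(qs)["user"][0]
        print("  naive command line would be:", repr(build_naive_command(raw)))
```

The handler returns a 400 response for a missing, duplicated, or malformed `user` parameter, and only a value that matched the allowlist reaches the argv list; the same structure carries over to server APIs, ASP, and JSP, where the untrusted string arrives through a different interface but must be treated the same way.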

From a security point of view, the most dangerous aspect of the technologies that can be used to design and build multitier Web-based applications is that they all add functionality to Web servers, and that this additional functionality can be attacked directly or (mis)used to indirectly attack other things. Several examples were given in this chapter, and it is very likely that many more will be reported in the future. Consequently, it is very important that Web-based applications and services be designed, implemented, and deployed with security in mind, in a way that ensures their security requirements are properly met. This is mainly a design issue, and the designers of Web-based applications and services should be educated in security or collaborate with security professionals or engineers. There are simply too many things that can go wrong. This is particularly true if Web-based applications and services are offered on the Internet (using, for example, reverse proxy mechanisms). Last but not least, it is important to note that software engineering principles are becoming more and more important for Web-based applications and services.




Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Pages: 142
Authors: Rolf Oppliger
