Friday, April 2, 2010

Popular Web Servers, Hacking Web Servers Part - 3


The popular web servers are Apache Web Server, Internet Information Server and Sun ONE Web Server.
The Apache Web Server is an open-source web server for modern operating systems including UNIX and Windows NT. The server provides HTTP services in sync with the current HTTP standards in an efficient and extensible environment.
The Java Web Server / Sun ONE Web Server is one of the other highly available Web servers on the market. Microsoft's Internet Information Server is another popular server used by a sizable percentage of websites.

Threat
Common Security Risks
Let us take a look at some of the security concerns that arise in the context of web servers. There are inherent security risks that affect web servers, the local area networks that host these web sites, and perhaps even the normal users of web browsers.

Webmaster's Concern

From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network or the corporate intranet to the threats posed by the Internet. This may take the form of viruses, Trojans, hackers or compromise of the information itself. Software bugs in large, complex programs are widely regarded as a major source of security lapses, and web servers, being large and complex pieces of software, carry these inherent risks. Apart from this, the open architecture of some Web servers allows arbitrary scripts to be executed on the server's side of the connection in response to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

Network Administrator's Concern

From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web site is to provide controlled access to the network, too much control can make a Web site impossible to use. In an intranet environment, the network administrator has to be careful to configure the web server so that legitimate users are recognized and authenticated, and the various groups of users are assigned distinct access privileges.

End User's Concern

Usually the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications such as viruses to invade the user's system. Moreover, active content running in a web browser can be a conduit for malicious software to bypass the firewall and permeate the local area network.
The threat to the end user stems from the fact that the TCP/IP protocol suite was not designed with security as its foremost priority. Therefore, data can be compromised in terms of confidentiality, authentication, and integrity as it is transmitted across the Web. In essence, confidentiality, authentication, and integrity need to be guarded on both the client side and the server side to the extent possible.

Risks

There are basically three overlapping types of risk:

  1. Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to:
    • Steal classified information.
    • Execute commands on the server host machine and modify the system.
    • Retrieve host-based information to assist them in compromising the system.
    • Launch denial-of-service attacks, rendering the machine temporarily unusable.

  2. Browser-side risks:
    • Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates a disturbance.
    • The misuse of personal information provided by the end user.

  3. Interception of network data sent from browser to server, or vice versa, via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server, including:
    • The network on the browser's side of the connection.
    • The network on the server's side of the connection (including intranets).
    • The end user's Internet service provider (ISP).
    • The server's ISP or regional access provider.
