Web Server and Web Site Security

Upload: steven-cahill

Post on 13-Jan-2015


Page 1: Web Server Web Site Security

Web Server and Web Site Security


Web Server Security


Demilitarised Zones


• A DMZ is a network area that sits between an internal network and an external network (generally the Internet).

• The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network – hosts in the DMZ may not connect to the internal network.


DMZ and Web Servers

• Web servers may need to communicate with an internal database to provide some specialised services.

• Since the database server is not publicly accessible and may contain sensitive information, it should not be in the DMZ.


DMZ and Web Servers

• Generally, it is not a good idea to allow the web server to communicate directly with the internal database server.

• Instead, an application server can be used to act as a medium for communication between the web server and the database server.


Firewalls


• A firewall is a piece of hardware/software which functions in a networked environment to protect against communications forbidden by security policies.

• Firewalls filter information coming from the Internet into your private network or computer system. If an incoming packet of information is flagged by the firewall's filters, it is not allowed through.

• Firewalls use one or more of three methods to control traffic flowing in and out of a network.


Packet filtering

• A type of service filtering to permit or deny network traffic based on the data source, destination, service or protocol of the data packets.
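The two ideas above, the DMZ connection rules (internal and external may connect to the DMZ, the DMZ may connect only to the external network) and a packet filter that permits or denies on source, destination, service and protocol, can be put together in a few lines. This is an added Python example, not code from the slides; the address blocks, the zone names and the service rules are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (not from the slides): which address block is which zone.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

def zone_of(ip):
    """Classify an address as internal, dmz or external (the Internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

# Zone pairs the DMZ design permits at all, as the slide states them:
# internal -> DMZ and external -> DMZ are allowed, DMZ -> external is allowed.
# DMZ -> internal is not listed, so it is refused before any service rule is read.
ZONE_POLICY = {("internal", "dmz"), ("external", "dmz"), ("dmz", "external")}

# Packet-filter rules: (source zone, destination zone, protocol, destination port).
# Constructed service list; first match wins and anything unmatched is denied.
RULES = [
    ("external", "dmz", "tcp", 80),    # public web traffic to the DMZ web server
    ("external", "dmz", "tcp", 443),
    ("internal", "dmz", "tcp", 22),    # administration from the inside only
    ("dmz", "external", "tcp", 443),   # e.g. the web server fetching updates
]

def filter_packet(src_ip, dst_ip, proto, dport):
    """Return 'permit' or 'deny' for a packet described by its source,
    destination, protocol and service (destination port)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if (src, dst) not in ZONE_POLICY:
        return "deny"                  # e.g. a DMZ host reaching for the internal network
    for rule in RULES:
        if rule == (src, dst, proto, dport):
            return "permit"
    return "deny"                      # default deny: no rule matched

if __name__ == "__main__":
    for pkt in [("203.0.113.5", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web
                ("192.0.2.10", "10.0.0.5", "tcp", 3306),     # DMZ -> internal database
                ("10.0.0.5", "192.0.2.10", "tcp", 22)]:      # internal -> DMZ admin
        print(pkt, "->", filter_packet(*pkt))
```

The zone check runs before the service rules on purpose: a DMZ host trying to open the database port on the internal network is refused even if someone later adds a careless rule for that port, which is the property the DMZ design is meant to give.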


Proxy Service

• Information from the Internet is retrieved by the firewall and then sent to the requesting system, and vice versa.


Stateful Inspection

• Compares certain key parts of the packet to a database of trusted information.

• Information travelling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics.

• If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
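The record-then-compare behaviour described above, as an added Python example (not code from the slides): outbound packets from inside have their defining characteristics (protocol, addresses, ports) recorded in a connection table, and an inbound packet is allowed only if it matches a recorded flow in the reverse direction or is a new connection to a service deliberately published to the outside. The inside prefix, the published service and the packets are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

class StatefulFilter:
    """Toy stateful inspection: the connection table plays the role of the
    'database of trusted information' the slide refers to."""

    def __init__(self, inside_prefixes, published_services=()):
        self.inside = tuple(inside_prefixes)       # address prefixes considered "inside"
        self.published = set(published_services)   # (ip, port) pairs reachable from outside
        self.table = set()                         # recorded flow characteristics

    def is_inside(self, ip):
        return ip.startswith(self.inside)

    def inspect(self, pkt):
        forward = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if self.is_inside(pkt.src_ip):
            self.table.add(forward)     # outbound: record the characteristics, allow
            return "allow"
        if reverse in self.table:       # inbound reply matching a recorded outbound flow
            return "allow"
        if (pkt.dst_ip, pkt.dst_port) in self.published:
            self.table.add(forward)     # new connection to a published service
            return "allow"
        return "drop"                   # unsolicited inbound traffic is discarded

if __name__ == "__main__":
    # Constructed scenario: inside network 10.0.0.0/8, web server 192.0.2.10 published on 443.
    fw = StatefulFilter(["10."], published_services=[("192.0.2.10", 443)])
    for pkt in [Packet("tcp", "10.0.0.5", 50000, "203.0.113.7", 443),   # browser going out
                Packet("tcp", "203.0.113.7", 443, "10.0.0.5", 50000),   # the reply coming back
                Packet("tcp", "203.0.113.7", 4444, "10.0.0.5", 22),     # unsolicited inbound
                Packet("tcp", "203.0.113.7", 40000, "192.0.2.10", 443)]: # visitor to the web server
        print(pkt, "->", fw.inspect(pkt))
```

A real firewall also ages entries out of the table and tracks TCP state (SYN, established, closing) rather than just a five-tuple, but the decision rule is the same one the slide describes.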


What does a firewall protect you from?

• Remote Login
• Application Backdoors
• Operating System Bugs
• Denial of Service
• E-mail Bombs
• Viruses
• Spam
• Redirect Bombs
• Source Routing


Intrusion Detection System


• An Intrusion Detection System monitors network traffic and logs or raises a notification on any possibly malicious activity.

• An IDS is composed of several components:

• Sensors, which generate security events.
• A console to monitor events and alerts and to control the sensors.
• A central engine that records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.
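The central engine described above (events in, stored to a database, rules turned into alerts) in miniature, as an added Python example that is not from the slides. The sensor record format, the sample log and the single rule (five failed logins from one source within sixty seconds) are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sensor output: "<ISO timestamp> <source ip> <event kind>" per line.
SAMPLE_LOG = [
    "2015-01-13T10:00:01 203.0.113.9 login_failed",
    "2015-01-13T10:00:04 203.0.113.9 login_failed",
    "2015-01-13T10:00:05 198.51.100.4 login_failed",
    "2015-01-13T10:00:09 203.0.113.9 login_failed",
    "2015-01-13T10:00:12 203.0.113.9 login_failed",
    "2015-01-13T10:00:15 198.51.100.4 login_ok",
    "2015-01-13T10:00:18 203.0.113.9 login_failed",
    "2015-01-13T10:00:40 203.0.113.9 login_failed",
]

def parse_event(line):
    """Turn one sensor record into (timestamp, source, kind)."""
    ts_text, src, kind = line.split(maxsplit=2)
    return datetime.fromisoformat(ts_text), src, kind

def analyse(lines, threshold=5, window_seconds=60):
    """Central engine: store every event, apply the rule, return (alerts, database).

    Rule: `threshold` failed logins from the same source inside `window_seconds`
    raises one alert; the burst is then cleared so the same burst is not re-reported."""
    database = []                      # every event received, as the slide's "database"
    recent = defaultdict(deque)        # per-source timestamps of recent failed logins
    alerts = []
    for line in lines:
        ts, src, kind = parse_event(line)
        database.append((ts, src, kind))
        if kind != "login_failed":
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append(f"{ts.isoformat()} possible brute force from {src}")
            q.clear()
    return alerts, database

if __name__ == "__main__":
    alerts, db = analyse(SAMPLE_LOG)
    print(f"{len(db)} events stored, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)                       # this is what the console would display
```

The console component of the slide is just whatever reads `alerts`; the point of the sliding window is that five failures spread over a day are ordinary, while five inside a minute are worth a look.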


Web Security Protocols


Secure Sockets Layer

• Secure Sockets Layer (SSL) preserves user and content integrity as well as confidentiality, so that communications between a client and the Web server containing sensitive data, such as passwords or credit card information, are protected.

• SSL is based on the public key security protocol that protects communications by encrypting data before it is transmitted.


Secure HTTP

• If you have used the Web, you have probably noticed that URLs for most Web pages begin with the HTTP prefix, which indicates that the request will be handled on TCP/IP port 80 using the HTTP protocol.

• When Web page URLs begin with the prefix HTTPS, they require that their data be transferred from server to client, and vice versa, using SSL encryption.


Secure HTTP

• HTTPS uses TCP port number 443, rather than port 80.

• Once an SSL connection has been established between a Web server and client, the client's browser indicates this by showing a padlock in the lower-right corner of the screen.


Web Site Security


Common Gateway Interface


What is a Common Gateway Interface?

• The Common Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server, commonly a Web Server.


"CGI scripts are essential software programs. CGI scripts link servers and software and servers and other resources such as databases. These scripts are themselves small servers and this can create problems in making information too available. The problem with CGI scripts is that each one creates opportunities for exploitable bugs. Therefore, it is essential that business organisations ensure the security of not only servers but also the CGI scripts that link their servers to other resources used in the business."

(Lawrence, E., et al., 2003)


Web Form Validation


Why do we need to validate?


• When working with web forms, often you will have the data being placed into a database of some form.

• You want to ensure that the correct data is going into the fields set in the tables.

• You don't want alphanumeric characters going into fields that require numeric characters only.

• Some fields might require specific information to be entered in a specific format, for example email addresses.

• You will want your email addresses to be validated correctly and that is based on the [email protected].


• Web Form Validation can take place on two fronts: client side and server side.

• Client side validation will often be done with JavaScript, whilst server side validation would be performed with a server side language such as PHP or ASP.

• There is another reason you would validate your web forms, and that is vulnerabilities.

• One such vulnerability that can leave you open to attack is SQL Injection.
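Server side validation of the kind the two slides above describe (numeric-only fields, fields that must follow a format such as an e-mail address), as an added Python example that is not from the slides. The field rules and the sample submissions are constructed; client side JavaScript can repeat the same checks for convenience, but the server side copy is the one an attacker cannot bypass.

```python
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # deliberately simple shape check
NUMBER_RE = re.compile(r"^[0-9]+$")                    # ASCII digits only, no sign or decimal

# Constructed field rules for a sign-up form (not from the slides).
RULES = {
    "name":  {"required": True, "max_len": 50},
    "age":   {"required": True, "numeric": True, "min": 0, "max": 150},
    "email": {"required": True, "pattern": EMAIL_RE},
}

def validate_form(fields, rules=RULES):
    """Check submitted string fields against the rules.

    Returns {field: reason} for every violation; an empty dict means the
    submission may go on to the database."""
    errors = {}
    for name, rule in rules.items():
        value = (fields.get(name) or "").strip()
        if not value:
            if rule.get("required"):
                errors[name] = "required"
            continue
        if rule.get("numeric"):
            if not NUMBER_RE.match(value):          # rejects 'abc', '12a', '-3', '1.5'
                errors[name] = "must contain digits only"
                continue
            n = int(value)
            if not rule["min"] <= n <= rule["max"]:
                errors[name] = "out of range"
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors[name] = "too long"
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors[name] = "invalid format"
    return errors

if __name__ == "__main__":
    # Constructed submissions, as the form handler would receive them.
    good = {"name": "Ann Example", "age": "30", "email": "ann@example.com"}
    bad = {"name": "Ann Example", "age": "abc", "email": "not-an-email"}
    print("good ->", validate_form(good))
    print("bad  ->", validate_form(bad))
```

Validation answers "is this the kind of value the field is for?"; it does not on its own make a value safe to splice into SQL or HTML, which is what the following slides on SQL injection and cross-site scripting are about.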


SQL Injection


What is SQL Injection?


• SQL Injection is a technique that exploits a security vulnerability occurring in the database layer of an application.

• The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

• It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.


Cross-Site Scripting


What is Cross-Site Scripting?


Preventing Cross-Site Scripting


• You have to be careful when you display data entered by a user on a web page, because malicious users can include HTML tags and JavaScript in their input in an attempt to trick other users who might view that information into doing something they might not want to do, such as entering their password to your site and submitting it to another site.


• In order to prevent malicious users from doing that sort of thing, PHP includes the htmlspecialchars() function, which encodes any special characters in a string so that they are displayed on the page rather than letting the browser treat them as markup.

• Or, if you prefer, you can use htmlentities(), which encodes all of the characters that are encoded by htmlspecialchars() plus any other characters that can be represented as entities.


• In the preceding example, you'd really want to write the script that displays the user's name like this:

<p>Hello <?= htmlspecialchars($_POST['yourname']) ?> Thanks for visiting.</p>

• That prevents the person who submitted the data from launching a successful cross-site scripting attack.


• If you prefer, you can also use the strip_tags() function, which just removes all the HTML tags from a string.

• Finally, if your form is submitted using the POST method, you should refer to the parameters using $_POST rather than $_REQUEST, which also helps to avoid certain types of attacks by ignoring information appended to the URL via the query string.
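The three defences on the slides above (escape on output, strip tags, and read form fields from the POST body rather than from anything the request carried) side by side, as an added Python example rather than the slides' PHP. html.escape(quote=True) does the job of htmlspecialchars() with ENT_QUOTES; the strip_tags() and the two parameter readers are constructed stand-ins for the PHP behaviour, and the inputs are constructed.

```python
import html
import re
from urllib.parse import parse_qs

def render_greeting_unsafe(name):
    """What the slide warns against: user input placed into the page as-is,
    so any tags or script in it are handed to the browser as markup."""
    return "<p>Hello %s Thanks for visiting.</p>" % name

def render_greeting(name):
    """Escape on output: & < > \" and ' become entities, so the browser displays
    the characters instead of interpreting them (cf. htmlspecialchars)."""
    return "<p>Hello %s Thanks for visiting.</p>" % html.escape(name, quote=True)

TAG_RE = re.compile(r"<[^>]*>")

def strip_tags(text):
    """Rough stand-in for PHP's strip_tags(): delete anything shaped like a tag.
    This throws user content away rather than displaying it, so escaping is the
    better default for output; stripping suits fields that should never hold markup."""
    return TAG_RE.sub("", text)

def request_param(query, body, name):
    """Like $_REQUEST: a field may come from the form body or from the URL's
    query string (merge order here is constructed; PHP's depends on request_order)."""
    merged = dict(parse_qs(query))
    merged.update(parse_qs(body))
    return merged.get(name, [""])[0]

def post_param(query, body, name):
    """Like $_POST: only the submitted form body counts; the query string is ignored."""
    return parse_qs(body).get(name, [""])[0]

if __name__ == "__main__":
    # Constructed submissions.
    print(render_greeting_unsafe("<b>Bob</b>"))   # tags reach the browser as markup
    print(render_greeting("<b>Bob</b>"))          # tags are shown as text
    print(render_greeting("O'Reilly & Sons"))     # ordinary punctuation survives, encoded
    print(strip_tags("<b>Bob</b>"))
    # A crafted link adds yourname to the URL while the form body is empty:
    print(request_param("yourname=Mallory", "", "yourname"))   # 'Mallory'
    print(post_param("yourname=Mallory", "", "yourname"))      # ''
```

The last two lines are the slide's $_POST versus $_REQUEST point: a page that reads only the body cannot be made to greet a name that arrived in a link someone else constructed.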