How to Prevent Common Web Server Vulnerabilities
When we think of web servers, we most commonly think of them as being published to the Internet. It is also common for organizations to have internal web servers that present internal web apps.
Web servers most commonly fall victim to attacks from malicious users when they are published on the Internet, because of the wider exposure to threats. This is typically the result of poor web application development or poor web server configuration.
Many web servers become compromised due to a lack of patch management and poor input validation.
For example, consider a buffer overflow attack. This type of attack relies on the backend server code failing to properly sanitize or validate the input the user enters. The desired end result for this type of attack is to execute arbitrary code, which can allow the attacker to gain access to otherwise restricted data.
Like buffer overflows, SQL injection relies heavily on poor input validation. Many applications rely on a database to store and retrieve data. If an attacker is able to craft a specially formed string, they can get the web application to return data stored within the database.
How much the attacker can reach depends on the rights granted to the service account used within the application. This is why it is necessary to ensure that your application service accounts have only the security rights needed to perform their intended jobs. An example would be a service account that only reads information from a database; it would not be necessary for this account to have permission to write or drop data in the database. This is a great example of applying the Principle of Least Privilege.
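As an added illustration (not code from the original post), this Python script shows the string-concatenated query the post warns about beside a parameterized one, run against a constructed in-memory SQLite table. It also uses SQLite's query_only pragma as a stand-in for a read-only service account, an assumption made for the demo; on a server DBMS the same effect comes from granting the account SELECT only.

```python
import sqlite3

# Constructed sample data for this example; not data from the original post.
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation, so the user's input becomes
    part of the SQL statement itself (the weakness the post describes)."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Binds the input as a parameter: it is treated as data, never as SQL,
    so a crafted string simply matches no row."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def drop_table_as_readonly_account(conn):
    """Stand-in for a read-only service account (assumption for the demo):
    SQLite's query_only pragma refuses every write on this connection, the way
    a SELECT-only grant would on a server DBMS. Returns 'denied' if refused."""
    conn.execute("PRAGMA query_only = 1")
    try:
        conn.execute("DROP TABLE users")
        return "dropped"
    except sqlite3.DatabaseError:
        return "denied"


if __name__ == "__main__":
    conn = build_db()
    crafted = "' OR '1'='1"  # constructed "specially formed string"
    print("vulnerable:", lookup_vulnerable(conn, crafted))        # every row leaks
    print("parameterized:", lookup_parameterized(conn, crafted))  # []
    print("drop as read-only account:", drop_table_as_readonly_account(conn))
```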
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a web site vulnerability that allows a hacker to inject client-side scripts into a web page. When a normal user visits a site that displays susceptible content, such as dynamic web pages, an attacker may inject malicious code to infect the user.
This type of attack threatens the users of your web page and is highly visible to customers, which can give your organization a bad reputation.
Would you like to perform a Web Application Penetration Test on your web servers? Let's Talk.
Author: Chad Akileh
Equilibrium IT Solutions, Inc.