ASP and LiveWire Applications
Although ASP and LiveWire applications provide the same capabilities as
CGI programs, they are far less prone to security vulnerabilities. There are a
number of reasons why these applications are inherently more secure:
- They automatically parse data that is passed to applications and make it
available in an easy-to-use manner. This reduces the likelihood of a flaw
occurring in the input parsing functions.
- Their applications have predefined objects at their disposal, which reduce
the complexity of maintaining client information, sharing data between
clients, and sharing data between applications. By making it easier to perform
common server-side functions, ASP and LiveWire help you to develop more
reliable and error-free code, thereby lowering the likelihood of an
exploitable security flaw.
- LiveWire and ASP applications are written in JavaScript and JScript. This
eliminates the potential problems associated with using a second, less
familiar language for writing CGI programs. The less experience a programmer
has with a language, the more likely she or he is to make mistakes,
potentially exploitable ones.
The above features significantly reduce the likelihood of security
vulnerabilities in LiveWire and ASP applications. However, the potential for
some vulnerability still exists. For example, suppose an application is
designed such that the LiveWire redirect() method takes a client property as
its parameter. A penetrator could modify client properties (client cookies or
URLs) to cause the redirect() function to return a file of the penetrator's
choosing.
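The redirect() scenario above, as an added example that is not from the original page or from LiveWire itself: whatever is stored in a client property (a cookie or URL value) must be validated before it is passed to redirect(). The helper below, written in modern JavaScript with assumed names (safeRedirectTarget, DEFAULT_PAGE, handleRequest, client.nextPage), accepts only a relative path within the site and falls back to a fixed page otherwise.

```javascript
// Added example (not LiveWire or ASP code): validate a client-supplied
// redirect target before handing it to redirect(). Names such as
// safeRedirectTarget and DEFAULT_PAGE are assumptions for this illustration.
const DEFAULT_PAGE = '/index.html';

// Return the path to redirect to, falling back to DEFAULT_PAGE when the
// client-supplied value is missing, absolute, protocol-relative, contains
// ".." segments, or still carries percent-encoding after one decode.
function safeRedirectTarget(clientValue) {
  if (typeof clientValue !== 'string' || clientValue.length === 0) {
    return DEFAULT_PAGE;
  }
  let target;
  try {
    target = decodeURIComponent(clientValue);
  } catch (err) {
    return DEFAULT_PAGE; // malformed percent-encoding
  }
  // Exactly one leading slash: "http://host" is absolute, and browsers read
  // "//host" and "/\host" as a different host rather than a local path.
  if (!/^\/(?![\/\\])/.test(target)) {
    return DEFAULT_PAGE;
  }
  // No control characters or backslashes anywhere, and no leftover "%"
  // (double encoding) that the browser or server might decode again.
  if (/[\x00-\x1f\x7f\\%]/.test(target)) {
    return DEFAULT_PAGE;
  }
  // Reject ".." segments in the path part so the target stays inside the site.
  const pathPart = target.split(/[?#]/)[0];
  if (pathPart.split('/').includes('..')) {
    return DEFAULT_PAGE;
  }
  return target;
}

// Sketch of the call site: the client property is treated as untrusted input
// even though the server wrote it earlier, because the user can edit cookies.
function handleRequest(client) {
  return safeRedirectTarget(client.nextPage); // hand this value to redirect()
}
```

A stricter variant stores only a short key in the client property and looks the real path up in a server-side table, so no path ever comes from the client at all.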
Server-Side Plug-Ins
Netscape and Microsoft Web servers provide other server-side
programming features, such as Java and server-side plug-ins. In general, any
server-side programming mechanism has the potential to be exploited.
Server-side plug-ins are compiled and integrated with the Web server
software. They allow server-side applications to be developed that perform
better than server-side JavaScript applications and CGI programs. This is
because they are called directly by the server instead of being run as a
separate process.
The performance gain of server-side plug-ins is offset by the
difficulty of developing them. Because server-side plug-ins are closely
integrated with the server, any error in the plug-in could easily result in
the complete failure of the server.
Web Application Access Controls
Most Web servers provide the capability to control access to certain Web
pages and their associated Web applications. These controls may be based on
host name, IP address, user name and password, or other identification and
authentication mechanisms. Failure to implement restrictions on some
applications, such as your server's management software, could lead to serious
security holes.
File Permissions
Operating system file permissions are closely related to Web
application access controls. These permissions determine which files users and
applications are able to read, write, and execute. These controls are important
to protecting your Web site. In particular, write permission to the
directories containing CGI programs and server configuration files should be
limited to the most trusted users. Failure to do so weakens the security of
your Web server, opening it up to a broader spectrum of attacks.
If your server stores financial information, such as credit card data,
the permissions of these files should be set to prevent them from being read by
other applications. If at all possible, these files should be made write-only.
In the event that your server is penetrated , the privileges of your
server become those of the penetrator. Therefore, the login privileges of the
web server itself should be limited to the minimum needed to perform its
function.
Other Server Side Security Considerations
In addition to the vulnerabilities mentioned in the previous sections,
Web servers are vulnerable to a wide range of attacks aimed at their
application services and communication protocols.
If a Web server supports other Internet services, such as telnet or
FTP, then the server inherits all of their vulnerabilities as well. These
vulnerabilities can be eliminated by turning off the additional services.
If a Web server is on the Internet, then it, by definition, must
support the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is
notorious for its security vulnerabilities. These vulnerabilities include
susceptibility to spoofing, session hijacking, and session monitoring. While
these vulnerabilities are common to all systems that are on the Internet, they
need to be considered when assessing the risk of setting up a Web server. If
the perceived risk is too high, then you may want to implement a firewall or
another network security countermeasure.
As a final consideration, the operating system platform on which the
Web server runs is also a potential source of security vulnerabilities. In
general, multi-user operating systems, such as UNIX, pose a higher risk than
single-user systems, such as the Macintosh and Windows 98.
The security of most multi-user systems depends on the reliability and
trustworthiness of all system users. If a single user is careless or
untrustworthy, then the security of the entire system could be jeopardized.
Most multi-user operating systems provide security controls, such as file
permissions, that prevent a user from viewing or modifying the files of others.
However, to be effective, these controls must be correctly applied.
Although Web servers exist for the Macintosh, Windows 98, and Windows
95 platforms, most midlevel to high-end servers run on Windows NT and UNIX
platforms. This is because Windows NT and UNIX provide a fuller set of
operating system services for implementing more complex and capable server
software.
