NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS
interact more dynamically with Web sites. Unfortunately, these interactive elements introduced many Web-related vulnerabilities that remain a concern today.[42]

Active content refers to interactive program elements downloaded to the client (i.e., a Web browser) and processed there instead of on the server. A variety of active content technologies exists; some of the more popular examples are ActiveX, Java, VBScript, JavaScript, and Asynchronous JavaScript and XML (AJAX). The use of active content often requires users to reduce the security settings on their Web browsers for processing to occur. If not implemented correctly, active content can present a serious threat to the end user; for example, active content can take actions independently, without the knowledge or expressed consent of the user. While active content poses risk to the client, it can also pose risk to the Web server. The reason is that information processed on the client is under the control of the user, who can manipulate the results by reverse engineering and tampering with the active content, or simply by sending crafted requests that bypass it altogether. For example, form validation done with active content elements on the client side can be changed to return out-of-range options or other unexpected results to the server. Therefore, the server should not trust the results of any processing done on the client by active content; it should treat them as untrusted input and verify them itself. Client-side checks improve usability but are not a security control. Organizations considering the deployment of client-side active content should carefully consider the risks to both their users and their Web servers.
Content generators are programs on a Web server that dynamically generate HTML pages for users; these pages may be generated using information retrieved from a backend server, such as a database or directory, or possibly user-supplied input. Some of the earliest content generators were CGI scripts executed by the Web server when a specific URL was requested. In contrast, some modern content generators are an integral component of the servers on which they run, such as Java Enterprise Edition (Java EE) application servers. Because content generators are implemented on the server, they can expose the Web server itself to threats. The danger with content generators occurs when they blindly accept input from users and apply it to actions taken on the Web server. If the content generator has not been implemented to restrict and validate input correctly, an attacker can supply input that negatively affects the Web server or compromises its security. For example, one common attack against content generators is Structured Query Language (SQL) injection. In this type of attack, a malicious entity sends specially crafted input to the content generator. The input contains SQL syntax that, when the content generator concatenates it unfiltered into a query sent to a SQL database server, changes the meaning of that query and can return to the attacker any or all of the information stored in the database. SQL injection and similar attacks are used to execute commands or gain unauthorized access to the Web server or a backend database server. The standard defense is to keep code and data separate: pass user input to the database through parameterized (prepared) queries rather than building query strings, and validate input against what the application actually expects before acting on it.
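As an added example (not code from NIST SP 800-44 or from any product it describes), the following Python sketch covers both points above: the server re-validates a form field that the browser's script was supposed to keep in range, and a content generator looks a product up by name first by string concatenation, which an injection turns into an always-true WHERE clause or a UNION that reads a column the page never shows, and then with a parameterized query. The products table, its rows, the qty bounds, the form fields and the attacker payloads are all constructed for illustration.

```python
"""Added example (not from NIST SP 800-44): a minimal content generator showing
why client-side validation results must be re-checked on the server, and how
an SQL injection succeeds against string-built queries but not parameterized
ones.  The products table, its rows and the form fields are constructed here
for illustration."""
import sqlite3


def make_db():
    """Constructed backend database standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "price REAL, internal_note TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            (1, "widget", 9.99, "supplier: ACME"),
            (2, "gadget", 19.99, "margin 40%"),
            (3, "gizmo", 4.50, "discontinued"),
        ],
    )
    return conn


# Part 1: the page's form is assumed to carry a JavaScript check that keeps
# qty between 1 and 10.  An attacker disables the script or replays the POST
# with a modified body, so the server repeats every check itself.
QTY_MIN, QTY_MAX = 1, 10


def validate_order(form):
    """Server-side re-validation of an order form; returns a list of errors."""
    errors = []
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        errors.append("qty must be an integer")
    else:
        if not QTY_MIN <= qty <= QTY_MAX:
            errors.append("qty out of range")
    # Identifiers are checked against an explicit pattern, not just "non-empty".
    if not form.get("product_id", "").isdigit():
        errors.append("product_id must be numeric")
    return errors


# Part 2: a content generator that looks products up by name.
def search_vulnerable(conn, name):
    """Builds the query by concatenation: user input becomes SQL code."""
    sql = "SELECT id, name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, name):
    """Parameterized query: the driver binds `name` as a value, never as code."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker inputs.  The first makes the WHERE clause always true;
# the second appends a UNION that pulls a column the page never exposes.
TAUTOLOGY = "' OR '1'='1"
UNION_NOTES = "x' UNION SELECT id, internal_note, 0 FROM products--"


if __name__ == "__main__":
    db = make_db()
    print("tampered form:", validate_order({"qty": "-5", "product_id": "2"}))
    print("honest search:", search_vulnerable(db, "widget"))
    print("tautology, vulnerable:", search_vulnerable(db, TAUTOLOGY))
    print("union, vulnerable:", search_vulnerable(db, UNION_NOTES))
    print("tautology, safe:", search_safe(db, TAUTOLOGY))
```

Run it directly to see the rows each query returns: the tautology dumps every product through the concatenated query and the UNION payload returns the internal notes, while the same strings match nothing when bound as a parameter. Note that sqlite3's execute() refuses stacked statements, so a `'; DROP TABLE` style payload fails here for a reason unrelated to the query's construction; on database servers that allow multiple statements per call the concatenated version would execute it.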
All Web sites that implement active content and content generators should perform additional steps to protect the active content from compromise. These steps, which are discussed in the following sections, may not apply to all installations; therefore, they should be used as guidance in conjunction with the appropriate manufacturer's documentation.
Special caution is also required for downloading preprogrammed scripts or executables from the Internet. Many Web administrators and Webmasters are tempted to save time by downloading freely available code from the Internet. Although this is obviously convenient, it is not risk-free. There are many examples of malicious code being distributed this way. In general, no third-party scripts should be installed on a Web server unless they are first subjected to a thorough code review by a trusted expert; where the author publishes a checksum or signature, verifying it against the downloaded copy confirms that the code installed is the code that was reviewed. Security code reviews should also be considered for content on Web servers that are critical to the organization or are highly threatened.
[42] For more extensive guidelines on active content, please see NIST SP 800-28 Version 2, Guidelines on Active Content and Mobile Code (http://csrc.nist.gov/publications/nistpubs/).
6-9