NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
GUIDELINES ON SECURING PUBLIC WEB SERVERS<br />
6.4.1 Vulnerabilities with Client-Side Active C<strong>on</strong>tent Technologies<br />
Each active c<strong>on</strong>tent technology has its own strengths and weaknesses; n<strong>on</strong>e is perfectly secure. Some of<br />
the more popular active c<strong>on</strong>tent technologies and their associated risks are discussed below. New<br />
technologies are emerging all the time and older technologies are c<strong>on</strong>tinually enhanced. Any <strong>Web</strong><br />
administrator or <strong>Web</strong>master who is c<strong>on</strong>sidering deploying a <strong>Web</strong> site with features that require active<br />
c<strong>on</strong>tent technology <strong>on</strong> the client side should carefully weigh the risks and benefits of the technology<br />
before implementati<strong>on</strong>. The relative risk of active c<strong>on</strong>tent technologies changes over time, complicating<br />
this task. Nevertheless, comm<strong>on</strong> risks to the <strong>Web</strong> server prevail with all active c<strong>on</strong>tent technologies.<br />
Because these technologies involve placing applicati<strong>on</strong> code <strong>on</strong> the client, an attacker may attempt to<br />
reverse engineer the code to gain an understanding of how it functi<strong>on</strong>s with an organizati<strong>on</strong>’s <strong>Web</strong> site<br />
and exploit that relati<strong>on</strong>ship. For example, relying <strong>on</strong>ly <strong>on</strong> input validati<strong>on</strong> checks performed at the client<br />
by the active c<strong>on</strong>tent and not validating the input again at the <strong>Web</strong> server would allow an attacker to use<br />
an HTTP proxy tool or editor to modify the active c<strong>on</strong>tent elements and bypass any or all checks<br />
performed.<br />
Java is a full-featured, object-oriented programming language compiled into platform-independent byte<br />
code executed by an interpreter called the Java Virtual Machine (JVM). The resulting byte code can be<br />
executed where compiled or transferred to another Java-enabled platform (e.g., c<strong>on</strong>veyed via an HTML<br />
<strong>Web</strong> page as an applet). Java is useful for adding functi<strong>on</strong>ality to <strong>Web</strong> sites. Many services offered by<br />
various popular <strong>Web</strong> sites require the user to have a Java-enabled browser. When the <strong>Web</strong> browser sees<br />
references to Java code, the browser loads the code and processes it using the built-in JVM or a userinstalled<br />
<strong>on</strong>e.<br />
The Java programming language and runtime envir<strong>on</strong>ment enforce security primarily through str<strong>on</strong>g type<br />
safety, by which a program can perform certain operati<strong>on</strong>s <strong>on</strong>ly <strong>on</strong> certain kinds of objects. Java follows<br />
a so-called sandbox security model, used to isolate memory and method access and to maintain mutually<br />
exclusive executi<strong>on</strong> domains. Java code, such as a <strong>Web</strong> applet, is c<strong>on</strong>fined to a “sandbox,” which is<br />
designed to prevent it from performing unauthorized operati<strong>on</strong>s, such as inspecting or changing files <strong>on</strong> a<br />
client file system and using network c<strong>on</strong>necti<strong>on</strong>s to circumvent file protecti<strong>on</strong>s or users’ expectati<strong>on</strong>s of<br />
privacy. Java byte code downloaded to the client can be decompiled into a more readable form by the<br />
user, making it susceptible to reverse engineering and possible modificati<strong>on</strong>, which poses a threat to the<br />
<strong>Web</strong> server.<br />
Hostile applets can also pose security threats to the client, even while executing within the sandbox. A<br />
hostile applet can c<strong>on</strong>sume or exploit system resources inappropriately, or can cause a user to perform an<br />
undesired or unwanted acti<strong>on</strong>. Examples of hostile applet exploits include DoS, mail forging, invasi<strong>on</strong> of<br />
privacy (e.g., exporting of identity, e-mail address, and platform informati<strong>on</strong>), and installing backdoors to<br />
the system. Because the Java security model is rather complex, it can be difficult for a user to understand<br />
and manage. This situati<strong>on</strong> can increase risk. Moreover, many implementati<strong>on</strong> bugs have also been<br />
found, enabling security mechanisms to be bypassed [<str<strong>on</strong>g>NIST</str<strong>on</strong>g>01].<br />
JavaScript is a general purpose, cross-platform scripting language, whose code can be embedded within<br />
standard <strong>Web</strong> pages to create interactive documents. The name JavaScript is a misnomer because the<br />
language has little relati<strong>on</strong>ship to Java technology and was developed independently from it. Within the<br />
c<strong>on</strong>text of the <strong>Web</strong> browser, JavaScript is extremely powerful, allowing prepared scripts to perform<br />
essentially the same acti<strong>on</strong>s as those a user could take. Within that c<strong>on</strong>text, JavaScript lacks methods for<br />
directly accessing a client file system or for directly opening c<strong>on</strong>necti<strong>on</strong>s to computers other than the host<br />
that provided the c<strong>on</strong>tent source. The browser also normally c<strong>on</strong>fines a script’s executi<strong>on</strong> to the page<br />
from which it was downloaded [<str<strong>on</strong>g>NIST</str<strong>on</strong>g>01].<br />
6-10