NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
The areas of vulnerability mentioned potentially affect all Web servers. Although these vulnerabilities have frequently occurred with CGI applications, other related interfaces and techniques for developing server applications have not been immune. CGI, being an early and well-supported standard, has simply gained more attention over the years, and the same areas of vulnerability exist when applying similar Web development technologies.

CGI scripts were the initial mechanism used to make Web sites interact with databases and other applications. However, as the Web evolved, server-side processing methods have been developed that are more efficient and easier to program; for example, Microsoft provides ASP.NET for its IIS servers, Sun/Netscape supports Java servlets, and the freeware PHP is supported by most major Web platforms, including Apache and IIS [NIST01]. Some important points to consider when contemplating the deployment of CGI [Ziri02]:

The host file system (see Section 4.1) provides security for CGI.
Most servers allow per-directory CGI restrictions.
CGI itself provides little security enforcement.
Perl facilitates secure programming that most other languages (e.g., C, C++, sh) do not.
CGI wrappers available from third parties offer additional protection for CGI.
Server Side Includes (SSI) is a limited server-side scripting language supported by most Web servers. SSI provides a set of dynamic features, including the current time or the last modification date of the HTML file, as an alternative to using a CGI program to perform the function. When the browser requests a document with a special file type, such as ".shtml", it triggers the server to treat the document as a template, reading and parsing the entire document before sending the results back to the client (Web browser). SSI commands are embedded within HTML comments (e.g., <!--#include file="..." -->). As the server reads the template file, it searches for HTML comments containing embedded SSI commands. When it finds one, the server replaces that part of the original HTML text with the output of the command. For example, the SSI command given above (i.e., #include file) replaces the entire SSI comment with the contents of another HTML file. This allows the display of a corporate logo or other static information prepared in another file to occur in a uniform way across all corporate Web pages. A subset of the directives available allows the server to execute arbitrary system commands and CGI scripts, which may produce unwanted side effects [NIST01]. Some important points to consider when contemplating the deployment of SSIs:

The security of SSIs is extremely weak if the exec command is enabled on the Web server.
The impact of SSIs can hurt the performance of heavily loaded Web servers.
The security of SSIs relies heavily on the host OS and Web server application for security.
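To make the template-parsing model and the exec caveat concrete, the following is an added example (not code from NIST SP 800-44 or any Web server) of a minimal SSI expander: it resolves #include recursively against a constructed in-memory document root, refuses includes that would escape that root, refuses #exec unless the deployment explicitly enables it, and rejects every directive it does not know. The file contents, the allow_exec flag and the run_cmd hook are assumptions of this example.

```python
import re
from pathlib import PurePosixPath

# SSI directives ride inside HTML comments: <!--#command attr="value" -->
SSI_RE = re.compile(r'<!--#(\w+)\s*([^>]*?)\s*-->')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
MAX_DEPTH = 8  # stop a self-including template from recursing forever


class SSIError(Exception):
    """Raised when a directive is refused or cannot be resolved."""


def _safe_relative(path):
    """Allow only relative paths with no '..' so an include stays inside the document root."""
    p = PurePosixPath(path)
    if not path or p.is_absolute() or ".." in p.parts:
        raise SSIError(f"include refused, path escapes document root: {path!r}")
    return str(p)


def render_ssi(template, files, allow_exec=False, run_cmd=None, _depth=0):
    """Expand the SSI comments in `template`.

    `files` is a constructed in-memory document root ({relative path: contents}).
    #include is resolved recursively (the corporate-logo case in the text),
    #exec is refused unless allow_exec=True, and any other directive is refused,
    mirroring a server configured with exec disabled and a minimal directive set.
    """
    if _depth > MAX_DEPTH:
        raise SSIError("include nesting too deep")

    def expand(match):
        cmd, attrs = match.group(1), dict(ATTR_RE.findall(match.group(2)))
        if cmd == "include":
            target = _safe_relative(attrs.get("file") or attrs.get("virtual", ""))
            if target not in files:
                raise SSIError(f"include target not found: {target}")
            return render_ssi(files[target], files, allow_exec, run_cmd, _depth + 1)
        if cmd == "exec":
            if not allow_exec or run_cmd is None:
                raise SSIError("exec directive refused: exec is disabled on this server")
            # run_cmd is whatever the deployment supplies; this example never invokes a shell
            return run_cmd(attrs.get("cmd", ""))
        raise SSIError(f"unsupported SSI directive: #{cmd}")

    return SSI_RE.sub(expand, template)
```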
ASP.NET is a server-side scripting technology from Microsoft that can be used to create dynamic and interactive Web applications. An ASP page contains server-side scripts that run when a browser requests an ".asp" resource from the Web server. The Web server processes the requested page and executes any script commands encountered before sending a generated HTML page to the user's browser. Both C# and VBScript are natively supported as ASP.NET scripting languages, but other languages can be accommodated if an ASP.NET-compliant interpreter for the language is installed. For example, ASP.NET engines are available for the Perl, REXX, and Python languages from various