NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
falls in these categories: letters a-z, A-Z, and 0-9. Care should be taken when accepting special characters such as &, ', ", @, and !. These symbols may have special meanings within the content generation language or other components of the Web application.

Ensure that the dynamically generated pages do not contain dangerous metacharacters. It is possible for a malicious user to place these tags in a database or a file. When a dynamic page is generated using the altered data, the malicious code embedded in the tags may be passed to the client browser. Then the user's browser can be tricked into running a program of the attacker's choice. This program will execute in the browser's security context for communicating with the legitimate Web server, not the browser's security context for communicating with the attacker. Thus, the program will execute in an inappropriate security context with inappropriate privileges.

Character set encoding should be explicitly set in each page. Then the user data should be scanned for byte sequences that represent special characters for the given encoding scheme.

Each character in a specified character set can be encoded using its numeric value. Encoding the output can be used as an alternative to filtering the data. Encoding becomes especially important when special characters, such as copyright symbols, can be part of the dynamic data. However, encoding data can be resource intensive, and a balance must be struck between encoding and other methods for filtering the data.

Cookies should be examined for any special characters. Any special characters should be filtered out.
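The controls above (an alphanumeric allow-list, strict decoding under an explicitly chosen character set, numeric-value output encoding as an alternative to filtering, and cookie filtering) as one added worked example in Python; this is illustrative code written for this page, not code from the NIST guideline, and the field names, sample values and the `render_profile` page fragment are constructed assumptions.

```python
import re
from typing import Optional

# Allow-list from the guideline: letters a-z, A-Z and digits 0-9 only.
SAFE_FIELD = re.compile(r"^[A-Za-z0-9]+$")

# Characters the guideline singles out as having special meaning in
# content-generation languages, plus the HTML markup delimiters.
SPECIAL = set("&'\"@!<>")


def validate_field(raw: bytes, encoding: str = "utf-8") -> Optional[str]:
    """Decode under an explicitly chosen charset, rejecting any byte sequence
    that is not valid in that encoding (strict mode refuses overlong or
    truncated multibyte forms that could smuggle a special character), then
    apply the alphanumeric allow-list. Returns None when input must be rejected."""
    try:
        text = raw.decode(encoding, errors="strict")
    except UnicodeDecodeError:
        return None
    return text if SAFE_FIELD.match(text) else None


def encode_output(text: str) -> str:
    """Alternative to filtering: emit every character outside ASCII a-z/A-Z/0-9
    as its numeric character reference (&#NNN;), so the browser renders it as
    data rather than markup. A copyright symbol survives with its meaning intact."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#{ord(ch)};" for ch in text
    )


def filter_cookie(value: str) -> str:
    """Drop special and non-printable characters from a cookie value."""
    return "".join(ch for ch in value if ch not in SPECIAL and ch.isprintable())


def render_profile(display_name: str) -> str:
    """Dynamic page fragment (constructed): charset declared explicitly, and the
    stored display name, which may have been tampered with in the database,
    only reaches the page through encode_output()."""
    return '<meta charset="utf-8"><p>Welcome, ' + encode_output(display_name) + "</p>"


if __name__ == "__main__":
    # Constructed sample: a stored value that carries markup is neutralised on output.
    print(render_profile("Alice<script>x</script>"))
    print(validate_field(b"\xc0\xaf"))  # overlong UTF-8 form rejected -> None
```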
An encryption mechanism should be used to encrypt passwords entered through script forms (see Section 7.5).

For Web applications that are restricted by username and password, none of the Web pages in the application should be accessible without executing the appropriate login process.

Many Web servers and some other Web server software install sample scripts or executables during the installation process. Many of these have known vulnerabilities and should be removed immediately. See appropriate manufacturer's documentation or Web sites for more information.

When considering a server-side content generator, it is important to review public vulnerability and security databases (such as NVD, http://nvd.nist.gov/) to determine the relative risk of the various technologies under consideration. Although the historical record will not be a perfect indicator of future risk, it does indicate which technologies appear to be more vulnerable.

Various organizations research network and system security topics and periodically publish information concerning recently discovered vulnerabilities in software. This includes Web server software and supporting technologies, such as scripting languages and external programs. External programs that are in wide use are regularly analyzed by researchers, users, and security incident response teams and by attackers. Attackers will often publish exploit scripts that take advantage of known vulnerabilities in Web service software and external programs commonly used by public Web servers. Web administrators should review public information sources frequently and be aware of all security-relevant information about any external programs that they are considering.
6-16