Eliminating Scripting Vulnerabilities
Maintaining a secure Web server means ensuring that all scripts and Web applications deployed on it are free of Trojans, backdoors, and other malicious code. Many scripts are available on the Internet for Web developers to reuse. However, scripts downloaded from external sources are more likely to carry coding problems (intentional or unintentional) than those developed in-house. If external code must be used, developers and administrators should review and test it before deployment, looking for out-of-place system calls, extra code, and functions that serve no purpose in the application. Hidden segments of malevolent code that fire only in response to a specified trigger (such as a particular date, the passage of a set amount of time, or something the user does or fails to do) are called logic bombs. Because a logic bomb stays dormant until its trigger arrives, functional testing alone will not reveal it; the code itself has to be read.
NOTE: To learn more about secure programming of Web applications, there are numerous resources in print and on the Internet that you can refer to.
It is often useful to consult sources that focus on the language the application is written in, since they also provide examples and source code that will suit your needs. For example, if you are writing applications in Visual Basic, C#, C++, ASP, ASP.NET, or other languages developed and supported by Microsoft, the Microsoft Developer Network (http://msdn.microsoft.com) is a valuable site with significant information. Similarly, information on Java programming can be found at Sun's Web site (http://java.sun.com) or IBM's developerWorks site (www.ibm.com/developerworks), which also provides information on XML.
Using these sites, you can obtain an overview and detailed information on many aspects of secure programming. Some of the sites with articles and items dealing with specific topics that are worth investigating include:
- Understanding Security, http://msdn2.microsoft.com/en-us/security/aa570420.aspx
- Writing Secure Code, http://msdn2.microsoft.com/en-us/security/aa570401.aspx
- Threat Modeling, http://msdn2.microsoft.com/en-us/security/aa570411.aspx
One scripting vulnerability to watch for occurs in Internet Server Application Programming Interface (ISAPI) extensions. The Win32 function RevertToSelf() ends impersonation: it is properly used when a thread has been running in the security context of a client (on a Web server, typically the anonymous Web user account) and needs to return to the identity of its own process. When the ISAPI extension is loaded in-process and the server process runs as LocalSystem, as inetinfo.exe did on IIS 4.0 and 5.0, that process identity is the operating system itself, so every command that follows the call executes with system-level privileges instead of those of the Web user.
In a properly designed ISAPI extension on such a server, this call should never appear: request handling belongs in the impersonated client context. If it is present, the code has either been altered or was written by a malicious or inexperienced coder. The danger is that the extension is reachable over HTTP, so an attacker who can craft a Uniform Resource Locator (URL) that the server maps to the extension gets whatever that code does performed at system level.
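Part of the review the text asks for can be mechanised. What follows is an added example, not code from the original page: a small Python audit that walks a set of deployed source files and flags the RevertToSelf() call discussed above, other calls that hand control to a shell or interpreter, a clock read compared against a hard-coded year (the signature of a time-triggered logic bomb), and a secret compared against a string literal (a planted credential). The rule lists, file names and sample ASP/C++ snippets are constructed for illustration and are assumptions, not a complete catalogue; a hit means "a reviewer must read this line", not "this line is malicious".

```python
"""Audit deployed web scripts for out-of-place calls and planted triggers.

Added example (not from the original page).  Walks a mapping of source
files and reports lines a reviewer should read before the script goes live.
Rule lists and sample files are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Calls that do not belong in ordinary request-handling code.  RevertToSelf()
# is the ISAPI case from the text: it ends client impersonation, so whatever
# follows runs as the web server process itself.  The others hand control to
# a shell, an interpreter or a new process.  (Assumed list; tune per site.)
SUSPICIOUS_CALLS = {
    "RevertToSelf": "ends impersonation; request runs as the server process identity",
    "system": "spawns a shell",
    "popen": "spawns a shell",
    "exec": "runs arbitrary code",
    "eval": "runs arbitrary code",
    "ShellExecute": "launches a program",
    "WinExec": "launches a program",
    "CreateProcess": "launches a program",
    "WScript.Shell": "COM object that launches programs",
}
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, SUSPICIOUS_CALLS)) + r")\b")

# Heuristic for a time-triggered logic bomb: a clock read, a hard-coded year
# and a comparison operator on the same line.
TIME_SOURCE_RE = re.compile(
    r"\b(Now|Date|Today|time|localtime|GetSystemTime|DateTime|datetime)\b", re.I)
YEAR_RE = re.compile(r"\b(19|20)\d{2}\b")
COMPARE_RE = re.compile(r"[<>]|[!=]=|\b(eq|ne|gt|lt|ge|le)\b")

# Heuristic for a hard-coded credential check (a classic backdoor):
# something named pass/pwd/secret compared against a quoted literal.
CRED_RE = re.compile(
    r"(pass(word|wd)?|pwd|secret)[\w\"'()]*\s*(==|=|\.equals\()\s*[\"']", re.I)

# Whole-line comments are skipped so that prose does not trip the rules.
COMMENT_RE = re.compile(r"^\s*(//|#|'|REM\b|/\*|\*|<!--)", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    detail: str
    text: str


def audit_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per suspicious construct in a single source file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or COMMENT_RE.match(line):
            continue
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append(Finding(path, no, "suspicious-call",
                                    f"{name}: {SUSPICIOUS_CALLS[name]}", line.strip()))
        if TIME_SOURCE_RE.search(line) and YEAR_RE.search(line) and COMPARE_RE.search(line):
            findings.append(Finding(path, no, "time-trigger",
                                    "clock read compared against a hard-coded date", line.strip()))
        if CRED_RE.search(line):
            findings.append(Finding(path, no, "hardcoded-credential",
                                    "secret compared against a string literal", line.strip()))
    return findings


def audit_tree(files: dict[str, str]) -> list[Finding]:
    """Audit a mapping of path -> source text (what a directory walk would yield)."""
    return [f for path, text in files.items() for f in audit_source(path, text)]


# Constructed sample files (not real deployed code): one ASP page carrying a
# planted credential and a date-triggered payload, one ISAPI extension that
# calls RevertToSelf(), and one clean page.
SAMPLE_FILES = {
    "wwwroot/login.asp": r"""<%
' constructed sample: login page with two planted problems
Dim user
user = Request.Form("user")
If Request.Form("pwd") = "s3cret-backdoor" Then Session("admin") = True
If Date() > #3/1/2009# Then CreateObject("WScript.Shell").Run "cmd /c del c:\inetpub\*.*"
Response.Write "Hello " & Server.HTMLEncode(user)
%>
""",
    "wwwroot/scripts/ext.cpp": r"""// constructed sample: in-process ISAPI extension
#include <windows.h>
#include <httpext.h>

DWORD WINAPI HttpExtensionProc(EXTENSION_CONTROL_BLOCK *pECB)
{
    RevertToSelf();   /* from here on the request runs as the server process */
    return HSE_STATUS_SUCCESS;
}
""",
    "wwwroot/search.asp": r"""<%
Response.Write Server.HTMLEncode(Request.QueryString("q"))
%>
""",
}

if __name__ == "__main__":
    for f in audit_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.detail}\n    {f.text}")
```

Run against the constructed samples, the audit reports the planted credential and the date trigger in login.asp (the trigger line is reported twice, once for the date comparison and once for WScript.Shell), the RevertToSelf() call in ext.cpp, and nothing for search.asp. In practice you would feed it the real web root and keep the rule lists under version control alongside the deployment scripts so that reviewers can see what the scan does and does not look for.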
It is important that every script used on a Web site is fully understood. This applies not only to code taken from the Internet, but also to code developed by other people within the organization. It is particularly important after a change in the personnel who hold administrative access to the Web server, such as developers whose employment has been terminated or who are disgruntled for other reasons. Periodic code reviews help identify potential problems, as does auditing permissions on the Web server; by checking both permissions and scripts, you may find backdoors that neither check would reveal alone. As mentioned in the previous section, no directory should carry more permissions than are absolutely needed. If access is too high, lower it to the appropriate level now rather than waiting for it to cause a problem later.
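The permission audit described above is a comparison of what is set against what is needed, followed by lowering anything that exceeds it. The following added example (not from the original page) does that comparison for a POSIX-style directory tree in Python: a baseline gives the most permissive mode each part of the web root may have, the audit reports every entry whose mode bits exceed it, and a second function strips the excess. IIS on NTFS uses ACLs rather than mode bits, so there the same logic would read Get-Acl output instead; the baseline values and the sample tree here are constructed for illustration and are assumptions.

```python
"""Compare web-root permissions against a least-privilege baseline.

Added example, not from the original page.  Reports entries whose POSIX
mode bits exceed an assumed baseline and can lower them to it.  The baseline
and the sample tree are constructed for illustration.
"""
import os
import stat
import tempfile

# Assumed baseline: the most permissive mode each part of the tree may have.
# The longest matching prefix wins, so "scripts" overrides the root entry.
BASELINE = {
    ".": 0o755,        # content: owner writes, everyone else may read/traverse
    "scripts": 0o755,  # server-side code: never writable by group or other
    "uploads": 0o775,  # the one place the server's group may write
}
PERM_MASK = 0o7777     # rwx bits plus setuid/setgid/sticky


def allowed_mode(relpath: str, baseline: dict[str, int]) -> int:
    """Pick the baseline entry whose prefix covers relpath most specifically."""
    best = "."
    for prefix in baseline:
        covers = relpath == prefix or relpath.startswith(prefix + "/")
        if prefix != "." and covers and len(prefix) > len(best):
            best = prefix
    return baseline[best]


def audit_permissions(root: str, baseline: dict[str, int]) -> list[tuple[str, int, int]]:
    """Return (relative path, actual mode, excess bits) for each entry above baseline."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            excess = actual & ~allowed_mode(rel, baseline) & PERM_MASK
            if excess:
                findings.append((rel, actual, excess))
    return sorted(findings)


def lower_to_baseline(root: str, baseline: dict[str, int]) -> int:
    """Remove the excess bits the audit reports; returns how many entries changed."""
    changed = 0
    for rel, actual, excess in audit_permissions(root, baseline):
        os.chmod(os.path.join(root, rel), actual & ~excess)
        changed += 1
    return changed


def build_sample_tree() -> str:
    """Constructed web root with two deliberately over-permissive entries."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    os.chmod(root, 0o755)
    dirs = {"scripts": 0o755, "uploads": 0o777}          # uploads: world-writable
    files = {
        "index.html": 0o644,
        "scripts/search.asp": 0o644,
        "scripts/upload.asp": 0o666,                       # anyone can rewrite this script
    }
    for rel, mode in dirs.items():
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<% ' constructed placeholder %>\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, actual, excess in audit_permissions(root, BASELINE):
        print(f"{rel}: mode {actual:04o} exceeds baseline by {excess:04o}")
    print(f"lowered {lower_to_baseline(root, BASELINE)} entries")
```

On the constructed tree the audit reports scripts/upload.asp (mode 0666, excess 0022: a server-side script that group and other can rewrite, which is exactly how a backdoor gets planted after the fact) and uploads (mode 0777, excess 0002). Lowering to the baseline leaves the second run empty. Keep the baseline file with the site's deployment configuration and run the audit on a schedule, so that a permission quietly raised "for testing" by a departed administrator does not survive unnoticed.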