Public Web servers often support a range of technologies for identifying and authenticating users with differing privileges for accessing information. Some of these technologies are based on cryptographic functions that can provide an encrypted channel between a Web browser client and a Web server that supports encryption. Without user authentication, organizations will not be able to restrict access to specific information to authorized users. All information that resides on a public Web server will then be accessible by anyone with access to the server.
Securing the Web Server Operating System
Protecting a Web server from compromise involves hardening the underlying Operating System (OS), the Web server application, and the network to prevent malicious entities from directly attacking the Web server. The first step in securing a Web server is hardening the underlying OS. All commonly available Web servers operate on a general-purpose OS. Many security issues can be avoided if the OSs underlying the Web servers are configured appropriately.
Every community organization, corporation, business, or government agency relies on an outward-facing website to provide information about itself, announce an event, or sell a product or service. Consequently, public-facing websites are often the most targeted attack vectors for malicious activity. Web server attacks include:
- Exploitation of software bugs in the web server
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
- Compromising "backend" data through command injection attacks, such as Structured Query Language (SQL) injection; Lightweight Directory Access Protocol (LDAP) injection; and cross-site scripting (XSS)
- Website defacement for malicious purposes
- Using compromised web server capabilities to attack external entities
- Using a compromised web server to distribute malware
The World Wide Web is one of the most important ways for an organization to publish information, interact with Internet users, and establish an e-commerce/e-government presence. However, if an organization is not rigorous in configuring and operating its public Web site, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (e.g., fraud, theft, vandalism, and terrorism), they are far more dangerous as a result of three important developments: increased efficiency, action at a distance, and rapid technique propagation.
The class of vulnerabilities known as SQL injection continues to present an extremely high risk in the current network threat landscape. SQL injection has been ranked as one of the top risks on the MITRE Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Software Errors list (https://www.sans.org/top25-software-errors). Exploitation of these vulnerabilities has been implicated in many recent high-profile intrusions. Although there is an abundance of good literature in the community about how to prevent SQL injection vulnerabilities, much of this documentation is geared toward web application developers.