Active Page Server

This document discusses security best practices for web and application servers. It recommends securing the web server software, removing unnecessary files and features, installing updates, using a least privileged user, and configuring authentication and encryption. It also recommends secure coding practices like input validation, output encoding, and encryption when developing server-side scripts. Common security issues that could allow attacks like SQL injection and cross-site scripting are explained, along with countermeasures to prevent them. The document provides an overview of steps that can be taken to help secure a web server and applications against common attacks.

Republic of Iraq
Ministry of Higher Education and Scientific Research
University of Babylon
College of Information Technology
Department of Software

Final Report
for the academic year 2019-2020, semester (first / second)

Security of Active Page Server

Prepared by the student
Ahmed Zuhair Hadi Mohammed Al-Yasin

Supervised by
Prof. Dr. Nawfal Al-Jumaili
Contents

1. Introduction
2- Web and Application Server Security
   2.1 Web Server Security
   2.2 Secure Coding practices
3- Common security issues to be considered
   3.1 Cross site scripting
   3.2 Information Leakage
   3.3 Database Security
4- Security Policy
   4.1 Incident Handling and Recovery
   4.2 Incident reporting
5- Third party hosting
6- Web server security Thumb rules
7- Reference
1. Introduction

A Web Server is a computer host configured and connected to the Internet for serving web pages on request. Information on public web servers can be accessed by people anywhere on the Internet. Since web servers are open to public access, they can be subjected to attempts by hackers to compromise the server.

Hackers can deface websites and steal valuable data from systems. This can translate into a significant loss of revenue if it is a financial institution or an e-commerce site. In the case of corporate and government systems, loss of important data may actually mean the launch of information espionage or information warfare on their sites. Apart from data loss or data theft, a web defacement incident can cause significant damage to the image of an organization. Common security threats to a public web server can be classified as the following:

• Unauthorized access
• Defacement
• Content theft
• Data manipulation
• Improper usage
  - Launch pad for external attacks
  - Hosting improper/malicious contents (e.g. phishing)
• Denial of Service
• Physical Threats

Hackers take advantage of different security flaws in a web hosting infrastructure and exploit the vulnerability to compromise the system. Common security flaws that can lead to a compromise can be categorized as:

• Insufficient network boundary security controls
• Flaws or bugs in web hosting software (OS, application, etc.)
• Insecure design and coding of the hosted application
• Weak passwords
• Social engineering
• Lack of operational control

An attacker can adopt various hacking techniques or tools to exploit or take advantage of the above mentioned security flaws. A discussion on common hacking/attack methods can be referenced from the following document [1].

2- Web and Application Server Security

2.1 Web Server Security

A Web Server is a program that serves Web pages to Web browsers using the Hyper Text Transfer Protocol (HTTP). Some Web Server software contains middle-tier software that acts as an application server. This enables users to perform high-level tasks, such as querying a database and delivering the output through the Web Server to the client browser as an HTML file.

In securing a Web Server, administrators should take care of the following:

• Based on security needs, check for the presence of specific security-related features on the chosen web server. These may include types of authentication, levels of access control, support for remote administration, and logging features.
• Install only the required features of the Application Server and remove default features that are not being used.
• Install the latest version of the web server software along with the latest patches.
• Install the web server software in a chroot jail (CHROOT cage).
• Remove all sample files, scripts, manuals and executable code from the web server application root directory.
• Remove all files that are not part of the Web site.
• Reconfigure the HTTP Service banner so that the Web server and Operating System type and version are not reported.
• Create a new custom least-privileged user and group for the Web Server process, unique from all other users and groups.
• Although the server may have to start as root or administrator to bind to port 80, it should drop privileges to the least-privileged user afterwards and not continue to run in this mode.
• The configuration files of the Web Server should be readable by the Web Server process but not writable.
• The server should be configured so that web content files can be read but not written by Web service processes.
• Consider security implications before selecting programs, scripts, and plug-ins for the web server.
• Various Server Side Active Content Technologies are available, e.g. Java Servlets, ASP, ColdFusion, etc. Each has its own strengths and weaknesses along with an associated risk. Thus the technology to be implemented on the Web server has to be chosen after due consideration.
• Third-party free modules should not be used without proper checking and verification of their functionality and security.
• Configure the Web server to use authentication and encryption technologies (SSL/TLS), where required, along with a mechanism to check the latest CRL (certificate revocation list).
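The two file-permission items above (configuration and content readable but not writable by the Web Server process) can be enforced and audited mechanically. The following Python script is an added example written for this page, not code from the original report; it assumes the Web Server process belongs to the file group and that an administrator account owns the files, and it only changes mode bits (ownership must be set separately with chown by root).

```python
import os
import stat
import tempfile

# Modes for a hardened document root: the owner (admin) may write, the web
# server group may only read (and traverse directories), others get nothing.
FILE_MODE = 0o640
DIR_MODE = 0o750
WRITE_BY_GROUP_OR_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def _entries(root):
    """Yield (path, st_mode) for every directory and file under root, skipping symlinks."""
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode):
                yield path, st.st_mode


def harden_tree(root):
    """Apply FILE_MODE / DIR_MODE under root; return the paths whose mode was changed."""
    changed = []
    for path, mode in _entries(root):
        wanted = DIR_MODE if stat.S_ISDIR(mode) else FILE_MODE
        if stat.S_IMODE(mode) != wanted:
            os.chmod(path, wanted)
            changed.append(path)
    return changed


def audit_tree(root):
    """Return paths the web server group (or anyone else) could still write to."""
    return [path for path, mode in _entries(root)
            if stat.S_IMODE(mode) & WRITE_BY_GROUP_OR_OTHERS]


def demo():
    """Constructed sample: a temporary docroot holding one world-writable config file."""
    root = tempfile.mkdtemp(prefix="docroot-")
    conf = os.path.join(root, "httpd.conf")
    with open(conf, "w") as fh:
        fh.write("ServerTokens Prod\n")  # constructed content, not a real configuration
    os.chmod(conf, 0o666)
    findings_before = len(audit_tree(root))
    harden_tree(root)
    findings_after = len(audit_tree(root))
    return findings_before, findings_after
```

Run `audit_tree` periodically against the real document root and configuration directory; any path it reports is one the Web Server process could modify if compromised.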
2.2 Secure Coding practices

Server side applications are written in various programming languages. However, flaws in the scripts may allow attackers to penetrate a Web server. Thus, the scripts need to be written with due consideration to security.

The following are some of the common secure coding practices:

2.2.1 Consider security implications before selecting the scripting technology.
2.2.2 Various client-side Active Content Technologies are available, e.g. Java applets, JavaScript, VBScript, etc. Each has its own strengths and weaknesses along with an associated risk. The technology to be implemented should be chosen after careful consideration.
2.2.3 On Linux/Unix hosts, the code should not run with suid.
2.2.4 The code should use explicit path names when invoking external programs and not rely on the PATH environment variable.
2.2.5 Input data received through a web page form should be filtered for malicious input.
2.2.6 An encryption mechanism should be deployed to encrypt passwords.
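Practices 2.2.3 to 2.2.6 above can all be shown in one server-side handler. The following Python code is an added example for this page, not code from the original report; it assumes a hypothetical form field that takes a hostname and passes it to an external lookup tool at the assumed path `/usr/bin/host`, and it uses salted PBKDF2 hashing (the standard way to protect stored passwords) as the concrete form of the "encryption mechanism" in 2.2.6.

```python
import hashlib
import hmac
import os
import re
import subprocess

# Allowlist for a hostname typed into a web form: letters, digits, dots and hyphens only,
# so shell metacharacters are rejected before any command is built (practice 2.2.5).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
LOOKUP_TOOL = "/usr/bin/host"  # hypothetical explicit path; never resolved through $PATH (2.2.4)


def is_valid_hostname(value):
    return bool(HOSTNAME_RE.match(value))


def build_lookup_argv(value):
    """Argument vector for the external tool: explicit path plus one validated argument."""
    if not is_valid_hostname(value):
        raise ValueError("invalid hostname")
    return [LOOKUP_TOOL, value]


def run_lookup(value):
    """shell=False: the list goes straight to execve, so no shell ever parses the input."""
    return subprocess.run(build_lookup_argv(value), shell=False,
                          capture_output=True, text=True, timeout=10)


def running_with_elevated_privileges():
    """True when the script is effectively root or runs setuid (effective uid != real uid), 2.2.3."""
    return os.geteuid() == 0 or os.geteuid() != os.getuid()


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; store salt, iteration count and digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare digests in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)
```

A handler would refuse to start when `running_with_elevated_privileges()` is true, and would call `run_lookup` only after the form value passed `is_valid_hostname`.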
3- Common security issues to be considered

SQL Injection

Many web pages accept parameters from the web user and generate SQL queries to the database. SQL Injection is a trick to inject an SQL script/command as input through the web front-end.

To avoid SQL Injection, filter out characters like single quote, double quote, slash, back-slash, semicolon, extended characters like NULL, carriage return, new line, etc., and reserved SQL keywords like 'Select', 'Delete', 'Union' etc. in all strings from:

• Input from users
• Parameters from the URL
• Values from cookies
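The section above describes the problem and a character filter. The following Python example, added here and not part of the original report, shows the same lookup written both ways: with string concatenation, where input becomes part of the SQL text, and as a parameterised query, where the input is bound as data. It also implements the report's filter as a secondary guard. The users table is a constructed in-memory sample.

```python
import sqlite3

# Characters and keywords the section above says to filter; used here as a secondary guard only.
SUSPICIOUS_CHARS = set("'\";/\\\x00\r\n")
RESERVED_WORDS = ("select", "delete", "union", "insert", "update", "drop")


def looks_suspicious(value):
    """The report's filter: true if the string holds SQL metacharacters or reserved keywords."""
    words = value.lower().split()
    return any(c in SUSPICIOUS_CHARS for c in value) or any(w in RESERVED_WORDS for w in words)


def build_demo_db():
    """Constructed sample table with three users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return conn


def find_user_vulnerable(conn, name):
    """String concatenation: whatever the user typed is parsed as part of the SQL statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the driver binds the value, so it can never alter the query structure."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    """Same tampered input through both paths; returns (rows from vulnerable, rows from safe, filter hit)."""
    conn = build_demo_db()
    tampered = "x' OR '1'='1"
    return (len(find_user_vulnerable(conn, tampered)),
            len(find_user_safe(conn, tampered)),
            looks_suspicious(tampered))
```

The concatenated query returns every row for the tampered input, while the parameterised query returns none; parameter binding is the primary control and the filter only adds defence in depth.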
3.1 Cross site scripting

Cross-site Scripting (commonly referred to as XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.

When an attacker gets a user's browser to execute his code, the browser will run the code and the attacker gets the ability to read, modify and transmit any sensitive data accessible by the browser. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site.
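The countermeasure for the echo described above is to encode every untrusted value for the HTML context it is written into. The following Python code is an added example for this page, not from the original report; it assumes a hypothetical search results page that echoes the query both as element text and inside an input attribute, and uses the standard library's `html.escape`.

```python
import html

PAGE = '<p>%d results for <b>%s</b></p>\n<input name="q" value="%s">'


def render_results_vulnerable(term, count):
    """Echoes the query string into element text and into an attribute unchanged."""
    return PAGE % (count, term, term)


def render_results_safe(term, count):
    """Same page, with each untrusted value encoded for the context it lands in."""
    text = html.escape(term, quote=False)  # element content: & < > are what matter
    attr = html.escape(term, quote=True)   # attribute value: also encode " and '
    return PAGE % (count, text, attr)


def contains_raw_tag(page, tag="script"):
    """True if the rendered page still carries an unencoded <tag ...> sequence."""
    return ("<" + tag) in page.lower()


def demo():
    """Constructed input containing markup; returns (vulnerable has raw tag, safe has raw tag)."""
    term = "<script>x</script>"
    return contains_raw_tag(render_results_vulnerable(term, 0)), contains_raw_tag(render_results_safe(term, 0))
```

The browser renders the encoded value as visible text, so the site never echoes executable code on the user's behalf.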

3.2 Information Leakage

Information Leakage occurs when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system. Sensitive information may be present within HTML comments, error messages, or source code left on the server.

Details regarding the above mentioned issues, related threats and countermeasures can be found at:
3.3 Database Security

A database is installed as a back-end server component to serve a web application through the use of a query language, typically SQL. Database security should be in place to ensure data access only to authorized users and to protect the data. The following should be considered for securing a database system:

• Stay updated with the latest Service Packs and Patches.
• Remove unnecessary services and protocols.
• Depending on the importance of the data, consider encryption.
• Secure the database server behind a firewall and use an IDS to detect any intrusion attempts.
• The database server process should run as a user with minimum privileges and never as administrator.
• Enforce a strict access control policy.
• Enforce secure coding practices for application developers.
• Audit trail logs on the database servers should be enabled.
• Some Database Servers include Web Application servers by default. It is recommended that they be removed, if not required.
• Database users that are not required should be removed.
• The database server should not be assigned a publicly accessible IP, and access to the database should be allowed only from the Web Server and only on a particular port.
• Depending upon the importance of the data, fine grained record/row level auditing should be considered.
4- Security Policy

A security policy defines the rules that regulate how an organization manages and protects computing resources to achieve security objectives.

The security policy of an organization should specifically incorporate the security requirements of web servers. The web server security policy should incorporate:

- Network and host security policy
- Web Server backup and logging policy
- Web server administration and update policy
- Classification of documents to be published on the Web Server
- Password management policy
- Encryption policy
- Physical security policy

4.1 Incident Handling and Recovery

A computer security incident is any real or suspected adverse event in relation to the security of computer systems or networks. It is an act of violating explicit or implied security policy resulting in unauthorized access, denial of service/disruption, unauthorized use of a system for processing or storage of data, or changes to system software, hardware or firmware characteristics without the owner's knowledge.

Create a formal policy for Incident handling. A Computer Security Incident Response Team (CSIRT) should be created within the organization to handle incidents through the following six stages of Incident handling: Preparation, Identification, Containment, Eradication, Recovery and Follow-up.
4.2 Incident reporting

Follow your site-specific policies related to detecting signs of intrusion and attack. In case of web defacement, unplug the system immediately from the network. Report the incident to the organization's designated point of contact and to the CERT-In HelpDesk.
5- Third party hosting

An organization may not have the required infrastructure and expertise and therefore can use a third party organization to host the Web site. The organization can co-locate its own servers in the service provider's network or host directly on the servers of the service provider itself.

The advantages of third party hosting are:

• The service provider may have greater knowledge in securing and protecting Web servers.
• The network can be optimized solely for the support and protection of Web servers.
• DoS attacks aimed at the Web server shall have no effect on the organization's production network.
• Compromise of the Web server does not directly threaten the organization's network.

Disadvantages of third party hosting are:

• It requires trusting a third party with Web server content.
• It is difficult to remotely administer/update the Web server.
• There is little control over the security of the Web server.
• The Web server may be affected by attacks aimed at other Web servers hosted by the service provider on the same network.

In selecting a third party hosting organization, a user should keep the following in view:

• Hosting servers should be located in India.
• The hosting organization should have a security policy and should implement the best practices for the websites as per this document.
• The hosting organization should have its infrastructure and Web servers audited by auditors empanelled by CERT-In. The hosting organization should also have its web servers tested by A&P testing experts periodically and should take immediate steps to plug the security weaknesses unearthed.

6- Web server security Thumb rules

• Web administrators should be adequately skilled.
• Use software only from trusted sources.
• Keep all software updated.
• IS Security audits and A&P tests should be carried out regularly.
• A dedicated machine should be used as a Web server.
• Changes to configuration should be documented (revision control program).
• A central syslog server should be used.
• Encryption should be used.

7- Reference

[1] CERT-In advisory, http://www.cert-in.org.in/advisory/CIAD200303.pdf (n.d.).
[2] Microsoft: SQL Server Security Center, http://www.microsoft.com/technet/security/prodtech/dbsql/default.mspx (n.d.).