Programming Tutorials

Server-side plug-Ins

By: aathishankaran  

Netscape and Microsoft Web servers provide other server-side programming features, such as Java and server-side plug-ins. In general, any server-side programming mechanism has the potential to be exploited. 

Server-side plug-ins are compiled and integrated with the Web server software. They allow server-side applications to be developed that perform better than server-side JavaScript applications and CGI programs. This is because they are called directly by the server instead of being run as a separate process. 

The performance gain of server-side plug-ins is offset by the difficulty of developing them. Because server-side plug-ins are closely integrated with the server, any errors in the plug-in could easily result in the complete failure of the server. 

Web Application Access Controls 

Most Web servers provide the capability to control access to certain Web pages and their associated Web applications. These controls may be based on host name, IP address, user name and password, or other identification and authentication mechanisms. Failure to implement restrictions on some applications, such as your server's management software, could lead to serious security holes. 

File Permissions 

Operating-system file permissions are closely related to Web-Application access controls. These permissions determine which Files users and applications are able to read, write and execute. These controls are important to protecting your Web site. In Particular, write permission to the directories containing CGI Programs and server-configuration files should be limited to the most trusted users. Failure to do so weakens the security of your Web server, opening it up to a broader spectrum of attacks. 

If your server stores financial information, such as credit card Data, the permissions of these files should be set to prevent them from being read by other applications. If at all possible, these files should be made write-only. 

In the event that your server is penetrated, the privileges of your server become those of the penetrator. Therefore, the login privileges of the Web server itself should be limited to the minimum needed to perform its function. 

Other Server-Side Security Considerations 

In addition to the vulnerability mentioned in the previous articles, Web servers are vulnerable to a wide range of attacks aimed at their application services and communication protocols. If a Web server supports other Internet services, such as telnet or FTP, then the server inherits all of the vulnerabilities of these services. The good news is that you can eliminate these vulnerabilities by turning off the additional services.

            If a Web server is on the Internet, then it, by definition, must support the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is notorious for its security vulnerabilities. These vulnerabilities include susceptibility to spoofing, session hijacking, and session monitoring. While these vulnerabilities are common to all systems that are on the Internet, they need to be considered when assessing the risk of setting up a Web server. If the perceived risk is too high, then you may want to implement a firewall or another network security countermeasure. 

As a final consideration, the operating system platform on which the Web server runs is also a potential source of security vulnerabilities. In general, multi-user operating systems, such as UNIX, pose a higher risk than single-user systems, such as the Macintosh and Windows 98. The security of most multi-user systems depends on the reliability and trustworthiness of all system users. If a single user is careless or untrustworthy, then the security of the entire system could be jeopardized. Most multi-user operating systems provide security controls, such as file permissions, that prevent a user from viewing or modifying the files of others. However, to be effective, these controls must be correctly applied. 

Although Web servers exist for the Macintosh, Windows 98, and Windows 95 platforms, most midlevel-to-high-end servers run on Windows NT and UNIX platforms. This is because Windows NT and Unix provide a fuller set of operating system services for implementing more complex and capable server software. 

Both Windows NT and Unix' have advantages and disadvantages as far as security goes. The main advantage of Windows NT is that it does not support (without additional software purchases) many of the services, such as Telnet, Internet mail and the X Windows System, that are provided out of the box with UNIX systems. These services may be used by a penetrator to gain remote access to a UNIX system. The primary advantage of UNIX is its maturity. It has been subjected to hacking for many years, including years before Windows NT was conceived. As a result, most of the UNIX security bugs have been identified and countermeasures have been implemented. Under a security-conscious system administrator, a UNIX Web site can be made as secure as it would be using other operating-System platforms