Web Server Security and Database Server Security
A string of high-profile attacks has shown that web security remains one of the most critical issues for any business that conducts its operations online.
If your servers or web applications are compromised, an attacker gains access to your backend data even when your firewall is configured correctly and your operating system and applications are kept patched. The reason is simple: the web application is the one component the firewall must let Internet traffic reach, and it talks to the database with its own legitimate credentials, so whoever controls the application inherits that access.
Attackers will try to reach your sensitive data through any vulnerable web asset on your network. A regular security audit of these assets must therefore also answer a fundamental question: which elements of our network infrastructure that we assumed to be secure are in fact open to attack?
Logical Components and Related Web Security Issues
The logical components for maintaining a successful web presence (excluding hardware and the web applications themselves) include:
- Operating System
- Web Server Engine
- Server-side Scripting Engine
- Database Engine
One of the more mundane attacks is simply checking whether the server operating system was installed with its pre-defined defaults left intact: default accounts and passwords, unnecessary services, sample content and permissive settings. If administrators have not changed them, the operating system is open to attack even though no real flaw or vulnerability exists. Genuine bugs in the operating system can be exploited as well, for example to run programs that transmit confidential data to third parties or that otherwise compromise the normal functioning or security of the server and the data it stores.
A web server engine, or program, runs a service that listens for and responds to HTTP requests made by users via their browsers. The most widely used web server engines are Apache and Microsoft's IIS. Web server programs may themselves contain security flaws which, for example, allow a remote user to execute code or read files on the operating system with privileges far wider than those a web request should ever be granted. Because the server is reachable from the Internet by design, any such flaw is exposed to everyone.
The web server requires a server-side scripting engine (e.g., PHP, ASP, ASP.NET, JSP) if the website is dynamic or if, for example, certain pages require the user to submit personal information (name, surname, telephone number, email address, credit card details, etc.) for later use. Web security best practice requires regular auditing to check for vulnerabilities in the scripting engine itself, as well as ensuring that user input is validated so that no character combination (a quote that terminates a SQL string literal, a script tag in a form field) can exploit these or other weaknesses to eventually reach sensitive data.
Pulling down individualized content, subscribing to a newsletter, or signing into an account to receive personalized purchase recommendations and carry out transactions all entail storing data in a database (e.g., Microsoft SQL Server, MySQL, Oracle). Database engines can be targeted on several levels. All modern database systems listen on well-known network ports, and anyone who can reach such a port can attempt a direct connection to the database, bypassing the access controls of the operating system and of the web application entirely. These ports must stay open for legitimate traffic from the application, so if they are reachable from untrusted networks they constitute a major exposure: the database should listen only on the interfaces the application servers use, and the port should be filtered for everyone else. Other weaknesses relate to the database software itself and to the use of weak or default passwords by administrators.
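The "character combination" problem described above, as an added example that is not part of the original page and not Acunetix code: a login routine that splices user input into SQL, the payload that turns a quote and a comment marker into an authentication bypass, and the parameterized query that closes the hole. SQLite's in-memory database stands in for the MySQL, SQL Server or Oracle backend a real site would use; the user rows are constructed sample data.

```python
"""Authentication bypass via SQL injection, and the parameterized fix.

Added example for this page (not Acunetix code). SQLite in-memory is used as a
stand-in for the site's real database engine; the rows below are constructed.
"""
import sqlite3
from typing import Optional

# Constructed sample data. A real system stores a slow password hash
# (bcrypt/argon2), never the plaintext; the injection below works either way
# because it removes the password comparison from the query altogether.
SAMPLE_USERS = [("admin", "Correct-Horse-42"), ("alice", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Builds the query by string formatting: attacker-controlled quotes and
    comment markers become part of the SQL grammar instead of data."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterized query: the driver binds the values, so they can never be
    parsed as SQL, whatever characters they contain."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def vulnerable_query_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """Even a benign name like O'Brien breaks the string-built query; the
    parameterized one handles it. Returns True if the vulnerable path errors."""
    try:
        login_vulnerable(conn, "O'Brien", "irrelevant")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # The classic payload: close the string literal, then comment out the
    # rest of the WHERE clause so the password is never checked.
    print(login_vulnerable(conn, "admin' --", "anything"))   # admin
    print(login_safe(conn, "admin' --", "anything"))         # None
    print(login_safe(conn, "admin", "Correct-Horse-42"))     # admin
    print(vulnerable_query_breaks_on_apostrophe(conn))       # True
```

The payload `admin' --` is what a scanner's SQL injection check sends in many variations; the lesson for the scripting-engine layer is that escaping or filtering characters is fragile, while binding parameters removes the class of bug. The apostrophe case shows the same defect surfacing as a plain functional error, which is often how it is first noticed in logs.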
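The listening-port exposure discussed above, as an added example that is not part of the original page and not Acunetix code: a small audit that reads a MySQL-style my.cnf and reports whether the engine accepts TCP connections from other hosts. The two configuration fragments are constructed; the rule it applies is MySQL's documented behaviour that an absent or wildcard bind-address listens on every interface and that skip-networking disables the TCP listener entirely.

```python
"""Is the database listener reachable from the network?

Added example for this page (not Acunetix code). Audits the [mysqld] section
of a MySQL-style my.cnf for the settings that decide network exposure. The
two configs below are constructed for the example.
"""
from typing import Dict

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Wildcard values bind every interface; an absent bind-address does the same.
ALL_INTERFACES = {"0.0.0.0", "::", "*"}

WEAK_CNF = """\
[mysqld]
port = 3306
# bind-address not set: the server listens on every interface
"""

HARDENED_CNF = """\
[mysqld]
port = 3306
bind-address = 127.0.0.1
"""


def parse_mysqld_section(text: str) -> Dict[str, str]:
    """Minimal INI reader for the [mysqld] section. Handles 'key = value'
    and bare flags such as 'skip-networking' (stored with value ''); option
    names are normalized so skip_networking and skip-networking match."""
    opts: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[mysqld]"
            continue
        if in_section:
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("_", "-")] = value.strip()
    return opts


def listener_exposure(text: str) -> str:
    """Classify the TCP listener described by a my.cnf fragment."""
    opts = parse_mysqld_section(text)
    port = opts.get("port", "3306")          # MySQL's default port
    if "skip-networking" in opts:
        return "no TCP listener (Unix socket only)"
    bind = opts.get("bind-address", "")
    if bind in LOOPBACK:
        return f"local only: {bind}:{port}"
    if bind == "" or bind in ALL_INTERFACES:
        return f"EXPOSED: all interfaces, port {port}"
    return f"specific interface {bind}:{port}; confirm it is not Internet-facing"


if __name__ == "__main__":
    print(listener_exposure(WEAK_CNF))       # EXPOSED: all interfaces, port 3306
    print(listener_exposure(HARDENED_CNF))   # local only: 127.0.0.1:3306
```

Binding to loopback only works when the application runs on the same host; the usual layout is a private interface plus a host firewall rule that admits the application servers and nothing else. Either way the check above belongs in the audit, because a database that answers on 3306 from the Internet is exactly the "direct connection that bypasses the operating system" the text describes, and only the password stands between the attacker and the data.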
Keeping track of the various vulnerabilities, exploits and fixes is time-consuming and requires specialist expertise.
Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner checks website security by automatically testing for SQL injection, cross-site scripting and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan completes, the software produces detailed reports that pinpoint where vulnerabilities exist. Take a product tour or download the evaluation version today!
Scanning for XSS vulnerabilities with Acunetix WVS Free Edition
To check whether your website has cross-site scripting vulnerabilities, download the Free Edition from http://www.acunetix.com/cross-site-scripting/scanner.htm. This version scans any website or web application for XSS vulnerabilities and reports the essential information about each finding, such as the location of the vulnerability and remediation advice. Scanning for XSS is normally a quick exercise (depending on the size of the website).
Security Articles
Keeping Web Hacking at bay with Acunetix - How to avoid a Hacker Attack on your website
Cross Site Scripting - XSS - The Underestimated Exploit
Microsoft UK Events Website Hacked
The JavaScript Engine of Acunetix WVS
PCI Compliance (Payment Card Industry Data Security Standard)
Web Applications: What are they? What of them?
The True Nature of Web Application Security: The Role and Function of Black Box Scanners
Web hacking: An underestimated threat
Ajax security: Are AJAX applications vulnerable to hack attacks?
PHP / SQL Security - Part 6
White Papers
Finding the Right Web Application Scanner; Why Black Box Is Not Enough
The Payment Card Industry Compliance - Securing both Merchant and Customer data.
Web Services - The Technology and its Security Concerns
Are AJAX Applications Vulnerable to Hack Attacks? The importance of Securing AJAX Web Applications
Auditing Your Web Site Security with Acunetix Web Vulnerability Scanner
The Importance of Web Application Scanning
SQL & PHP Security by Andrew J. Bennieston