From the hacker tactics and techniques series that focuses on how hackers can use Internet-facing servers to breach your network or manipulate data.
Your company’s website is one of the first places a malicious hacker will look for misconfigurations, poorly written code and vulnerable services. If you house your own Internet-facing Web server, and it’s connected to your internal network, it’s worth your time to ensure the process of securing your Web sever is a corporate priority, and investigate the security controls in place for Web server protection. This is even more critical if your company has an online store or account management system.
When operating system patches are released and tested in your environment, Web servers should be the first servers patched to prevent a Web server hack. Exploit code is becoming more readily available to anyone within days of a vulnerability discovery. A few days after it’s been in the hands of hackers, a scripted attack is likely to take place that could successfully attack your unpatched Web server. This gives little time to test and install patches for such vulnerabilities, so it’s important to devise a deployment plan prior to patch release.
Looking at Web code itself, there are several ways hackers can manipulate the URL of a website to perform SQL injection, directory traversals, buffer overflows, etc. There are two common methods to defend against these types of vulnerabilities. One is to have your Web code reviewed by a person or a tool in an effort to identify and correct vulnerabilities. Or you can install an application firewall that examines user input to verify that it is not malicious or malformed before allowing it to pass to the backend application. Blue Coat Systems Inc. and Sanctum Inc. are two vendors that offer such products, which may be worth looking into, especially if you don’t think you can retrain your programmers to write secure code.
If you use a website to sell products or provide financial services, it is of utmost importance to check the data being submitted to the server that processes the online order. If your security simply relies on the price or account information shown to the user on the webpage, this can be manipulated easily using free proxy tools running on an attacker’s PC. Such tools allow the attacker to change the information being submitted to your server, removing all restrictions enforced by the webpage itself. A $50 book could be changed to $1, and a bank account number could be changed to someone else’s in an effort to transfer funds or show balances of other accounts.
Depending on how you handle information submitted by end users, you’ll likely have some way of validating end-user information. For instance, most programs can be written to check the submitted data for inappropriate characters and length before the data is processed. This validation should be performed on the back-end instead of putting constraints on a webpage’s input fields, which can be bypassed using the proxy tools mentioned above.
Web servers are the number one way into a company’s network from the outside. By securing Web servers enforcing adequate Web server protection, you’ll be addressing one of the riskiest areas of your network and preventing a potentially extremely harmful attack.