Securing your Web server to ensure protection from a hack attack

Vernon Haberstetzer, Contributing Writer
When operating system patches are released and tested in your environment, Web servers should be the first servers patched to prevent a Web server hack. Exploit code is becoming more readily available to anyone within days of a vulnerability discovery. A few days after it's been in the hands of hackers, a scripted attack is likely to take place that could successfully attack your unpatched Web server. This gives little time to test and install patches for such vulnerabilities, so it's important to devise a deployment plan prior to patch release.

Looking at Web code itself, there are several ways hackers can manipulate the URL of a website to perform SQL injection, directory traversals, buffer overflows, etc. There are two common methods to defend against these types of vulnerabilities. One is to have your Web code reviewed by a person or a tool in an effort to identify and correct vulnerabilities. Or you can install an application firewall that examines user input to verify

    Requires Free Membership to View

that it is not malicious or malformed before allowing it to pass to the backend application. Blue Coat Systems Inc. and Sanctum Inc. are two vendors that offer such products, which may be worth looking into, especially if you don't think you can retrain your programmers to write secure code.

If you use a website to sell products or provide financial services, it is of utmost importance to check the data being submitted to the server that processes the online order. If your security simply relies on the price or account information shown to the user on the webpage, this can be manipulated easily using free proxy tools running on an attacker's PC. Such tools allow the attacker to change the information being submitted to your server, removing all restrictions enforced by the webpage itself. A $50 book could be changed to $1, and a bank account number could be changed to someone else's in an effort to transfer funds or show balances of other accounts.

Depending on how you handle information submitted by end users, you'll likely have some way of validating end-user information. For instance, most programs can be written to check the submitted data for inappropriate characters and length before the data is processed. This validation should be performed on the back-end instead of putting constraints on a webpage's input fields, which can be bypassed using the proxy tools mentioned above.

Web servers are the number one way into a company's network from the outside. By securing Web servers enforcing adequate Web server protection, you'll be addressing one of the riskiest areas of your network and preventing a potentially extremely harmful attack.

About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.


  Introduction: Hacker attack tactics
  How to stop hacker theft
  Hacker system fingerprinting, probing
  Using network intrusion detection tools
  Authentication system security weaknesses
  Improve your access request process
  Social engineering hacker attack tactics
  Secure remote access points
  Securing your Web sever
  Wireless security basics
  How to tell if you've been hacked

This was first published in March 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.