Organizations should test their Web servers to ensure that they are not vulnerable to encoded syntax attacks. To do so, I recommend tools like Nikto. The server-assessment tool utilizes a variety of different encoding techniques, and can even use multiple types of evasion tactics together. Nikto will request pages in various ways that your server will understand but may be difficult for us to read. Many servers, for example, can process requests in Unicode and Base64, which are languages not easily deciphered by many people.
Also, look at ModSecurity, an open source Web application firewall, and UrlScan, a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. These tools have the ability to detect and/or stop some of the most common encoded attacks, like SQL injection, cross-site scripting and requests for pages on your site that may have vulnerabilities like buffer overflows. There are also a number of commercial products that can help defend against encoded syntax attacks, including those from F5 Networks Inc., Breach Security Inc., and Barracuda Networks Inc.
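The reason encoded requests slip past naive filters is that the signature is applied to the raw bytes rather than to what the server will actually see after decoding. The following is an added example, not part of the original answer and not code from Nikto, ModSecurity or UrlScan: a small request normalizer that repeatedly percent-decodes (so double encoding such as `%253C` collapses to `<`), translates IIS-style `%uXXXX` escapes, and folds fullwidth Unicode lookalikes onto ASCII before checking a few illustrative signatures. The request strings, the `SIGNATURES` table and the `max_rounds` limit are all constructed for the demonstration; they are not drawn from any real log or product rule set.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed sample request paths (not real traffic). They stand in for
# the kinds of encoded requests a scanner such as Nikto might send: plain,
# percent-encoded, double-encoded, and %uXXXX with fullwidth characters.
SAMPLE_REQUESTS = [
    "/index.html",
    "/cgi-bin/view.cgi?file=..%2F..%2Fetc%2Fpasswd",
    "/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
    "/login?user=admin%27%20OR%20%271%27%3D%271",
    "/scripts/%uFF0E%uFF0E%uFF0Fwinnt/system32/cmd.exe",
    "/products?id=1%20UNION%20SELECT%20password%20FROM%20users",
]

# Illustrative detection patterns (hypothetical, deliberately minimal).
# They are meant to be applied AFTER normalization.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\.[\\/]"),
    "xss": re.compile(r"<\s*script", re.IGNORECASE),
    "sqli": re.compile(r"(\bunion\b\s+\bselect\b|'\s*or\s*'?\d)", re.IGNORECASE),
}

# IIS-style %uXXXX escape (four hex digits naming a UTF-16 code unit).
_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def normalize(raw: str, max_rounds: int = 5) -> str:
    """Canonicalize a request path the way a server would see it.

    Decoding is repeated until the string stops changing (bounded by
    max_rounds) so that double- or triple-encoded payloads collapse.
    NFKC then maps compatibility forms such as FULLWIDTH SOLIDUS (U+FF0F)
    onto their ASCII equivalents.
    """
    current = raw
    for _ in range(max_rounds):
        decoded = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), current)
        decoded = unquote(decoded)
        if decoded == current:
            break
        current = decoded
    return unicodedata.normalize("NFKC", current)


def classify_raw(raw: str) -> list[str]:
    """Signatures applied to the raw request: what a naive filter does."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(raw))


def classify(raw: str) -> list[str]:
    """Signatures applied after normalization: what the server would act on."""
    norm = normalize(raw)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))


def scan(requests: list[str] = SAMPLE_REQUESTS) -> dict[str, list[str]]:
    """Run every sample request through the normalized classifier."""
    return {r: classify(r) for r in requests}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req}\n  raw: {classify_raw(req)}  normalized: {classify(req)}")
```

Running the block shows the gap the answer is warning about: the double-encoded script tag and the fullwidth `../` are invisible to the raw-string signatures but are flagged once the request is decoded the way the server decodes it. A production WAF does far more (overlong UTF-8, chunked bodies, parameter pollution), but the principle is the same: decode first, then match.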