Abstract
Organizational web servers reflect the public image of an organization and serve web pages/information to organizational clients via web browsers using HTTP protocol. Some of the web server software may contain web applications that enable users to perform high-level tasks, such as querying a database and delivering the output through the web server to the client browser as an HTML file. Hackers always try to exploit the different vulnerabilities or flaws existing in web servers and web applications, which can pose a big threat for an organization. This chapter provides the importance of protecting web servers and applications along with the different tools used for analyzing the security of web servers and web applications. The chapter also introduces different web attacks that are carried out by an attacker either to gain illegal access to the web server data or reduce the availability of web services. The web server attacks includes denial of service (DOS) attacks, buffer overflow exploits, website defacement with sql injection (SQLi) attacks, cross site scripting (XSS) attacks, remote file inclusion (RFI) attacks, directory traversal attacks, phishing attacks, brute force attacks, source code disclosure attacks, session hijacking, parameter form tampering, man-in-the-middle (MITM) attacks, HTTP response splitting attacks, cross-site request forgery (XSRF), lightweight directory access protocol (LDAP) attacks, and hidden field manipulation attacks. The chapter explains different web server and web application testing tools and vulnerability scanners including Nikto, BurpSuite, Paros, IBM AppScan, Fortify, Accunetix, and ZAP. Finally, the chapter also discusses countermeasures to be implemented while designing any web application for any organization in order to reduce the risk.
TopWeb Server Attacks
Any web application/web site is hosted on web servers consisting client and server side structural components. A client side component is usually is developed in HTML, JavaScript and CSS and exist within the user’s web browser (Rafique, Humayun, Hamid, Abbas, Akhtar & Iqbal, 2015). It represents user-friendly web app functionality with which user interacts. Server side components are developed using PHP, Python, Java, Ruby on Rails, Active Server Pages (ASP), or .NET which may consists of at least app logic and database component. Apache or Microsoft IIS can be used to host web server components. Applications can be open source or commercial. Database stores data in persistent manner and implemented using oracle, MySQL or DB2. The primary function of web server is to store, process and deliver web pages to clients. The communication between client and server takes place using the Hypertext Transfer Protocol (HTTP) protocol. Pages delivered are mostly HTML documents, with images, style sheets and scripts in addition to the text content. Multiple web servers may be used for a high traffic website. A user agent/web browser initiates communication by sending a request to server using HTTP protocol and the server responds with the required content or an error message.
Any vulnerability in the applications, database, web server operating system or in the network will lead to an attack on the web server (Bryan, & Vincent, 2011). Hackers always try to exploit the different vulnerabilities or flaws existing in web servers and web applications to gain unauthorized access to sensitive information or theft of banking credentials from banking web applications, which pose a huge threat for an organization including reputation damage (Daud Bakar & Hasan, 2014). If unnecessary services are enabled or default configuration files are used, verbose/error information is not masked; an attacker can compromise the web server through various attacks like password cracking, Error-based SQL injection, Command Injection, etc. Following kinds of attacks are possible on any web server (Eric, & Brian, 2000).