Web server

Why it’s important to fix flaws related to the web server and not just the application itself

Web vulnerability testing largely focuses on the application itself, and rightly so. Vulnerabilities such as SQL injection, cross-site scripting, and user session management flaws can be very damaging when exploited by those seeking ill-gotten gains. One thing to keep in mind with web security, however, is that you need to look at it holistically. Application-specific vulnerabilities are one thing, but they don’t paint the whole picture. It is essential to look at the web servers themselves.

Reflecting on my web vulnerability and penetration testing projects over the past few years, easily half and sometimes two-thirds of my reports contain vulnerabilities caused by the web server itself. Web server vulnerabilities that I generally consider critical or high priority include:

  • Missing patches and unsupported software running (think Log4j and the myriad of other web server vulnerabilities discovered all the time)
  • Improper encryption configurations such as weak encryption protocols and ciphers, expired certificates, and most importantly, no encryption at all, exposing login pages and other web forms that process sensitive information
  • Directory and file exposures (sometimes these are worthless benign files, but sometimes they are not)
  • Open services such as FTP, telnet, and web proxy (imagine hosting a web server that facilitates further attacks)

There are other web server-centric vulnerabilities that I would consider more moderate, rated as best practices. These include vulnerabilities such as:

  • ASP.NET (or similar) debugging enabled

Still, such vulnerabilities can be cumulative and facilitate larger exploits, so it’s good to find them and do something long-term.
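As an added example that is not part of the original article, the following audit checks the ASP.NET settings behind the "debugging enabled" finding above, plus the cookie-over-TLS setting tied to the encryption findings earlier, against two constructed web.config fragments (one weak, one hardened). The element and attribute names are the standard `system.web` ones; the sample configs and the `audit_web_config` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config carrying the weak settings the article lists.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpCookies requireSSL="false" />
  </system.web>
</configuration>
"""

# Constructed hardened counterpart of the same fragment.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <trace enabled="false" localOnly="true" />
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
"""


def audit_web_config(xml_text: str) -> list:
    """Return findings for system.web settings that leak debug/trace
    detail to remote clients or allow cookies over plaintext HTTP."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    findings = []
    if web is None:
        return findings

    def attr(tag, name, default):
        # ASP.NET defaults apply when the element or attribute is absent.
        el = web.find(tag)
        return (el.get(name, default) if el is not None else default).lower()

    if attr("compilation", "debug", "false") == "true":
        findings.append("compilation debug=true: debug builds and verbose stack traces served to clients")
    if attr("customErrors", "mode", "RemoteOnly") == "off":
        findings.append("customErrors mode=Off: detailed error pages (stack traces, paths) shown to remote users")
    if attr("trace", "enabled", "false") == "true" and attr("trace", "localOnly", "true") == "false":
        findings.append("trace enabled and not localOnly: trace.axd output reachable remotely")
    if attr("httpCookies", "requireSSL", "false") != "true":
        findings.append("httpCookies requireSSL=false: session cookies may be sent over plaintext HTTP")
    return findings
```

Running the audit over a real web.config as part of a deployment pipeline turns a "best practice" list item into a check that fails the build before the server is exposed.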

Aside from scanning and testing for these web server vulnerabilities, the next step is to determine which of these issues is important. There are many variables to consider and every situation is different. The best way to do this is to perform detailed testing and subsequent analysis to determine what the specific risk is in the context of your environment. Obviously, you’ll want to focus on the critical, high-priority items that have the greatest impact on the business. I often see moderate web server-related vulnerabilities fall on deaf ears and never get addressed. The smartest approach is to look at everything and figure out the best place to spend your time, money, and effort. In the end, only you will know the answer to this question.

The important thing is that you do something to watch all aspects of your web environment – not just the application. The web server also needs attention.

By Kevin Beaver