How is your web security? With your vulnerability and penetration testing underway, do you feel that your critical business systems can hold up and remain resistant to attackers? Unless you look at your web environment the right way, your web security posture might not be as strong as you think.
I have found that web security places a lot of emphasis on the application layer itself. That’s not a bad thing considering the ubiquity of cross-site scripting, SQL injection, and other damaging application flaws. However, you must also look at the underlying server.
Web server vulnerabilities
Just ask the security team, the CTO, and the CEO of Equifax: an unpatched component at the web server level (in their case, a missing Apache Struts update) is all it takes to bring a massive business to its knees. Remote code execution, denial of service attacks, and more are all possible beyond the application layer, at the web server level.
Common web server vulnerabilities that I find in my assessments include:
- Missing patches for web servers, such as Internet Information Services (IIS) and Apache, and for operating systems, such as Windows and Linux.
- Open ports that expose unencrypted connections, open proxies, or vulnerable services, such as FTP and SNMP.
- Misconfigured permissions that allow unauthorized public access to directories and files.
- DNS cache snooping and traffic amplification via open recursive resolvers.
- Internal server IP addresses disclosed through hard-coded values or misconfigured web server headers (for example, a redirect Location header that carries the private address).
- Missing protection against cross-frame scripting (clickjacking), such as an X-Frame-Options or Content-Security-Policy frame-ancestors header.
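Several items in the list above (internal IP disclosure in headers, missing cross-frame protection, version banners) show up directly in the HTTP response headers a server sends back, so they can be checked without an application scanner. The following is an added example, not code from the original article or from any scanning product: a small header audit run over two constructed HTTP responses. The "weak" response imitates the classic pattern of an older IIS host leaking its private address in Content-Location and Location headers; the "hardened" one carries the frame-protection headers. The finding names are my own labels, not output of any tool.

```python
import ipaddress
import re

# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "weak": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Server: Microsoft-IIS/7.5\r\n"
        "Content-Location: http://10.20.30.40/default.htm\r\n"
        "Location: http://10.20.30.40/index.html\r\n"
        "X-Powered-By: ASP.NET\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ),
    "hardened": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "X-Frame-Options: DENY\r\n"
        "Content-Security-Policy: frame-ancestors 'none'\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ),
}

# Matches the host portion of an absolute URL, e.g. "10.20.30.40" in
# "http://10.20.30.40/index.html".
HOST_RE = re.compile(r"https?://([^/:\s]+)")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-name: [values]})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def is_private_ip(host):
    """True if host is a literal RFC 1918 / ULA address, False for names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def audit(raw):
    """Return a list of finding labels for one raw HTTP response."""
    findings = []
    _status, headers = parse_headers(raw)

    # Cross-frame scripting / clickjacking: neither X-Frame-Options nor a
    # CSP frame-ancestors directive is present.
    csp = " ".join(headers.get("content-security-policy", []))
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("missing-frame-protection")

    # Internal IP disclosure: a private address in a redirect or
    # Content-Location URL.
    for name in ("location", "content-location"):
        for value in headers.get(name, []):
            match = HOST_RE.match(value)
            if match and is_private_ip(match.group(1)):
                findings.append(f"internal-ip-in-{name}")

    # Version banners: a dotted version number in Server / X-Powered-By.
    for name in ("server", "x-powered-by"):
        for value in headers.get(name, []):
            if re.search(r"\d+\.\d+", value):
                findings.append(f"version-banner-in-{name}")

    return findings


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(label, audit(raw) or "no findings")
```

In practice the raw response comes from a socket or an HTTP client; the checks are deliberately header-only so they can be pointed at production, staging and development hosts alike. The Apache fix for the frame-protection finding is a single `Header always set X-Frame-Options "DENY"` (or a `Content-Security-Policy` with `frame-ancestors 'none'`); the IP-disclosure finding is fixed by configuring the server's canonical hostname rather than by rewriting headers at a proxy.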
These weaknesses are not confined to the web server software itself; related exposures also come from a lack of network security controls, such as intrusion prevention systems, web application firewall blocking, and proper event monitoring and alerting. Even a simple firewall configuration error can lead to a successful attack on an organization.
Protection of web environments
One thing I often see in web security testing is people who focus only on penetration. They are able to capture the flag, so to speak, and then they stop looking for other security issues. This is extremely short-sighted, and it is most likely the reason why many organizations that have a formal security testing program still end up being breached.
Instead of a simple penetration test, what is needed is a comprehensive security assessment that examines the entire system, from soup to nuts, rather than one that tries to prove a single exploit works and then stops. It is all the other security vulnerabilities, overlooked by weak web security testing procedures, that come back to haunt you.
Another thing to keep in mind is, if you’re just testing your production environment, what are your staging and development systems like? Likewise, if you are unable to test production, do your staging and development systems accurately reflect what is happening in the real world?
Eventually, you’ll have to look at everything and fix everything. This applies not only to external web systems, but also to internal systems.
When it comes to web security, application scans alone are not enough, and neither are manual analysis or penetration testing alone. Traditional network vulnerability scanners will find many of these weaknesses, and I increasingly see dedicated web application vulnerability scanners turning up server-level flaws as well; either way, you have to examine the server itself.
In many cases, it takes two, and sometimes three, different scanners to find everything that matters. A scan with a single tool is simply not sufficient to consistently find web server vulnerabilities. If true web security is to exist, you have to look in the right places. Otherwise, you just don’t know where you stand.