Firewall Wizards mailing list archives

Re: Web Site Hacks


From: Chad Schieken <cschieke () advsys com>
Date: Fri, 05 Dec 1997 13:30:44 -0500


The question I wrestle with every day is how to protect the webservers from themselves (CGI, NSAPI, server plugins, 
etc). It's been my experience that most of the web applications being developed take very few steps to protect 
themselves. 

My solution has been individual reviews of each app. This is hugely expensive, and not reliable (IMHO). But what 
alternatives are there? 

Even putting the "perfect" firewall in front of the webserver doesn't protect it from the biggest liability, itself. 

I think the webservers need to implement some sort of sanity checking of input to the various server side applications, 
like CGI, or server plugins, etc. 

Has anyone ever seen this even considered in any webserver?


There's something worse:  CGI scripts.

Firewalls work because of what they don't run.  They don't run most
protocols, and hence most programs.  But CGI scripts *are* programs,
and a typical glitzy Web server is running several dozen of these at
the very least.  And it doesn't take a very long look at the CERT
advisories and the BUGTRAQ archives to realize how many buggy CGI scripts
have been published and distributed.

Web servers are among the most dangerous critters out there.  You really
want to protect your major assets from them, because they *will* be
penetrated.
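The kind of server-side "sanity checking of input" the post asks for, and the reason the quoted reply calls CGI scripts the real problem, can be shown concretely. What follows is an added example, not code from the mailing list or from any web server: a small gate that sits in front of CGI programs and admits only requests whose parameters match a per-script allow-list. The script names (/cgi-bin/feedback, /cgi-bin/finger), parameter names and patterns are assumptions made up for the illustration.

```python
"""
Constructed example: an allow-list input gate placed in front of CGI programs.
Not from the Firewall Wizards thread or any real server; the script names,
parameter names and patterns below are assumptions for illustration.
"""
import re
from urllib.parse import parse_qs

# Per-script rules: parameter name -> (compiled allow-list pattern, max length).
# Scripts and parameters with no rule are refused outright.
RULES = {
    "/cgi-bin/feedback": {
        "email":   (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), 254),
        "subject": (re.compile(r"[A-Za-z0-9 .,!?'-]+"), 80),
    },
    "/cgi-bin/finger": {
        # First character a-z, so the value can never be mistaken for an option.
        "user": (re.compile(r"[a-z][a-z0-9_-]*"), 32),
    },
}


class InputRejected(ValueError):
    """Raised when a request fails the gate; the CGI program is never run."""


def gate(script_name, query_string):
    """Return the validated parameters for script_name, or raise InputRejected.

    Validation is allow-list only: each value is matched whole against the
    pattern for its parameter (so shell metacharacters, newlines and NULs are
    refused without having to enumerate them) and capped in length (so an
    over-long value never reaches a C program's fixed-size buffer).
    Bad values are refused, not "cleaned": stripping characters and passing
    the remainder on is how many filters end up bypassed.
    """
    try:
        script_rules = RULES[script_name]
    except KeyError:
        raise InputRejected(f"no rules for {script_name!r}; refusing to run it")

    parsed = parse_qs(query_string, keep_blank_values=True)
    clean = {}
    for name, values in parsed.items():
        if name not in script_rules:
            raise InputRejected(f"unexpected parameter {name!r}")
        if len(values) != 1:
            raise InputRejected(f"parameter {name!r} supplied more than once")
        pattern, max_len = script_rules[name]
        value = values[0]
        if len(value) > max_len:
            raise InputRejected(f"{name!r} longer than {max_len} characters")
        if not pattern.fullmatch(value):
            raise InputRejected(f"{name!r} does not match its allow-list")
        clean[name] = value

    missing = set(script_rules) - set(clean)
    if missing:
        raise InputRejected(f"missing parameter(s): {sorted(missing)}")
    return clean


def accepted(script_name, query_string):
    """True if the gate would let the request through to the CGI program."""
    try:
        gate(script_name, query_string)
        return True
    except InputRejected:
        return False


def unsafe_finger_command(user):
    """The pattern the gate protects against: the parameter is spliced into a
    shell command line, so a value like 'bob;cat /etc/passwd' runs a second
    command. Shown for contrast only."""
    return "/usr/bin/finger " + user


def safe_finger_argv(user):
    """Argument vector to hand to exec without a shell. With the gate in front,
    user is already known to be a plain login name."""
    return ["/usr/bin/finger", user]


if __name__ == "__main__":
    # Constructed requests: one benign, the rest hostile or malformed.
    for script, qs in [
        ("/cgi-bin/finger", "user=bob"),
        ("/cgi-bin/finger", "user=bob%3Bcat+%2Fetc%2Fpasswd"),
        ("/cgi-bin/finger", "user=" + "a" * 40),
        ("/cgi-bin/feedback", "email=a%40b.com&subject=Hi&debug=1"),
        ("/cgi-bin/unknown", "x=1"),
    ]:
        try:
            print(script, qs, "->", gate(script, qs))
        except InputRejected as why:
            print(script, qs, "-> REJECTED:", why)
```

The gate does not make a buggy CGI program correct; it narrows what the program can be fed so that the well-known failure modes (metacharacters reaching a shell, over-long values reaching a fixed buffer, unexpected parameters reaching code paths nobody reviewed) cannot be triggered from the network. That is a cheaper, more uniform control than reviewing every script, and it is the sort of check the post asks whether any server implements.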




