S 5.159 Overview of protocols and communication standards for web servers

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

In the field of IT, (communication) protocols are used to control the exchange of information between processes and/or IT components (see also S 5.39 Secure use of protocols and services). In order to allow communication between processes of applications created by different developers, the information must be transmitted in accordance with previously specified rules. This specification is referred to as a protocol. The processes involved may be, for example, server services or client applications. Protocols may also be used to control the exchange of information between local processes.

In the web server context, numerous different protocols are used, which are described below:

Hypertext Transfer Protocol (HTTP)

HTTP is the protocol used for almost all data transfer between browsers and web servers. It is an application-layer protocol of the TCP/IP reference model. Version 1.1 was defined in RFC 2616 (since superseded by RFC 7230 to 7235 and, in 2022, by RFC 9110 to 9112) and follows the client-server principle: the client sends a request, which the web server answers with a response. The protocol is stateless, meaning that every request must carry all the information the server needs to process it; the server retains no state from one request to the next. Whether the underlying TCP connection is closed after a response or kept open for further requests (persistent connections are the default in HTTP/1.1) is a separate matter and does not change this. Session state, e.g. a logged-in user, therefore has to be added on top of HTTP, usually by means of cookies, and these session identifiers then need to be protected in their own right.

HTTP is a plaintext protocol, which is why everything transmitted, including credentials, session cookies and form contents, can be read and altered by an attacker on the network path. HTTPS provides the corresponding enhancement: an encrypted and authenticated connection between the web server and the browser based on TLS. Its predecessor SSL is obsolete and should no longer be enabled.

HTTPS

HTTPS (HTTP over SSL or, today, HTTP over TLS) is HTTP carried inside a TLS connection, so that the server (and optionally the client) is authenticated by certificate and the transmitted data, including any HTTP authentication exchange, is encrypted and integrity-protected. HTTPS is specified in RFC 2818.

A web server supporting HTTPS usually uses TCP port 443. When using HTTPS, it must be noted that TLS also defines cipher suites that provide no encryption (the NULL cipher suites) as well as suites without server authentication (anonymous key exchange). If this contradicts the security requirements, which it almost always does, the web server and any TLS-terminating proxy in front of it must be configured to reject such cipher suites, and the resulting configuration should be verified with a TLS scanner rather than assumed.
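The following is an added example, not part of the catalogue text: it builds a server-side TLS context from an OpenSSL cipher string, once with the unencrypted NULL suites admitted and once with them excluded, and reads back from OpenSSL which enabled suites offer no encryption or no authentication. The cipher strings are the same syntax used by Apache's SSLCipherSuite and nginx's ssl_ciphers; no certificate is loaded, so the context only serves to inspect the cipher list.

```python
"""Added example (not from the BSI catalogue): a server-side TLS context that refuses
the unencrypted NULL cipher suites, checked against the cipher list OpenSSL reports."""
import ssl
from typing import Optional


def tls_context_with(cipher_string: str) -> Optional[ssl.SSLContext]:
    """Server context built from an OpenSSL cipher string (the same syntax as
    Apache's SSLCipherSuite or nginx's ssl_ciphers). Returns None when the string
    matches no suite in this OpenSSL build. No certificate is loaded, so the
    context cannot serve connections; it is only used to inspect the cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that offer no encryption (Enc=None) or no server
    authentication (Au=None), read from OpenSSL's own cipher description string."""
    return [c["name"] for c in ctx.get_ciphers()
            if "Enc=None" in c["description"] or "Au=None" in c["description"]]


# The misconfiguration: eNULL explicitly admitted ("we only need integrity").
WEAK = "HIGH:eNULL"
# The corrected setting: !eNULL drops unencrypted suites, !aNULL the anonymous ones.
HARDENED = "HIGH:!eNULL:!aNULL:!MD5:!RC4"


def hardened_context() -> ssl.SSLContext:
    """Context with the corrected cipher string; HIGH always matches something."""
    ctx = tls_context_with(HARDENED)
    assert ctx is not None
    return ctx


if __name__ == "__main__":
    for label, spec in (("weak", WEAK), ("hardened", HARDENED)):
        ctx = tls_context_with(spec)
        print(label, "->", weak_suites(ctx) if ctx else "cipher string matched nothing")
```

Whether the weak string actually lists NULL suites depends on the OpenSSL build; the hardened string must yield an empty list on every build, which is the property worth checking in a deployment test.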

WebDAV

WebDAV is the abbreviation of "Web-based Distributed Authoring and Versioning" and is an open standard (RFC 4918) for providing and administrating files on a web server. WebDAV extends HTTP/1.1 with additional methods (e.g. PROPFIND, MKCOL, COPY, MOVE, LOCK and UNLOCK) and headers. All WebDAV communication between client and server is carried in ordinary HTTP requests, i.e. over the single TCP port the web server already uses (80, or 443 with HTTPS). This is an essential advantage when compared to other protocols with comparable functions, e.g. FTP, which use separate connections for exchanging commands and data and therefore often cause configuration problems with packet filters. The flip side is that WebDAV traffic passes wherever HTTP passes, so the packet filter cannot be relied on to keep it out; any restriction has to be enforced on the web server itself.

In addition to simple file operations such as uploading, renaming and deleting files, WebDAV offers locking, so that several users can edit files without overwriting each other's changes (versioning proper is a separate extension, DeltaV, RFC 3253). In order to use these functions, the individual users must first authenticate with one of the authentication methods available in HTTP; HTTP Basic authentication transmits the password merely base64-encoded and is therefore only acceptable over HTTPS. Different authorisations may then be granted to each user, and the file types that may be stored can be restricted; for example, the file extensions of executable files (such as .exe) can be blocked in order to prevent any accidental distribution of malware. A directory that is writable via WebDAV must furthermore never be one from which the web server executes scripts, since an upload would otherwise amount to remote code execution.
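The following added example (not part of the catalogue) serves both the HTTP section above and this WebDAV section. It parses a raw HTTP/1.1 request the way a server must, deriving everything from the request itself, and then applies a WebDAV policy of the kind just described: reads are open, state-changing methods require an authenticated user, and executable file names are refused. The user store, the blocked-extension list and the sample requests are constructed for the example.

```python
"""Added example (not from the BSI catalogue): parse a raw HTTP/1.1 request and
apply a WebDAV access policy to it. All requests and users below are constructed."""
import hmac
import re
from base64 import b64decode, b64encode
from typing import Optional

# Constructed user store; a real server reads this from its configuration.
USERS = {"alice": "correct horse"}
# Methods WebDAV (RFC 4918) adds to HTTP/1.1 that change server state.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH", "LOCK", "UNLOCK"}
READ_METHODS = {"GET", "HEAD", "OPTIONS", "PROPFIND"}
BLOCKED_EXTENSIONS = (".exe", ".dll", ".bat", ".cmd", ".scr")   # example policy


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, version, headers and body.
    Malformed input raises ValueError, which a server answers with 400.
    Assumes the buffer holds exactly one complete request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header section not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.fullmatch(r"([A-Z]+) (\S+) HTTP/(1\.[01])", lines[0])
    if not m:
        raise ValueError("malformed request line")
    method, target, version = m.groups()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        name = name.lower()
        if name in headers:
            if name == "content-length":      # ambiguous body length: refuse
                raise ValueError("duplicate Content-Length")
            headers[name] += ", " + value.strip()
        else:
            headers[name] = value.strip()
    if version == "1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    if int(headers.get("content-length", "0")) != len(body):
        raise ValueError("Content-Length does not match the body")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def authenticate(headers: dict) -> Optional[str]:
    """User name for a valid HTTP Basic credential, else None. Basic auth sends the
    password base64-encoded, not encrypted, so it is only acceptable over HTTPS."""
    scheme, _, param = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = b64decode(param, validate=True).decode().partition(":")
    except ValueError:                     # bad base64 or bad UTF-8
        return None
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return user if ok and user in USERS else None


def webdav_decision(req: dict) -> int:
    """HTTP status the WebDAV handler should return for this request:
    reads are open, writes need a user, executables may not be created."""
    method, headers = req["method"], req["headers"]
    if method not in READ_METHODS | WRITE_METHODS:
        return 405
    if method in WRITE_METHODS:
        if authenticate(headers) is None:
            return 401                     # response must carry WWW-Authenticate
        # the file being created is the target for PUT, the Destination for COPY/MOVE
        created = headers.get("destination", "") if method in ("COPY", "MOVE") else req["target"]
        if created.split("?", 1)[0].rstrip("/").lower().endswith(BLOCKED_EXTENSIONS):
            return 403
    return 200


# Constructed sample requests.
GET_REQ = b"GET /dav/report.txt HTTP/1.1\r\nHost: files.example\r\n\r\n"
PUT_ANON = (b"PUT /dav/tool.exe HTTP/1.1\r\nHost: files.example\r\n"
            b"Content-Length: 4\r\n\r\nMZ\x90\x00")
PUT_AUTH = (b"PUT /dav/tool.exe HTTP/1.1\r\nHost: files.example\r\n"
            b"Authorization: Basic " + b64encode(b"alice:correct horse") + b"\r\n"
            b"Content-Length: 4\r\n\r\nMZ\x90\x00")

if __name__ == "__main__":
    for raw in (GET_REQ, PUT_ANON, PUT_AUTH, PUT_AUTH.replace(b"tool.exe", b"tool.txt")):
        req = parse_request(raw)
        print(req["method"], req["target"], "->", webdav_decision(req))
```

Note that nothing in the decision depends on an earlier request: the credential, the method and the target are all taken from the request at hand, which is what statelessness means in practice. The extension check is deliberately an allowlist-style policy hook; in a real deployment it belongs in the web server's WebDAV configuration rather than in application code.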

XML-RPC

XML-RPC (Extensible Markup Language Remote Procedure Call) is a protocol for calling functions on remote systems, with the transmitted data encoded in an XML structure. The XML-RPC messages themselves are transported over HTTP, as the body of a POST request and of its response. Remote Procedure Calls (RPCs), of which XML-RPC is one implementation, form the essential basis of distributed systems: they allow functions on remote systems to be called over a network.

Since function calls and return values are encoded in XML, the protocol abstracts from the underlying programming languages and operating systems, so calls can be made regardless of which language or operating system either side uses. A call consists of the name of the function to be invoked and its parameters; the return value is sent back to the client by the server in a similar structure.

XML-RPC itself provides no security safeguards: no authentication, no authorisation and no integrity protection. These must be supplied by the transport (HTTPS together with HTTP authentication) and by the program logic of the system exposing the functions, in particular an explicit list of the methods that may be called remotely and validation of every parameter. Since the request body is XML under the caller's control, the XML parser used by the server also needs to be configured and patched with that in mind.
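As an added example (not part of the catalogue), the following shows what an XML-RPC call looks like on the wire and how the missing safeguards are supplied in program logic: the dispatcher only executes methods from an explicit allowlist, takes the authentication decision from outside the protocol, and turns every error into a fault response instead of an exception. The service functions and method names are constructed for the example.

```python
"""Added example (not from the BSI catalogue): encode an XML-RPC call, look at the XML
that travels in the HTTP POST body, and dispatch it through an explicit allowlist
with a caller check, since XML-RPC itself carries no security mechanism."""
import xmlrpc.client as xr


# Constructed service functions.
def add(a, b):
    return a + b


def delete_user(name):
    """Exists on the server but is deliberately not exposed remotely."""
    return f"deleted {name}"


# The allowlist: the only methods a remote caller may invoke, under their
# published names. Nothing is looked up by reflection.
PUBLIC_METHODS = {"math.add": add}


def encode_call(method: str, *params) -> str:
    """XML-RPC request body exactly as the client sends it in an HTTP POST."""
    return xr.dumps(params, methodname=method)


def dispatch(body: str, caller_authenticated: bool) -> str:
    """Decode a request body and run the method only if it is allowlisted.
    caller_authenticated is decided outside XML-RPC, e.g. by HTTP authentication
    over HTTPS; the protocol has no field of its own for it."""
    try:
        params, method = xr.loads(body)
    except Exception as exc:          # malformed or hostile XML, unknown value types
        return xr.dumps(xr.Fault(400, f"bad request: {type(exc).__name__}"))
    if not caller_authenticated:
        return xr.dumps(xr.Fault(401, "authentication required"))
    func = PUBLIC_METHODS.get(method)
    if func is None:
        return xr.dumps(xr.Fault(404, f"unknown method {method}"))
    try:
        return xr.dumps((func(*params),), methodresponse=True)
    except TypeError:                 # wrong number or type of parameters
        return xr.dumps(xr.Fault(400, "invalid parameters"))


def call_result(response: str):
    """Value of a normal response; raises xmlrpc.client.Fault for a fault response."""
    (value,), _ = xr.loads(response)
    return value


def fault_code(response: str):
    """faultCode of a fault response, None for a normal response."""
    try:
        xr.loads(response)
    except xr.Fault as fault:
        return fault.faultCode
    return None


if __name__ == "__main__":
    body = encode_call("math.add", 2, 3)
    print(body)                                                        # the XML on the wire
    print(call_result(dispatch(body, caller_authenticated=True)))      # 5
    print(fault_code(dispatch(body, caller_authenticated=False)))      # 401
    print(fault_code(dispatch(encode_call("delete_user", "root"), True)))  # 404
```

The important design choice is the dictionary lookup: resolving the method name with getattr() on a module or object, as some generic RPC servers do, is exactly how internal functions such as delete_user become callable from the network.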

SOAP

Initially, SOAP was the abbreviation for "Simple Object Access Protocol". Since version 1.2 the acronym is no longer expanded, because that name misrepresents what the protocol does. SOAP is a framework governing the exchange of data between systems over a network. With SOAP it is possible to call functions on remote systems, so it can be understood as the successor of XML-RPC. SOAP messages are also based on an XML structure and can be transmitted with the help of different protocols, for example SMTP, known from email transmission, or the HTTP already discussed. Using HTTPS is also possible in order to obtain an encrypted connection. One of the most important fields of application of SOAP is the provision and use of web services. Unlike XML-RPC, SOAP has a standardised security extension, WS-Security, which can sign and encrypt parts of a message independently of the transport; where it is not used, the same considerations as for XML-RPC apply.

Database connectors

Database connectors provide a standardised interface to databases and the related database management systems (DBMSs). They allow the data stored in the database to be accessed or changed regardless of the DBMS used. Additionally, a database connector is responsible for establishing, managing and closing a database connection. This makes the implementation of database access during software development far easier, and gives very simple access to database tables or functions of the DBMS. In order to manage the databases and their content, database connectors use known database languages such as SQL. Well-known database connectors include ODBC (Open Database Connectivity) and JDBC (Java Database Connectivity). The database account whose credentials the connector uses should hold only the rights the web application actually needs, since a compromised application inherits every right of that account.

SQL

SQL is the acronym for "Structured Query Language" and serves as a database language. With the help of SQL commands, databases can be defined, queried and changed; SQL thus unites the elements of a data manipulation language, a data definition language and a data control language. Although there are other database languages, SQL has become established for all commonly used databases and is standardised by ANSI and ISO.

Some security safeguards must be implemented for applications and web offerings that use SQL commands for database queries. In particular, any susceptibility to SQL injection must be avoided. SQL injection is a class of vulnerability in web applications that allows unauthorised access to database content. It arises when the application incorporates user input into an SQL statement without separating the statement from the data, so that an attacker can influence the SQL query. If SQL queries can be manipulated, it is possible to read, change or delete database contents completely, and, depending on the DBMS and its privileges, to go beyond the database.

The primary safeguard against SQL injection is to pass user data to the DBMS only as bound parameters of prepared statements (parameterised queries), so that the statement text is fixed and the input can never become part of it. Stored procedures, a function of the DBMS that stores related commands as finished procedures, achieve the same effect as long as the procedure itself does not assemble SQL dynamically from its arguments; a stored procedure that concatenates its parameters into a statement and executes it is just as injectable as the application code it was meant to replace. A similar level of protection can be attained with frameworks such as Hibernate, which form an additional abstraction layer between the database and the implementation of the database access and offer the programmer an interface independent of the database actually used. The same caveat applies: queries that the application assembles as strings (e.g. HQL or native SQL built by concatenation) are injectable again.

Independently of this, all data coming from users and used as database input should be subjected to input validation, preferably against an allowlist of the expected format rather than by filtering individual characters; escaping or filtering alone is fragile (numeric contexts, character set conversions, second-order injection) and is a defence in depth, not a replacement for parameter binding. Every application that passes data from outside into SQL statements must be treated as potentially affected and reviewed accordingly.
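The following added example (not part of the catalogue) shows the vulnerability and the safeguard side by side on a constructed in-memory SQLite table: the same lookup written with string concatenation and with a bound parameter, run against two typical injection payloads, plus an allowlist validation function of the kind the text recommends as defence in depth. Table contents and payloads are constructed for the example.

```python
"""Added example (not from the BSI catalogue): the same lookup written with string
concatenation (injectable) and with a bound parameter (not injectable), plus an
allowlist check as defence in depth, run against a constructed in-memory SQLite table."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """The input is spliced into the statement text, so the input becomes SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_parameterised(con: sqlite3.Connection, name: str) -> list:
    """The statement is fixed; the DBMS receives the input only as a value
    bound to the placeholder, never as part of the query."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def is_valid_username(name: str) -> bool:
    """Defence in depth, not a replacement for binding: accept the shape a user
    name is allowed to have instead of trying to blocklist dangerous characters."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", name) is not None


# Constructed attack inputs: a tautology and a UNION that pulls in another row set.
TAUTOLOGY = "x' OR '1'='1"
UNION = "x' UNION SELECT name, role FROM users WHERE role = 'admin' --"


if __name__ == "__main__":
    con = build_db()
    print("vulnerable   :", lookup_vulnerable(con, TAUTOLOGY))      # all three rows
    print("vulnerable   :", lookup_vulnerable(con, UNION))          # the admin row
    print("parameterised:", lookup_parameterised(con, TAUTOLOGY))  # []
    print("validated    :", is_valid_username(TAUTOLOGY))           # False
```

SQLite's execute() refuses a second statement in one call, so stacked payloads of the form "'; DROP TABLE ..." do not work here; on DBMSs and drivers that accept multiple statements they do, which is one more reason not to rely on the particular behaviour of one database.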

Techniques for calling remote procedures

CORBA (Common Object Request Broker Architecture) is a well-known and widely used technique for calling remote procedures. It is a standard of the Object Management Group (OMG) for distributed systems that allows communication connections to be established between processes on different systems and data to be exchanged. An interface definition independent of programming languages (Interface Definition Language, IDL) can be used by programs implemented in different languages in order to communicate with each other. In order to establish a communication connection between two processes, so-called Object Request Brokers (ORBs) are required on both sides. These are implemented in the programming language used by the respective side and are responsible for receiving and sending data. Communication between individual ORBs may be performed either using manufacturer-specific protocols or the manufacturer-independent Internet Inter-ORB Protocol (IIOP).

Concepts similar to CORBA are also available for individual programming languages and platforms. Two of the most commonly used are RMI (Remote Method Invocation) and DCOM (Distributed Component Object Model). RMI comes from the Java environment and allows remote Java methods to be invoked. DCOM provides an object-oriented RPC system built on DCE RPC; DCE (Distributed Computing Environment) is an industry standard for distributed applications that is based on the client-server model.

Since open architectures offer numerous interfaces with function calls across system boundaries, particular emphasis must be placed on who may access these interfaces and which data may be transmitted through them. Security aspects, particularly the authentication of participants, are addressed for CORBA in the CORBA Security Specification. In addition, the ports used by IIOP, RMI and DCOM should not be reachable from untrusted networks without a specific need and are to be filtered at the network boundary accordingly.