S 5.161 Creating dynamic websites

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

In order to provide dynamic web content, program logic is required on the server side. In many cases, this function can be performed by the web server itself, e.g. using simple scripts or Server Side Includes (SSI). For complex websites, however, a web application server with a corresponding framework is often used. The web application server does not necessarily have to be separate from the web server, since a web application server is already integrated into many commonly used web servers (e.g. Tomcat for Apache). Web application servers and/or the related frameworks allow comprehensive websites to be implemented. Furthermore, they provide significantly easier access to backend or legacy systems. Frequently used programming languages and frameworks for dynamic websites are described in the sections below.

CGI

CGI is the acronym for Common Gateway Interface and is a method for designing websites dynamically and interactively. Here, dynamic content is generated by external applications that are called by the web server. For these calls, CGI provides an interface between the web server and the system application. CGI is therefore not a programming language, but only a mechanism for executing programs from the web server. CGI programs can accordingly be written in any programming language, as long as the resulting program can be called by the web server. Depending on the technology used, a CGI application is present either as a binary file or as a script. Typical examples of CGI languages include C, Perl, TCL, Unix shell, and many more.

Since the dynamic functions are implemented with the help of CGI programs, these programs must also guarantee the required level of security themselves. For example, this means that each CGI program is responsible for checking its own parameters.

SSI

Similar to CGI, Server Side Includes (SSI) are a method for generating dynamic pages. SSI allows arbitrary files or the return values of system commands to be embedded in a web page. The possibilities for designing dynamic websites are rather limited with SSI, though, which is why SSI is only rarely used today.

As with CGI, vulnerabilities may also be exploited via the embedded system commands when SSI is used. For example, if the path of an embedded file can be influenced, certain files on the server may be read and/or commands may be executed on the system.
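The parameter check that the CGI section requires of every CGI program, and the confinement of an include path whose value a client can influence, as one added example in Python (not part of this safeguard; the page parameter, the allow-list and the /srv/www document root are constructed assumptions): the value is validated against an allow-list first, then the resulting path is canonicalised and checked to lie inside the document root before any file would be read.

```python
import os
import re
from urllib.parse import parse_qs

# Allow-list for the "page" parameter: a plain file name, no path separators.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.html")

def safe_include_path(docroot, requested):
    """Return the absolute path of an include file, or None when the request
    resolves outside docroot (via "../", an absolute path or a symlink)."""
    root = os.path.realpath(docroot)
    # Join relative to the document root, then canonicalise ".." and symlinks.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def select_page(query_string, docroot):
    """The check a CGI script owes its own parameters: parse the query string,
    validate the value against the allow-list, then confine the resulting path."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("page", [])
    if len(values) != 1:                    # missing or repeated parameter
        return None
    page = values[0]
    if not PAGE_NAME.fullmatch(page):       # rejects "../x", "/etc/passwd", "a\n"
        return None
    return safe_include_path(docroot, page)

if __name__ == "__main__":
    # Constructed document root; the directory need not exist for the checks.
    DOCROOT = "/srv/www"
    for qs in ("page=index.html", "page=../../etc/passwd", "page=/etc/passwd"):
        print(qs, "->", select_page(qs, DOCROOT))
```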

PHP

PHP (acronym for "PHP: Hypertext Preprocessor") is a scripting language for implementing dynamic websites. Since version 4, PHP has been complemented by aspects of object-oriented programming. Essential features of PHP include its easy learning curve and its broad support for database connections.

Furthermore, PHP offers a large number of security functions. For example, potentially dangerous characters can be identified and escaped automatically when so-called Magic Quotes are used. This way, many common attacks can be made more difficult. Another security function is open_basedir, which prevents any access to files outside of the defined directory and thus limits an attacker's possibilities. Moreover, PHP allows potentially dangerous functions to be restricted. With the help of the so-called Safe mode, numerous rights can be restricted. This above all makes sense for a multi-domain environment where several websites are operated on the same server.

Despite these security functions, there are also some problems associated with PHP due to certain settings (e.g. register_globals). For example, this setting allows arbitrary variables to be set when a PHP script is called, making it easier for an attacker to compromise the website. In the past, numerous vulnerabilities occurred in PHP.

Along with PHP, other scripting languages have become established for implementing dynamic websites. The most popular examples include Ruby, Python, and Perl. All of these scripting languages mainly offer similar functions and are therefore exposed to similar security problems. Experience has shown that the majority of the known vulnerabilities in web applications do not depend on the programming language used.

JSP (Java Server Pages)

Java Server Pages are predominantly used for the presentation layer of Java web applications. The data to be presented is generally stored in so-called JavaBeans (data transfer containers), allowing easy access. However, it is also possible to implement business logic in JSP pages. This results in an unclear separation between the function and the presentation of the data, though, and contradicts the model view controller approach, which provides for a clear separation between data, function, and presentation.

J2EE

The Java Enterprise Edition, J2EE for short, specifies a software architecture for transaction-based Java applications. With it, dynamic content can be generated by embedding Java code in HTML and XML documents.

Java offers a host of security functions. For example, Java is type-safe, meaning that the data types of variables and parameters are verified when they are used. Through the design of its memory management, Java prevents vulnerabilities such as buffer overflows and heap overflows in the application. This way, an attacker can no longer gain control of a program by filling its memory with manipulated input. Other vulnerability classes still pose a threat in Java, however. With the help of a so-called sandbox, Java provides the option of executing code in a secure and separate environment without endangering the operating system. With the help of J2EE Security, system resources may furthermore be managed restrictively.

ASP/ASP.NET/Mono

Active Server Pages (ASP) is first and foremost used in Microsoft environments, since this technology predominantly runs on the Microsoft Internet Information Server. However, ASP is not a separate programming language, but a framework that allows the program logic to be written in different programming languages. ASP is no longer being developed further and has been superseded by its successor ASP.NET. In addition to the Microsoft implementation, Mono provides a variant that can be run on Unix.

There is a host of security functions for ASP.NET. One example is the gatekeeper mechanism, which consists of different modules offering different security functions (e.g. filtering, authentication, etc.). Moreover, a separate anti-cross-site-scripting framework is available. With the help of an additional framework, role-based access control can be implemented.

Web service

A web service can be compared to a web application. The difference is that the results are not formatted for a browser, but made available in a different structured form (e.g. SOAP). A service-oriented architecture (SOA) can be designed by networking web services. Here, individual parts of an application are implemented as web services. These parts can then be used repeatedly by several applications. This increases the reusability of functions and facilitates the maintenance of the individual application parts.

Since web services use the same protocols as web applications, they must be treated on a par with web applications with regard to their security requirements. There is a separate standard for web service security (WS-Security). Due to the openness of a service-oriented architecture, access control must be given particular consideration in comparison to closed architectures. As a consequence, the requirements regarding authenticity, integrity, and confidentiality are particularly high for communication with web services. Requests and the related responses must be prevented from being intercepted in plain text, as must the falsification or modification of messages.

These security requirements can be met by using corresponding cryptographic procedures. In a service-oriented architecture, it is also possible to implement individual security safeguards as separate services.

WSDL (Web Service Description Language) is an important term in the context of web services. WSDL is used to provide the functional information about a web service that is required in order to use it. A WSDL file describes the interface of a web service: it shows which functions the web service provides, how these are called, and which parameters are required for calling them. A WSDL file thus contains the essential information (e.g. access point and protocol) required to use a web service.

Security aspects in the context of WSDL primarily concern the XML parsers required to process the data transmitted to the web service. Since in-house developments are often used as parsers, these are susceptible to numerous attacks. Here, deliberately malformed XML messages are generally used, which may cause the parser or the entire web service to crash. One example is an XML bomb: an XML document whose sub-elements reference themselves several times over, which may cause problems when the parser reads in the document.
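An added example (not from this safeguard) of the parser-side defence against the XML bomb described above, in Python with the standard expat parser: the internal entity declarations are collected from the DTD, their worst-case expansion is computed before any content is parsed, and a reference chain that returns to itself is rejected; the sample documents and the 2,000-character limit are constructed.

```python
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")

class XmlBombError(ValueError):
    """The DTD's internal entities would expand to an unsafe size."""

def expanded_size(name, entities, stack=()):
    """Characters an entity yields once nested references are replaced;
    a reference chain that returns to itself is rejected outright."""
    if name in stack:
        raise XmlBombError("entity %r references itself" % name)
    value = entities[name]
    size = len(ENTITY_REF.sub("", value))
    for ref in ENTITY_REF.findall(value):
        if ref in entities:
            size += expanded_size(ref, entities, stack + (name,))
    return size

def parse_untrusted_xml(data, max_expansion=2_000):
    """Parse with expat, bounding entity expansion before any content is read."""
    entities, elements = {}, []
    parser = xml.parsers.expat.ParserCreate()
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:    # internal general entity
            entities[name] = value
    def on_doctype_end():
        # Every declaration is known here, but none has been expanded yet.
        total = sum(expanded_size(n, entities) for n in entities)
        if total > max_expansion:
            raise XmlBombError("entities would expand to %d characters" % total)
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements                                 # element names in order

def is_xml_bomb(data, max_expansion=2_000):
    try:
        parse_untrusted_xml(data, max_expansion)
    except XmlBombError:
        return True
    return False

SAFE = '<?xml version="1.0"?><order><id>42</id></order>'   # constructed sample
# Constructed "billion laughs" DTD: lol1 = 10 x lol, lol2 = 10 x lol1, ..., lol4.
BOMB = '<!DOCTYPE lolz [<!ENTITY lol "lol">' + "".join(
    '<!ENTITY lol%d "%s">' % (i, "&lol%s;" % (i - 1 or "") * 10) for i in range(1, 5)
) + "]><lolz>&lol4;</lolz>"
```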

Another basic threat to web services is the interception and re-sending of insufficiently protected SOAP messages (a so-called replay attack). Here, SOAP messages previously recorded by an attacker are re-transmitted any number of times, so that the instructions of a legitimate user are executed again on the server. This procedure may be used to change or delete databases on the service provider's side without authorisation.
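An added example, not part of this safeguard, of the server-side replay check that the authenticity and integrity requirements above call for: each message carries an id, a creation time and an HMAC over both and the body (a constructed stand-in for a WS-Security signature covering Timestamp and Body); the provider verifies the HMAC, enforces a freshness window and rejects ids it has already accepted. The key, window and sample messages are constructed.

```python
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"   # shared secret of consumer and provider (constructed)

def sign(message, key=KEY):
    """HMAC over message id, creation time and body, standing in for a
    WS-Security signature that covers the Timestamp and the SOAP Body."""
    signed_part = json.dumps([message["id"], message["created"], message["body"]])
    return hmac.new(key, signed_part.encode(), hashlib.sha256).hexdigest()

def make_message(msg_id, created, body, key=KEY):
    """Build a signed message as the legitimate consumer would."""
    message = {"id": msg_id, "created": created, "body": body}
    message["mac"] = sign(message, key)
    return message

class ReplayGuard:
    """Accept each authentic message at most once within a freshness window."""
    def __init__(self, key=KEY, max_age=300, skew=5):
        self.key, self.max_age, self.skew = key, max_age, skew
        self.seen = {}                      # message id -> its creation time

    def accept(self, message, now=None):
        """Return (accepted, reason). Integrity is checked first, so forged
        messages can neither fill the seen-set nor probe the timestamp rule."""
        now = time.time() if now is None else now
        expected = sign(message, self.key)
        if not hmac.compare_digest(expected, str(message.get("mac", ""))):
            return False, "bad signature"
        created = message["created"]
        if not (now - self.max_age <= created <= now + self.skew):
            return False, "stale or future timestamp"
        # Drop ids whose messages are now too old to pass the timestamp check,
        # so the set stays bounded without opening a replay window.
        self.seen = {i: t for i, t in self.seen.items() if now - t <= self.max_age}
        if message["id"] in self.seen:
            return False, "replayed message id"
        self.seen[message["id"]] = created
        return True, "accepted"

if __name__ == "__main__":
    guard = ReplayGuard()
    request = make_message("urn:uuid:constructed-0001", 1000, "<DeleteOrder id='42'/>")
    print(guard.accept(request, now=1010))   # first delivery
    print(guard.accept(request, now=1011))   # the same capture sent again
```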

AJAX/Atlas

Atlas is a framework for AJAX (Asynchronous JavaScript and XML) that runs as a web service. With the help of this technology, attempts are made to emulate, as web applications, programs that until now have only been used on PCs. This means that parts of a web page can be reloaded without having to redraw the rest of the page. Compared to traditional web applications, the performance achieved this way is significantly better.

However, the use of AJAX is not advisable, since users have to permit active content on the clients for it to work. The use of active content is predominantly associated with the threats of session riding and cross-site scripting.

Streaming services

Streaming services are predominantly used to transmit audio and video data to clients. However, this requires specific programs or browser plug-ins on the client side. In order to enforce authorisation concepts for the content presented, so-called digital rights management systems (DRMSs) are often used. For example, these systems ensure that a client is only allowed to display or copy data if it has been granted the corresponding rights in the form of a licence.

Streaming services use a host of protocols in order to send data to the clients. The most commonly used protocols for this include the Real Time Streaming Protocol (RTSP) and the Resource Reservation Protocol (RSVP).