Feature Article: Posted 09/15/02

Security and Web Development

by Cory Williams
Information Security Analyst

Security is a popular topic of discussion these days, not only in the world in general, but here at UTHSC-H as well. As many of you know, we are in the midst of a firewall implementation that will go a long way in securing the University's information technology infrastructure. Once this firewall is fully implemented, the security of our web servers and the applications running on them will become extremely important, because these web servers will become the main "doorways" into our campus networks. Most of the computers that remain accessible from the Internet will be web servers - thus, if they are not already a favorite hacking target, they will become even more popular with outsiders wanting to get into our internal systems.

Another issue that the University has to deal with in the face of the Health Insurance Portability and Accountability Act (HIPAA), as well as state and other federal regulations, is the treatment of data that is captured via web applications. If this data is considered to be "personally identifiable" then it needs to be securely transmitted and stored.

Hopefully, this article and the follow-up brown bag luncheon in October will help you understand some of the security issues that web developers and server administrators face and some of the hacker techniques that are used in breaching web applications. Due to time and space constraints, I will briefly discuss several security topics in this article, and then hopefully be able to actually demonstrate some of these at the brown-bag luncheon in October.

Passwords

Hacking passwords is probably the most popular way for intruders to access computer systems. Most users do not like to try to remember difficult passwords - so we choose things such as names of spouses or children, favorite foods or colors, cars we drive, names of popular athletes, or names of religious deities. As a web developer, you have passwords that carry certain authority on web servers - you are able to FTP or SSH to web servers and read, modify, or delete files on that web server. You may also be the administrator of the web server, in which case your authority is even greater - you can probably access the underlying operating system and perform OS and server administrative duties. Thus, the protection of your account is crucial to the security of not only the web site, but also the server and any connected systems.

Although passwords are one of the easiest ways to breach information systems' security, they are also one of the simplest weaknesses to fix. The University's Information Technology Security Department (ITS) has developed a password policy, which is located at http://www.uth.tmc.edu/itsecurity/frame_Passwords.htm. This document is not only a University policy; it also provides some common sense guidance on choosing strong passwords.

FTP vs. SSH

FTP is the usual way to transfer or copy files from a web developer's desk PC to the web server. Many FTP clients exist, such as WS-FTP, that make this process very easy. Also, FTP is built into most web development applications such as Microsoft FrontPage and Macromedia Dreamweaver. However, FTP is considered an insecure protocol because anything that is sent via FTP is sent in clear text. What this means is that the traffic or files going between the desk PC and the server via an FTP session can be intercepted and viewed - this includes login information. A more secure method of transferring files is SSH (secure shell) and SFTP (secure file transfer protocol). This method uses public and private "keys" to encrypt the data flowing between the desk PC and the server. Thus, if the traffic is intercepted, the data cannot be read. SSH and SFTP clients are becoming more popular and are now similar in ease of use to WS-FTP. Also, the latest version of Dreamweaver provides the ability to transfer files via SFTP. The University's ITS Department has also developed a policy that requires SSH and SFTP to be used on servers that store or transmit personally identifiable data (see Host Configuration Procedures).

HTTP vs. HTTPS

HTTP is the HyperText Transport Protocol, the protocol that is used on the web. Like FTP, this protocol sends everything in clear text, so if a hacker were to intercept the traffic, it would be viewable. HTTPS is the "secure" version of HTTP, similar to how SFTP is the "secure" version of FTP. HTTPS utilizes Secure Sockets Layer (SSL) to encrypt data flowing between a web server and a web browser, so if it is intercepted, it would not be viewable. Using HTTPS only requires that a digital certificate be installed on the web server - this accomplishes two things. First, it verifies the identity of the web server to the web browser, so that users of that web site can be assured that it is the site they meant to go to. Second, the digital certificate enables the server and browser to encrypt the data exchanged between them. As with SSH and SFTP, the University's ITS Department is requiring that HTTPS be used in all situations where personally identifiable data may be gathered from web clients (see Host Configuration Procedures).

Trusting Client Submitted Data

Many web sites are created not only to give out information, but also to take in information. This may be done via web forms, web applications, or e-mail. Many hacker tools are now available which try to find weaknesses in this information gathering process, and it has now become necessary for web developers to not trust any data submitted by web users. These tools intercept data being sent from the web browser back to the server via the web form's POST or GET methods. This matters when you are actually performing some function based on the information submitted by the client - for instance, if you have a web form that allows the user to submit a query to a backend database, or a web form that performs some login/authentication functionality. Also, client-side data type/length restrictions (such as text fields being limited to a certain number of characters or character types) are easy to bypass, because the intercepted request can be edited before it reaches the server. If your web site is going to take any client-supplied data, process it, and then perform some further functions, you should always perform data verification and checks on the server side. During the brown-bag luncheon, I will demo one of these tools and show you how it can be used to compromise web sites.

SQL Manipulation

SQL manipulation or injection is becoming a very popular hacker technique. As more and more web sites become front-ends to database applications, hackers are finding ways to penetrate the database via the web front-end. SQL manipulation is a technique of crafting special queries via web page front-ends to databases in the hope of gaining further access or retrieving more data than authorized. This is closely related to the previous topic, and the same hacker tools can be used. Again, the solution is to verify, on the server, any data that will become part of a query to the database application, and to assume that client-side query statements can be manipulated. I will touch briefly on this subject during the brown-bag luncheon.
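The two preceding sections (server-side checks on client-supplied data, and SQL manipulation through a web front-end) come together in the following added example, which is not code from the original article. It assumes a hypothetical login form whose backend is a SQL database (an in-memory SQLite table stands in for it here), and places a query built by string concatenation beside one that validates the field on the server and passes values as bound parameters.

```python
import re
import sqlite3


def make_db():
    """Constructed sample user table standing in for the real backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


# Server-side rule for the username field: alphanumerics and underscore, 1-32 chars.
# The form's client-side maxlength/character restrictions are easy to bypass, so
# the same limit is enforced again here, where the attacker cannot edit it.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value):
    """True only if the submitted value obeys the server-side field rules."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def count_matches_vulnerable(conn, username, password):
    """Builds the query by pasting client text into the SQL statement.

    Whatever the client sends becomes part of the statement itself, so a crafted
    value can change the WHERE clause and match rows the user is not authorized to see.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0]


def count_matches_safe(conn, username, password):
    """Rejects malformed input, then binds values as parameters.

    With '?' placeholders the database driver treats both values purely as data,
    so quotes or SQL keywords inside them can never alter the statement's structure.
    """
    if not validate_username(username):
        return 0
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0]
```

With the constructed table, a legitimate username and password match exactly one row in either version, while a malformed password value matches every row in the concatenated query and no row in the parameterized one.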

Summary

Hopefully, this article has raised your awareness of the security issues that web developers face. As mentioned at the beginning of this article, web development and application security is becoming a very important issue as more and more applications are web-enabled and these applications become "doorways" into our internal network. Again, I hope to demonstrate some of these issues and discuss them in further detail at the brown-bag luncheon in October, so I hope that you will be able to attend.

If you have a specific question or concern regarding security here at UTHSC-H, please feel free to contact me at Cory.L.Williams@uth.tmc.edu or call me at 713-500-2238.