
Web Servers - Scripting Errors


    Web applications, programs and server-side code such as Common Gateway Interface (CGI) scripts, ASP.NET, PHP, and Java Server Pages (JSP) are commonly used in web applications and present their own class of issues. A lack of input validation on the server side is a liability; server-side validation is the method of choice over client-side validation. Client-side validation is in the control of the user, not the web application developer, and should never be trusted.

    Some attacks on the server or web application may include...

    Upload Bombing
    The goal of this attack is to upload masses of files to the web server in order to fill up the server's hard drive. Once the hard drive is full, the application may stop functioning or crash altogether. The web server will be unable to create new sessions or write to log files, and other services running on the server, such as a database, may be impacted as well.

    Poison Null Byte Attack
    A poison null byte attack passes special characters that the server-side scripts may not be designed to handle. This can result in the application not functioning properly, Local File Inclusion (LFI), access being granted where it should not otherwise be given, and so on.

    Default Scripts
    Developers new to web application development sometimes upload default scripts to the web server that they do not need. In such cases, an attacker can analyze or exploit configuration issues with the scripts and gain unauthorized access to the target system.

    Sample Scripts
    Web application software may include sample content and sample scripts that are regularly left in place on the web server. In such cases, these scripts may enable an attacker to execute code that can lead to a compromise or other malicious activity.

    Poorly Written or Questionable Scripts
    Some scripts have appeared that include information such as usernames and passwords, potentially letting an attacker who can view the contents of the script read these credentials. There are a lot of downloadable scripts on the Internet that add features and functions to a web application while saving development cost, since the functionality does not have to be developed in-house. A number of these scripts are poorly written and may include vulnerabilities, backdoors or worse.
    Certified Security Geek
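As an added example (not code from the original post), the following Python shows the server-side checks the post argues for: a filename validator that rejects the poison null byte (literal or URL-encoded) and directory traversal, and a per-user quota that blunts upload bombing. The limits, the upload directory and the sample requests are constructed for illustration.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed limits for this example (assumptions, not from the original post).
MAX_FILES_PER_USER = 100
MAX_BYTES_PER_USER = 50 * 1024 * 1024  # 50 MiB of stored uploads per user
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_filename(raw_name: str) -> bool:
    """Server-side filename check; a browser-side check cannot replace it.

    URL-decode first so an encoded null byte (%00) is treated like a literal
    one, then reject NUL (poison null byte), path separators, dot-only names
    and anything outside a conservative whitelist.
    """
    name = unquote(raw_name)
    if "\x00" in name:                  # poison null byte
        return False
    if "/" in name or "\\" in name:     # no directory components
        return False
    if name in (".", ".."):
        return False
    return SAFE_NAME.match(name) is not None


def within_quota(file_count: int, used_bytes: int, new_size: int) -> bool:
    """Per-user quota check that limits upload bombing (filling the disk)."""
    if new_size <= 0 or file_count + 1 > MAX_FILES_PER_USER:
        return False
    return used_bytes + new_size <= MAX_BYTES_PER_USER


def accept_upload(raw_name: str, new_size: int, file_count: int,
                  used_bytes: int, upload_dir: str) -> Optional[str]:
    """Return the path the file may be written to, or None if rejected.

    Both checks run on the server regardless of what the client validated;
    the realpath comparison guards against the name escaping upload_dir.
    """
    if not validate_filename(raw_name) or not within_quota(file_count, used_bytes, new_size):
        return None
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, unquote(raw_name)))
    return target if os.path.commonpath([root, target]) == root else None


if __name__ == "__main__":
    # Constructed sample requests: (filename as sent by the client, declared size).
    for name, size in [("report.pdf", 4096), ("report.pdf%00.jpg", 4096),
                       ("../etc/passwd", 10), ("big.bin", MAX_BYTES_PER_USER + 1)]:
        print(name, "->", accept_upload(name, size, 0, 0, "/srv/uploads"))
```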