An Introduction To Web Application Exposed Surface
Understanding a web application's exposed surface
In the context of software application security, many flaws result from design mistakes and gaps in functionality. As a rule of thumb, the more lines of code an application employs, the greater the number of weaknesses. A web application's exposed surface comprises all the addresses (URLs), methods (e.g. POST, GET, HEAD) and parameters (form fields, query strings, URL paths, cookies and other headers) to which it responds. It is important to remember that features such as search-engine-friendly URLs, dynamic URLs and URL rewriting can make this surface harder to enumerate, but these difficulties can be overcome easily, especially if a site's path naming convention is analyzed and defined early in the development process.
Typical problems encountered
Simply by reducing the exposed surface, or limiting it to only the necessary entry points, the security of your application can be substantially enhanced. A web application will always combine the functionality necessary for your business processes with the ability to handle other types of requests seamlessly (e.g. the site icon, the robots.txt file, missing-page tests).
The types of things which are commonly exposed, but should not be, are:
Templates that are used by other scripts
Incorporated code, such as modules and libraries, that are never meant to be an entry point
Entry points meant for users with a different role or permissions (e.g. system initiated web services, customer-only content)
Unused, but included, functionality.
The exposed surface might also include the following things, which should really never exist in web-accessible locations:
Administrative interfaces
Logs
Backups
Temporary files
Configuration files such as encryption keys and database connection strings
Default installation files, including help documentation
Old and archived scripts, test versions of a site, and other unused content.
More about the exposed surface
Some entry points may only be meant for particular groups of authenticated users, although there may be some overlap with unauthenticated public users. There are several places where you can enforce limitations on the inbound exposed surface. Some typical ones are:
Network firewall
Traffic management device
Web application firewall (WAF)
HTTP proxy server
Web server
Application code.
So what's the verdict?
In many cases, it is better to use a combination of several of the above than just one. You might even enforce the same restriction in more than one place. For example, you may open only port 443 through the network firewall, have the web server listen solely on port 443, and also have the application check that TLS is in use and set the Secure flag on the session cookie. Another approach is to fingerprint the page content and monitor for changes such as defacement and cross-site scripting injection.
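The application-code layer of the layered approach above, as an added Python example that is not from the article: a small WSGI middleware that allowlists only the needed entry points (method plus path), refuses the file types the lists above say should never be web-accessible, checks that TLS is in use, and sets the Secure (and HttpOnly) flag on any cookie the application emits. The entry-point paths, the extension list and all names here are illustrative assumptions.

```python
# Added example, not the article's code: a WSGI middleware enforcing a reduced exposed
# surface at the application layer. All names/paths here are illustrative assumptions.
import re

# Allowlist of the entry points the application actually needs: (method, path regex).
# Anything not listed is outside the exposed surface and gets a 404.
ENTRY_POINTS = [
    ("GET", re.compile(r"^/$")),
    ("GET", re.compile(r"^/products/\d+$")),
    ("POST", re.compile(r"^/cart$")),
    ("GET", re.compile(r"^/(robots\.txt|favicon\.ico)$")),  # harmless housekeeping requests
]

# Content that should never be web-accessible: logs, backups, temp files, config, archives, dotfiles.
NEVER_SERVE = re.compile(r"\.(log|bak|old|tmp|swp|orig|env|ini|conf|sql|tar|gz|zip)$|(^|/)\.", re.I)

def classify_request(method, path, scheme):
    """Return one of: 'allow', 'not_tls', 'forbidden_file', 'not_entry_point'."""
    if scheme != "https":                     # the application itself verifies TLS is in use
        return "not_tls"
    if NEVER_SERVE.search(path):              # defence in depth: refuse even if such a file is in the docroot
        return "forbidden_file"
    for allowed_method, pattern in ENTRY_POINTS:
        if method == allowed_method and pattern.match(path):
            return "allow"
    return "not_entry_point"

STATUS = {"not_tls": "403 Forbidden", "forbidden_file": "404 Not Found", "not_entry_point": "404 Not Found"}

def surface_guard(app):
    """WSGI middleware: drop requests outside the allowlist, mark cookies Secure and HttpOnly."""
    def wrapped(environ, start_response):
        verdict = classify_request(environ["REQUEST_METHOD"], environ.get("PATH_INFO", ""),
                                   environ.get("wsgi.url_scheme"))
        if verdict != "allow":
            start_response(STATUS[verdict], [("Content-Type", "text/plain")])
            return [verdict.encode()]
        def secured_start(status, headers, exc_info=None):
            headers = [(k, harden_cookie(v) if k.lower() == "set-cookie" else v) for k, v in headers]
            return start_response(status, headers, exc_info)
        return app(environ, secured_start)
    return wrapped

def harden_cookie(value):
    """Ensure a Set-Cookie header value carries the Secure and HttpOnly flags (idempotent)."""
    flags = {f.strip().lower() for f in value.split(";")[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in flags:
            value += "; " + flag
    return value
```

Wrap your WSGI application as `surface_guard(app)`; the web server and firewall layers described above still apply in front of it.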
by: Holly Maxted