June 01, 2006
Web Services Security - In the Beginning...
To examine web services security today, let's take a little survey of the security issues related to the first generation web application model. This model was typified by thin-client/server HTTP communication with a tightly coupled server side comprising a web server, scripted business logic and a database. This first-gen web application model is, in many ways, still the most prevalent today.
Initial attacks against this model were primarily denial-of-service exploits that exposed web server processing vulnerabilities. Other attacks included buffer overflow exploits such as the highly publicized Code Red, which took advantage of a vulnerability in the Microsoft Index Server.
In those early days of web application security, installation defaults were often a source of vulnerabilities. Unsecured critical directories or elevated privileges were sometimes left exposed after installation. Directory traversal attacks, where an attacker would look for open, available directories with execute privileges, were often an effective way to compromise a system. With the attention given to security these days, it is unlikely to have installation defaults exposed in this way, but it used to be far too prevalent.
As web applications became more sophisticated, the attacks likewise became more complex, but I'll tackle that in my next post.
Posted by andreyee in web services security

Andre Yee's Security Insider
