Web Application Security 101 - 10 Server Tier
0 likes282 views
The document discusses security concerns for the server tier, including ensuring servers and frameworks are fully patched, removing default features with broad access, restricting or removing extra applications, and deleting old code and backup files that could pose security risks if exposed. It provides examples of default features, applications, and files to watch out for, and suggests reviewing servers for potential problems.
Web Application Security 101 - 10 Server Tier
- 1. Server Tier Security of the server, the frameworks and web content.
- 2. Types Of Concerns Server Patching Default Features Extra Applications Old Code And Backups
- 3. Server Patching Front-end and back-end servers must be fully patched.
- 4. Default Features Some web servers may come with default functionalities, which may need to be removed or restricted to authorized personal only. Tomcat - /manager, etc. JBoss - /jmx-console, etc. Apache - /server-status, etc.
- 5. Extra Applications Default server installations may come with built-in applications. PhpMyAdmin, Django Admin, etc.
- 6. Old Code And Backups There could be old code and backups inside the application root folder. File prefixes: ~, ., etc. File suffixes: ~, .bck, .bac, .back, .tar.gz, tar.bz2, etc.
- 7. Lab Let's see if we can find some of these problems.