The most prominent components of web applications that attackers will first seek to exploit are vulnerabilities within the web platform. The web platform is comprised of common (not necessarily commercial!) off-the-shelf (COTS) software that sits atop the host operating system but below the custom application logic. The web platform commonly includes:
• Web server software (such as IIS or Apache).
• Extensions to the web server, such as ISAPI filters and extensions, or Apache modules.
• Dynamic execution environments like ASP.NET, PHP, and J2EE (also referred to as application servers).
• Services and daemons, such as user forums or web guest book packages.
Historically, web server software vulnerabilities were one of the easiest ways to exploit a web site, but more recently, many popular web server software development teams have become increasingly security conscious, primarily because their products have taken a tremendous beating from hackers for so many years. Microsoft’s IIS is the poster child for this phenomenon. Although severe vulnerabilities used to be found with startling regularity in the IIS product line circa versions 4 and 5, newer versions have been relatively untouched, thanks largely to an invigorated attentiveness to security in the IIS development process.
None of this should be taken to mean that you can ignore platform issues. We’ve noticed conditions where 6 vulnerable web servers out of a farm of over 10,000 resulted in the total compromise of an entire company network within a few days.
The hacking society continues to develop their toolset to enable ever easier identification and exploitation of such weaknesses.