Security in web applications Part 3: Secure operation of web applications

07.02.2014

In this blog series we have already covered designing and programming secure web applications. This final part describes how the secure operation of web applications can be ensured.

Reduce server information

You want to give an attacker as little information about a system as possible. Merely displaying the version numbers of the servers in use lets an attacker look up known vulnerabilities and ready-made exploits for exactly those versions instead of probing blindly, which makes penetrating the system considerably easier.

A typical security-conscious setup places a proxy server in front of the application server that terminates the TLS connection, so that the application server itself is not directly reachable by users. The connection between the proxy and the application server is then often unencrypted, which is only acceptable if that link runs over a trusted, isolated network segment. So a single web application already involves two servers whose version numbers must be hidden. Hiding server and version information has to happen on two levels: the HTTP protocol (the Server response header) and the display of exceptions by the web application. On both levels no information, or only reduced information, should be shown. In general, exceptions and stack traces should never be displayed to the user anyway.

The following example architecture shows how the version numbers can be switched off. An Apache web server in version 2.2 serves as the TLS proxy that terminates the TLS connection, and an Apache Tomcat in version 7 serves as the application server.

In the Apache web server, the server information can be adjusted via the following entry in the "httpd.conf" file:

ServerTokens Prod

With this setting only the product name ("Apache") is sent in the Server header. In its default configuration (ServerTokens Full) the Apache web server would output the following information:

  • Name of the server
  • Version number
  • Name of the operating system used
  • Name and version number of the modules used

This information is very useful to an attacker, because it lets him search for published vulnerabilities and exploit tools that target exactly these versions. Note that ServerTokens only controls the Server header; the footer that Apache appends to its own error pages is controlled separately by the ServerSignature directive, which should be set to Off as well.
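To verify both levels from the outside after such changes, here is a small POSIX shell audit, added here as an example and not part of the original post. It inspects a saved HTTP response (for instance the output of `curl -sS -i https://host/does-not-exist`) for version numbers in the Server or X-Powered-By header, for Apache or Tomcat product strings on error pages, and for leaked Java stack traces. The three sample responses are constructed for this example and are not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved HTTP response
# (e.g. `curl -sS -i https://host/does-not-exist > resp.txt`) for the two
# kinds of disclosure discussed above: version strings in headers, and
# version strings or stack traces in the response body.

# audit_response FILE
# Prints one line per finding; returns 0 when nothing was found, 1 otherwise.
audit_response() {
    file=$1
    found=0
    # Level 1: Server / X-Powered-By headers carrying a version number.
    if grep -i -E '^(Server|X-Powered-By):.*[0-9]+\.[0-9]+' "$file" >/dev/null; then
        echo "header disclosure: $(grep -i -E '^(Server|X-Powered-By):' "$file" | tr -d '\r' | head -n 1)"
        found=1
    fi
    # Level 2a: product/version strings on Apache- or Tomcat-generated pages.
    if grep -v -i '^Server:' "$file" | grep -E 'Apache( Tomcat)?/[0-9][0-9.]*' >/dev/null; then
        echo "error page disclosure: $(grep -v -i '^Server:' "$file" | grep -o -E 'Apache( Tomcat)?/[0-9][0-9.]*' | head -n 1)"
        found=1
    fi
    # Level 2b: a Java stack trace ("at pkg.Class.method(File.java:NN)") in the body.
    if grep -E '^[[:space:]]*at [A-Za-z0-9_$.]+\(' "$file" >/dev/null; then
        echo "stack trace disclosure"
        found=1
    fi
    return $found
}

# write_samples DIR: three constructed responses (not captured from a real server).
write_samples() {
    cat > "$1/before.txt" <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e
Content-Type: text/html;charset=utf-8

<html><head><title>Apache Tomcat/7.0.50 - Error report</title></head>
<body><h1>HTTP Status 404 - /missing</h1><h3>Apache Tomcat/7.0.50</h3></body></html>
EOF
    cat > "$1/after.txt" <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html;charset=utf-8

<html><head><title>Apache Tomcat - Error report</title></head>
<body><h1>HTTP Status 404 - /missing</h1><h3>Apache Tomcat</h3></body></html>
EOF
    cat > "$1/stacktrace.txt" <<'EOF'
HTTP/1.1 500 Internal Server Error
Server: Apache
Content-Type: text/html;charset=utf-8

<pre>java.lang.NullPointerException
    at com.example.web.OrderServlet.doGet(OrderServlet.java:42)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
</pre>
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
for name in before after stacktrace; do
    echo "== $name =="
    if audit_response "$samples/$name.txt"; then
        echo "clean"
    fi
done
```

Run it against the real proxy by replacing the sample file with a saved response; a non-zero exit status makes it usable as a check in a deployment pipeline.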

Reducing the server information for Apache Tomcat 7 is somewhat more involved. Here you have to extract the file "ServerInfo.properties" from the Java archive "catalina.jar". To do so, open a console on the operating system, change to the "lib" directory of the Apache Tomcat installation and run the following command using the jar tool of the JDK:

jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

The directory path "org/apache/catalina/util" containing "ServerInfo.properties" now exists inside the lib directory. Because Tomcat's common class loader searches the lib directory before the jar files in it, this extracted copy takes precedence over the one inside catalina.jar, so the jar itself does not have to be repacked. In the following example the content of the file has already been adapted and the version number removed from the "server.info" entry:

server.info=Apache Tomcat
server.number=7.0.50.0
server.built=Dec 19 2013 10:18:12

With this change, Tomcat's own error pages and exception reports no longer show a version number. Note that the HTTP Server header of Tomcat's connector is not taken from this file: it is controlled by the server attribute of the <Connector> element in conf/server.xml, which can be set to a neutral value such as server="Apache" so that the backend does not announce itself either.
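The same procedure as a script, added here as an example that is not part of the original post: it extracts the properties file beside catalina.jar, rewrites the server.info entry and reports the result. It assumes, as the post does, that the jar tool is on the PATH and that the Tomcat installation directory is known; the demonstration at the end uses a constructed copy of the properties file so that it runs without a Tomcat installation.

```shell
#!/bin/sh
# Added example (not from the original post): strip the version from Tomcat's
# ServerInfo.properties by script instead of editing it by hand. Assumes the
# JDK `jar` tool is on PATH and the Tomcat 7 installation directory is known.

# strip_server_version FILE
# Rewrites the server.info line so that it carries only the product name.
# server.number and server.built are left alone; they are not shown on error pages.
strip_server_version() {
    f=$1
    # GNU and BSD sed differ on -i, so write to a temp file and move it back.
    sed 's/^server\.info=.*/server.info=Apache Tomcat/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# server_info_value FILE: prints the value of the server.info entry.
server_info_value() {
    sed -n 's/^server\.info=//p' "$1"
}

# harden_tomcat_server_info TOMCAT_DIR
# Extracts the properties file next to catalina.jar in lib/ and edits it there.
# Tomcat's common class loader searches lib/ before lib/*.jar, so the edited
# copy shadows the one inside the jar without repacking it.
harden_tomcat_server_info() {
    lib="$1/lib"
    rel=org/apache/catalina/util/ServerInfo.properties
    (cd "$lib" && jar xf catalina.jar "$rel") || return 1
    strip_server_version "$lib/$rel"
    echo "server.info is now: $(server_info_value "$lib/$rel")"
}

# Demonstration on a constructed properties file (the content mirrors Tomcat
# 7.0.50 before editing); on a real installation call e.g.
#   harden_tomcat_server_info /opt/tomcat7
demo=$(mktemp -d)
cat > "$demo/ServerInfo.properties" <<'EOF'
server.info=Apache Tomcat/7.0.50
server.number=7.0.50.0
server.built=Dec 19 2013 10:18:12
EOF
strip_server_version "$demo/ServerInfo.properties"
cat "$demo/ServerInfo.properties"
```

After running harden_tomcat_server_info on the installation, restart Tomcat and request a non-existent URL to confirm that the error page footer no longer carries a version.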

Security in web applications can therefore be improved at several points. Observing security mechanisms at the design stage already raises the baseline. Measures taken during programming, such as escaping metacharacters or using a security token, further harden the application. And by reducing the server information exposed during operation, an attacker is denied an easy starting point.
