Information Security
Sandwich21, 2020-05-24 03:02:03

What are the types of threats to a web server?

I'm a bit confused about the details of attacks on web servers.
As I understand it, web server security threats can be divided into two groups: first, those related to administration errors, and second, those related to errors in the implementation of the server software.
But there is something I don't understand. Take SQL injection, for example: the textbooks say it is caused by poor administration, such as insufficient filtering of incoming data. BUT
when I implement an application, I write the injection protection into the code itself, for example by using parameterization:

$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
$stmt->execute(array('value' => $parameter));

The administrator seems completely useless here, in my opinion.
Or they write that an administration error is allowing the PUT and DELETE methods, which let a remote user edit and delete pages on the server. But these methods are implemented while the application is being developed, in the code, even before deployment.
So in general I'm confused about whether I have correctly identified the types of security threats to a web server.
Could you help me with this?

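An added example, not from the original question, that shows the point the PDO snippet above makes. Python's sqlite3 stands in for PHP/PDO and MySQL: the same lookup is written once with string concatenation and once with a bound parameter, and both are run against a constructed in-memory table with a constructed tautology payload. The table name, column names, sample rows and payload are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: a small users table in an in-memory SQLite database.
SAMPLE_ROWS = [
    (1, "alice", "secret-1"),
    (2, "bob", "secret-2"),
    (3, "carol", "secret-3"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable variant: the input is spliced into the SQL text, so any
    quote in it changes the grammar of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened variant, equivalent to the PDO prepare/execute pair: the input
    is bound as a value and is never parsed as part of the statement."""
    sql = "SELECT id, name FROM users WHERE name = :value"
    return conn.execute(sql, {"value": name}).fetchall()


def demo() -> dict:
    """Run both variants with a benign and a malicious input and return the rows."""
    conn = make_db()
    benign = "alice"
    # Constructed attacker input: closes the string literal and appends a
    # tautology, turning a one-row lookup into a full-table dump when concatenated.
    malicious = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_malicious": lookup_unsafe(conn, malicious),
        "safe_benign": lookup_safe(conn, benign),
        "safe_malicious": lookup_safe(conn, malicious),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With concatenation the payload returns every row; with the bound parameter the same payload is searched for literally and matches nothing. Nothing in this difference is visible to an administrator: it is decided entirely by how the query was written.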

5 answer(s)
Ivan Shumov, 2020-05-24
@Sandwich21

It's worth getting to know OWASP :)

xmoonlight, 2020-05-24
@xmoonlight

1. Network
2. Server
3. Web server
4. Web server application (PHP, etc.)
5. DB queries (MySQL, etc.)

shurshur, 2020-05-24
@shurshur

Perhaps the author of the book just lives in the old realities, when few people used PDO, it was fashionable to wrap parameters in mysql_real_escape_string, and people also tried to invent layers between the client and the application that caught SQL injections in the parameters.
With correct use of SQL by the programmer, nothing special needs to be administered.
I wouldn't bury the book prematurely on the basis of a single mistake, but this whole situation should remind you how important it is not to trust authorities blindly.

Mummers, 2020-05-25
@Mummers

https://www.youtube.com/watch?v=7f8-WKvtl04&t=3s

Karpion, 2020-05-27
@Karpion

As I understand it, the types of web server security threats can be divided into two groups - firstly, related to administration errors, and secondly, related to server software implementation errors.
I would single out at least three types of errors:
  1. administration errors;
  2. scripting errors (this is where SQL injections live);
  3. errors in "standard" programs: Apache, Nginx, SQL DBMSs (these are very rare, but they affect many).

But I don't understand a little, for example SQL-injection - in the textbooks they write that this is due to poor administration, such as there is not enough filtering of incoming data.
The input must be filtered by the CGI script. If there is a bug there, no administration will help (other than "don't install buggy scripts on the server").
Or they write that the administration error is the permission to use the PUT and DELETE methods, which allow a remote user to edit and delete pages from the server.
As a rule, the server runs as a user with minimal rights, and none of the files in the directory accessible to the server are writable by that user. Unnecessary methods should be banned all the same.
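An added example, not part of Karpion's answer, of the server-level method restriction he mentions: a minimal Python http.server handler that allowlists GET, HEAD and POST and answers every other method with 405 and an Allow header before any application handler runs, then probes itself over loopback. The allowlist, the path /page.html and the probe list are assumptions made for the demonstration; in a real deployment the equivalent rule lives in the web server's configuration, which is exactly why it counts as an administration concern separate from the application code.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed policy for this demo: methods the front-end server will pass through.
# Anything else is rejected here, regardless of what the application implements.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})


class MethodRestrictingHandler(BaseHTTPRequestHandler):
    """Gate on the request method first; the 'application' (a 200 reply)
    only runs for allowlisted methods."""

    def handle_one_request(self):
        # Read and parse the request line ourselves so the method check
        # happens before any do_* handler is looked up.
        self.raw_requestline = self.rfile.readline(65537)
        if not self.raw_requestline:
            self.close_connection = True
            return
        if not self.parse_request():
            return  # parse_request already sent a 4xx error
        if self.command not in ALLOWED_METHODS:
            self.send_response(405)  # Method Not Allowed
            self.send_header("Allow", ", ".join(sorted(ALLOWED_METHODS)))
        else:
            self.send_response(200)  # stands in for the real application
        self.send_header("Content-Length", "0")
        self.end_headers()
        self.wfile.flush()
        self.close_connection = True  # one request per connection keeps the demo simple

    def log_message(self, fmt, *args):
        pass  # keep the probe output quiet


def probe_methods(methods=("GET", "POST", "PUT", "DELETE")) -> dict:
    """Start the server on a free loopback port, send one request per method,
    and return {method: status_code}."""
    server = HTTPServer(("127.0.0.1", 0), MethodRestrictingHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    port = server.server_address[1]
    results = {}
    try:
        for method in methods:
            conn = HTTPConnection("127.0.0.1", port, timeout=5)
            conn.request(method, "/page.html")  # assumed path
            results[method] = conn.getresponse().status
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for method, status in probe_methods().items():
        print(f"{method:7s} -> {status}")
```

The same probe run against a production host (curl -X PUT, curl -X DELETE) is a quick way to check whether the front-end server actually enforces such a rule; a 405 or 403 at that layer means the application code never sees the request at all.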
