Page 614 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

In the early days of the Web, all web pages were static, or unchanging. Webmasters created web pages containing information and placed them on a web server, where users could retrieve them using their web browsers. The web quickly outgrew this model because users wanted the ability to access customized information based on their individual needs. For example, visitors to a bank website aren't interested only in static pages containing information about the bank's locations, hours, and services. They also want to retrieve dynamic content containing information about their personal accounts. Obviously, the webmaster can't possibly create pages on the web server for each individual user with that user's personal account information. At a large bank, that would require maintaining millions of pages with up-to-the-minute information. That's where dynamic web applications come into play.

Web applications take advantage of a database to create content on demand when the user makes a request. In the banking example, the user logs in to the web application, providing an account number and password. The web application then retrieves current account information from the bank's database and uses it to instantly create a web page containing the user's current account information. If that user returns an hour later, the web server repeats the process, obtaining updated account information from the database.

What does this mean to you as a security professional? Web applications add complexity to the traditional security model. The web server, as a publicly accessible server, belongs in a separate network zone from other servers, commonly referred to as a demilitarized zone (DMZ). The database server, on the other hand, isn't meant for public access, so it belongs on the internal network or at least a secured subnet separated from the DMZ. The web application needs access to the database, so the firewall administrator must create a rule allowing access from the web server to the database server. This rule creates a potential path for internet users to gain access to the database server.

If the web application functions properly, it allows only authorized requests to the database. However, if there is a flaw in the web application, it may let individuals tamper with the database in an unexpected and unauthorized fashion through the use of SQL injection attacks. These attacks allow a malicious individual to perform SQL
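The banking login described above, shown as an added example (not code from the study guide) in Python with an in-memory SQLite database. The account table, the two sample accounts, and the function names are all constructed for illustration. The first login function builds its query by string concatenation, which is the kind of flaw that lets the web server's legitimate database access become a path for tampering; the second uses parameterized queries, so the same input is treated purely as data and the query returns nothing for an invalid password. An allowlist check on the account number is included as the kind of input validation a defender adds in front of the database call.

```python
import sqlite3


def build_db():
    """Constructed sample data: a toy 'bank' table with two accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_no TEXT, password TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "s3cret", 250), ("1002", "hunter2", 9000)],
    )
    conn.commit()
    return conn


def is_valid_account_no(account_no):
    """Allowlist check: account numbers here are assumed to be 4 to 12 digits."""
    return account_no.isdigit() and 4 <= len(account_no) <= 12


def login_vulnerable(conn, account_no, password):
    """Flawed version: user input is spliced into the SQL text itself.

    Whatever the browser sends becomes part of the query the database parses,
    so a value containing quote characters can change the WHERE clause.
    """
    query = (
        "SELECT account_no, balance FROM accounts WHERE account_no = '"
        + account_no
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, account_no, password):
    """Hardened version: placeholders keep the query text fixed.

    The driver sends the values separately, so the database never interprets
    them as SQL. A rejected account number is refused before any query runs.
    """
    if not is_valid_account_no(account_no):
        return []
    query = (
        "SELECT account_no, balance FROM accounts "
        "WHERE account_no = ? AND password = ?"
    )
    return conn.execute(query, (account_no, password)).fetchall()


def compare_logins(account_no, password):
    """Run the same credentials through both versions and return both results."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, account_no, password),
        "parameterized": login_parameterized(conn, account_no, password),
    }


if __name__ == "__main__":
    # A correct login succeeds in both versions.
    print(compare_logins("1001", "s3cret"))
    # A malformed password that contains quote characters: the vulnerable
    # version's WHERE clause is rewritten and every row comes back, while
    # the parameterized version simply finds no matching account.
    print(compare_logins("1001", "' OR '1'='1"))
```

Running the block prints one row for the correct login in both versions, then two rows from the vulnerable function and an empty list from the parameterized one for the malformed input. The difference is the whole point: parameterization, not the firewall rule, is what keeps the web server's database access from becoming a path for unauthorized queries.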