Guidelines on Securing Public Web Servers
• Most servers allow per-directory CGI restrictions.
• CGI itself provides little security enforcement.
• Perl facilitates secure programming in ways most other languages (e.g., C, C++, sh) do not.
• CGI wrappers available from third parties offer additional protection for CGI.

Server Side Includes (SSI)
SSI is a limited server side scripting language supported by most Web servers. SSI provides a set of dynamic features, such as including the current time or the last modification date of the HTML file, as an alternative to using a CGI program to perform the function. When the browser requests a document with a special file type, such as .shtml, it triggers the server to treat the document as a template, reading and parsing the entire document before sending the results back to the client (Web browser). SSI commands are embedded within HTML comments (e.g., <!--#include file="..." -->). As the server reads the template file, it searches for HTML comments containing embedded SSI commands. When it finds one, the server replaces that part of the original HTML text with the output of the command. For example, the SSI command given above (i.e., #include file) replaces the entire SSI comment with the contents of another HTML file. This allows the display of a corporate logo or other static information prepared in another file to occur in a uniform way across all corporate Web pages. A subset of the directives available allows the server to execute arbitrary system commands and CGI scripts, which may produce unwanted side effects [NIST01a]. Some issues to consider when contemplating the deployment of SSIs:

• The security of SSIs is extremely weak if the exec command is enabled on the Web server.
• SSIs can hurt the performance of heavily loaded Web servers.
• The security of SSIs relies heavily on the host operating system and the Web server application.
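As an added illustration of the template processing described above (example code written for this page, not from the NIST guideline or from any Web server product), the following Python processor expands the #include and #echo directives, confines include targets to the document root, and refuses the exec directive outright, which is the posture the first bullet above calls for. The in-memory document tree, the DATE_LOCAL handling and all function names are constructed for this example.

```python
import posixpath
import re
from datetime import datetime, timezone

# An SSI directive is an HTML comment of the form <!--#cmd key="value" ... -->
SSI_RE = re.compile(r'<!--#(?P<cmd>[a-z]+)\s*(?P<args>[^>]*?)\s*-->')
ARG_RE = re.compile(r'([a-z]+)="([^"]*)"')


class SSIError(Exception):
    """A directive was unsupported, disabled, or tried to leave the document tree."""


def confine(rel_path):
    """Return the normalised include path, or raise if it is absolute or escapes the root."""
    if rel_path.startswith(('/', '\\')) or '\0' in rel_path:
        raise SSIError(f'refusing absolute or malformed include path: {rel_path!r}')
    norm = posixpath.normpath(rel_path.replace('\\', '/'))
    if norm == '..' or norm.startswith('../'):
        raise SSIError(f'include escapes document root: {rel_path!r}')
    return norm


def render_ssi(template, documents, date_local=None):
    """Expand SSI comments in `template`.

    `documents` maps paths (relative to the document root) to file contents; a
    real server reads from disk, the dict keeps this example offline.
    `date_local` overrides the clock so output is reproducible.
    """
    def expand(match):
        cmd = match.group('cmd')
        args = dict(ARG_RE.findall(match.group('args')))
        if cmd == 'include':
            target = args.get('file') or args.get('virtual')
            if not target:
                raise SSIError('include directive without file= or virtual=')
            key = confine(target)
            if key not in documents:
                raise SSIError(f'include target not found: {key}')
            return documents[key]  # inserted verbatim; nested directives are not re-parsed
        if cmd == 'echo' and args.get('var') == 'DATE_LOCAL':
            return date_local or datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
        if cmd == 'exec':
            # Never run commands taken from page content (the effect of Apache's IncludesNOEXEC)
            raise SSIError('exec directive is disabled on this server')
        raise SSIError(f'unsupported directive: {cmd}')
    return SSI_RE.sub(expand, template)


def try_render(template, documents, date_local=None):
    """Return (output, None) on success or (None, error message) when a directive is refused."""
    try:
        return render_ssi(template, documents, date_local), None
    except SSIError as exc:
        return None, str(exc)


# Constructed sample document tree (not taken from any real site)
SAMPLE_DOCS = {
    'index.shtml': ('<html><body>\n'
                    '<!--#include file="header.html" -->\n'
                    '<p>Generated <!--#echo var="DATE_LOCAL" --></p>\n'
                    '</body></html>\n'),
    'header.html': '<div class="logo">Example Corp</div>',
}

if __name__ == '__main__':
    print(try_render(SAMPLE_DOCS['index.shtml'], SAMPLE_DOCS, '2002-09-01 12:00:00')[0])
    for bad in ('<!--#exec cmd="uptime" -->', '<!--#include file="../outside.html" -->'):
        print(bad, '->', try_render(bad, SAMPLE_DOCS)[1])
```

Running the block renders the sample page with the shared header and timestamp substituted in, and shows both the exec directive and the path-traversal include being refused with a message rather than acted on. On Apache the corresponding server-side control is the IncludesNOEXEC option, which keeps SSI available while disabling the exec directive.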
Microsoft Active Server Pages (ASP)
ASP is a server side scripting technology from Microsoft similar to SSI, which can be used to create dynamic and interactive Web applications. An ASP page is essentially an HTML template that contains server side scripts that run when a browser requests an .asp resource from the Web server. The Web server processes the requested page and executes any script commands encountered before sending the composed result to the user's browser. Both JScript and VBScript are supported scripting languages, but other scripting languages can also be accommodated, provided an ASP compliant interpreter for that language is installed. For example, scripting engines are available for the Perl, REXX, and Python languages from various sources. Scripting capabilities can be extended through the use of ActiveX objects, which can be developed in a variety of languages, including Visual Basic, C++, COBOL, and Java. A script that invokes an ActiveX object causes the object to be created and supplied any needed input parameters. Note that ActiveX (see Section 6.3.1) is an optional technology and not required by ASPs [NIST01a]. Some issues to consider when contemplating the deployment of ASP [Zir02]:

• ASP relies heavily on the host operating system and the Web server application for security.