Virginia Finance

Oct 1 2017

SP-008: Public Web Server Pattern

Tags: web, server, costs, public, security, pattern, risk, compliance

  • An RIA web application can be built with any front-end technology, such as AJAX, Java, Silverlight or FLEX/FLASH
  • End-user authentication can be strong (physical-token OTP, SMS OTP, or an iTAN list) or just UID/PW (enhanced with SRP or Digest)
  • Web application state should not be stored on the client; only an encrypted reference to the state held on the server should be handed to the client, for example as a cookie or as a POST parameter
  • All input validation performed on the client must be repeated on the server

Threats:

  • Malicious entities try to exploit software bugs in the web server
  • Denial of service (DoS) attacks may be directed at the web server
  • Compromises through command injection attacks
  • The server may be used as a distribution point for attack tools, pornography, or illegally copied software
  • Man-in-the-browser attacks
  • Phishing attacks
  • Misconfigurations
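The following Python sketch is an added illustration of the two state-handling points in the pattern (server-side state with only a reference passed to the client, and server-side re-validation of client-checked input); it is not part of the OSA pattern. The client-held reference is an opaque random identifier protected with an HMAC, which stands in here for the encryption the pattern mentions; SERVER_KEY, SESSIONS and the quantity limits are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Server-side state store: the client only ever holds a reference into it.
SESSIONS: dict[str, dict] = {}


def _tag(session_id: str) -> str:
    """Integrity tag so a client cannot mint or alter references."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_session(state: dict) -> str:
    """Store state on the server; return the opaque cookie value for the client."""
    session_id = secrets.token_urlsafe(32)  # never contains '.', so the split below is safe
    SESSIONS[session_id] = dict(state)
    return f"{session_id}.{_tag(session_id)}"


def load_session(cookie: str):
    """Resolve a cookie back to server-side state; None if forged, altered or unknown."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(tag, _tag(session_id)):
        return None
    return SESSIONS.get(session_id)


def validate_quantity(raw: str):
    """Server-side re-check of a field the browser is assumed to have validated."""
    if not raw.isdigit():
        return None
    qty = int(raw)
    return qty if 1 <= qty <= 100 else None  # constructed business limit


def update_cart(cookie: str, raw_quantity: str) -> bool:
    """Apply a client request only if both the reference and the input pass server checks."""
    state = load_session(cookie)
    qty = validate_quantity(raw_quantity)
    if state is None or qty is None:
        return False
    state["quantity"] = qty
    return True
```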

Resistance against threats:

  • Compromises through command injection attacks
  • Compromises through XSS attacks
  • Compromises through buffer overflow attacks
  • Compromises through access control violations

Control details



Written by admin

