Method For Improving Security Of Dynamic Program-Driven Web Sites
Original Publication Date: 2005-Jan-24
Included in the Prior Art Database: 2005-Jan-24
Described is a method for hiding the implementation details of a dynamically generated Web site. The method consists of Web server configuration command files which result in all site pages and URLs appearing to be flat HTML coded content.
Method For Improving Security Of Dynamic Program -Driven Web Sites
Complex Web sites are often dynamically created and driven by underlying programming. This is especially true of Web sites which use an underlying database to store complete or partial pages and / or information. Nearly all complex commercial sites on the Web today are dynamic. These Web sites may rely on SQL (Structured Query Language) to extract the information from a database and are usually written to access the information via CGI (Common Gateway Interface) programs or scripting language methods. Among the scripting languages most commonly used are PHP, ASP, PERL, PYTHON, and a host of others.
Recognizing such dynamic sites is usually quite easy. The URL (Uniform Resource Locator) for a dynamic site nearly always consists of the site domain name followed by a template page name followed by one or more parameters which identify the information the program needs to dynamically build the page. The URL may appear to the user as http://www.my-dynamic-site.com/home.php?id=PageOne&part=MyFavoriteProduct
In this case, the user can immediately know that the site is using PHP as a programming language and that an SQL query is probably being made to a database to extract the data for "PageOne" and is qualified by a second parameter of "part=MyFavoriteProduct". It is just as easy to deduce that a site is using ASP, PERL, or a custom CGI program to process the URLs.
Knowing the language a Web site uses can make it more vulnerable to security (hacking) attacks specific to that language. SQL Insertion attacks (also known as SQL Injection attacks) are well known in the industry but not always guarded against by Web site builders. Buffer overrun attacks and the like are constantly being sought out by hackers and spammers looking for "zombie" machines to take over.
One solution to this problem is to hide all traces of a database and programming language through careful construction of the Web site. If a hacker doesn't know the language or database a site is using -- or more importantly, doesn't even know that the site is dynamically generated -- hacking becomes much more difficult or nearly impossible.
The method described here to hide the construction of the dynamic Web site from the user is the combination of three techniques, each already known. They are:
Alias any programmable language used on the site to ".HTML".
This is done with a Server Configuration command on the Web server itself. In Apache, if we are using PHP, this is done with a statement similar to
"AddType application/x-httpd-php4 .html"
We then use a "faked" URL to pass the data to the dynamic generation program. The specific page URL need not exist. In fact, the whole site will be generated from a script running from the default page -- usua...