
Mitigating the WASC Web Security Threat Classification with Apache

The main goal of this chapter is to present the different types of threat categories that are present when offering web applications to the public. In addition to presenting the threat definitions and examples, it also provides you with practical mitigation strategies if you are using Apache as the front-end web server for your applications.
This chapter is from the book

In the previous chapter, we discussed the steps necessary to properly secure a standard Apache installation. Although the updated configuration certainly results in a more secure web server, it also significantly reduces the server's functionality. On today's World Wide Web, most organizations need to add some form of dynamic web application. So, after applying all of the security settings to a default Apache install, you now choose to install a complex application that may very well open up a different set of vulnerabilities. Once you deploy applications that must track user sessions and interact with databases, you open up a whole new can of worms.

Do you know what threats exist for web applications? Do you have an accurate definition of the attack scenarios? The Web Application Security Consortium (WASC) created the Web Security Threat Classification document for exactly this purpose. The goals of this chapter are twofold. The first is to arm you with practical information about the threats associated with running web applications and to present the corresponding Apache mitigation strategies. The second is to highlight the limits of the control that Apache can exert over the overall security of web applications. There are limits to what can be accomplished with Apache; a few issues highlighted in this chapter are outside the scope of Apache's control.

The most up-to-date document can be found at the WASC web site: http://www.webappsec.org. Please keep in mind that the WASC Threat Classification was a cooperative effort created by the brilliant, dedicated members who generously donated their time and expertise to create this resource. I was merely one of the contributing members for this project. My thanks extend to the individuals listed in the following section.


    Robert Auger—SPI Dynamics

    Ryan Barnett—EDS & The Center for Internet Security (Apache Project Lead)

    Yuval Ben-Itzhak—Individual

    Erik Caso—NT OBJECTives

    Cesar Cerrudo—Application Security Inc.

    Sacha Faust—SPI Dynamics

    JD Glaser—NT OBJECTives

    Jeremiah Grossman—WhiteHat Security

    Sverre H. Huseby—Individual

    Amit Klein—Sanctum

    Mitja Kolsek—Acros Security

    Aaron C. Newman—Application Security Inc.

    Steve Orrin—Sanctum

    Bill Pennington—WhiteHat Security

    Ray Pompon—Conjungi Networks

    Mike Shema—NT OBJECTives

    Ory Segal—Sanctum

    Caleb Sima—SPI Dynamics
