Part 1 of 7 of an article on Web Site Security by Steve Avery MSc BA
Unfortunately, there are many ways in which website security can be compromised. For example, security risks exist that affect Web servers and LANs (local area networks) on which Websites are hosted, even by the normal use of a Web browser.
Web Masters are in the front line when dealing with the most serious risks. As soon as a Web server is installed at a site, a window appears in the local area network through which anyone using the Internet can look. Of course, most website visitors see only what they're meant to see, but a few of them try to find elements of the site that are not supposed to be visible to the general public. Malicious visitors want to do more than merely look; they attempt to open the window and slip inside. The damage they can inflict might be mere vandalism, such as replacing the website's home page with one of their own which could say or display absolutely anything, or it might be burglary, such as stealing a contacts or sales database.
It is hard to escape the probability that complex software contains bugs. No matter how thoroughly it is tested, there is usually some combination of events or user actions, although it might be rare, that causes a fault. Software bugs create breaches in system security. A Web server is complex software that can very easily contain a security hole.
It is not only the complexity of a Web server that can cause a problem, but also its open architecture. Consider a CGI script as an example. A CGI script can be run at the server in response to a remote request from a client. This could be a request from an application or even the click of a button in a browser. If the CGI script contains a bug, there is a risk of a security breach.
Network Administrators also face problems from Web servers because of the risk they pose to the security of the local area network. While there must be no unauthorized intrusions, access must be granted to Website visitors. This means that access to the network must be controlled. The Administrator must therefore perform a delicate balancing act. Even the most robust firewall can be breached if the Web server is configured badly. By the same token, normal use of the Website can be impossible if the firewall is configured badly. Finding an ideal solution is even more difficult if an intranet forms part of the system. Typically, the Web server must then be configured to recognize and authenticate domains and user groups, which are likely to have differing permission levels and access rights.
Most people who use a browser to surf the Web believe that they are doing so anonymously and securely. This is not so. Web browsers can run self-contained programs on the client machine that are hosted by a website. Modern browsers display a warning and ask permission to run such programs. Known generally as "active content", e.g., ActiveX controls or Java applets, these programs, if malicious, can easily install a virus or other dangerous software on the browser user's machine. Once it's in the system it can wreak all kinds of havoc and can be very difficult to remove.
This is also a concern for Network Administrators. Web browsers provide a route for potentially malicious software to filter through the local area network's firewall. Once it is in the network, the damage it can cause can range from clandestinely stealing confidential information to wanton destruction.
Apart from the issues surrounding active content, merely surfing the Web records a trail of the user's activities in the browser's history. This can be used by websites and installed programs to establish an accurate profile of the user's behaviour and interests. While this may be considered an invasion of privacy by some, it can be beneficial by displaying relevant content immediately, thus relieving the user of the task of searching for it.
Confidentiality is an issue that concerns not only browser users but also Web Masters and Network Administrators during the actual transmission of data via the Web. TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic language of communication for the Internet. When it was created, security was not the most important factor in its design. Both network and Internet transmissions should therefore not be considered as necessarily private. Whenever the browser on a local machine downloads a confidential document from the remote Web server, or the browser user fills in a form with private information and clicks the 'Submit' button, the transmitted data can be intercepted without authorization.