Chapter 6. Internet Information Services – Web Service Attacks
Information in this Chapter
Early in 2009, the Ball State University of Muncie, Indiana was the target of an attack using a vulnerability found in the Internet Information Services (IIS) Web-based Distributed Authoring and Versioning (WebDAV) component as described in Microsoft Security Advisory (971492)[A] and as reported by ZDNet Asia.[B] This discovery markets yet another vulnerability in the Microsoft IIS product and once again turned its focus back to how even products that have been around for many years can still contain vulnerabilities that are yet to be identified.
Awww.microsoft.com/technet/security/advisory/971492.mspx
Bwww.zdnetasia.com/news/security/0,39044215,62054238,00.htm
Web servers provide a valuable medium embraced by organizations who wish to conduct business with partners, customers, vendors, and almost with any other aspect or transaction you can think of. Whether Web servers are implemented to provide customers the opportunity to purchase products or used as a solution for distributing information to employees, they are an important part of supporting business operations. Microsoft's IIS has been a key player in providing Web content for many different types of services and applications and its use will likely continue to be a viable option for quite some time.
Although Web servers play an important part of delivering content, there are many more risks that can be identified when analyzing Web applications, authorization, authentication, session management, and serving content; this chapter will review some of the attacks that can be used against IIS directly.