3

I've recently finished programming my own HTTP server to host a simple static website. As of now its functionality is limited to sending a single response to the first GET request which asks for the HTML - and nothing more. Due to its simplicity I feel as though forwarding port 80 to a spare laptop running the server on my network won't pose any major security risk.

Am I wrong to assume this? What I am worried about more than the server itself is the fact that I'll draw attention to my network which would lead to other connected devices being targeted. Are there any ways to ensure maximum security in my network if I am to open this server up to the public?

mythril
  • 31
  • 2
  • 2
    The question cannot be answered since it is unknown how safely programmed your HTTP server really is, as which user the server runs and how secure the underlying system is. Just a few keywords to think of: buffer overflow, memory exhaustion, privilege escalation. Given the naivety of the question which does not provide any information on how the service is secured I would assume that it is not properly secured and thus would advise against exposing it. But again, there are too few details for a solid answer so I propose to close the question as too broad. – Steffen Ullrich May 04 '17 at 04:35
  • 3
    I, too, voted to close this as too broad because it can basically be read as "How safe is it to expose a service (that I just wrote myself) to the Internet?" – Arminius May 04 '17 at 04:41
  • Anyone on the Internet can connect to your program and send any data they want on that connection. How confident are you that if someone connects to your program and sends whatever data they want, the program won't do anything bad? The answer to that is how safe it is. (For example, if the program formatted your hard drive when the request started with "Boo!" that wouldn't be very safe) – user253751 May 04 '17 at 04:47
  • @SteffenUllrich The second sentence clearly explains the nature of the program - it's extremely simple. If a client sends a GET - regardless of what is actually included in the request - the server responds with HTML. There's no opportunity for Path Traversal or any other kind of similar attack. – mythril May 04 '17 at 05:01
  • 1
    @mythril: That the task you solve with the program is extremely simple does not mean that you solved it in a secure way, but it increases the chance that you do. Still, an inexperienced programmer might introduce security problems even into simple programs without noticing, so it is impossible to say without seeing the actual code how secure the program really is. – Steffen Ullrich May 04 '17 at 05:18
  • A program can normally only do what you give it capabilities to do. For example, if there's no command to load or delete files (or dynamically evaluate new code), there's no way for an attacker to hijack that program to load or delete files... – dandavis May 05 '17 at 01:08

0 Answers
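The comments above name the concerns for a server like this: arbitrary input from any client, memory exhaustion, and what the program is able to do. The following is an added example, not the asker's server (whose code is not on the page): a fixed-response HTTP responder that never touches the filesystem, caps how many request bytes it buffers and bounds how long one client can hold the connection. `MAX_HEAD`, `TIMEOUT`, `PAGE` and port 8080 are assumptions chosen for the sketch.

```python
import socket
import time

MAX_HEAD = 8192   # assumed cap on buffered request bytes (limits memory per client)
TIMEOUT = 5.0     # assumed total seconds a client gets to send its request head
PAGE = b"<!doctype html><title>demo</title><p>static page</p>"  # constructed sample

def build_response(status, body):
    head = (f"HTTP/1.1 {status}\r\nContent-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + body

def read_head(conn):
    """Return the request head, or None if it is oversized, slow or truncated."""
    deadline = time.monotonic() + TIMEOUT
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if len(buf) >= MAX_HEAD or remaining <= 0:
            return None                      # too large or too slow
        conn.settimeout(remaining)           # overall deadline, not per-recv
        try:
            chunk = conn.recv(MAX_HEAD - len(buf))
        except OSError:                      # includes timeouts and resets
            return None
        if not chunk:                        # peer closed before finishing
            return None
        buf += chunk
    return buf

def handle(conn):
    """Serve one connection and return the status line that was sent."""
    head = read_head(conn)
    if head is None:
        status, body = "400 Bad Request", b""
    elif head.startswith(b"GET "):
        status, body = "200 OK", PAGE        # same bytes whatever the path says
    else:
        status, body = "405 Method Not Allowed", b""
    try:
        conn.sendall(build_response(status, body))
    except OSError:
        pass
    finally:
        conn.close()
    return status

def serve(host="127.0.0.1", port=8080):      # unprivileged port: no root needed
    with socket.create_server((host, port)) as srv:
        while True:
            conn, _ = srv.accept()
            handle(conn)                     # one client at a time

if __name__ == "__main__":
    serve()
```

The request path is never parsed or used, so the only input-dependent state is a buffer of at most `MAX_HEAD` bytes.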