The most prominent components of web applications that intruders will first seek to exploit are vulnerabilities within the web platform. The web platform is comprised of common (not necessarily commercial!) off-the-shelf (COTS) software that sits atop the host operating system but below the custom application logic. The web platform commonly includes:
• Web server software (such as IIS or Apache)
• Extensions to the web server, such as ISAPI filters and extensions, or Apache modules
• Dynamic execution environments like ASP.NET, PHP, and J2EE (also referred to as application servers)
• Services and daemons, such as user forums or web guestbook packages
In contrast to our definition of the web platform, we consider ...