[Nikronius]

Hi there guys.

well I have been with too much free time lately and I have been learning in the meantime about web server security.

I just arrived to a Question:

lets say you have a MS IIS 5.0 based on Windows 2000, very well patched and secured with a very nice cisco 12.x that only allows port 80.

Still you have problems with XSS in the page and have some services active like IPP (very well known for its vulnerability back in time ;)

Is it possible for a hacker compromise your webserver just with XSS?? as far as I've heard that can only inject html and js in to the page but cant do more than that...

And then i ask the other question is it any kind of security that is "unbreakable"?? wich means that no matter how hard an attacker tries he will never be able to compromise your webserver??

if you were an attaker what would you try to do? keeping in mind that there is only 1 port open and only 1 vulnerability at sight (XSS, cause IPP is already patched)

is it possible to exploit the cisco router or a firewall??, I have read a little bit about that but i dont think is that easy no?

I would like to know cause it is my duty to harden the security of my webserver and I can only do that by knowing little bit more right?? :)

thanks in advance.

[Mike0001]

Personally, I would convert to the industry standard Apache server and not touch IIS with a bargepole.

I guess we may never be secure against DDOS attacks.