Lesson 17-Web Components - PowerPoint PPT Presentation


Slides: 104
Provided by: Hur88



Lesson 17-Web Components
  • The World Wide Web was invented in 1990 by Tim
    Berners-Lee to give physicists a convenient
    method of exchanging information.
  • What began as a physics tool in the European
    Laboratory for Particle Physics (CERN) has grown
    into a complex system.

  • It is now a complex system used by millions for
    tasks ranging from e-commerce to e-mail,
    chatting, games, and even the original intended
    use: file and information sharing.

  • Before the World Wide Web, the following methods
    were used to perform these tasks:
  • File Transfer Protocol (FTP) to move files.
  • Telnet to access other machines.

  • A common architecture was developed by
  • First, a common addressing scheme built around a
    Uniform Resource Locator (URL).
  • Then, linking documents with URLs through the
    Hypertext Markup Language (HTML).

  • Upon completion of this chapter, the students
    will be able to:
  • Describe the protocols such as SSL/TLS protocol
    suite, LDAP, and FTP used with Web components.
  • Describe Web applications, such as Web Services
    and plug-ins, and explain their associated
    security issues.
  • Describe and explain secure file transfer options.

  • Upon completion of this chapter, the students
    will be able to:
  • Explain how directory services can be used to aid
    in data retrieval.
  • Describe how scripting and other Internet
    functions can cause security concerns.
  • Describe how using cookies maintains parameters
    between Web pages.

Current Web Components and Concerns
  • The World Wide Web is useful due to:
  • Browsers
  • Web components

Current Web Components and Concerns
  • There are three main security tasks:
  • Securing a server to deliver content to users
    over the Web.
  • Securing the transfer of information between
    users and servers over the Web.
  • Securing the user's computer from attack through
    a Web connection.

  • Encryption
  • SSL and TLS
  • The Web
  • HTTP and HTTPS
  • Web Services
  • Directory Services (DAP and LDAP)
  • File Transfer
  • FTP and SFTP

  • Protocols are agreed-upon rules that allow
    vendors to produce hardware and software that
    interoperate with hardware and software developed
    by other vendors.
  • The specific instantiation of protocols is done
    through hardware and software components.

Encryption (SSL and TLS)
  • Secure Socket Layer
  • SSL is almost ubiquitous in e-commerce.
  • All browsers and Web servers support SSL.
  • Virtually all sensitive financial traffic uses
    SSL to protect information between Web servers
    and browsers.

Encryption (SSL and TLS)
  • The Internet Engineering Task Force (IETF)
    embraced SSL in 1996 through a series of RFCs and
    named the group Transport Layer Security (TLS).
  • SSL 3.0
  • RFC 2246
  • TLS Protocol Version 1.0
  • RFC 2712
  • Added Kerberos authentication
  • RFCs 2817 and 2818
  • Extended TLS to HTTP version 1.1 (HTTP/1.1)

Encryption (SSL and TLS)
  • Although SSL has been through several versions,
    TLS begins with an equivalency to SSL 3.0.
  • SSL and TLS are essentially the same protocol,
    but not interchangeable.

Encryption (SSL and TLS)
  • SSL/TLS is a series of functions within the OSI
  • They reside between the application layer and the
    TCP/IP implementation in the transport and
    network layers.

Encryption (SSL and TLS)
  • TCP and SSL/TLS
  • TCP sends an unauthenticated error-free stream of
    information between two computers.
  • SSL/TLS adds message integrity and authentication
    functions to TCP through cryptographic methods.

Encryption (SSL and TLS)
  • Session description
  • When two programs initiate an SSL/TLS connection,
    they compare available protocols and agree on an
    appropriate common cryptographic protocol.
  • SSL/TLS can use separate algorithms and methods
  • Encryption
  • Authentication
  • Data integrity
  • Each of these is negotiated and determined before
    the session starts.

SSL/TLS Encryption Options
  • This shows the types of cryptographic protocols
    available in Netscape Communicator.

Cryptographic protocol options in Netscape
How SSL/TLS Works
  • SSL/TLS uses cryptographic protocols. Effective
    use of these protocols requires that systems must
    agree upon a protocol. The SSL handshake process
    is used to accomplish this task.
  • The client requests a secure connection and
    the server responds.
  • Both systems agree on a commonly held protocol
    (SSL v1, v2, v3, or TLS v1).
  • Commonly available cryptographic algorithms
    include Diffie-Hellman and RSA.

How SSL/TLS Works
  • The handshake begins with the exchange to agree
    on parameters.
  • The systems exchange certificates and keys to
    enable authentication.
  • Certificate exchange is done via X.509
  • Public key cryptography is used to establish

How SSL/TLS Works
  • The session continues
  • Once authentication is established, the channel
    is secured with symmetric key cryptographic
    methods and hashes, typically RC4 or 3DES for
    symmetric key and MD5 or SHA-1 for hash
  • The authenticity of the server and possibly the
    client has been established.
  • The channel is protected by encryption against

How SSL/TLS Works
  • Session certificates
  • The use of certificates is a way to have a third
    party act as a notary in the electronic world.
  • A certificate is merely a standard set of
    formatted data that represents the authenticity
    of the public key associated with the signer.
  • A certificate can be trusted as a notary to a
  • Certificates provide a method of proving who
    someone is, provided you trust the issuer.

SSL/TLS Certificates
SSL and TLS options in Netscape Communicator
SSL/TLS Certificates
Certificate options in Microsoft Internet Explorer
SSL/TLS Certificates
  • These are the certificate management options.

Certificate management options dialog in
Microsoft Internet Explorer
How SSL/TLS Works
  • SSL/TLS is designed to provide protection from
    man-in-the-middle attacks.
  • By authenticating the server end of the
    connection, SSL/TLS prevents the hijacking of a
  • By encrypting all of the conversations between
    the client and the server, SSL/TLS prevents

The Web (HTTP and HTTPS)
  • The Hypertext Transfer Protocol (HTTP) is the
    protocol for the transfer of hypertext-linked
    data over the Internet.
  • A URL such as http://www.example.com is decoded
    by the browser.
  • The http:// portion indicates that the desired
    method of data transfer is via the Hypertext
    Transfer Protocol.

The Web (HTTP and HTTPS)
  • SSL/TLS hides cryptographic complexity from end
  • This can be done by requesting a secure
    connection from a Web server, instead of a
    non-secure connection.
  • With HTTP connections, use https:// in place of
  • The entry of an SSL/TLS-based protocol will cause
    an aware browser to negotiate with the server to
    establish the required level of security.

How Do You Know You Are Secure?
HTTPS connection in Microsoft Internet Explorer
The Web (HTTP and HTTPS)
  • Enabling cryptographic methods transparently
    helps end users to use these protocols easily.
  • SSL/TLS is agnostic.
  • Designed to run on top of TCP/IP, it can operate
    over lower-level protocols such as X.25.
  • SSL/TLS requires a reliable lower-level protocol.
  • It cannot properly function over a non-reliable
    protocol such as the IP User Datagram Protocol

Web Services
  • Web Services is an industry term with various
    marketing definitions.
  • It depends upon who is trying to market what and
    to whom.
  • Although the term has been misused often, its
    underlying core is an application program
    accessible using open protocols.

Web Services
  • Web Services are defined through industry
  • There are a series of specifications including
    XML Schema and Web Services Description Language
  • A Web Service may be as simple as a procedure
    invoked on a remote computer via common data
    formats and protocols.

Web Services
  • Web Services can be invoked with a Simple Object
    Access Protocol (SOAP) request over an HTTP
  • This uses open standards such as XML, HTTP, and
    Universal Description, Discovery and
    Integration (UDDI).
  • A Web Service is an application accessed via a
    set of remote procedure calls implemented over

Web Services
  • The deployment of Web Services is in its infancy.
  • The effectiveness of the security mechanisms
    being built into the standards is unknown.
  • Several areas that Web Services are vulnerable
  • HTTP/Web server vulnerabilities
  • SOAP Structure vulnerabilities
  • WSDL vulnerabilities
  • Application layer vulnerabilities

Web Services
  • Web Services communicate over HTTP through Web
  • Any vulnerability of the Web server can manifest
    itself as a vulnerability of the Web Service.

Web Services
  • A risk is associated with the actual Web Service
    code itself.
  • As Web Services are designed to increase
    distributed code and usage, control over users of
    Web Services lessens.
  • It is not safe to assume every usage will be with
    properly conformed messages for a particular Web
  • The Web Services application programmer must
    develop secure code.

  • Simple Object Access Protocol (SOAP) is a method
    of invoking remote procedures over the Internet.

  • SOAP is a framework for generalized XML messaging
    between applications.

  • SOAP is language-neutral and platform-independent.
  • The SOAP framework does no routing or security
    since these are managed in the extensible nature
    of the basic framework.
  • Layered extensions allow adding these services in
    a cohesive and controlled fashion.

  • Extensible Markup Language (XML) formats messages
    used by SOAP to access and return data from Web

  • XML Schemas define communication interfaces and
    carry information between Web Services.
  • They invoke elements that allow a standard method
    that is independent of any firm or platform.
  • It is extensible.
  • It is language-neutral.

Directory Services (DAP and LDAP)
  • A directory is a data storage mechanism like a
  • The directory is designed and optimized for
    reading data, yielding very fast search and
    retrieval operations.
  • The types of information stored in a directory
    tend to be descriptive attribute data.
  • A directory offers a static view of data that can
    be changed without a complex update transaction.
  • The data is hierarchically described in a
    tree-like structure.
  • A network interface for reading is typical.

Directory Services (DAP and LDAP)
  • The X.500 standard was created as a standard for
    directory services. It enables interoperability.
  • An X.500 directory is accessed through the
    Directory Access Protocol (DAP).
  • It is difficult to implement completely on PCs
    and other constrained platforms.
  • This led to the Lightweight Directory Access
    Protocol (LDAP), which contains the most commonly
    used functionality.
  • LDAP can interface with X.500 services.
  • LDAP can be used over TCP with fewer computing
    resources than full X.500 implementation.

  • LDAP is the Internet standard for directory
  • LDAP over TCP is a plaintext protocol.
  • This means data is over the network, which makes
    it susceptible to eavesdropping.
  • To avoid this, data must be encrypted.
  • The application of SSL/TLS service protects
    directory transactions from eavesdroppers.

  • SSL/TLS provides several functions to LDAP
  • SSL/TLS establishes the identity of a data source
    through certificates.
  • SSL/TLS provides integrity and confidentiality of
    the data presented from an LDAP source.
  • LDAP and SSL/TLS are separate independent
  • Interoperability requires correct setup.
  • Establish an SSL/TLS connection.
  • Open an LDAP connection over the protected
  • Both the client and the server should be enabled
    for SSL/TLS.

  • An LDAP server set up to function over an SSL/TLS
    connection operates as it always has.
  • The LDAP server responds to specific queries with
    the data returned from a node in the search.
  • The SSL/TLS functionality operates to secure the
    channel of communication and is transparent to
    the data flow from the user's perspective.
  • SSL/TLS prevents observation of the data request
    and response, ensuring confidentiality.

  • FTP is an application-level protocol.
  • It allows operation over a wide range of
    lower-level protocols.
  • FTP is embedded in most operating systems. It
    provides a method of transferring files between

  • FTP implementations operate both ways: sending
    and receiving. They enable remote file operations
    over a TCP/IP connection.
  • FTP clients are used to initiate transactions.
  • FTP servers respond to transaction requests.
  • The request can be either to upload (send data
    from a client to a server) or download (send data
    from a server to a client).

  • When a user enters ftp://url in a browser address
    field, it indicates that the user wishes to see
    the data associated with the URL via an FTP
    session; the browser handles the details.
  • File transfers via FTP can be either in binary or
    text mode.
  • In either case, transfers are plaintext across
    the network.

Blind FTP (Anonymous FTP)
  • An account must be used to allow the operating
    system-level authorization function to work.
  • With an FTP server, you may not be able to control
    who gets the information.
  • A standard account called anonymous exists.
  • It allows unlimited public access to the files.
  • It is used to have unlimited distribution.
  • On a server, access permissions can be
    established to allow only downloading or only
    uploading or both.

Blind FTP (Anonymous FTP)
  • An FTP can be used to allow access to upload
    files to a server.
  • It is a security risk usually implemented on
    specialized servers isolated from other critical
  • FTP should not be permitted on workstations.
  • It should be disabled on servers.

  • FTP operates in plaintext mode.
  • An eavesdropper can observe the data being
  • If confidential transfer is required, Secure FTP
    (SFTP) should be used.
  • SFTP utilizes both Secure Shell (SSH) protocol
    and FTP to accomplish this task.
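
What the plaintext and anonymous-access slides above mean for someone monitoring a network, as an added example that is not part of the original presentation: a Python audit of a captured FTP control channel that reports exposed logins, anonymous uploads, and transfers that crossed the wire unencrypted. The capture format, session numbers, user names, and file names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed capture: "<session> <C|S> <line>" (C = client command, S = server reply).
CAPTURE = """\
1 C USER alice
1 S 331 Password required for alice
1 C PASS constructed-secret
1 S 230 Login successful
1 C RETR payroll.csv
1 S 150 Opening data connection
1 S 226 Transfer complete
2 C USER anonymous
2 S 331 Send e-mail address as password
2 C PASS guest@example.com
2 S 230 Anonymous access granted
2 C STOR upload.bin
2 S 150 Opening data connection
2 S 226 Transfer complete
3 C USER bob
3 S 331 Password required for bob
3 C PASS constructed-wrong
3 S 530 Login incorrect
"""


@dataclass
class FtpSession:
    user: str = ""
    password_seen: bool = False   # PASS was visible on the wire; its value is not kept
    logged_in: bool = False
    downloads: List[str] = field(default_factory=list)
    uploads: List[str] = field(default_factory=list)


def parse_capture(capture: str) -> Dict[int, FtpSession]:
    """Rebuild per-session state from the readable control-channel lines."""
    sessions: Dict[int, FtpSession] = {}
    last_cmd: Dict[int, Tuple[str, str]] = {}   # most recent client command per session
    for raw in capture.splitlines():
        parts = raw.split(maxsplit=2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue                            # skip blank or malformed lines
        sid, direction, text = int(parts[0]), parts[1], parts[2]
        session = sessions.setdefault(sid, FtpSession())
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            last_cmd[sid] = (verb, arg)
            if verb == "USER":
                session.user = arg
            elif verb == "PASS":
                session.password_seen = True
        elif direction == "S":
            verb, arg = last_cmd.get(sid, ("", ""))
            code = text[:3]
            if verb == "PASS" and code == "230":      # 230: user logged in
                session.logged_in = True
            elif verb == "RETR" and code == "226":    # 226: transfer completed
                session.downloads.append(arg)
            elif verb == "STOR" and code == "226":
                session.uploads.append(arg)
    return sessions


def findings(sessions: Dict[int, FtpSession]) -> List[Tuple[int, str, str]]:
    """Return (session, finding, detail) tuples for an analyst to review."""
    out: List[Tuple[int, str, str]] = []
    for sid, s in sorted(sessions.items()):
        anonymous = s.user.lower() == "anonymous"
        # A real account's password is exposed even when the login fails.
        if s.password_seen and not anonymous:
            out.append((sid, "cleartext-credentials", s.user))
        if anonymous and s.uploads:
            out.append((sid, "anonymous-upload", ", ".join(s.uploads)))
        for name in s.downloads + s.uploads:
            out.append((sid, "cleartext-transfer", name))
    return out


if __name__ == "__main__":
    for finding in findings(parse_capture(CAPTURE)):
        print(finding)
```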

  • SFTP is an application program that encodes both
    the commands and the data passed.

  • SFTP must be on both the client and the server.
  • SFTP is not interoperable with standard FTP.
  • The encrypted commands cannot be read by an FTP
    server program.
  • To establish SFTP data transfers, the server must
    be enabled with the SFTP program.
  • Clients access the server provided they have the
    correct credentials.

  • SFTP operates in a similar way to FTP:
  • An identification function uses a username.
  • An authorization function uses a password.
  • There is no anonymous SFTP account by definition.
  • Access is established and controlled from the
    server using standard access control lists, IDs,
    and passwords.

  • Protocols such as SSL/TLS provide methods for end
    users to use cryptography without understanding
    the method.
  • This yields complacency: the impression that once
    SSL/TLS is enabled, the user is safe, which is
    not necessarily the case.
  • If a Trojan program records keystrokes and sends
    the information to an unauthorized user, SSL/TLS
    cannot prevent this security breach.
  • If the user connects to an untrustworthy site, a
    secure connection does not prevent the other site
    from running a scam.
  • Using SSL/TLS and other encryption methods does
    not guard against credit card information being
    lost by the receiving company.

  • What and where data is protected requires
    understanding of what these protocols can and
    cannot do.
  • The SSL/TLS suite can protect data in transit,
    not in storage.
  • It can authenticate users and servers.
  • Certificate mechanisms are established and used
    by both parties.
  • SSL/TLS provides a secure method of
    authentication, followed by confidentiality in
    data transfers and data integrity checking.
  • All of this occurs during transit; the protection
    ends once the data is stored.

  • Vulnerabilities
  • Buffer Overflows
  • Java and JavaScript
  • ActiveX
  • CGI
  • Server-Side Scripts
  • Cookies
  • Signed Applets
  • Browser Plug-Ins

Code-Based Vulnerabilities
  • Browsers perform many types of data transfer.
  • Helper programs or plug-ins increase usability
    for some data transfers.
  • Separate application programs may be called by a
    browser to handle the data being transferred.

Code-Based Vulnerabilities
  • Applications or plug-ins may include malicious
    codes that perform actions not desired by users.

Buffer Overflows
  • The most common exploit to hack into software is
    the buffer overflow.
  • It is the result of poor programming practices.
  • When any program places data into a buffer and
    does not validate the input for correct length,
    the potential for a buffer overflow exists.

Buffer Overflows
  • The concept is simple.
  • A hacker writes an executable that performs an
    action on the target machine and appends his code
    fragment to a legitimate response to a program on
    the target machine.
  • When the target machine reads through the
    too-long response, a buffer overflow condition
    causes the original program to fail.
  • The extra malicious code fragment is now in the
    machine's memory, awaiting execution.
  • If the hacker executed it correctly, the program
    will skip into the hacker's code, running it
    before failing.

Buffer Overflows
  • Buffer overflows are exploitable in a wide range
    of programs.
  • Fifty percent of the security incidents are from
    buffer overflow exploits.
  • Users have to keep their machines up-to-date with
    patches from manufacturers.

Java and JavaScript
  • Java is based on the C language.
  • It was designed to be platform-independent.
  • It offers a low learning curve and a
    platform-independent way of implementing programs
    across an enterprise.

Java and JavaScript
  • Java and JavaScript operate through an
    interpreter called a Java Virtual Machine (JVM)
    on each platform that interprets the Java code.

Java and JavaScript
  • The JVM enables the program functionality for the
    specific platform.
  • Reliance on an interpretive step leads to
    performance issues.
  • Java is plagued by poor performance when compared
    to most other languages.
  • Security was one of the advantages of Java.

Java and JavaScript
  • Java was designed to be used in trusted
  • When it moved to the Internet for general use,
    safety became an advertised benefit.

Java and JavaScript
  • Safety is not security and a Java program can
    still cause significant damage to a system.
  • The ability to read data from a hard drive and
    display it on the screen is essential for many
  • When the program is downloaded and run from the
    Internet, without the knowledge of the user, data
    may be sent across the Internet to an
    unauthorized user. This enables the program to
    spy on the user.
  • Writing data to the hard drive may cause
    deletions if the program does not write the data
    where the user expects it to.

Java and JavaScript
  • JavaScript is a form of Java designed to be
    operated within a browser instance.
  • JavaScript enables features such as validation of
    forms before they are submitted.
  • JavaScript runs within the browser; the code is
    executed by the browser itself.

Java and JavaScript
  • JavaScript was designed not to access files or
    network resources directly, except through the
    browser functions.
  • Enterprising programmers found many other uses
    for JavaScript, such as manipulating the browser
    history files, now prohibited by design.

Java and JavaScript Security
  • Each browser manufacturer has implemented
    configuration settings differently.

The Certificate management options dialog box in
Netscape Communicator
Java and JavaScript
  • JavaScript has not proven to be as secure as
  • This traces back to a similar fault in the Java
  • Security was added later without a comprehensive
    security model.
  • Most browsers do not have a mechanism to halt a
    running script short of aborting the browser
  • This may not be possible if the browser has
    stopped responding to commands.

Java and JavaScript Security
Java configuration options in Microsoft Internet
Java and JavaScript
  • The number of ways JavaScript can interact with a
    system is high.
  • With so many opportunities for malicious code,
    the best advice is not to run JavaScripts or Java
    applets unless the source is trusted.

  • ActiveX is a collection of APIs, protocols, and
    programs developed by Microsoft to download and
    execute code over an Internet-based channel.
  • The code is bundled together into an ActiveX
    control with an .ocx extension.
  • These controls are referenced in HTML using the
    <object> tag.

  • Microsoft developed Authenticode that uses
    digital signatures.
  • At the right are examples of Authenticode options.

Some of the ActiveX control options in Microsoft
Internet Explorer
  • Windows users may determine who produced a
    specific piece of code and whether or not the
    code has been altered.
  • Safety and security are different things.
  • Authenticode promotes neither in reality.
  • Authenticode provides limited accountability at
    the time of download and guarantees that the code
    has not been changed since the time of signing.
  • Authenticode does not identify whether a piece of
    code will damage a system, nor does it regulate
    how the code is used.

  • The Common Gateway Interface (CGI) was a method
    of having a Web server execute a program outside
    the Web server process, but yet on the same
  • It passes information via environment variables
    to an independent program.
  • It executes the program.
  • It returns the results to the Web server.

  • CGI offers many advantages to Web-based programs.
  • The programs can be written in a number of
    languages, although Perl is preferred.
  • These scripted programs embrace the full
    functionality of a server, allowing access to
    databases, UNIX commands, and other programs.
  • If properly coded, CGI offers no more and no less
    risk than any other solution.

Server-Side Scripts
  • CGI has been replaced with newer server-side
    scripting technologies such as Java, Active
    Server Pages (ASP), and PHP.
  • They are similar to CGI: they allow programs to
    be run outside the Web server and return data to
    the Web server for end users via a Web page.
  • Each of these technologies has advantages and
    disadvantages. All have stronger security models
    than CGI.

  • Cookies are blocks of ASCII text passed within an
    HTML stream to store data temporarily in a Web
    browser instance.

  • Cookies pass back and forth between the Web
    server and the browser and act as a mechanism to
    maintain state in a stateless world.
  • State is a term that describes the dependence on
    previous actions.

  • An HTTP session served by a Web server is
  • Each request is independent of all previous
  • The server has no memory of previous requests.
  • Cookies were developed to bridge this gap.

  • Cookies are passed along with HTML data through a
    Set-Cookie message in the header portion of an
    HTML transaction, or via a script in the HTML

  • A cookie is a series of name-value pairs that is
    stored in the memory during a browser instance.
  • The specification for cookies establishes several
    specific name-value pairs for defined purposes.
  • Additional name-value pairs may be defined at
    will by a developer.

Cookies Name-Value Pairs
  • Set of name-value pairs includes:
  • Expires specifies when the cookie expires.
  • If no value exists, the cookie is only good
    during the current browser session and will not
    remain on the hard drive.
  • If a value is given, the cookie will be written
    to the user's machine and remain until it
  • Domain specifies the domain where the cookie is
  • Cookies are memory-resident objects.
  • Since the user or data can cause a browser to
    move between domains (for example, from
    comedy.net to jokes.org) some mechanism needs to
    tell the browser which cookies belong to which

Cookies Name-Value Pairs
  • Set of name-value pairs includes (continued):
  • Path resolves the applicability of the cookie
    into a specific path within a domain.
  • If the path is /directory, the cookie will only be sent
    for requests within the /directory on the given
    domain, allowing a level of granular control over
    the information being passed between the browser
    and the server and limiting unnecessary data
  • Secure: the keyword secure in a cookie
    indicates that it is to be used only in an
    SSL/TLS session.
  • This does not indicate any other form of
  • Cookies are stored in plaintext on the client
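
The Expires, Domain, Path, and Secure rules from the two slides above, worked through as an added example that is not part of the original presentation: a Python model of how a browser decides whether to keep a Set-Cookie value and whether to return the cookie on a later request. The function names are illustrative, the header values and clock are constructed, and the public-suffix checks that real browsers also apply are not modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                         # host or parent domain the cookie is scoped to
    host_only: bool                     # True when no Domain attribute was sent
    path: str
    secure: bool = False
    expires: Optional[datetime] = None  # None: session cookie, kept in memory only


def default_path(url_path: str) -> str:
    """Directory of the request path, used when no Path attribute is sent."""
    if not url_path.startswith("/") or url_path.count("/") == 1:
        return "/"
    return url_path[:url_path.rfind("/")]


def domain_matches(host: str, domain: str, host_only: bool) -> bool:
    host = host.lower()
    if host == domain:
        return True
    # A Domain attribute also covers subdomains, but only on a label boundary.
    return not host_only and host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    request_path = request_path or "/"
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # "/directory" covers "/directory/x" but not "/directory2".
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header_value: str, request_url: str) -> Optional[Cookie]:
    """Parse one Set-Cookie value; return None when its Domain is out of scope."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    pair, *attributes = [part.strip() for part in header_value.split(";")]
    name, _, value = pair.partition("=")
    cookie = Cookie(name.strip(), value.strip(), host, True, default_path(url.path))
    for attribute in attributes:
        key, _, val = attribute.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            when = parsedate_to_datetime(val)
            cookie.expires = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        elif key == "domain" and val:
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
    # A site may set cookies only for itself or a parent domain it belongs to,
    # so jokes.org cannot plant a cookie scoped to comedy.net.
    if not domain_matches(host, cookie.domain, host_only=False):
        return None
    return cookie


def should_send(cookie: Cookie, request_url: str, now: datetime) -> bool:
    """Decide whether the cookie accompanies a request to request_url."""
    url = urlsplit(request_url)
    if cookie.expires is not None and cookie.expires <= now:
        return False                    # expired cookies are discarded
    if cookie.secure and url.scheme != "https":
        return False                    # Secure: SSL/TLS sessions only
    return (domain_matches(url.hostname or "", cookie.domain, cookie.host_only)
            and path_matches(url.path, cookie.path))


if __name__ == "__main__":
    clock = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed fixed clock
    c = parse_set_cookie("sid=abc123; Domain=comedy.net; Path=/directory; Secure",
                         "https://www.comedy.net/directory/login")
    for target in ("https://www.comedy.net/directory/page",
                   "http://www.comedy.net/directory/page"):
        print(target, should_send(c, target, clock))
```

Secure only restricts which connections carry the cookie; the value itself is still stored and sent as readable text, so it should not hold anything the client must not see.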

  • Cookie management is an invisible process.
  • Internet Explorer and Netscape Communicator have
    methods for users to examine and manipulate
    cookies on the client side.

  • Netscape Communicator stores the cookies in a
    long text file.
  • Note the file location in the browser address

  • Cookie Management in Microsoft Explorer.
  • Note the separate files.

Netscape Communicator cookie file
  • If users disable cookies in a browser, this
    information will not be available for the Web
    server to use.

Cookie management in Microsoft Internet Explorer
Disabling Cookies
  • IETF RFC 2109 describes the HTTP state-management
    system (cookies) and the several cookie functions
    to be enabled in browsers, specifically:
  • The ability to turn cookie usage on and off.
  • An indicator as to whether cookies are in use.
  • A means of specifying cookie domain values and

Cookie Management
  • This is the Netscape browser tool to manage

Netscape Communicator cookie Management via
Disabling Cookies
  • To surf cookie-free requires more than a simple
  • Instructing a browser to stop accepting cookies
    is a setup option available through an options
  • It has no effect on cookies already received and
    stored on the system.
  • To prevent the browser from responding to cookies
    already received, the user must delete the
    cookies from the system.

Deleting Cookies
  • This is the tool to delete cookies in Internet

The Microsoft Internet Explorer delete cookies
Signed Applets
  • Code signing brings the security of
    shrink-wrapped software to software downloaded
    from the Internet.

Signed Applets
  • Code signing adds a digital signature and
    certificate to a program file to demonstrate file
    integrity and authenticity.
  • The certificate identifies the author.
  • The digital signature contains a hash value that
    covers code, certificate, and signature to prove
  • This establishes the integrity of the code and
    publisher via a standard browser certificate

Signed Applets
  • Use of a certificate to sign an applet or a
    control allows the identity of the author to be
  • The signing of code identifies the code's
    manufacturer and guarantees that the code has not
    been modified since it was signed.

Signed Applets
  • A signed applet can be hijacked as easily as a
    graphic or any other file.
  • An attacker can hijack a signed control by
    in-line access or copying the file in its
    entirety and republishing it.
  • In-lining is using an embedded control from
    another site with or without the other site's
  • Republishing a signed control is done much like
    stealing a GIF or JPEG image.
  • A copy of the file is maintained on the
    unauthorized site and served from there instead
    of from the original location.

Signed Applets
  • The security concern of signed controls comes
    from how the control is used.
  • A hacker may be able to use a control in an
    unintended fashion.
  • Creating a file loss or buffer overflow.
  • Conditions that weaken a system and may allow
    exploitation of other vulnerabilities.
  • The control will still function as designed, but
    the issue becomes who it is used by and how.
  • These are concerns not addressed simply by
    signing a control or an applet.

Browser Plug-Ins
  • Plug-ins are small application programs that
    increase a browser's ability to handle new data
    types and add new functionality.

Browser Plug-Ins
  • To date, plug-ins have had a good safety record.
  • Although a plug-in changes a browser, and how it
    manipulates data, security holes have not been
    the norm in this area.

Browser Plug-Ins
  • Not all plug-ins are safe.
  • There are many plug-ins, most from small
    single-programmer shops, designed for specific
    purposes that may or may not be needed by most
  • Your trust in plug-ins should be based on knowing
    whom you are trusting.