Chapter 17: WEB COMPONENTS By Chuong Vu

Chapter Contents Current Web Components and Concerns Web protocols SSL/TLS, HTTP/HTTPS, DAP/LDAP, FTP/SFTP Code-Based Vulnerabilities Buffer Overflows, Java/Javascript, ActiveX, Securing the Browser, CGI, Server-Side Scritps, Cookies, Signed Applets, Browser Plug-ins. Application-Base Weaknesses OVAL, Web 2.0

Current Web Components and Concerns Web is not just to browsers, but also to web components that enable services for end users through their browser interfaces. They offers users an easy-to-use, secure method of conducting data transfer over the Internet. They have three main tasks: Securing a server provide a webserver. Securing the data transport between servers and users via web. Securing the user’s computer from attack.

Web Protocols When two computer communicate, several things must happen for the communication to be effective: They must use the same and correctly language that both the parties can understand. Protocols are very important and from basic by which all the separate parts can work together.

Encryption (SSL and TLS) Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.

How SSL/TLS Works? TLS/SSL authenticates and secures data transfers by using certificate-based authentication and symmetric encryption keys. One authentication is established, the channel is secured with symmetric key cryptographic methods and hashes: RC4 or 3DES is use for symmetric key. MD5 or SHA-1 is use for hash functions.

SSL/TLS Attacks Even SSL/TLS is specifically designed to provide protection from man-in-the-middle attacks, it is not completely security solution and can be defeated. A Trojan/Keylogger program can copies keystrokes and echoes them to another TCP/IP address with the intended communication can defeat SSL/TLS.

The Web (HTTP/HTTPS) The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. It is used for transfer hyperlinked data over Internet. Hypertext Transfer Protocol Secure (HTTPS) is used to secure the connection with SSL/TLS.

Directory Service (DAP/LDAP) Directory Access Protocol (DAP) is a computer networking standard promulgated use for accessing an X.500 directory service. The Lightweight Directory Access Protocol (LDAP) is an application protocol describing interaction with directory services. SSL/TLS LDAP LDAP required SSL/TLS to achieve over for connection between client and server.

File Transfer (FTP/SFTP) File Transfer Protocol (FTP) is an application-level protocol that operates over a wide range of lower-level protocols. SSH File Transfer Protocol (SFTP) combines the file transfer application with Secure Shell (SSH) application to provide for a means of confidential FTP operations. Blind FTP (Anonymous FTP) allows unlimited public access to the files and commonly use when you want to have unlimited distribution.

Code-Based Vulnerabilities The ability to connect many machines together to transfer data is what makes the Internet so functional for so many users. Web Browsers have become powerful programming environments that perform many actions behind the scenes for a user. Example: DDOS (botnet)

Buffer Overflows The buffer overflow vulnerability is a product of poorly constructed software programs. When code in the stack-buffer overflows into another application’s process. It can cause applications to crash or execute malicious code.

Java and JavaScript Java is computer language invented by Sun Microsystems. It is a software package installed separately from the browser. JavaScript is a scripting language developed by Netscape. JavaScript is generally built in to the browser.

Different between Java and JavaScript Java and JavaScript are completely different. Java is designed for safety, reducing the opportunity for system crashes. JavaScript is used to control the look, feel and function of web pages displayed inside the browser.

ActiveX ActiveX is a software framework developed by Microsoft. It is a tool for the Windows environment and can be extremely powerful. ActiveX can be used to create complex application then embedded into other container objects such as a web browser.

CGI/Server-Side Script The Common Gateway Interface (CGI) is a standard method for web server software to delegate the generation of web content to executable files. They are usually written in a scripting language. Allows programs to be run outside the web server and to return data to the web server to be served to end users via a web page.

Cookies Cookies are small chunks of ASCII text passed within an HTTP stream to store data temporarily in a Web Browser instance. Cookies can be set for persistent (last for a defined time period) or session (Expire when the session is closed).

Signed Applets/Browser Plug-ins Code signing is the process of digitally signing executable and scripts to bring the security of shrink-wrapped software to software downloaded from the Internet. Browser Plugins are small application programs that increase a browser’s ability to handle new data types and add new functionality. (Example: Adobe PDF, NoScript, etc..)

Application-Based Weaknesses Beside the Web Browser, the application software written to run on servers and serve up the content for users is also abused by crackers. Open Vulnerability and Assessment Language (OVAL) are an XML-based languages that provides a standard for how to check for the presence of vulnerabilities and configuration issues on computer systems.

Web 2.0 Web 2.0 websites allow users to do more than just retrieve information. They provide the users with more user-interface, software and storage facilities, all through their browser.

Questions?