Page 153 - Hacker Highschool eBook
LESSON 10 – WEB SECURITY AND PRIVACY
| RAV | What it means | Web Examples |
|---|---|---|
| Privacy | A way to assure that the way you contact and communicate with the web application cannot be pre-determined by another person. | While it is very rare, it is not unimaginable that a web application that contains very private information would not even show you it is there unless you come from the right place and know the right secret combination to get the web app to be accessible. One way is to have to click a picture in 5 different places in a specific order to get to the login screen. Another manner is called port-knocking, and it means that the server requires a specific sequence of interactions before it opens a port, such as the HTTP port, to the user. |
| Indemnification | These are ways to assure that the web application has legal protection or, at the least, can be financially protected with insurance. | Some web sites clearly print on the login screen that it is for authorized personnel only. If someone steals a login and password or even brute-forces it open, the attacker, if caught, cannot say he didn't know it was private. |
| Integrity | This is a record of the validity of the communication with the web application, to assure that what is sent and then received by the other party is the same thing, and if it changed, both the web application and the user have a record of the change. | Some web apps provide a “HASH” with files to be downloaded. This HASH is a number generated from that specific file. When you download the file, you can check the HASH you generate from the file against the one they post. This is to assure that some attacker is not trying to trick you with a different file, either replaced or through deception, such as in Cross Site Scripting. |
| Safety | This is how we protect the web application from its own security devices. If security fails, we need to make sure that it does not affect the operation of the web application as a whole. | It is very possible to have an application use a daemon that can re-initialize itself or even prevent an attack from crashing any part of itself by presenting itself only virtually. You can also find scenarios where a web app uses an intrusion detection mechanism that “stops” attacks by blocking the attacker by IP address. In this case, we can't say Safety exists if the security device is configured to prevent an attacker from spoofing the web app's own resources and causing this defense to block important traffic. Instead, it is considered either a misconfiguration of the defense or, in some cases, a weakness of design. Don't confuse a poorly made or “accidental” defense with a designed loss control. |
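The Integrity row above describes checking a downloaded file against the hash a site publishes next to it. The following is an added example, not code from the Hacker Highschool lesson; it assumes the published value is a SHA-256 hex digest (many sites use other algorithms, so the algorithm name is a parameter), and the "downloaded" file bytes and the published hash are constructed here so it runs offline.

```python
import hashlib
import hmac

# Constructed sample: the bytes of a "downloaded" file, and the digest the
# site is assumed to print beside the download link (SHA-256, hex).
SAMPLE_FILE = b"example installer contents v1.0\n"
PUBLISHED_HASH = hashlib.sha256(SAMPLE_FILE).hexdigest()


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of the file contents using the named hash."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """Compare the digest we compute ourselves with the one the site posted.

    Both values are normalised to lowercase because sites print hex in either
    case, and hmac.compare_digest is used so the comparison does not stop at
    the first differing character.
    """
    ours = file_digest(data, algorithm)
    return hmac.compare_digest(ours.lower(), published_hex.strip().lower())


def verify_download_file(path: str, published_hex: str,
                         algorithm: str = "sha256", chunk_size: int = 1 << 20) -> bool:
    """Same check for a file on disk, hashed in chunks so a large download
    does not have to be loaded into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest().lower(), published_hex.strip().lower())


if __name__ == "__main__":
    print("genuine file matches:", verify_download(SAMPLE_FILE, PUBLISHED_HASH))
    tampered = SAMPLE_FILE.replace(b"v1.0", b"v1.0 with extra bytes")
    print("altered file matches:", verify_download(tampered, PUBLISHED_HASH))
```

The check is only as trustworthy as the channel the published hash came over: if an attacker can replace both the file and the hash on the page (the deception case the row mentions), a matching digest proves nothing, which is why projects often also publish a signature over the hash list.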
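The Safety row above warns that a detector which blocks by source IP can be turned against the application itself if spoofed failures get one of the app's own resources banned. The following is an added example, not code from the Hacker Highschool lesson; it contrasts a naive auto-blocker with a guarded one. The protected address ranges, the failure threshold and the login events are all constructed for the example, and the "reverse proxy" and "payment callback" roles given to those addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: addresses the web app itself depends on (assumed roles:
# the reverse proxy subnet and a payment callback host). Blocking any of
# these breaks the application rather than protecting it.
PROTECTED = [ip_network("10.0.0.0/24"), ip_network("203.0.113.10/32")]

# Constructed sample of (source_ip, event) pairs as an auth log might
# report them. The failures from 10.0.0.5 are spoofed to look like the proxy.
EVENTS = [
    ("198.51.100.7", "login_failed"),
    ("198.51.100.7", "login_failed"),
    ("198.51.100.7", "login_failed"),
    ("10.0.0.5", "login_failed"),
    ("10.0.0.5", "login_failed"),
    ("10.0.0.5", "login_failed"),
    ("198.51.100.8", "login_failed"),
    ("198.51.100.8", "login_failed"),
    ("198.51.100.8", "login_failed"),
    ("192.0.2.44", "login_ok"),
]


class NaiveBlocker:
    """Blocks any source after `threshold` failures, the app's own addresses included."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.blocked = set()

    def observe(self, src: str, event: str) -> bool:
        """Record one event; return True if `src` is now blocked."""
        if event == "login_failed":
            self.failures[src] += 1
            if self.failures[src] >= self.threshold:
                self.blocked.add(src)
        return src in self.blocked


class GuardedBlocker(NaiveBlocker):
    """Same detector, but it never blocks a protected address and caps how
    many addresses may be blocked at once, so spoofed failures cannot be
    turned into a denial of service against the app's own traffic."""

    def __init__(self, threshold: int = 3, protected=PROTECTED, max_blocked: int = 1000):
        super().__init__(threshold)
        self.protected = protected
        self.max_blocked = max_blocked
        self.refused = set()  # sources the detector flagged but would not block

    def is_protected(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in net for net in self.protected)

    def observe(self, src: str, event: str) -> bool:
        if event != "login_failed":
            return src in self.blocked
        self.failures[src] += 1
        if self.failures[src] >= self.threshold and src not in self.blocked:
            if self.is_protected(src) or len(self.blocked) >= self.max_blocked:
                self.refused.add(src)  # alert instead of blocking
            else:
                self.blocked.add(src)
        return src in self.blocked


def run(blocker: NaiveBlocker, events=EVENTS) -> list:
    """Feed all events through a blocker and return the sorted block list."""
    for src, ev in events:
        blocker.observe(src, ev)
    return sorted(blocker.blocked)


if __name__ == "__main__":
    print("naive  :", run(NaiveBlocker()))
    guarded = GuardedBlocker()
    print("guarded:", run(guarded), "refused:", sorted(guarded.refused))
```

Run on the sample, the naive blocker bans the spoofed proxy address along with the two attackers; the guarded one bans only the attackers and records the proxy as refused so someone can investigate. The refusal path is the "designed loss control" the row asks for: the defence degrades to an alert rather than taking the application down with it.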
12