Communication Security: Web Based Services • Chapter 5 269
will be displayed on the user’s monitor. This code can be seen by selecting the
View Source option in your browser, such as by right-clicking on a Web page in
IE and selecting View Source on the context menu that appears.
HTML was originally designed as a simple markup language used to format
text size, style, color, and characteristics such as boldface or italic. However, as Web
users demanded more sophisticated Web pages, Web designers developed ways to
create interactive elements in pages. Today’s Web pages include XML, DHTML,
Flash, Java, ActiveX, and scripts that run in the browser and utilize other
technologies that allow for much more dynamic pages. Unfortunately, these new features
brought with them new vulnerabilities. Browsers are open to a number of types of
attack, which are discussed in the following section.
Exploitable Browser Characteristics
Early browser programs were fairly simple, but today’s browsers are complex; they
are capable of not only displaying text and graphics, but also playing sound files
and movies and running executable code. Support for running code (as “active
content” such as Java, JavaScript, VBScript, and ActiveX) allows Web designers to create
pages that interact with users in sophisticated ways. For example, users can
complete and submit forms across the Web, or play complex games online. These
characteristics of modern Web browsers serve useful purposes, but they can also be
exploited in a variety of ways. Browser software stores and accesses information
about the computer on which it is installed and about the user, which can be
uploaded to Web servers either deliberately by the user or in response to code on a
Web site (often without the user’s knowledge). Similarly, a hacker can program a
Web site to run code that transfers a virus to the client computer through the
browser, erases key system files, or plants a back door program that then allows the
hacker to take control of the user’s system. Chapter 8, “Implementing System
Security,” discusses active content and other browser security issues and provides
tips on how to disable these features when they are not needed and make popular
browsers more secure.
Cookies
Cookies are another example of a useful tool used with Web browsers that can be
exploited in various ways. Cookies are very small text files that a Web server creates
on your computer to hold data that’s used by the site. This information could be
indicators that you visited the site before, preferred settings, personal information
(such as your first and last name), username, password, or anything else that the Web
www.syngress.com