286 Chapter 5 • Communication Security: Web Based Services
Web-based Vulnerabilities
Java applets, ActiveX components, and scripts written in languages like VBScript and
JavaScript are often overlooked as potential threats to a Web site. These are client-
side scripts and components, which run on the computer of a visitor to your site.
Because they are downloaded to and run on the user's computer, any problems will
generally affect the user rather than the Web server itself. However, the effect of an
erroneous or malicious script, applet, or component can be just as devastating to a
site. If a client's computer locks up whenever one of these loads, on every visit to the
site, the result is the same as if the Web server had gone down: no one will be able
to use the site.
As shown in the sections that follow, a number of problems may result from
Java applets, ActiveX components, or client-side scripts such as JavaScript. Not all of
these problems affect only the client; some of them provide a means of attacking the
site itself. Ultimately, however, avoiding such problems comes down to controlling which
programs are made available on a site and being careful about what is included in
the content.
Understanding Java-, JavaScript-, and ActiveX-based Problems
Some Web designers use public-domain applets and scripts on their Web pages,
even though they do not fully understand what the applet or script does. Java
applets that need access beyond the browser's sandbox are expected to be digitally
signed, but when an applet is embedded in a Web page, it is possible to get around
this requirement. An attacker can program an applet to execute code on a machine
so that information is retrieved or files are destroyed or modified. Remember that an
applet is an executable program and is capable of performing malicious activities on
a system.
Java
Java is a programming language, developed by Sun Microsystems, that is used to
make small applications (applets) for the Internet as well as standalone programs.
Applets are embedded in a Web page and run when the user's browser loads the
HTML document. Java provides a number of security features that apply to such
applets. The compiler enforces the language's type rules, and when the compiled
class files are loaded, the JVM's bytecode verifier checks the code again, so a class
file that was altered after compilation, or that was never produced by a trustworthy
compiler, is rejected before it runs. Together with the language's lack of direct
pointer access and its array bounds checks, this keeps code from reaching areas of
memory it has no right to touch. When the code is loaded, the Java Virtual Machine (JVM) is
www.syngress.com
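The Java section above describes compile-time type checking and the JVM's bytecode verification as separate safeguards. The following program, an added example that is not from the book, shows why the second one matters: it compiles a trivial class with javac, loads the resulting bytes through a custom class loader (the way an applet loader turned downloaded .class data into a runnable class), then flips a single bytecode instruction in the compiled bytes and loads the result again. The compiler never saw the altered bytes, but the verifier rejects them at link time with a VerifyError. It assumes a Java 11 or later JDK (javac must be available to the running JVM) and uses the hypothetical class name Answer and method name get; the bytecode pattern it searches for (bipush 42; ireturn) is what javac emits for a method body of return 42.

```java
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;
import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.Path;

public class VerifierDemo {

    // Loader that defines a class directly from raw bytes, as an applet loader
    // did with bytes fetched over the network. Classes defined by a non-bootstrap
    // loader are always run through the bytecode verifier before they link.
    static class ByteLoader extends ClassLoader {
        Class<?> define(String name, byte[] b) {
            return defineClass(name, b, 0, b.length);
        }
    }

    public static void main(String[] args) throws Exception {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) {
            throw new IllegalStateException("javac not available: run this with a JDK, not a JRE");
        }

        // 1. Compile a one-method class (hypothetical name Answer). Compile-time
        //    type checking passes because the source is well typed.
        Path dir = Files.createTempDirectory("verifier-demo");
        Path src = dir.resolve("Answer.java");
        Files.writeString(src, "public class Answer { public static int get() { return 42; } }");
        int rc = javac.run(null, null, null, "-d", dir.toString(), src.toString());
        if (rc != 0) {
            throw new IllegalStateException("javac failed with exit code " + rc);
        }
        byte[] good = Files.readAllBytes(dir.resolve("Answer.class"));

        // 2. Untampered bytes: the class links, verifies and runs.
        Method get = new ByteLoader().define("Answer", good).getMethod("get");
        System.out.println("clean class: get() = " + get.invoke(null));

        // 3. Tamper with the compiled bytes. javac emits the body of get() as
        //    bipush 42 (0x10 0x2A) followed by ireturn (0xAC). Replacing ireturn
        //    with areturn (0xB0) makes the method hand back an int as if it were
        //    an object reference, which is exactly the kind of type confusion the
        //    compiler would have refused to produce.
        byte[] bad = good.clone();
        int at = indexOf(bad, new byte[] {0x10, 0x2A, (byte) 0xAC});
        if (at < 0) {
            throw new IllegalStateException("expected bytecode pattern not found");
        }
        bad[at + 2] = (byte) 0xB0;

        // 4. The tampered class is accepted by defineClass (the file format is
        //    still valid) but rejected by the verifier when it is linked, which
        //    getMethod triggers. The check happens at load time, not compile time.
        try {
            new ByteLoader().define("Answer", bad).getMethod("get").invoke(null);
            System.out.println("tampered class ran: verification is disabled on this JVM");
        } catch (VerifyError e) {
            System.out.println("tampered class rejected by the verifier: " + e.getMessage());
        }
    }

    // Returns the index of the first occurrence of needle in hay, or -1.
    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (hay[i + j] != needle[j]) {
                    continue outer;
                }
            }
            return i;
        }
        return -1;
    }
}
```

Run it with `java VerifierDemo.java` on a JDK. The clean class prints 42; the tampered copy fails with a VerifyError such as "Bad return type", which is the load-time check the section describes. The "tampered class ran" branch is only reachable if bytecode verification has been switched off for the JVM, which is why that setting should never be used for code loaded from untrusted sources.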