Communication Security: Web Based Services • Chapter 5 303
Preventing Problems with Java, JavaScript, and ActiveX
Preventing problems with scripts, applets, and other components that are included
on a site is not impossible if precautions are taken beforehand. First, network
administrators should not include components that they do not fully understand or
trust. If they are not certain what a particular script is doing in a line of code, they
should not add it to a page. Similarly, they should use applets and ActiveX components
that make their source code available. If an administrator has a particular
applet or component that they want to use but do not have the code available, they
must ensure that it was created by a trusted source. For example, a number of companies
such as Microsoft provide code samples on their site, which can be used
safely and successfully on a site.
NOTE
The code for a Java applet resides in a separate file, whereas the script
for JavaScript is embedded in the HTML document, and anyone can
see it (or copy it) by using the View Source function in the browser.
Code should be checked for any flaws, because administrators do not want end
users to be the first to identify them. A common method for testing code is to
upload the Web page and component to the site, but not link the page to any
other pages. This will keep users who are not aware of the page from accessing it.
Then you can test it live on the Web, with minimal risk that end users will access it
before you’re sure the code is good. However, when using this method, you should
be aware that there are tools such as Sam Spade (www.samspade.org) that can be
used to crawl your Web site to look for unlinked pages. In addition to this, spiders
may make the orphan Web page containing your test code available in a search
engine. A spider (also known as a crawler) is a program that searches sites for Web
pages, adding the URL and other information on pages to a database used by
search engines like Google. Without ever knowing it, an orphan Web page used to
test code could be returned in the results of a search engine, allowing anyone to
access it. If you test a Web page in this manner, you should remove it from the site
as soon as you’ve finished testing.
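Because test pages left behind in this way are easy to forget, an administrator can check the site's own files for them before a crawler does. The following script is an added example, not code from the book or from any of the tools it mentions: it loads the HTML files under a Web root, follows the relative href and src links between them from a set of entry pages (assumed here to be index.html), and reports every page that cannot be reached. It goes slightly beyond the text by catching not only pages that nothing links to, but also pages reachable only from other orphans. The sample site embedded at the bottom is constructed for the demonstration.

```python
import os
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects every href and src attribute value seen in the document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def extract_links(html_text):
    """Return the raw link targets (href/src values) found in an HTML page."""
    collector = _LinkCollector()
    collector.feed(html_text)
    return collector.links


def resolve_link(from_page, link):
    """Turn a link written inside from_page into a site-root-relative path.

    Returns None for anything that is not a same-site page reference:
    absolute URLs, mailto:, bare fragments (#top) and bare query strings.
    """
    parts = urlsplit(link)
    if parts.scheme or parts.netloc or not parts.path:
        return None
    if parts.path.startswith("/"):
        return posixpath.normpath(parts.path.lstrip("/"))
    base_dir = posixpath.dirname(from_page)
    return posixpath.normpath(posixpath.join(base_dir, parts.path))


def find_orphan_pages(pages, entry_points=("index.html",)):
    """Return the sorted list of pages not reachable from the entry points.

    pages maps a site-relative path (e.g. "docs/guide.html") to its HTML.
    A page reachable only from another orphan is reported as an orphan too.
    """
    reachable = set()
    stack = [p for p in entry_points if p in pages]
    while stack:
        page = stack.pop()
        if page in reachable:
            continue
        reachable.add(page)
        for link in extract_links(pages[page]):
            target = resolve_link(page, link)
            if target in pages and target not in reachable:
                stack.append(target)
    return sorted(set(pages) - reachable)


def load_site(root):
    """Read every .html/.htm file below root into the mapping find_orphan_pages expects."""
    pages = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    pages[rel] = fh.read()
    return pages


# Constructed sample site: two test pages were uploaded without being linked from
# the rest of the site, exactly the situation the text describes.
SAMPLE_SITE = {
    "index.html": '<html><body><a href="about.html">About</a>'
                  '<a href="/docs/guide.html">Guide</a>'
                  '<script src="js/app.js"></script></body></html>',
    "about.html": '<html><body><a href="index.html">Home</a></body></html>',
    "docs/guide.html": '<html><body><a href="../about.html">About</a></body></html>',
    "test-applet.html": '<html><body><applet code="Demo.class"></applet></body></html>',
    "docs/old-test.html": '<html><body><a href="../test-applet.html">Try it</a></body></html>',
}

if __name__ == "__main__":
    # Use load_site("/path/to/webroot") instead of SAMPLE_SITE to scan a real site.
    for orphan in find_orphan_pages(SAMPLE_SITE):
        print("orphan page:", orphan)
```

Run against a real Web root with `load_site(...)`, the output is the list of pages to delete or to link deliberately; run it after every test upload rather than relying on memory.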
The best (and significantly more expensive) method is to use a test server,
which is a computer that is configured the same as the Web server but separated
from the rest of the network. With a test server, if damage is done to a site, the real
www.syngress.com