306 Chapter 5 • Communication Security: Web Based Services
ment that is returned to a computer on the internal network. Preventing such elements from ever being displayed will cause the Web page to appear differently from the way its author intended, but any content that is passed through the firewall will be more secure.
On the client side, many browsers can also be configured to filter content. Changing the settings on a Web browser can prevent applets and other programs from being loaded into memory on a client computer. The user accessing the Internet through the browser is provided with the HTML content, but is not presented with any of these programmed features. Remember that although JavaScript scripts are not compiled programs, they can still be used to attack a user's machine. Because JavaScript provides functionality similar to Java, it can be used to gather information or perform unwanted actions on a user's machine. For this reason, administrators should take care in the scripts used on their site.
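The kind of content filter described above, written out as an added example (not code from the study guide): a small HTML rewriter that drops script, applet, object and embed elements along with inline event handlers and javascript: URLs, the way a filtering firewall or proxy would before passing a page to the browser. The sample page it is run on is constructed for illustration.

```python
"""Added example: strip active content from HTML before it reaches the
browser. Not code from the Security+ study guide; the sample page is made up."""
import html
from html.parser import HTMLParser

# Elements that carry executable content; removed together with their bodies.
ACTIVE_ELEMENTS = {"script", "applet", "object", "embed"}


class ActiveContentFilter(HTMLParser):
    """Re-emits the HTML it is fed, minus active content, counting what it drops."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: data arrives unescaped
        self.out = []               # filtered output fragments
        self.skip_depth = 0         # >0 while inside a removed element
        self.removed = 0            # elements and attributes dropped

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth += 1
            self.removed += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            # Drop on* event handlers (onclick, onmouseover, ...) and javascript: URLs.
            if name.startswith("on") or (value and value.strip().lower().startswith("javascript:")):
                self.removed += 1
                continue
            kept.append(f' {name}="{html.escape(value)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Re-escape text so an encoded "&lt;script&gt;" cannot become a live tag.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def filter_active_content(page):
    """Return (filtered_html, number_of_items_removed) for one HTML document."""
    f = ActiveContentFilter()
    f.feed(page)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample page: one handler attribute, one script, one applet, one javascript: link.
SAMPLE = ('<html><body><h1 onmouseover="steal()">Hi</h1><script>document.cookie</script>'
          '<applet code="Evil.class"></applet><a href="javascript:alert(1)">x</a>'
          '<p>plain &amp; safe</p></body></html>')
```

As the text notes, the page the browser receives is no longer what the author wrote: the heading, link and paragraph survive, the four active items do not.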
TEST DAY TIP
When studying for this section of the Security+ exam, focus on the basic aspects of scripting exploits. You will not be expected to analyze a script for errors, or to create any type of exploit; they are listed here to enhance your understanding of the exploits. However, make sure that you know the fundamentals of scripting exploits and that languages such as JavaScript are constantly used to exploit systems on the Internet.
Programming Secure Scripts
The previous section primarily looked at client-side programs and scripts, which run on the user's machine. This section looks at server-side programs and scripts, which run on the Web server rather than on the machine being used to browse a site. Server-side programs and scripts provide a variety of functions, including working with databases, searching a site for documents based on keywords, and providing other methods of exchanging information with users.
A benefit of server-side scripts is that the source code is hidden from the user. With client-side scripts, all scripts are visible to the user, who only has to view the source code through the browser. Although this is not an issue with some scripts, server-side scripts should be used when the script contains confidential information. For example, if a Web application retrieves data from a SQL Server or an Access database, it is common for code to include the username and password
www.syngress.com