Computer Security and Penetration
Testing
Chapter 13
Programming Exploits
Objectives
• Describe the evolution of programming exploits
• Recognize vulnerabilities in ActiveX controls
• Identify steps to counter vulnerabilities in ActiveX
controls
• Recognize vulnerabilities in VBScript
• Identify steps to counter vulnerabilities in VBScript
Objectives (continued)
• Recognize vulnerabilities in HTML
• Identify steps to counter vulnerabilities in HTML
• Recognize vulnerabilities in Java and JavaScript
• Identify steps to counter vulnerabilities in Java and
JavaScript
C and C++
• Vulnerabilities in the C and C++ Programming
Languages.
– Buffer over-runs
– Failure to handle errors
– Improper file access
• C and C++ Security Measures
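Added example (not from the textbook or these slides): the three C and C++ vulnerability classes listed above, each paired with a defensive counterpart in C. The function names and the RF_* codes are hypothetical, chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { RF_BAD_NAME = -1, RF_PATH_TOO_LONG = -2, RF_OPEN_FAILED = -3, RF_READ_FAILED = -4 };

/* Buffer over-run: reject input that does not fit instead of writing past dst. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) return -1;
    memcpy(dst, src, n + 1);            /* n + 1 copies the terminating NUL */
    return 0;
}

/* File access: allow-list a bare file name, so "../" and absolute paths fail. */
int is_safe_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Error handling: every call is checked. Returns bytes read or an RF_* code. */
long read_small_file(const char *base_dir, const char *name, char *out, size_t outsz) {
    char path[256];
    if (outsz == 0 || !is_safe_name(name)) return RF_BAD_NAME;
    int len = snprintf(path, sizeof path, "%s/%s", base_dir, name);
    if (len < 0 || (size_t)len >= sizeof path) return RF_PATH_TOO_LONG;
    FILE *fp = fopen(path, "rb");
    if (fp == NULL) return RF_OPEN_FAILED;
    size_t got = fread(out, 1, outsz - 1, fp);   /* leave room for the NUL */
    int failed = ferror(fp);
    if (fclose(fp) != 0 || failed) return RF_READ_FAILED;
    out[got] = '\0';
    return (long)got;
}

int main(void) {
    char buf[8], out[64];
    printf("fits: %d, too long: %d\n", copy_bounded(buf, sizeof buf, "short"),
           copy_bounded(buf, sizeof buf, "far too long for buf"));
    printf("traversal: %ld\n", read_small_file("/tmp", "../etc/passwd", out, sizeof out));
    return 0;
}
```

The name check does not stop a symbolic link inside the base directory from pointing elsewhere; on POSIX systems, opening with O_NOFOLLOW closes that gap.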
.NET Framework
• Vulnerabilities in the .NET Framework
– Cross-site scripting
– Integer overflow
• Countering .NET Framework Vulnerabilities
HTML5
• Hypertext Markup Language (HTML)
– Most basic script used to develop Web pages
– Uses a set of markup tags to define the structure of
Web pages
• Browsers represent pages by interpreting these tags
• HTML is not a dynamic language
– Cannot be executed successfully except within a Web
browser
HTML5 (continued)
• HTML is essentially bulletproof and benign as long
as it is used to display static text
• Arbitrary requirements for more finished and
sophisticated pages
– Have required the development of many more tags
and formatting conventions
• With increased complexity came increased
opportunities for hackers to discover vulnerabilities
Countering HTML5 Vulnerabilities
• Make sure patches are up to date
– Pay attention when new exploits are reported
• Activate the automated patch management software
• Turn off services and features that you
– Know to be vulnerable to attack
– Do not understand
– Do not use
• Avoid known dangerous sites by installing and
updating security software
Countering HTML5 Vulnerabilities
(continued)
• Secure transfer of data has been made available by
protocols such as Secure Sockets Layer (SSL)
– The way Internet Explorer handled SSL was
discovered to be susceptible to a man-in-the-middle
exploit
• Generating random encryption keys of 40 or 128
bits in length has solved this problem
Java and JavaScript
• Java is a programming language that is compiled
into applications or applets
• Java applications are stand-alone applications
– Run on the server or are downloaded to the client
• JavaScript is a scripting language that runs between
<script> tags in a Web page
• A JavaScript cannot operate on its own, and is not
compiled to run
Java
• Object-oriented programming language (OOP)
developed by Sun Microsystems
• Designed to run in a platform-independent manner
using Java Runtime Environment (JRE)
– Installed on the client computer as its sandbox
• In Java, each function is modularized
• With this low-level modularization
– There is less of a chance that updating one piece of
the application will break other parts
Java (continued)
• Java was intended to be developed quickly with
pretested parts
• Java applets provide functionality on the Internet
– Require Java-enabled browsers
• Java is machine-safe
– Can only act upon other objects within the JRE
• Java has no access to write, modify, or delete files
on the hard drive or to modify the operating system
JavaScript
• Scripting language developed by Netscape
Communications Corporation
• Similar to VBScript in terms of implementation
• Almost every browser on almost every platform is
JavaScript-enabled
• Like Java, requires a runtime environment
• As a script, it uses less network bandwidth and client-side
memory than the larger and more robust Java
Security Vulnerabilities in Java
• Vulnerabilities of Java:
– Client-side malevolent applets
– Server-side cross-scripting
– Server-side address spoofing
• A substantial percentage of vulnerabilities are
related to vulnerabilities in the JRE
– Which can result in applets arbitrarily giving
themselves elevated privileges
Security Vulnerabilities in Java
(continued)
• Because Java is a platform-independent technology
– Issues such as malevolent applets can be used
against any platform that has the JRE installed
• Client-side attacks include:
– Attacks on file integrity
– Buffer overflow
– Storm attacks
– Denial-of-service attacks
– Disclosure attacks
– Annoyance attacks
Vulnerabilities in JavaScript
• Vulnerabilities are similar to those in VBScript
• JavaScript vulnerabilities allow:
– Sending e-mail messages with information about the
target computer to a client
– Opening and closing applications on the target
computer
– Modifying files on the victim’s computer
• Main threat posed by JavaScript
– May be used to download components on a user’s
computer without his or her knowledge
Countering Java and JavaScript
Vulnerabilities
• Best preventative measure for an end user
– Perform all updates as soon as they are available
– Keep virus definitions in their antivirus or security
program updated
• Set the Internet Options Control Panel
– To ask for permission before running JavaScripts or
downloading Java applets
• Check the authenticity of the validation signatures
attached to applets and scripts
Countering Java and JavaScript
Vulnerabilities (continued)
• Check for security of links available on the signed
scripts
• Programmers should develop and adhere to secure
programming guidelines
– And sign their scripts
Summary
• Programming exploits are the defects in various
programming languages that are used to develop
server-side and client-side applications
• ActiveX controls are stand-alone compiled
applications that make it possible to link and allow
interactions between various applications
• The design flaw in ActiveX is that it can do anything
the user can do
• Attackers can use ActiveX to modify resources on an
implementation of Windows
Summary (continued)
• To safeguard against attacks, end users should install
the most recent and stable version of Internet
Explorer available
• VBScript can be used within HTML tags to produce a
dynamic HTML page
• One of the most common exploits used on the
Internet is a buffer overflow
• If you are administering a network, do not allow use of
IE or Outlook
Summary (continued)
• If you are the administrator of a Web site, run an
antivirus application on your Web server to search for
known bad ActiveX controls
• Hypertext Markup Language (HTML) is the most
basic script used to develop Web pages
• The most effective way to counter HTML-related
exploits is to keep up with the latest patches
• Java and JavaScript languages
• The best preventive measure for end users is to
perform all updates as soon as they are available