Principles of Computer Security: CompTIA Security+® and Beyond, Third Edition
Chapter 17: Web Components
© 2012

Objectives
• Describe the functioning of the SSL/TLS protocol suite.
• Explain web applications, plug-ins, and associated security issues.
• Describe secure file transfer options.
• Explain directory usage for data retrieval.
• Explain scripting and other Internet functions that present security concerns.
• Use cookies to maintain parameters between web pages.
• Examine web-based application security issues.

Key Terms
• Active Server Pages (ASP)
• ActiveX
• ASP.NET
• Buffer overflow
• Code signing
• Common Gateway Interface (CGI)
• Java vulnerabilities

Key Terms (continued)
• Cookies
• File Transfer Protocol (FTP)
• Hypertext Markup Language (HTML)
• Internet Engineering Task Force (IETF)
• Java
• JavaScript

Key Terms for Security+ Exam
• 4.1 Application Security
  – Fuzzing
  – Cross-site scripting
  – Input and field validation
• 3.5 Application attacks
  – SQL injection
  – Buffer overflow
  – Zero day
  – Cookies a security risk? (evercookie)

Current Web Components and Concerns
• Security concerns can be grouped into three main tasks:
  – Securing a server that delivers content to users over the Web.
  – Securing the transport of information between users and servers over the Web.
  – Securing the user’s computer from attack over a web connection.
Encryption (SSL and TLS)
• Secure Sockets Layer (SSL) is a general-purpose protocol developed by Netscape for managing the encryption of information being transmitted over the Internet.
• Transport Layer Security (TLS): SSL and TLS are essentially the same, although not interchangeable.
• Cryptographic methods are an ever-evolving field, and because both parties must agree on an implementation method, SSL/TLS has embraced an open, extensible, and adaptable method to allow flexibility and strength.

Encryption (SSL and TLS)
[Figure: Firefox SSL Cipher Options]

SSL/TLS Handshake
[Figure: SSL/TLS handshake]

Firefox Certificate Options
[Figure: Firefox Certificate Options]

Firefox Certificate Store
[Figure: Firefox Certificate Store]

The Web (HTTP and HTTPS)
• HTTP is used for the transfer of hyperlinked data over the Internet, from web servers to browsers.
• When a secure connection is needed, SSL/TLS is used and appears in the address as https://.

The Web (HTTP and HTTPS) (continued)
• High-assurance notification in IE 7
• High-assurance notification in Firefox

File Transfer (FTP and SFTP)
• FTP is a standard network protocol used to exchange and manipulate files over a TCP/IP based network.
• Secure FTP (SFTP) is used when confidential transfer is required and combines both the Secure Shell (SSH) protocol and FTP.
Buffer Overflows
• The buffer overflow vulnerability is a result of poor coding practices on the part of software programmers.
• This occurs when an application can accept more input than it has assigned storage space, and the input data overwrites other program areas.

Java
• Java is a computer language invented by Sun Microsystems (now owned by Oracle) as an alternative to Microsoft’s development languages.
• Designed to be platform-independent.
• Java offered a low learning curve and a way of implementing programs across an enterprise.
• Although platform independence never fully materialized, Java has found itself to be a leader in object-oriented programming languages.
• Java can still perform malicious activities, and the fact that many users falsely believe it is safe increases its usefulness for attackers.

JavaScript
• JavaScript is a scripting language developed to be operated within a browser instance.
• The primary purpose is to enable features such as validation of forms.
• Enterprising programmers found many other uses for JavaScript, such as manipulating the browser history files, now prohibited by design.
• JavaScript actually runs within the browser, and the code is executed by the browser itself.
• This has led to compatibility problems.

CGI & Server-Side Scripts
• Common Gateway Interface (CGI) is a method for having a web server execute a program outside the web server process, yet on the same server.
• Server-side scripting allows programs to be run outside the web server and to return data to the web server to be served to end users via a web page. This is replacing CGI.
Cookies
• Cookies are small chunks of ASCII text passed within an HTTP stream to store data temporarily in a web browser instance.
• A cookie is a series of name-value pairs that is stored in memory during a browser instance, together with these attributes:
  – Expires
  – Domain
  – Path
  – Secure

Chapter Summary
• Describe the functioning of the SSL/TLS protocol suite.
• Explain web applications, plug-ins, and associated security issues.
• Describe secure file transfer options.
• Explain directory usage for data retrieval.
• Explain scripting and other Internet functions that present security concerns.
• Use cookies to maintain parameters between web pages.
• Examine web-based application security issues.
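The Cookies slide lists the Expires, Domain, Path and Secure attributes. As an added example that is not from the textbook, the Python below parses a Set-Cookie header into those fields and applies the rules a browser uses to decide whether the cookie is attached to a later request; the header values, hosts and URLs are constructed, and origin_host is an assumed parameter naming the host that set the cookie.

```python
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str           # host the cookie belongs to (lower-case)
    host_only: bool       # True when the header carried no Domain attribute
    path: str = "/"
    secure: bool = False
    expires: Optional[datetime] = None

def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header; origin_host (assumed) is the host that sent it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), origin_host.lower(), True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie.expires = parsedate_to_datetime(val)   # tz-aware for 'GMT'
        elif key == "domain" and val:
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
    return cookie

def would_send(cookie: Cookie, url: str, now: datetime) -> bool:
    """Decide whether a browser would attach the cookie to a request for url."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie.expires is not None and now >= cookie.expires:
        return False  # Expires: the cookie has lapsed
    if cookie.secure and u.scheme != "https":
        return False  # Secure: never sent over plain HTTP
    if cookie.host_only and host != cookie.domain:
        return False  # no Domain attribute: exact host only
    if host != cookie.domain and not host.endswith("." + cookie.domain):
        return False  # Domain: the host itself or any subdomain
    # Path (RFC 6265 path-match): equal, or a prefix ending on a '/' boundary
    p = u.path or "/"
    return p == cookie.path or (p.startswith(cookie.path) and
                                (cookie.path.endswith("/") or p[len(cookie.path)] == "/"))
```

A cookie without the Secure attribute is returned over plain HTTP as well, which is why the slide flags cookies as an exam-relevant risk.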