Web-hacking-and-the- Internet-user培训课件.PPTVIP

,, ,, ,, ,, ,, Web hacking and the Internet user Web hacking Basics Web pilfering: download selectively web sites and search files off-line. Automated scripts: developed by advanced hackers for use by “script kiddies.” See SecurityInnovation for vulnerability scanners. IIS security: see Microsoft Web Application Security guide to setup the IIS and identify threats and create countermeasures. CGI: programming CGI with security in mind by W3org, a compilation and an index for CGI security resources, SSI and CGI security, ASP vulnerabilities: HTML and programming in the same directory, dot bug, samples (showcode and codebrws). See Microsoft ASP Security. Web vulnerability scanners are available for UNIX/Linux: Nikto and Whisker. Buffer Overflows: (i) PHP security, (ii) do not use the wwwcount.cgi, and (iii) IIS iishack vulnerability (use MSBA to find patches). Poor Web design Misuse of hidden tags (price, shipping, etc), e.g. search “type=hidden name=price” SSI: noExecs, pre-processing for hidden code. Hacking the Internet user:Malicious mobile code Microsoft ActiveX (Active X controls have the file extension.ocx) similar to OLE let an object be embedded in a page using the object tag When IE finds a page with a control, it checks the Registry to find out if the control is available, if it is IE displays the page and runs the control If it is not, IE uses Authenticode to check the author (Verisign role) and download the control. Finally IE displays the page and runs the control “Safe for Scripting”: Authenticode is not used with these controls, malicious Web sites may explore as a vulnerability. Easy to mark as such. Countermeasures: apply patches for Scriptlet/Eyedog and OUA (Office 2000 UA). Set macro protection to High in Tool/Macro menu in Office. restrict or disable ActiveX, using security zones Using security zones: IE has five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer. Internet zone: disable ActiveX