Databases Reference
In-Depth Information
Just a few of these types of code or design issues that could impact a
sites web security include initial issues with the Sun JAVA language and
Netscapes JavaScript (which is an extension library of their HyperText
Markup Language, HTML).
The Sun Java language was actually designed with some aspects of secu-
rity in mind, though upon its initial release there were several functions
that were found to be a security risk. One of the most impacting bugs in an
early release was the ability to execute arbitrary machine instructions by
loading a malicious Java applet. By utilizing Netscape's caching mechanism
a malicious machine instruction can be downloaded into a user's machine
and Java can be tricked into executing it. This doesn't present a risk to the
enterprise server, but the user community within one's enterprise is of
course at risk.
Other Sun Java language bugs include the ability to make network con-
nections with arbitrary hosts (though this has since been patched with the
following release) and Java's ability to launch denial of service attacks
through the use of corrupt applets.
These types of security holes are more prevalent than the security pro-
fession would like to believe, as the JavaScript environment also was found
to contain capabilities that allowed malicious functions to take place. The
following three are among the most current and prevalent risks:
• JavaScripts ability to trick the user into uploading a file on his local
hard disk to an arbitrary machine on the Internet.
• The ability to hand out the user's directory listing from the internal
hard disk.
• The ability to monitor all pages the user visits during a session.
The following are among the possible protection mechanisms:
• Maintain monitoring through CERT or CIAC, or other industry organi-
zations that highlight such security risks.
• Utilize a strong software distribution and control capability, so that
early releases aren't immediately distributed, and that new patched
code known to fix a previous bug is released when deemed safe.
• In sensitive environments it may become necessary to disable the
browsers capability to even utilize or execute Java or JavaScript — a
selectable function now available in many browsers.
In the last point, it can be disturbing to some in the user community to dis-
allow the use of such powerful tools, because they can be utilized against
trusted Web pages, or those that require authentication through the use of
SSL or S-HTTP. This approach can be coupled with the connection to S-HTTP
pages where the target page has to prove its identity to the client user. In
Search WWH ::
Custom Search