Sunday, 24 June 2012

Browser Standards and Security

Introduction

When designing a Web site it is important to consider how users will see the Web page. There are many browsers available that a user could be using to view your Web site, so the differences in standards support between browsers must be taken into account. With so many browsers on the market, the Web page that has been created could, and most probably will, look different in every browser. Some browsers handle certain scripting techniques better than others; for example, Mozilla Firefox has no problems handling effects such as rollovers on buttons, whereas Internet Explorer 5 cannot handle them and will not display them correctly, or may not display them at all. Section 2 of this report discusses the standards between browsers, the browsers available and how browsers handle the HTML language in different ways. That section also shows the usage share of the most popular browsers and presents the statistics as a pie chart, with each slice representing a different browser. Section 3 discusses the security risks from both the client side and the server side and lists the top ten vulnerabilities that a Web site must overcome to stay secure; it also presents the statistics on security risks in a bar chart. Section 4 discusses how the information in this report will be used in the main project.

Section 5 concludes all the information that has been gathered for this report and explains how it can be used to create a more compatible and secure Web site.

Browsers
As the internet was created to unite the world into one interconnected community, the use of so many different browsers that display Web pages in different ways makes it harder for a Web designer to create a Web site, and it can prevent users from seeing a Web page in the same way. When designing a Web site, the designer must test their pages in different browsers to check how each page is rendered. With so many browsers available, it is important to consider which browsers to test for and how many past browser versions need to be catered for within the designs.

As technology has advanced, the situation has improved compared to a few years ago, but the issue has not been completely resolved. You can now be certain that at least 99% of users have browsers that support nearly all of HTML 4. However, there are still inconsistencies in the way Cascading Style Sheets are implemented, and older browser versions pre-dating the current standards take a long time to fade away entirely. A Web site designer must now also consider the mobile user: phones, PDAs and other handheld devices that have access to the internet. The browser these devices use will be a variant of a standard browser, but the user will view the pages on a much smaller screen. A mobile browser, also called a microbrowser, minibrowser or wireless internet browser (WIB), is optimised to display Web content as effectively as possible on the small screens of mobile devices. Mobile browser software must also be small and efficient to accommodate the low memory capacity and low bandwidth of wireless handheld devices. Typically they were stripped-down Web browsers, but as of 2006 some mobile browsers can handle newer technologies such as CSS 2.1, JavaScript and Ajax. Jennifer Niederst Robbins (2006) says:

"1996 to 1999: The Browser Wars begin.
For years, the Web development world watched as Netscape and Microsoft battled it out for browser market dominance. The result was a variety of proprietary HTML tags and incompatible implementations of new technologies, such as JavaScript, Cascading Style Sheets, and Dynamic HTML. On the positive side, the competition between Netscape and Microsoft also led to the rapid advancement of the medium as a whole."

The World Wide Web Consortium (W3C) establishes the basic rules on how to interpret an HTML document and publishes the official HTML standards.

The HTML standards say that the table tag should support a cellspacing attribute to define the space between the cells of the table. The HTML standards do not define a default value for that attribute, so unless you explicitly set cellspacing when building your page, two browsers may use different amounts of white space in your table. HTML standards are generally ahead of what browsers support. Over the past few years Internet Explorer has done a much better job of this than Netscape Navigator, though Opera has arguably done the best job.

If you build a Web page and the user's browser does not understand part of the language, it will ignore that part and continue rendering the rest of the page. This can cause some browsers not to display the page the way it was designed to be seen.

The best way to minimise these problems is to pay attention to browser compatibility when building your Web page. Avoid using HTML extensions and be cautious about using cutting-edge features of the language that may not yet be supported by all the major browsers.

The major difference between two versions of the same browser is their support for newer portions of the HTML language. A new browser is generally better at displaying Web pages than an old one.

Web Application Security
When creating any Web application, such as an e-commerce Web site, security must be on the designer's mind at all times. A design flaw in the application could allow a hacker to easily access the Web server through cross-site scripting on the Web site. The Web server is a common target for hackers, as it is a very powerful machine with a large amount of bandwidth that also allows anonymous users to access it. The Web was not designed to be secure, nor was it designed to run applications or for businesses selling over a network; it was designed to be static and for users to retrieve information. As Web applications become more powerful in what they are able to do, the security risks posed by a potential attacker become greater. Because code is intermixed with data, such as JavaScript embedded in HTML, hackers use a malicious piece of code that gets mistaken for part of the Web site's own code, which then gives the hacker more permission than they should be allowed, enabling them to alter data that should be protected.

Taking advantage of unexpected or unplanned errors within the Web application to gain unauthorised access is known as a security breach. Three elements are required for a security breach to take place: an asset, a vulnerability and an attacker. If all three exist in the Web application, then there is a risk of a security breach.

There are ten main security vulnerabilities:

1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access

Any kind of attack on a Web application will fall under one of the above categories. Information on the above vulnerabilities can be found at http://www.owasp.org/index.php/Top_10_2007.

When building an e-commerce Web site, the asset would be the data stored in the database and the personal data of a customer, e.g. credit card details. The vulnerabilities that a hacker will try to use are the ten security flaws above. The Web site designer must think about programming the code to eliminate all such attacks. If an attack happens, it must be rectified as quickly as possible to stop any further problems. An e-commerce Web site must be monitored and patched for any security or functionality bugs.

Figure 2's overall statistics include analysis results of 32,717 sites and 69,476 vulnerabilities of different degrees of severity. The detailed data can be found at http://www.Webappsec.org/projects/statistics/.

Attacks on a Web application can come from the client side, from the server side, or on the network communicating between the client and the server.

Client-side attacks
Attackers are going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. To help prevent such attacks, it is important to keep up to date with current application patches and to keep antivirus software updated.

A cookie is a piece of data that is sent by the server and stored on the client to track the user across multiple request/response cycles. Cookies, according to the same-origin security policy, can only be retrieved by the server that set them. Servers can only read cookies that they have created; cookies can only be read from the original server origin and cannot be read by other domains. Attackers are able to hijack a session and impersonate a client by using a cookie stored on the client-side computer. Web mail clients, for instance, use cookies to identify a user at a later time so that the user does not have to supply their credentials each time they wish to access their mail. If an attacker can access the cookie, unauthorised access to the mail account could also be obtained.

The browser history and the browser cache are other confidential pieces of data that attackers are able to gain access to. When a user visits a Web site, the browser records those Web pages in its cache and browser history. If an attacker is able to gain access to the cache or browser history, information such as which email service or bank a user has browsed can be used in subsequent attacks, such as phishing and cookie-stealing attacks. Cache and browser history can be obtained via browser vulnerabilities, JavaScript, CSS, inspection of visited-link colour and timing attacks.

Server-side attacks
All Web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, etc.) and all types of Web applications are at risk from Web application security defects, ranging from insufficient validation through to application logic errors. The most exploited types of vulnerabilities are:

• PHP Remote File Include: PHP is the most common Web application language and framework in use today. By default, PHP allows file functions to access resources on the Internet using a feature called "allow_url_fopen". When PHP scripts allow user input to influence file names, remote file inclusion can be the result. This attack allows (but is not limited to):
  • Remote code execution
  • Remote root kit installation
  • On Windows, complete system compromise may be possible through the use of PHP's SMB file wrappers
• SQL Injection: Injections, particularly SQL injections, are common in Web applications. Injections are possible due to the intermingling of user-supplied data within dynamic queries or within poorly constructed stored procedures. SQL injections allow attackers:
  • To create, read, update, or delete any arbitrary data available to the application
  • In the worst-case scenario, to completely compromise the database system and the systems around it
• Cross-Site Scripting (XSS): Cross-site scripting, better known as XSS, is the most malicious and easily found Web application security issue. XSS allows attackers to deface Web sites, insert hostile content, conduct phishing attacks, take over the user's browser using JavaScript malware, and force users to perform commands not of their own choosing - an attack known as cross-site request forgery, better known as CSRF.
• Cross-Site Request Forgery (CSRF): CSRF forces legitimate users to execute commands without their consent. This type of attack is extremely hard to prevent unless the application is free of cross-site scripting vectors, including DOM injections. With the rise of Ajax techniques, and better knowledge of how to properly exploit XSS attacks, CSRF attacks are becoming extremely sophisticated, both as an active individual attack and as automated worms.

Conclusion
The internet is great for commercial businesses to sell their products online; it allows a user to shop from home whenever it is convenient for them. This convenience comes at a price, and the price is security. There are trade-offs that every Web designer must go through, but security is not one of them: protecting personal data must be at the top of the priorities. The Web designer and whoever maintains the Web site must keep up to date with current security threats and be able to patch any security holes that may appear on the site.

As shown in Figure 1, Internet Explorer has the majority of the browser market and yet has the most problems with security. Internet Explorer is so popular because it is shipped and installed with Windows, which is installed on most PCs that are sold. It would be advisable for any Web designer to build the Web site and test it to make sure it is as compatible with Internet Explorer as possible, due to the large share of the market that it covers, followed by Mozilla Firefox and Safari. When designing the Web site you may want to show off your skills and add as many complex and impressive Web applications to the site as you can. However, this would make the site less compatible across browsers; the trade-off the Web designer must decide on is how many browsers they want the site to be compatible with compared to how impressive they want the site to look.

Security must be designed in from the start of the project and must constantly be tested for and improved as new security bugs emerge. Overall, when it comes to security, it is a never-ending battle against attackers, and therefore keeping up to date with research on security issues is extremely important.

It seems that hackers have started to concentrate more on attacks from the client side rather than the server side. It is likely that this shift from server-side attacks to client-side attacks will in turn be replaced by a different approach once clients become more secure.

References

Niederst Robbins, J. (2006) Web Design in a Nutshell, Third edition, 1005 Gravenstein Highway North, Sebastopol: O'Reilly Media Inc.

owasp.org/index.php/Top_10_2007 (accessed on 15/08/2009)
Webappsec.org/projects/statistics/ (accessed on 15/08/2009)
