Web Security

Uploaded by Pharoah

Lecture 12: Web Security

Web-Page Threats
• SPAM
• Phishing
• Eavesdropping
• SQL Injection
• Hacking
• DoS
• Cross-Site Scripting
• Cookie Poisoning
1. SPAM
• Irrelevant or unsolicited messages sent over
the Internet, typically to a large number of
users, for the purposes of advertising,
phishing, spreading malware, etc.
2. Phishing
• Phishing is the attempt to obtain sensitive information such as usernames,
passwords, and credit card details (and sometimes, indirectly, money),
often for malicious reasons, by masquerading as a trustworthy entity in an
electronic communication.
• Communications purporting to be from popular social web sites, auction
sites, banks, online payment processors or IT administrators are commonly
used to lure unsuspecting victims.
• Phishing emails may contain links to websites that are infected with
malware.
• It often directs users to enter details at a fake website whose look and feel
are almost identical to the legitimate one.
3. Eavesdropping
• It is the act of surreptitiously listening to a private
conversation, typically between hosts on a network.
• In general, the majority of network communications occur
in an unsecured or "cleartext" format, which allows an
attacker who has gained access to data paths in your
network to "listen in" or interpret (read) the traffic.
• Without strong encryption services that are based on
cryptography, your data can be read by others as it
traverses the network.
4. SQL Injection
• A SQL injection attack consists of insertion or "injection" of a SQL query via
the input data from the client to the application.
• A successful SQL injection exploit can read sensitive data from the database,
modify database data (Insert/Update/Delete), execute administration
operations on the database (such as shutdown the DBMS), recover the
content of a given file present on the DBMS file system and in some cases
issue commands to the operating system.
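The vulnerable and the safe form of a lookup query side by side, as an added example (not from the lecture) using Python's built-in sqlite3; the table contents and the submitted inputs are constructed:

```python
import sqlite3

# Added example, not from the lecture. A constructed in-memory table stands
# in for the application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn

def lookup_vulnerable(conn, username):
    # The client input is pasted into the SQL text, so a quote character in
    # the input changes the structure of the query: this is the injection.
    sql = "SELECT secret FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # The input is bound as a parameter and never becomes SQL text; whatever
    # it contains is only ever compared against the username column.
    sql = "SELECT secret FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def demo():
    conn = make_db()
    # Constructed input containing a quote, as a client might submit in the
    # username field: it closes the string literal and appends a condition
    # that holds for every row.
    hostile = "nobody' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_hostile": sorted(lookup_vulnerable(conn, hostile)),
        "safe_normal": lookup_parameterized(conn, "alice"),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }
```

The concatenated query returns every user's secret for the hostile input, while the parameterized query simply finds no user with that name.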
5. Hacking
• When a person secretly gets access to a computer system
in order to get information, cause damage, etc.
• It is broadly defined as intentionally gaining access to a
computer without authorization or exceeding authorized
access.
6. Cross-Site Scripting
• An attacker injects a malicious script into a
server, which is then sent to unsuspecting users.
• The script can read cookies and other sensitive
information or even rewrite the content of the page.
• Usually comes in the form of embedded JavaScript.
• Any embedded content is a vulnerability source:
Shockwave, VBScript, Flash, etc.
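How the embedded-script problem arises and how output encoding prevents it, as an added example (not from the lecture); the page template and the reflected search term are constructed:

```python
import html

# Constructed page fragment (not from the lecture): a search term supplied by
# the user is reflected back into the page.
TEMPLATE = "<p>Results for: {term}</p>"

def render_vulnerable(term):
    # The untrusted term is dropped straight into the markup, so any tags it
    # carries become part of the page the browser interprets.
    return TEMPLATE.format(term=term)

def render_escaped(term):
    # html.escape rewrites <, >, &, " and ' as entities, so the browser shows
    # the text literally instead of treating it as markup.
    return TEMPLATE.format(term=html.escape(term, quote=True))

def has_script_element(markup):
    # Defender-side check on the rendered output: is there a live <script> tag?
    return "<script" in markup.lower()

def demo():
    hostile = "<script>alert('xss')</script>"   # constructed test input
    return {
        "vulnerable_has_script": has_script_element(render_vulnerable(hostile)),
        "escaped_has_script": has_script_element(render_escaped(hostile)),
        "escaped_markup": render_escaped(hostile),
    }
```

Entity escaping is correct for text inside an HTML element; values placed into attributes, JavaScript, or URLs each need the encoder for that context.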
7. Cookie Poisoning
• Cookie: Small pieces of text that are sent to the web client browser by a server and
intended to be sent back to the server, unchanged, each time it accesses the same server or
another server in the same domain.
• Used for authentication, tracking, maintaining state over stateless HTTP, as well as
maintaining specific information about the user such as their site preferences, etc.
• Were originally developed for use in Web applications that used online or virtual shopping
baskets: they allowed the contents of the basket to be changed based on the user's
actions and tracked items in the basket between browser sessions.
• Cookies are also used when users log in to a Web site. Users enter their username and
password into a login page and, if they are authenticated, a cookie is saved that allows the
Web site to know the users are already logged in as they navigate around the site,
permitting them access to any functionality that may be available only to logged-in users;
this is probably the primary use of cookies at this time.
• Another use of cookies is to save user preferences for a site so that the site presentation
and functionality can be personalized, based on the preferences of the user.
• Cookies are used to track user actions across the site or domain.
• Cookies are destroyed at the point the user closes the browser unless a deletion date has
been set. If a deletion date has been set, the cookie will be destroyed on that date instead.
The cookies that have deletion dates are called persistent cookies.
Cookie Poisoning
• The modification of or theft of a cookie in a user's machine by an
attacker in order to release personal information.
• If the cookie contains the username and password, thieves can use
their own computers and the stolen cookies to enter victims'
accounts.
• An attacker using cookie poisoning can gain unauthorized access
to a user's account on the particular site the cookie was created
for, or potentially trick a server into accepting a new version of
the original intercepted cookie with modified values.
• One such example of cookie poisoning might involve intercepting
an online retailer's cookie before its information is sent from a
user's computer to the server during a "cart checkout" process
and modifying price values to trick the server into charging the
user less money.
• As cookie poisoning is fairly easy to do, most high quality web
applications are developed so that certain key parameters are not
stored within cookies, and are also given non-intuitive names and
possible values to deter guessing and modification by an attacker.
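The lecture's first line of defence is to keep key parameters such as prices out of the cookie altogether. Where state must travel in a cookie, the server can at least detect modification by signing it; the following added example (not from the lecture) does that with an HMAC, using a constructed cart and a constructed key:

```python
import hmac, hashlib, json, base64

# Server-side secret, constructed for this example; in production it is
# loaded from configuration, never embedded in code.
SECRET_KEY = b"example-only-secret-key"

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def make_cookie(cart: dict) -> str:
    # Cookie value = base64(JSON cart) + "." + HMAC over that base64 text.
    payload = base64.urlsafe_b64encode(json.dumps(cart, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)

def read_cookie(cookie: str):
    # Returns the cart if the signature verifies, otherwise None (reject it).
    try:
        payload_text, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    payload = payload_text.encode()
    if not hmac.compare_digest(_sign(payload), sig):
        return None            # modified or forged cookie: do not trust it
    return json.loads(base64.urlsafe_b64decode(payload))

def demo():
    cookie = make_cookie({"item": "widget", "price_cents": 1999})
    # Constructed tampering, as in the checkout scenario above: the payload
    # is rewritten with a lower price, but the HMAC cannot be recomputed
    # without the server's key, so the old signature no longer matches.
    forged_payload = base64.urlsafe_b64encode(
        json.dumps({"item": "widget", "price_cents": 1}, sort_keys=True).encode()
    ).decode()
    tampered = forged_payload + "." + cookie.rsplit(".", 1)[1]
    return read_cookie(cookie), read_cookie(tampered)
```

A signature protects integrity only; the cookie contents are still readable by whoever holds it, so it still should not carry passwords or other secrets.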
8. DoS
• A cyber-attack where the perpetrator seeks to make a
machine or network resource unavailable to its
intended users by temporarily or indefinitely
disrupting services of a host connected to the Internet.
• Denial of service is typically accomplished by flooding
the targeted machine or resource with superfluous
requests in an attempt to overload systems and prevent
some or all legitimate requests from being fulfilled.
Web Page Security
• The following practices may be useful in ensuring
the security of your web site:
i. Implementation of standard security protocols such as
HTTPS and SSL.
ii. Subscribing to security experts such as Symantec who
offer services such as web-page scanning.
iii. Vulnerability assessments
iv. Security features in web-page design such as hidden
characters
v. Input validation
vi. Firewalls
Web-Page Security cont… DoS
• Load testing tools, such as JMeter
• Check your error handling scheme to ensure that
an error cannot affect the overall operation of the
application
• For un-authenticated users:
– Avoid any unnecessary access to databases or other
expensive resources
– Cache the content received by un-authenticated
users instead of generating it or accessing databases
to retrieve it
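The caching advice for un-authenticated users, as an added example (not from the lecture): a short-lived cache for anonymous page views so that a flood of requests does not become a flood of database work. The page path, TTL and render function are constructed stand-ins.

```python
import time

# Added example of the caching advice above (not from the lecture): pages for
# anonymous visitors are served from a short-lived cache, so a flood of
# requests does not become a flood of database queries.
CACHE_TTL_SECONDS = 30
page_cache = {}                   # path -> (expires_at, body)
stats = {"backend_calls": 0}      # how often the expensive path actually ran

def expensive_render(path):
    # Stands in for a render that hits the database; the count is what matters.
    stats["backend_calls"] += 1
    return f"<html>page for {path}</html>"

def serve(path, authenticated, now=None):
    """Return the page body; `now` is injectable so the TTL can be tested."""
    now = time.monotonic() if now is None else now
    if authenticated:
        # Personalised content must not be shared between users, so it
        # bypasses the shared cache (and needs its own limits instead).
        return expensive_render(path)
    entry = page_cache.get(path)
    if entry is not None and entry[0] > now:
        return entry[1]                          # cache hit: no backend work
    body = expensive_render(path)
    page_cache[path] = (now + CACHE_TTL_SECONDS, body)
    return body
```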
Input validation: Validation Criteria
• Data type
• Allowed character set
• Minimum and maximum length
• Whether null is allowed
• Whether the parameter is required or not
• Whether duplicates are allowed
• Numeric range
• Specific legal values
• Specific patterns
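A rule-driven validator that applies each of the criteria listed above to a form submission, as an added example (not from the lecture); the field names, rules and sample inputs are constructed:

```python
import re

# Constructed validation rules, one per form field, built from the criteria
# listed above (type, character set, length, null, required, duplicates,
# numeric range, legal values, pattern). Names and values are hypothetical.
RULES = {
    "username": {"type": str, "required": True, "nullable": False,
                 "charset": r"[A-Za-z0-9_]", "min_len": 3, "max_len": 16},
    "age":      {"type": int, "required": False, "nullable": True,
                 "min": 0, "max": 130},
    "country":  {"type": str, "required": True, "legal": {"KE", "UG", "TZ"}},
    "zip":      {"type": str, "required": False, "pattern": r"^\d{5}$"},
}

def validate_field(value, rule):
    """Return the list of criteria the value violates (empty means acceptable)."""
    errors = []
    if value is None:
        if rule.get("required") and not rule.get("nullable"):
            errors.append("required")
        return errors
    if not isinstance(value, rule["type"]):
        return ["type"]          # wrong type: the remaining checks assume the right one
    if isinstance(value, str):
        if "charset" in rule and not re.fullmatch(rule["charset"] + "*", value):
            errors.append("charset")
        if not rule.get("min_len", 0) <= len(value) <= rule.get("max_len", 10**9):
            errors.append("length")
        if "pattern" in rule and not re.match(rule["pattern"], value):
            errors.append("pattern")
    elif not rule.get("min", float("-inf")) <= value <= rule.get("max", float("inf")):
        errors.append("range")
    if "legal" in rule and value not in rule["legal"]:
        errors.append("legal_values")
    return errors

def validate_form(form, rules=RULES, taken_usernames=()):
    """Validate a whole submission; `taken_usernames` supplies the duplicate check."""
    report = {}
    for name, rule in rules.items():
        errs = validate_field(form.get(name), rule)
        if name == "username" and form.get(name) in taken_usernames:
            errs.append("duplicate")
        if errs:
            report[name] = errs
    return report
```

Fields that are absent from the submission are treated as null, which is what makes the "required" and "null allowed" criteria distinct.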
3. Improper error handling
• The errors must be handled according to a well
thought out scheme that will:
– provide a meaningful error message to the user
– provide diagnostic information to the site maintainers
– provide no useful information to an attacker
• All security mechanisms should deny access until
specifically granted, not grant access until denied.
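The scheme described above (a meaningful message for the user, full diagnostics for maintainers, nothing useful for an attacker, and deny until granted) as an added example, not from the lecture; the users, actions and grant table are constructed:

```python
import logging, traceback, uuid

# Constructed example: a request handler that separates what the user sees
# from what maintainers log, and authorizes deny-by-default.
log = logging.getLogger("app")
logging.basicConfig(level=logging.ERROR)

# Explicit grants; any (user, action) pair not listed is denied.
GRANTS = {("alice", "view_report"), ("bob", "view_report"), ("alice", "export_report")}

def is_allowed(user, action):
    return (user, action) in GRANTS

def handle(user, action, work):
    """Run `work()` for an authorized user; never leak internals to the caller."""
    if not is_allowed(user, action):
        return {"status": 403, "message": "You are not permitted to perform this action."}
    try:
        return {"status": 200, "result": work()}
    except Exception as exc:
        # The reference id ties the user-facing message to the full diagnostics
        # recorded for maintainers; the caller gets neither the stack trace nor
        # the exception text (which might be a SQL error or a file path).
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s user=%s action=%s error=%r\n%s",
                  ref, user, action, exc, traceback.format_exc())
        return {"status": 500,
                "message": f"Something went wrong. Quote reference {ref} when reporting it."}
```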
Top web-development languages
Client-side scripting
• Client-side scripting — which includes HTML and CSS — is any code that runs within a web
browser.
• This means that the web browser temporarily downloads all the files from a web server
and, in turn, displays a static web page; you would be able to view these files even if you
lost your Internet connection (as long as you left your web browser open).
• JavaScript and ActionScript are the two most commonly used client-side scripts.

Server-Side Scripting
• All websites need to be hosted (i.e. stored) in a database on a web server.
• Server-side scripting simply refers to any code that facilitates the transfer of data from
that web server to a browser.
• It also refers to any code used to build a database or manage data on the web server
itself.
• Server-side scripts run on the web server, which has the power and resources to run
programs that are too resource intensive to be run by a web browser.
• Server-side scripts are also more secure, because the source code remains on the web
server rather than being temporarily stored on an individual’s computer.
Top Web Development Languages to date
1. HTML5
• HTML is a scripting language and not a programming language itself.
• HTML is the standardized markup language that structures and formats content on the web.
• It is one of the core technologies in use on the Internet and serves as the backbone of all web pages.

2. JavaScript
• A survey conducted by StackOverflow in 2015 shows that JavaScript is actually the most used programming language, slotting
ahead of Java and PHP.
• JavaScript is the programming language that brings animation, games, apps, interactivity and other dynamic effects to life. After
HTML and CSS, it’s the most ubiquitous of the client-side scripts.
• Some JavaScript applications can even run without connecting back to a web server, which means they’ll work in a browser with
or without an Internet connection.

3. PHP
• More than 75% of the top websites use PHP as their server side programming language.
• A general-purpose server-side scripting language. The chief advantage of PHP is that it is open source.
• PHP is most often used by websites with lower traffic demands.

4. Java
• It has numerous modules that aid web development and, since it is not platform dependent, using Java and deploying Java
applications becomes all the easier.
• It is the most used server-side programming language, but when it comes to websites that attract high traffic, Java and
JavaScript are clearly ahead.

5. Python
• The easiest to write and learn.
• Python is also used extensively as a scripting language thus proving its worth in the web development foray.
6. .NET
• Microsoft came up with the .NET framework in 2000 and even though it is used primarily for systems running
on Windows, that restriction is compensated by .NET’s application in scientific, research level and academic
fields.
• Windows app development has added another notable feather to .NET's cap, and has given the
language standing amongst the web development languages.

7. Ruby
• The reason the Ruby programming language has been gaining admirers exponentially in
the past few years is its ease of use and its high utility in building creative software and designs with ease and perfection.
• Ruby is similar to Python in its simplicity and to Perl in its programmer-friendly interface, so it would not be wrong
to say that Ruby, in many ways, is a blend of the qualities of Python and Perl.

8. CSS
• CSS (Cascading Style Sheets) is a style-sheet language that basically allows web developers to “set it and forget
it.”
• Paired with HTML, CSS allows a programmer to define the look and format of multiple webpages at once;
elements like color, layout and fonts are specified in one file that’s kept separate from the core code of the
webpage.
Programming languages used in most
popular web-sites

Source: Wikipedia
Search Engines
• A software system that is designed to search for
information on the World Wide Web.
• Search engines use software called "spiders" and
"crawlers" to routinely scour the web to identify and index
web pages.
• Search engine algorithms take the key elements of a web
page, including the page title, content and keyword
density, and come up with a ranking for where to place the
results on the pages.
• The software used by each search engine works a bit differently.
• The same search conducted with different search engines will yield different
results.
• You may want to try your search in more than one search engine and
compare results.
• Web search engines get their information by web crawling from site to site.
• The "spider" checks for the standard filename robots.txt, addressed to it,
before sending certain information back to be indexed depending on many
factors, such as the titles, page content, JavaScript, Cascading Style
Sheets (CSS), headings, as evidenced by the standard HTML markup of the
informational content, or its metadata in HTML meta tags.
• Indexing means associating words and other definable tokens found on
web pages to their domain names and HTML-based fields. The associations
are made in a public database, made available for web search queries.
• A query from a user can be a single word. The index helps find information
relating to the query as quickly as possible.
• Some of the techniques for indexing, and caching are trade secrets,
whereas web crawling is a straightforward process of visiting all sites on a
systematic basis.
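The robots.txt check a well-behaved spider performs before fetching, as an added example (not from the lecture) using Python's standard urllib.robotparser; the robots.txt text, site name and user-agent strings are constructed:

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt, as a site might publish it (not from the lecture).
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /cgi-bin/
Crawl-delay: 5

User-agent: BadBot
Disallow: /
"""

def make_parser(text=ROBOTS_TXT):
    # parse() accepts the file's lines directly, so no network fetch is needed here;
    # a real crawler would read() http://<site>/robots.txt first.
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp

def allowed_urls(rp, agent, urls):
    # The spider consults the parsed policy for each candidate URL before
    # sending anything back to the indexer.
    return [u for u in urls if rp.can_fetch(agent, u)]
```

robots.txt is advisory: it asks cooperative crawlers to stay out, and is no substitute for access control on the pages themselves.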
How Search Engines Work
(Sherman 2003)
[Figure: components labelled Crawler, The Web (URL1 to URL4), Indexer, Search Engine, Database and Browser; the example query "Eggs" returns ranked results such as "All About Eggs - 90%"]
How do search engines work? Elaboration
• For a number of reasons crawlers do not cover all of the web, just a fraction.
• What is not covered is the "invisible web".
