Internet-description.com



Web application


Page modified: Saturday, June 24, 2006 10:37:37

Security

The security of web applications is too broad a field to be treated comprehensively here. This section therefore limits itself to describing well-known attack techniques that are used against web applications.

Buffer overflow

In a buffer overflow, a programming error causes data that is too large to be written into a memory area that is too small for it, so that whatever follows the target area in memory is overwritten. The attack consists of choosing the overwriting data in such a way that the program interprets it as machine-language instructions (or, more generally, so that control data such as a return address is replaced by a value of the attacker's choosing).

SQL injection

In an SQL injection the attacker sends requests to the web server whose request parameters contain SQL control characters (quotes, comment markers, statement separators). If the web application does not intercept these characters but passes them on unchanged as part of an SQL query to the database, the attacker can read data that is not accessible to him in the normal way, or modify data.
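The flaw described above, as an added example that is not part of the original page: a lookup that pastes the request parameter into the SQL text next to the same lookup with a bound parameter. It uses Python's bundled sqlite3 module with a constructed two-row users table; the table, the names and the payloads are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the page): two accounts, each with a secret
# that a user should only ever see for their own row.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The request parameter becomes part of the statement text, so a quote in it
    # closes the string literal and the rest is parsed as SQL.
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The value is bound separately; the driver never interprets it as SQL, so the
    # quote and the OR are compared literally against the name column.
    return conn.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()

# Constructed payloads: a tautology that makes the WHERE clause match every row,
# and a comment marker that cuts the statement off after a chosen name.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
COMMENT_PAYLOAD = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:   ", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable, comment:     ", lookup_vulnerable(db, COMMENT_PAYLOAD))
    print("parameterized, tautology:", lookup_parameterized(db, TAUTOLOGY_PAYLOAD))
```

The tautology payload turns the vulnerable statement into `... WHERE name = 'x' OR '1'='1'`, which returns both rows; the comment payload makes it `... WHERE name = 'alice' --'`, which returns alice's row without knowing any credential. The parameterized version returns nothing for either, because the whole payload is compared as one string. Escaping quotes by hand is the weaker alternative: it has to be right for every character set and every statement, whereas binding is right by construction.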

Cross-site scripting

Behind the name cross-site scripting (XSS) hide two fundamentally different attacks (sometimes a third type is distinguished as well). In client-side XSS the attacker smuggles HTML control characters and code in a client-side scripting language such as JavaScript into a web page, and this code is then executed in the victim's web browser. The attack exploits security gaps in the local execution of the scripts, or uses the injected script to launch a cross-site request forgery. Server-side XSS is understood as passing manipulated data into a scripting language executed on the web server, so that, for example, a dynamically generated include() executes a file the programmer never intended (possibly even one from another server); today this is usually called file inclusion rather than XSS.
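Client-side XSS as described above, as an added example that is not part of the original page: a page that reflects a request parameter unchanged next to one that escapes it, in two HTML contexts. It uses Python's standard html module; the page fragments and the attacker inputs are constructed for the example.

```python
import html

# Constructed attacker inputs (not from the page): a script tag for the text
# context, and a quote-breaking string for the attribute context.
BODY_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'

def render_greeting_vulnerable(name: str) -> str:
    # The request parameter is pasted into the page unchanged, so any markup or
    # script it contains is interpreted by the victim's browser.
    return f"<p>Hello, {name}!</p>"

def render_greeting_escaped(name: str) -> str:
    # html.escape replaces & < > (and, with quote=True, " and ') by character
    # references; the browser then displays the payload as text instead of running it.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

def render_search_box(value: str, quote: bool) -> str:
    # Attribute context: escaping < and > alone is not enough here. Without
    # quote=True a double quote in the value survives, closes the attribute and
    # lets the attacker append an event-handler attribute of their own.
    return f'<input name="q" value="{html.escape(value, quote=quote)}">'

def executes_script(page: str) -> bool:
    # Crude static check: does the rendered HTML contain an unescaped script tag
    # or an injected event-handler attribute?
    lowered = page.lower()
    return "<script" in lowered or ' onfocus="' in lowered

if __name__ == "__main__":
    for page in (render_greeting_vulnerable(BODY_PAYLOAD),
                 render_greeting_escaped(BODY_PAYLOAD),
                 render_search_box(ATTR_PAYLOAD, quote=False),
                 render_search_box(ATTR_PAYLOAD, quote=True)):
        print(executes_script(page), page)
```

The point of the second pair is that escaping is context dependent: `html.escape(value, quote=False)` is enough inside a text node but leaves an attribute value open to being closed early. Output placed inside a script block, a URL or a CSS value needs yet other encodings, which is why templating engines escape on output for the context they know they are in.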

Session Hijacking

Since HTTP is a connectionless protocol, the web application itself has to determine the identity of a user. This is done on the basis of a session ID, which is usually sent with each request as a cookie or as an HTTP GET parameter. In session hijacking the attacker tries to obtain the user's session ID in order to then impersonate the victim and access the web application with the victim's rights.

CROSS Site Request Forgery

Cross-site request forgery presupposes an existing session between the user and the web application. The attacker tries, by various techniques (possibly XSS), to get the user to call a manipulated URL, or has a client-side script make the browser call it directly. Unlike in session hijacking, the attacker gains no knowledge of the session ID, because the attack takes place exclusively in the user's browser, which attaches the session cookie to the forged request by itself.
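The two session attacks above, session hijacking and cross-site request forgery, as one added example that is not part of the original page: a small server-side session store that issues unguessable session IDs with protective cookie attributes, and a state-changing endpoint that accepts a request only when it carries a second, per-session token that a foreign site cannot read. It uses Python's secrets and hmac modules; the endpoint, the cookie name and the form fields are assumptions made for the example.

```python
import hmac
import secrets

class Session:
    def __init__(self, user: str):
        self.user = user
        # Second, per-session secret. It is embedded in the site's own forms,
        # where a page from another origin cannot read it.
        self.csrf_token = secrets.token_urlsafe(32)

class SessionStore:
    """Server-side session table keyed by an unguessable session ID."""
    def __init__(self):
        self._sessions = {}   # session id -> Session

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG. An attacker cannot enumerate or predict
        # such IDs, so hijacking requires stealing one from the browser or the wire.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user)
        return session_id

    def get(self, session_id: str):
        return self._sessions.get(session_id)

def set_cookie_header(session_id: str) -> str:
    # Cookie rather than GET parameter, so the ID does not end up in server logs,
    # Referer headers or bookmarks. HttpOnly keeps it away from page scripts (XSS),
    # Secure keeps it off plain HTTP (sniffing, MitM), SameSite stops the browser
    # attaching it to requests triggered from other sites.
    return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

def handle_transfer(store: SessionStore, cookie_sid: str, form: dict) -> str:
    """A state-changing endpoint (assumed for the example). The browser attaches
    the session cookie on its own, so the cookie alone cannot tell a forged
    request from a genuine one; the CSRF token can."""
    session = store.get(cookie_sid)
    if session is None:
        return "401 no valid session"
    # Constant-time comparison: an early-exit string compare would leak the token.
    presented = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(presented, session.csrf_token.encode()):
        return "403 csrf token missing or wrong"
    return f"200 transferred {form['amount']} on behalf of {session.user}"

if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    token = store.get(sid).csrf_token
    print(set_cookie_header(sid))
    print("genuine:", handle_transfer(store, sid, {"amount": "100", "csrf_token": token}))
    print("forged: ", handle_transfer(store, sid, {"amount": "100"}))
    print("guessed:", handle_transfer(store, "guessed-id", {"amount": "100", "csrf_token": token}))
```

The forged request carries a valid cookie (the browser sent it) but no token, and is refused; a request with a guessed session ID fails earlier. In a real application the session ID should additionally be regenerated at login, so that an ID the attacker planted before authentication (session fixation) does not become authenticated.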

Directory Traversal

In a directory traversal attack the attacker exploits the fact that the web application does not check manipulated path data. If the web application expects, for example, a parameter such as item=datei1.html, this can possibly be abused with something like item=../../../Config.sys to read a file outside the intended directory.
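The missing check described above, as an added example that is not part of the original page: a resolver that maps the item parameter onto the document root and refuses anything that ends up outside it, which also covers the dynamically generated include() mentioned under server-side XSS. It uses Python's pathlib; the document root is an assumption and nothing is actually read from disk.

```python
from pathlib import Path

WEB_ROOT = "/srv/www/pages"   # assumed document root; paths are resolved, not opened

def resolve_under_root(root: str, requested: str) -> str:
    """Map a user-supplied file name onto an absolute path guaranteed to lie under root."""
    if "\0" in requested:
        # A NUL byte would truncate the name in C-level file APIs, so a check on the
        # Python string could be fooled; reject it outright.
        raise ValueError("NUL byte in path")
    base = Path(root).resolve()
    # A leading separator would make the join discard root entirely
    # (Path("/srv") / "/etc/passwd" is "/etc/passwd"), so it is stripped first.
    candidate = (base / requested.lstrip("/")).resolve()
    # resolve() collapses "." and ".." (and follows symlinks that exist), so
    # comparing the final path with root catches every spelling of traversal,
    # rather than pattern-matching on "../" in the input.
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return str(candidate)

def page_path(item: str) -> str:
    # Handler for a request such as ?item=datei1.html.
    return resolve_under_root(WEB_ROOT, item)

def escapes_root(item: str) -> bool:
    try:
        page_path(item)
    except (PermissionError, ValueError):
        return True
    return False

if __name__ == "__main__":
    for item in ("datei1.html", "sub/../datei1.html", "../../../Config.sys",
                 "/etc/passwd", "a\0.html"):
        print(repr(item), "->", "REFUSED" if escapes_root(item) else page_path(item))
```

The parameter must be URL-decoded exactly once before this check, as the web server normally does, so that `%2e%2e%2f` is seen as `../`; decoding it a second time after the check would reopen the hole. An absolute path is not refused but forced back under the root, which is the usual choice for a file-serving endpoint; an allowlist of known page names is stricter still and is the right answer for an include().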

E-Mail injection

In an e-mail injection the attacker enters manipulated data into a contact form so that, instead of the message going to the recipient intended by the operator of the web application, arbitrary e-mails are sent to arbitrary recipients. This possibility is usually abused for sending spam.
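How the contact-form abuse above works, as an added example that is not part of the original page: a form handler that concatenates the sender field into the mail headers, so that a line break in the field smuggles in a Bcc header of the attacker's choosing, next to the check that rejects such values. It uses Python's standard email parser to show who would actually receive the message; the operator address and the attacker input are constructed for the example.

```python
from email.parser import Parser

OPERATOR_ADDRESS = "contact@example.org"   # assumed fixed recipient of the contact form

# Constructed attacker input (not from the page): the "sender" field carries a
# line break followed by a header of the attacker's own.
INJECTED_SENDER = ("spammer@example.net\r\n"
                   "Bcc: victim1@example.com, victim2@example.com")

def build_message_naive(sender: str, subject: str, body: str) -> str:
    # The form fields are concatenated straight into the header block, so a line
    # break in any of them ends that header and starts a new, attacker-chosen one.
    return (f"To: {OPERATOR_ADDRESS}\r\nFrom: {sender}\r\nSubject: {subject}\r\n"
            f"\r\n{body}")

def header_value_ok(value: str) -> bool:
    # A header value is a single logical line; any CR or LF is an injection attempt.
    return "\r" not in value and "\n" not in value

def build_message_safe(sender: str, subject: str, body: str) -> str:
    for name, value in (("From", sender), ("Subject", subject)):
        if not header_value_ok(value):
            raise ValueError(f"line break in {name} field rejected")
    return build_message_naive(sender, subject, body)

def recipients(raw_message: str) -> list:
    # Who would receive this message once it is handed to a mail transfer agent?
    msg = Parser().parsestr(raw_message)
    return [msg[h] for h in ("To", "Cc", "Bcc") if msg[h] is not None]

if __name__ == "__main__":
    raw = build_message_naive(INJECTED_SENDER, "hello", "hi there")
    print(raw)
    print("recipients:", recipients(raw))
```

The body is not checked, because the body may contain line breaks; only values that end up in headers need the restriction. Using email.message.EmailMessage with its default policy instead of string concatenation gives the same protection, since it refuses header values containing line breaks.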

The following attacks are not directed against the web application itself, but are frequently encountered in its surroundings:

Man-in-the-middle attack

In a man-in-the-middle attack (MitM) the attacker arranges for the user to establish a connection not with the web server directly but with the attacker's computer, without the user noticing. For each request of the user, the computer "in the middle" issues a request of its own to the genuine web server and passes the answer back to the user. The value for the attacker consists in being able to manipulate requests to, or responses from, the web application at will. Only encryption of the data traffic by means of SSL offers protection against this kind of attack, and even this protection is ineffective if the attacker can obtain an SSL certificate for the affected web page issued under a root certificate that is installed in the victim's browser (or if the user simply clicks through the browser's certificate warning).

Denial of service

In a denial-of-service (DoS) attack the attacker tries, by a multitude of connection requests, to take resources away from the web server that it would need for regular requests. If the attack is carried out simultaneously from several (possibly several thousand) computers, one speaks of a distributed denial-of-service attack (DDoS). A DoS is not limited to web applications but can be directed against any kind of server.
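One server-side mitigation for the resource exhaustion described above, as an added example that is not part of the original page: a per-client token bucket that refuses excess requests cheaply, before any expensive application work is done. It is plain Python; the rate, the burst size and the client addresses are assumptions made for the example, and the clock is injectable so that the behaviour can be checked without waiting.

```python
import time

class TokenBucketLimiter:
    """Per-client token bucket: each client may make `rate` requests per second
    sustained, with bursts of up to `capacity`. Requests beyond that are refused."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock            # injectable for tests; monotonic so wall-clock jumps do not matter
        self._buckets = {}            # client key -> (tokens, time of last refill)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client, (float(self.capacity), now))
        # Refill proportionally to elapsed time, never beyond the burst capacity.
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)
        return False

def serve(limiter: TokenBucketLimiter, client: str) -> str:
    # Refuse before touching the database or rendering anything: the whole point
    # is that the refusal costs far less than the request it replaces.
    if not limiter.allow(client):
        return "429 Too Many Requests"
    return "200 OK"

if __name__ == "__main__":
    limiter = TokenBucketLimiter(rate=1.0, capacity=3)
    for _ in range(5):
        print(serve(limiter, "10.0.0.1"))   # three succeed, then refusals until tokens refill
```

A limiter keyed by client address blunts a single aggressive client but not a DDoS in which thousands of hosts each stay below the threshold; that case needs capacity upstream (filtering at the network edge, or a provider that absorbs the traffic) rather than logic inside the application.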

Phishing

Phishing is not a security gap in a web application; it belongs rather to the area of social engineering. Here the attacker, usually in large quantities by e-mail, asks potential victims to enter access data, such as the PIN and TAN for online banking, on a web page. This page usually looks outwardly like that of the operator of the web application, but is under the attacker's control. If the victim does not notice the forgery and enters the access data, the attacker can use it for his own benefit.

History

A web application necessarily has to receive user input. The HTML forms used for this today were first contained in the HTML+ draft of 8 November 1993. But already the first HTML version by Tim Berners-Lee offered, with the "isindex" tag, a way of sending parameters to the web server. The parameters were appended to the URL, the forerunner of the HTTP GET method. The first larger system that made use of this was very probably a web interface to "SPIRES HEP", a database of Stanford University (source). This ancestor of all of today's web applications went online in 1991.

The first web browser that implemented extensive support for HTML forms was NCSA Mosaic 2.0 in December 1993, at that time the most widely used browser. The first server-side interface for receiving form data was "htbin". It was released on 4 November 1993 as part of version 2.13 of the W3C HTTP server. Already on 11 February 1994 the CGI interface followed in release 2.15beta, and it is still in use today. CGI is independent of the programming language used. The first web applications were written in C or Perl. Perl was an obvious choice because of its powerful functions for processing character strings.

The first web application noticed by a broad public was likewise developed at Stanford University. Two students developed the web directory Yahoo! out of their personal bookmark collection. They used Perl as the programming language.

In the following years there were enhancements of the CGI interface that improved performance. In spring 1997 Sun Microsystems published the servlet technology. Servlets are Java programs that are very similar to CGI programs. The main difference is that an HTTP request is no longer processed in a process of its own but in a thread of its own. This brought an enormous performance gain.

The approach of building web pages from HTML code that was fixed inside the program code had, however, a large problem: it was cumbersome to program and allowed no separation of logic and content. This problem was solved in a similar way from several sides: the program code for the dynamically generated output was embedded into the otherwise static HTML. This approach is followed by the language PHP, which developed around 1997 from a Perl project, by Java Server Pages, which are based on servlets, and by Microsoft's Active Server Pages (ASP).

During the great Internet boom around the turn of the century, web applications experienced an enormous push. Many of the New Economy companies celebrated on the stock exchange built their business model on a web application. Exaggerated expectations led in 2001 to the bursting of the so-called dot-com bubble. Yet web applications such as eBay, Yahoo and Google, which today have become a natural part of life, were also born in this period.

Examples

Some examples can be found in Category: Web application.

Page cached: Wednesday, July 5, 2006 23:57:05