15.6 Resources

Important Terms Introduced

  • anonymous proxy

  • authority

  • bogus certificate

  • bogus site

  • browser cookie

  • client-side script

  • command injection

  • continuous availability

  • continuous operation

  • database

  • GET

  • high availability

  • HTTP tunneling

  • hypertext

  • hypertext link

  • POST

  • routine availability

  • same origin policy

  • sandbox

  • scheme

  • server-side script

  • stateless protocol

  • web crawler

Abbreviations Introduced

  • ASP—Active Server Pages

  • ASPX—Active Server Pages, Extended

  • CFM—Cold Fusion Markup Language

  • CGI—Common Gateway Interface

  • CMS—content management system

  • CSS—Cascading Style Sheets

  • DBMS—database management system

  • GIF—Graphics Interchange Format

  • IIS—Internet Information Services

  • JPEG—Joint Photographic Engineering Group

  • JS—JavaScript

  • JSP—Java Server Page

  • LAMP—Linux, Apache, MySQL, PHP

  • OWASP—Open Web Application Security Project

  • PHP—Personal Home Page/Hypertext Preprocessor

  • PL—Perl

  • PNG—Portable Network Graphics

  • PY—Python

  • RB—Ruby

  • SAN—storage area network

  • SQL—Structured Query Language

  • SSJS—Server-Side JavaScript

  • URI—Uniform Resource Identifier

  • URL—Uniform Resource Locator

  • W3C—World Wide Web Consortium

  • XML—Extensible Markup Language

  • XSS—cross-site scripting

  • XXE—XML external entity

15.6.1 Review Questions

  R1. Describe the respective roles of HTML and HTTP in the World Wide Web.

  R2. Identify and describe five HTML tags.

  R3. Identify and describe the four major components of a URL.

  R4. Describe the four steps the browser takes to retrieve and display a web page.

  R5. Identify and describe three different strategies and techniques to manage web use.

  R6. Explain how the web browser authenticates a server that uses SSL.

  R7. Describe three different techniques for masquerading as a particular host that uses SSL.

  R8. Explain the operation of server-side scripts and client-side scripts. How are they the same? How are they different?

  R9. How does a website maintain state for a web visitor's session? For example, how does it ensure that it correctly associates a particular browser with a particular shopping cart?

  R10. Describe the basic components of a CMS.

  R11. Describe the role of a DBMS and SQL in a CMS.

  R12. Explain the steps involved in performing a typical operation in a web CMS, like the one illustrated in Figure 15.23.

  R13. Describe how an SQL command injection attack might work.

  R14. Briefly summarize the latest OWASP Top 10 web application risks.

  R15. Summarize the challenges of achieving web confidentiality and integrity.

  R16. Describe the four different categories of site availability.

  R17. Summarize the basic elements of client anonymity and private browsing.

15.6.2 Exercises

  E1. Using an instructor-provided Wireshark packet capture file, locate a series of packets that retrieve a web page.

    1. What frame numbers perform the three-way handshake to open the connection?

    2. What is the host name and/or IP address of the web server?

    3. Identify the frame number containing the GET command.

    4. Does the GET command contain a cookie? How many cookie values does it contain? What name or names are given to the cookie values?

    5. Identify the frame number of the first packet that responds to the GET command.

    6. How many packets are required to transmit the requested page?

  E2. Write a simple web page in HTML. Use Figure 15.2 as an example, but customize it to contain different titles, headings, and text. Hand in two items: (1) the page's HTML source text and (2) a copy of the page produced by the browser after the script has executed.

  E3. Visit a website's home page. Note the URL.

    1. Modify the URL to include a user ID (any name will do). Save and hand in any alert that the browser displays. If it displays no alert, simply save and hand in the browser window showing its contents and the modified URL.

    2. Modify the URL to include both a user ID and a password. Again, any name will do, and use a simple string of letters as the password. Save and hand in any alert that the browser displays. If it displays no alert, simply save and hand in the browser window showing its contents and the modified URL.

  E4. Visit an SSL-protected website. Use the browser to display the certificate.

    1. Make a copy of the certificate's contents to hand in.

    2. What is the name of the CA that issued the certificate?

    3. Use the browser to display the certificate for that CA. Make a copy of that certificate's contents to hand in, too.

  E5. Write a web page that uses JS to customize itself. Use Figure 15.16 as an example, but be sure that it produces a different title and different text on the resulting page. Hand in two items: (1) the page's HTML source text, including the script, and (2) a copy of the page produced by the browser after the script has executed.

  E6. Bob has a web page that contains private information. To protect it from disclosure, he added a client-side script to the beginning of the page. The script checks for a secret password. If the password is wrong, the script won't let the browser display the rest of the page. Explain why this does or does not protect Bob's private information.

  E7. Redraw Figure 15.20 to show the location and flow of these types of data: HTML, server-side scripts, and SQL.

  E8. Choose at random one of the OWASP Top 10 risks. Locate a recent security incident that illustrates that risk. Write up the incident as an attack case study. See Section 2.3.3 for a description.
