Internet / Intranet Fall 2000 Class 5 Web Server Security Intro Javascript.


Page 1: Internet / Intranet Fall 2000 Class 5 Web Server Security Intro Javascript.

Internet / Intranet

Fall 2000

Class 5

Web Server Security

Intro Javascript


Brandeis University Internet/Intranet Spring 2000 2

Class 5 Agenda

- Discuss Milestone 1
- Discuss Homepages
- Discuss Log File Homework
- Web Security Presentations
- Intro JavaScript
- Lab Work:
  - JavaScript
- Next Week:
  - More Javascript
  - DHTML, DOM
  - Forms


Practical Internet Security

- Analogous to “Real-Life” Security (e.g. a Bank)
- Like Software, Security Must Be Well-Designed
- Implementing Security Requires Trade-Offs
  - Ease of Use is Affected
  - Business Processes are Affected
  - Business Culture is Affected
  - Affects Both Users and Employees
- Security is Expensive
  - Time, Effort, Lost Productivity
- Enforcement
  - Physical Security is Only Half the Story
  - Implementation/Enforcement is Just as Important


Security Design Issues

- Know the Threats You are Protecting Against
  - What are the Probabilities?
  - What is the Cost if it Happens?
    - Dollars
    - Customer/Employee Confidence
- Know Your Environment
  - What are the Customer/User Requirements?
  - What are the Budget Constraints?
  - What is the Culture/Attitude of Those Affected?
  - What is the Probability That Policies Will Be Followed / Enforced?


Security Sermon

- Security is Often Mis-Used in Technology Environments
  - Provides Peace of Mind
  - Not Necessarily Real Security
  - Often Avoids the Real Issues
  - Appeases Management
- Common Security Mistakes (Analogies)
  - Using an Expensive/High Security Safe
    - But Leaving the Key/Combination Where it Can Be Stolen
    - Leaving the Safe Unlocked
    - Little Professional Enforcement/Review of Procedures
  - Storing a Dime in a Safe
    - Cost of Security Exceeds Risk of Stolen Dime
  - High-Tech Solution Instead of Low-Tech Common Sense
    - E.g. Convenience Store Having a Safe vs. Nightly Bank Deposits
  - Security Has Consequences on Human Perceptions
    - E.g. Installing a Metal Detector May Make Employees Feel Less Secure


Security Tips

- Thieves/Hackers Follow Easiest Path
  - One That Gives Them Most Value
  - One They Know About
- The Environment is Key!
  - A Mercedes in a Lot Full of Chevys is Likely to Be Stolen First
  - The Same Mercedes in a Lot Full of Rolls Royces is Likely to Be Stolen Last
  - Same Mercedes in an Unsecure Garage is Safer Because Fewer Thieves Know About It
- Therefore:
  - Know Other Likely Targets and Be Less Attractive Than They Are
  - Make Your Site More Difficult to Hack Than It’s Worth
  - Don’t Publicize What Doesn’t Need to Be Public


Security Tips (2)

- Does Not Guarantee No Hacking
  - But Reduces the Probability Significantly
- Most Security Problems Come From Human Error, Not From Intentional Hacking
  - Focus on Minimizing Chance of Human Error
- Identify Each Risk Separately
  - Solutions May Vary Widely
- Security is Only as Good as Your Expertise
  - Professional Security Requires Professional System Administrator
- Use Common Sense / Be Realistic


Internet Risks

- Destruction of Data
  - Random
  - Targeted
- Modification of Data
  - Random
  - Targeted
  - Worms/Viruses
- Publication of Private/Sensitive Data
  - Sensitive/Embarrassing Information
  - Confidential Information
    - Competitive Information
    - Customer Information
    - Keys
  - Information That Furthers Other Risks
    - E.g. Credit Card Information, Museum Floor Plan
- Network Disruption
  - Machine Crashes / Inoperable Serving Software


Protecting Data

- Machine Level
  - Physical Isolation
    - Physically Isolate Machines From Users
    - Protect From Theft / Natural Disasters
  - Users
    - System Administration Permissions
    - Remote Access
  - Single-Purpose vs. Multi-Purpose Server
    - Shared Hosting
    - Test vs. Production
- Application Level
  - Server Configuration
  - Server’s Ability to Access Files / System Resources
  - Restrict Applications Running on Machine
    - Don’t Load Applications/Protocols You Don’t Need


Protecting Data (2)

- Script Level
  - Who Can Modify Scripts?
    - Remote Access
  - Script’s Ability to Access Files / System Resources
  - Scripts Identified by File Extension or Directory?
- File Level
  - Who Can Download Files?
  - Who Can Upload Files?
  - Exposed Directories
- Communication Level
  - IP Address Restrictions
  - Password Requirements
  - Encryption
- Metaphysical Level
  - Morals
  - The Law


Access Control Techniques

- “Passive” Techniques
  - Don’t Publish URLs
  - Always Have Default Pages – Avoid Directory Browsing
  - Complex Page/Directory Names
- Active Techniques
  - Change Page/Directory Names Often
  - Server Filters on IP Address, Domain Name
  - Requiring a Name / Password
  - Use Non-Standard Ports
- Secure (Encrypted) Transmissions
- Firewalls (Proxy Servers)
  - Isolate LAN From General Internet


All Techniques Have Some Negatives

- Passive Techniques, Non-Standard Ports
  - If User Guesses Correctly, They Have Full System Access
  - Requires Publishers to Voluntarily Follow Standards
  - Best for Non-Critical Security
    - Security Breach Does Not Disable System
    - Site Unlikely to Attract Hackers
- IP Address / Domain Name Filters
  - Requires Significant Effort to Administer
  - Users Can’t Move Around Easily
  - Serious Hackers Can Defeat via Spoofing
  - Best For Local Intranet
    - Site Unlikely to Attract Serious Hackers
- Encryption
  - Significant Overhead
- Firewalls
  - Limits Internet Access of Those Within the Firewall


Name / Password Security

- Requires All Parties to Maintain Secure Passwords
  - Inconveniences Users
  - Difficult to Enforce
  - One Violation Can Compromise Entire Plan
- Passed in Plain Text as Part of the URL
  - Serious Hackers Can Intercept It
    - Analogous to credit card receipts in the trash
- Web Servers Allow Unlimited Tries (Stateless)
- Best Solution is a Combination of Techniques


Firewall Details

- Proxy Server
  - Gatekeeper Between a LAN and the Internet
  - Acts as a Local DNS
  - User Requests a URL
    - Proxy Server Finds the Equivalent File on the LAN
- Firewall
  - Packet-Level Filter
    - Restrict Data at the Packet Level, e.g. Don’t Allow FTP
  - Circuit Filters
    - Also Takes Into Account the Source and Destination of a Packet
    - Maintains Some History Information
  - Application-Level Filters
    - Intercepts Transmissions and Analyzes Them to See if They Make Sense
    - Requires Knowledge of the Application to be Effective


Encryption

- Basic Encryption – Privacy / Confidentiality
  - “Scramble” a Document So Third Party Can’t Read It
  - What Level of Scrambling is Required?
    - Not Easily Readable By Human Eye
      - Simple Replacement Algorithm
      - Base64
    - Extremely Difficult, But Possible to Crack
      - E.g. passwords, “zip” encryption
    - “Impossible” to Crack
- Authentication (Signature)
  - Can Be Assured That Document is From Recipient
  - Can Be Assured That Document Was Not Tampered With
- Non-Repudiation (Contract)
  - Can Also Be Assured That Document Was Received Intact
  - Neither Can Tamper With Document
- Data Integrity
  - Assurance That Document Was Not Corrupted


Encryption Technologies

- Symmetric Key Encryption
  - Same Key Used For Encrypting / Decrypting
  - Both Parties Use Same Key
  - Analogy: Standard Door
- Asymmetric Key Encryption (Public Key)
  - Each Party Has a Different Private Key
  - Third Key (Public Key) Required for Encryption/Decryption
    - Key Held By Trusted Third-Party
  - Analogy: Safe Deposit Box
- Message Digest Algorithms
  - Encrypted “Hash” Functions Used For Digital Signatures


Methods of Defeating Encryption

- Brute Force
  - Trying All Possibilities
- “Psychic” (For Human Generated Keys Only)
  - Person Has to Be Able to Memorize Key
    - Brute Force: Prioritized by Easily Memorized Keys
- Cipher Attack
  - View The Encrypted Data and Work Back
    - Analogy: Cryptogram Puzzles
- Cryptanalysis
  - Science of Breaking Algorithms
    - Exploit Mathematical Weaknesses in the Algorithm


How Encryption Works

- Develop a mathematical function such that:
  - f(a, b) = c
  - f'(a, c) = b
  - BUT f''(b, c) = a Does Not Exist
- Symmetric
  - f(message, key) = encrypted_message
  - f'(encrypted_message, key) = message
- Asymmetric
  - f(my_message, your_public_key) = encrypted_message
  - f'(encrypted_message, your_private_key) = my_message
- Signature
  - f(signature, my_private_key) = encrypted_signature
  - f'(encrypted_signature, my_public_key) = signature
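
The three relationships on this slide (symmetric, asymmetric, signature), as an added example that is not part of the original slides. It uses Node.js's built-in crypto module; AES-256-GCM, 2048-bit RSA with OAEP, and the sample message are assumptions chosen here, since the slides name no algorithm for these formulas.

```javascript
// Added example; runs under Node.js using only the built-in crypto module.
const nodeCrypto = require("node:crypto");

// Symmetric: f(message, key) = encrypted_message
function symmetricEncrypt(message, key) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(message, "utf8"), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Symmetric: f'(encrypted_message, key) = message
function symmetricDecrypt(box, key) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAuthTag(box.tag);
  // final() throws when the key is wrong or the ciphertext was altered
  return Buffer.concat([decipher.update(box.body), decipher.final()]).toString("utf8");
}

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Asymmetric: f(my_message, your_public_key) = encrypted_message (short messages only)
function asymmetricEncrypt(message, yourPublicKey) {
  return nodeCrypto.publicEncrypt({ key: yourPublicKey, ...OAEP }, Buffer.from(message, "utf8"));
}

// Asymmetric: f'(encrypted_message, your_private_key) = my_message
function asymmetricDecrypt(encrypted, yourPrivateKey) {
  return nodeCrypto.privateDecrypt({ key: yourPrivateKey, ...OAEP }, encrypted).toString("utf8");
}

// Signature: made with my private key over a SHA-256 digest of the document
function sign(text, myPrivateKey) {
  return nodeCrypto.sign("sha256", Buffer.from(text, "utf8"), myPrivateKey);
}

// Signature check: anyone holding my public key can verify, nobody else can sign
function verify(text, signature, myPublicKey) {
  return nodeCrypto.verify("sha256", Buffer.from(text, "utf8"), myPublicKey, signature);
}

function throws(fn) {
  try { fn(); return false; } catch (err) { return true; }
}

function encryptionDemo() {
  const message = "wire $100 to account 42"; // constructed sample input
  const key = nodeCrypto.randomBytes(32);
  const wrongKey = nodeCrypto.randomBytes(32);
  const me = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const you = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

  const box = symmetricEncrypt(message, key);
  const sealed = asymmetricEncrypt(message, you.publicKey);
  const signature = sign(message, me.privateKey);

  return {
    symmetricRoundTrip: symmetricDecrypt(box, key) === message,
    wrongKeyRejected: throws(() => symmetricDecrypt(box, wrongKey)),
    asymmetricRoundTrip: asymmetricDecrypt(sealed, you.privateKey) === message,
    otherPrivateKeyRejected: throws(() => asymmetricDecrypt(sealed, me.privateKey)),
    signatureValid: verify(message, signature, me.publicKey),
    tamperedDocumentRejected: !verify(message.replace("100", "900"), signature, me.publicKey),
    otherPublicKeyRejected: !verify(message, signature, you.publicKey),
  };
}

console.log(encryptionDemo());
```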


Internet Encryption Protocols

- Public Key Encryption Requires Trusted Third Party
  - Certificate Authority
- RSA – Rivest, Shamir, Adleman
  - MIT Professors – Invented Algorithms
  - Some are Patented
- Size of Key is Important
  - Longer Keys are Harder to Break
  - Government Limits to Size of Keys
    - Controls on Exports
- PGP – Pretty Good Privacy
  - Freeware Encryption
- DES
  - 56-bit Symmetric Key
- Triple DES
- RC2, RC4 – Uses Shorter Keys – Can Be Used For Export


Internet Encryption Protocols (2)

- SET
  - Protocol For Passing Credit Card Information
  - Uses DES for Data, RSA for Keys and Credit Card Number
  - Includes Protocols for Authorization and Validation of Credit Card
- Encrypted HTTP
  - S-HTTP (Secure HTTP) Commercenet
  - SSL – (Secure Sockets Layer) Netscape
- PPP
  - TCP/IP Itself Cannot Be Encrypted
  - Login Passwords Are in Clear
    - PAP – (Password Authentication Protocol) Passwords Sent in Clear
    - CHAP (Challenge Handshake Authentication Protocol)
      - Password Used to Create a Response That is Passed to Server
- Key Management
  - Keys Must Be Kept Private or Security is Lost
    - Keys are Too Long For Memorization
  - Kerberos (MIT), (ISAKMP – Internet Security Association)
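
How CHAP differs from PAP in the PPP bullets above, as an added example that is not part of the original slides. The response is computed as RFC 1994 defines it (MD5 over identifier, shared secret and challenge); the ChapServer class, user name and secret are constructed for illustration.

```javascript
// Added example; runs under Node.js using only the built-in crypto module.
const nodeCrypto = require("node:crypto");

// CHAP response value (RFC 1994): MD5(identifier || shared secret || challenge)
function chapResponse(identifier, secret, challenge) {
  return nodeCrypto.createHash("md5")
    .update(Buffer.from([identifier]))
    .update(Buffer.from(secret, "utf8"))
    .update(challenge)
    .digest();
}

// Hypothetical authenticator: one fresh random challenge per login attempt
class ChapServer {
  constructor(secrets) {
    this.secrets = secrets;   // user -> shared secret
    this.pending = new Map(); // user -> outstanding challenge
    this.nextId = 0;
  }

  challenge(user) {
    const id = (this.nextId = (this.nextId + 1) & 0xff);
    const challenge = nodeCrypto.randomBytes(16);
    this.pending.set(user, { id, challenge });
    return { id, challenge };
  }

  verify(user, id, response) {
    const outstanding = this.pending.get(user);
    this.pending.delete(user); // a challenge is good for one attempt only
    const secret = this.secrets.get(user);
    if (!outstanding || outstanding.id !== id || secret === undefined) return false;
    const expected = chapResponse(id, secret, outstanding.challenge);
    return response.length === expected.length &&
      nodeCrypto.timingSafeEqual(response, expected);
  }
}

function chapDemo() {
  const secret = "s3cret-constructed"; // constructed sample secret
  const server = new ChapServer(new Map([["evan", secret]]));
  const wire = []; // everything an eavesdropper on the link would see

  // Normal login: server sends a challenge, client answers with the hash
  const first = server.challenge("evan");
  const answer = chapResponse(first.id, secret, first.challenge);
  wire.push(first.challenge, answer);
  const firstLogin = server.verify("evan", first.id, answer);

  // Replaying the captured answer against a new challenge must fail
  const second = server.challenge("evan");
  const replayAccepted = server.verify("evan", second.id, answer);

  // With PAP the secret itself would be in `wire`; with CHAP it never is
  const passwordOnWire = wire.some((bytes) => bytes.includes(Buffer.from(secret, "utf8")));
  return { firstLogin, replayAccepted, passwordOnWire };
}

console.log(chapDemo());
```

CHAP keeps the password off the wire, but the server has to hold the shared secret in a form it can feed into the hash.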


IP Level Security

- Virtual Private Networks (VPNs)
- Tunneling (Encapsulation)
  - Encrypts Data at a Point Low in the ISO Stack
  - Encapsulates it in Another Protocol
- PPTP – Point-To-Point Tunneling Protocol
  - Works Over Public Networks
    - Only Client and Server Need to Be PPTP Aware
    - IP Information is encrypted and carried within another IP packet
- L2F – Layer 2 Forwarding
  - Requires All Routers/Servers Between Client and Server to Support L2F
- L2TP – Combination of PPTP and L2F
- TACACS, RADIUS
  - For Dial-Up Access


Non-Encrypted Security

- Change Passwords Regularly
  - Security Breaches are “Temporary”
    - Increases Effort Necessary to Break In
    - Analogy: Changing Locks
- DHCP – IP Addresses are Temporary
  - Similar to Changing Passwords at IP Level
  - IP Addresses Dynamically Assigned
- Private Network
  - Traffic Between Customers of ISP Does Not Pass Through “Public” Internet
    - ISP Keeps Routers Secure
    - AT&T Strategy


Security Key Points

- Use Common Sense Above All
- Security is Useless if it is Not Enforceable
  - Once Adopted Must Be Policed / Tested / Enforced
  - Policing Software is Important
    - Automate Mundane Tasks
- Security Policies Will Usually Impact Productivity
  - Use Them Wisely
- Two Major Aspects to Security:
  - Keys and Key Maintenance (e.g. Passwords)
  - Encryption


The Need For Client Side Scripting

- Performance
  - Move More Processing to Client
  - Especially Items Requiring Faster Response
    - E.g. Field Validation
- Usability
  - Make HTML More “Windows-Like”
    - HTML Extensions (e.g. Tab Order)
    - CSS Extensions (e.g. style="cursor:hand")
  - Dynamic Event Handling (e.g. onMouseOver)
- Requires Scripting Language
  - ECMA Script – (European Computer Manufacturers Association)
  - Netscape – Created Own Version: JavaScript (No Relation to Java)
    - Marketing Ploy: to Capitalize on Java Popularity
  - Microsoft – VBScript
    - Windows/IIS Only
    - Also Support JavaScript – (Called it JScript)


JavaScript

- De-Facto Standard Client-Side Scripting Language
  - However, Other Scripting Languages are Supported by Servers. Add-Ons for Others.
- Interpreted Language
- Object-Oriented
- “Full” Scripting Language
  - Core JavaScript – Standalone Scripting Language
    - No File I/O
  - Client-Side JavaScript – For Use in HTML Pages
    - Primary Use of JavaScript
  - Server-Side JavaScript – Perl/Java Alternative
- Similar to Other Languages
  - C-Like Syntactic Structure
  - Untyped
  - Associative Arrays


JavaScript (2)

- Usability
  - Fairly Complex Language
  - Web Orientation
  - Easiest to Look at and Modify Existing Code
  - Full, Complex Language
    - Many Ways to Achieve the Same Function
- Versions
  - 1.0 – Base Version
    - Netscape Navigator 2.0, IE 3.0
  - 1.1 – Improved Array Support, Other Features
    - Netscape Navigator 3.0
  - 1.2 – (Current) Regular Expressions, Other Features
    - Netscape Navigator 4.0
  - ECMA-262: Standardized Version of Javascript 1.2
    - IE 4.0


Client-Side JavaScript

- Core JavaScript Language
- HTML Events
- Document Object Model (DOM)
  - Ability to Refer to the Elements of an HTML Document
- Significant Differences Between Microsoft and Netscape Implementations
  - Especially in DOM Implementation
- So, as With CSS, HTML, etc.
  - Know Your Target Audience / Platform
  - What Level of Support Will You Provide For Those Not Using Your Target Platform?


Dynamic HTML - Scripting

- All Properties Can Be Set by Scripts
- New Dynamic Properties: Useful for Scripting
  - DISABLED / ENABLED Attribute (Form Fields)
  - Display Property
  - Visibility Property
- Pop-Up Boxes
- Creation of New Windows
  - New Instance of Browser


Invoking a Script

- Script Code Within HTML
- Buttons
  - Button Selection Invokes a Script
- Events
  - Focus Events
    - onfocus, onblur
  - Mouse Events
    - onmouseover, onmouseout
    - onmousedown, onmouseup
    - onclick, ondblclick, onselect
  - Keyboard Events
    - onkeydown, onkeyup, onkeypress
  - Scroll Event
    - onscroll
  - Help Event
    - onhelp – (F1 key, not Browser Help Button)
  - Timer Events


Document Object Model

- Defines Hierarchy of Objects
- Each Has its Own Event Handlers
- Event Bubbling
  - Which Event Handler Gets Events?
- Name Space Definitions
  - Each Object in HTML Form Can Be Addressed
    - E.g. Clicking Button Can Be Used to Change Text Value in a Specific Field of Another Window
- A Caveat
  - Javascript is Still a Scripting Language
    - Not Great For Large, Complex Programs
    - e.g. Limited Debugging
  - As With Perl, Powerful Features Can Also Make Bugs Difficult to Detect / Prevent


Stepping Back: Basic JavaScript

    <SCRIPT Language="JavaScript">
    <!--
      document.write("Hello World");
    -->
    </SCRIPT>

- Older Browsers Ignore Script Tag if They Don’t Support Script
  - However, They Will Try to Display Text Within Tags
  - Therefore, Enclose All Script Within Tags as HTML Comments
    - Script Processor Will Ignore HTML Comment Tags
    - Use // For JavaScript Comments
- Newer Browsers Will Ignore All Within Tags if They Don’t Recognize the Language. JavaScript is the Default.
- <NOSCRIPT> </NOSCRIPT> Tags Can Then Be Used to Specify Alternative. All in Between Ignored By Browser.
- Note That Specific Version of Language Can Be Specified (e.g. Javascript1.2)


Javascript Basics

- Similar to C/Java
- Case Sensitive
  - Case Conventions Not Always Obvious
  - In Most Cases Don’t Get Error Message, Just Unexpected Result
- == vs. = in if statement (Like C)
  - E.g. if (a == 2) {
  - Vs. if (a = 2) {
- Lines end in ;
- In Line JavaScript: Executed Where Encountered

      document.write("<H1>Hello World</H1> \n");
      document.writeln("Hello World");

  - NOTE: Output is Interpreted as HTML
- Dynamic Page Example


Objects and Properties

- Objects
  - Objects are Collections of Named Data Often Called Properties or Fields
- Properties
  - Untyped
    - Can be Data, Arrays, Functions, Other Objects
    - If Property is a Function it is Called a Method
  - Referenced by object.property
    - e.g. document.myform.button
  - Properties Can be Dynamically Assigned to Objects

        var point = new Object();
        point.x = 7;
        point.y = 3;

- Associative Arrays
  - Properties Can Be Accessed via Associative Arrays
    - E.g. point["x"]
    - document.myform["button"]


Creating Objects

- Variables Can Be Used Without Declaration
  - e.g. myname = "evan"
- However it is Preferable to Declare Them First

      var i, j, k;

  - Can Be Initialized on Declaration:

        var i=0, j=0, k=0;

- Objects and Arrays Must First Be Created

      var book = new Object();

  - Then Can Assign Properties Without Declaration

        book.chapter1 = "How To";
        book.chapter1.length = "20 pages";

- All Objects / Variables Have Default Methods/Properties
  - E.g.

        st = "abcdefg";
        stlen = st.length;


Scoping

- Objects Declared Outside of a Function are Global
- Objects Declared With var Statement in a Function are Local
- Objects Not Declared are Treated as Globals
  - This is the Reason All Variables Should be Declared
- Local – Only Defined Within the Local Function
- Global – Defined Within All
- NOTE: A Local Variable Can Have Same Name as Global
  - The Local Variable Takes Precedence


Arrays

- Some Useful Array Functions
  - array.concat (array1, array2, …) – Concatenates Arrays
  - array.join (separator) – Returns a String of All Elements of Array Separated by Separator
  - array.length – Returns the Number of Elements in the Array
  - array.pop – Remove and Return the Last Element of an Array
  - array.push – Append an Element to an Array
  - array.reverse – Reverses the Elements of An Array
  - array.shift – Removes and Returns the First Element of An Array
  - array.unshift – Insert an Element at the Beginning of an Array
  - array.slice (start,end) – Return a Portion of the Array.
  - array.sort – Sorts an Array
  - array.splice – Inserts or Deletes Elements of an Array


Miscellaneous

- Concatenate Strings Using +
- Variables are Untyped
  - Automatically Converted
  - May Cause Unexpected Results
    - e.g. v1 = 1 + 2 + " classes" – v1 contains "3 classes"
    - But: v1 = "I took " + 1 + 2 + " classes" – v1 contains "I took 12 classes"
- Arrays Identified With Brackets
  - E.g. point[0]
  - Not { as with Perl
- null
  - Special Value
  - Different Than 0
- this
  - Identifies Current Object


Functions

- Use return Statement to Return a Value from a Function
  - E.g. return (3);
- arguments is a Special Object Available in a Function
  - arguments[] Holds the Argument Values Passed In
  - arguments.length – The Number of Arguments Passed


More JavaScript

- Comments are // or /* */
- Strings concatenated with +
- Functions Should be Declared Before Being Used
  - Typically Defined in <HEAD> Section
- alert – Creates a Pop-Up Message Box
- prompt – Prompts User for Input
- Buttons - <Input Type="Button" Value="Click Here" onclick="functionname()">
- window.open – Opens a New Instance of Browser
- Example


More Examples

- Events Example
  - onLoad
  - onUnload
- Environment Information Example
  - HTTP Header Information
  - Cookies


In-Class Exercise

- Create a JavaScript version of your test page

      <SCRIPT LANGUAGE="JavaScript">
      myname = "Evan";
      document.writeln("<H1>Welcome to " + myname + "'s Homepage</H1>");
      </SCRIPT>

- Add a BUTTON to your Homepage to show this page in a new Browser Window
- Advanced: Choose the Name at Random. Set this in a function.
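
Because document.write output is interpreted as HTML, a name that does not come from the page author has to be escaped before it is concatenated into the heading. The following is an added example, not part of the original slides; escapeHtml, welcomeUnsafe, welcomeSafe, pickName and tagsIn are hypothetical helper names, and the name list is constructed.

```javascript
// Added example: the in-class exercise with the name escaped before it is written.

// Replace the five characters that carry meaning in HTML text and attributes
function escapeHtml(value) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// What the exercise does: the name goes into the markup unchanged
function welcomeUnsafe(name) {
  return "<H1>Welcome to " + name + "'s Homepage</H1>";
}

// Same heading, but the name can only ever be displayed as text
function welcomeSafe(name) {
  return "<H1>Welcome to " + escapeHtml(name) + "'s Homepage</H1>";
}

// The "Advanced" step: choose the name at random, inside a function.
// The random source is a parameter so the choice can be tested.
function pickName(names, random = Math.random) {
  return names[Math.floor(random() * names.length)];
}

// List the tags a browser would parse out of a string (for checking only)
function tagsIn(html) {
  return (html.match(/<\/?[A-Za-z][^>]*>/g) || []).map((tag) => tag.toUpperCase());
}

// Constructed sample names; the last one contains markup of its own
const sampleNames = ["Evan", "Tom & Jerry", "Evan</H1><SCRIPT>alert(1)</SCRIPT>"];

function compareHeadings(name) {
  return {
    unsafeTags: tagsIn(welcomeUnsafe(name)), // extra tags appear when the name has markup
    safeTags: tagsIn(welcomeSafe(name)),     // always just <H1> and </H1>
    safeHtml: welcomeSafe(name),
  };
}

// In a browser, write the escaped heading; elsewhere, print the comparison
if (typeof document !== "undefined") {
  document.writeln(welcomeSafe(pickName(sampleNames)));
} else {
  console.log(sampleNames.map(compareHeadings));
}
```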


FOR NEXT CLASS


HTML Extensions for Forms

- “Tool Tips”
  - TITLE Attribute on Form Tags
- Label Associated With Form Entry
  - User Can Click On Label to Select Entry Field

        <LABEL FOR="TextID">Enter Name: </LABEL>
        <INPUT TYPE="Text" ID="TextID" Name="Tname">

- Shortcuts
  - Alt-Character selects Entry Field
  - ACCESSKEY="X"
- Tab Order
  - TABINDEX=3
  - Negative Number Excludes Field From Tab Order
- FieldSet
  - Groups Controls Together (Outline Box)
  - <Legend> Adds Text To Outline Box
- Example