Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security and Penetration Testing

Published byShona Lambert Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Security and Penetration Testing"— Presentation transcript:

1 Computer Security and Penetration Testing
Chapter 13 Programming Exploits

2 Objectives Describe the evolution of programming exploits
Recognize vulnerabilities in ActiveX controls Identify steps to counter vulnerabilities in ActiveX controls Recognize vulnerabilities in VBScript Identify steps to counter vulnerabilities in VBScript Computer Security and Penetration Testing

3 Objectives (continued)
Recognize vulnerabilities in HTML Identify steps to counter vulnerabilities in HTML Recognize vulnerabilities in Java and JavaScript Identify steps to counter vulnerabilities in Java and JavaScript Computer Security and Penetration Testing

4 C and C++ Vulnerabilities in the C and C++ Programming Languages.
- Buffer over-runs - Failure to handle errors - Improper file access C and C++ Security Measures Computer Security and Penetration Testing

5 C and C++ Computer Security and Penetration Testing

6 .NET Framework Vulnerabilities in the .NET Framework
- Cross-site scripting - Integer overflow Countering .NET Framework Vulnerabilities Computer Security and Penetration Testing

7 HTML5 Hypertext Markup Language (HTML) HTML is not a dynamic language
Most basic script used to develop Web pages Uses a set of markup tags to define the structure of Web pages Browsers represent pages by interpreting these tags HTML is not a dynamic language Cannot be executed successfully except within a Web browser Computer Security and Penetration Testing

8 HTML5 (continued) HTML is essentially bulletproof and benign as long as it is used to display static text Arbitrary requirements for more finished and sophisticated pages Have required the development of many more tags and formatting conventions With increased complexity came increased opportunities for hackers to discover vulnerabilities Computer Security and Penetration Testing

9 Countering HTML5 Vulnerabilities
Make sure patches are up to date Pay attention when new exploits are reported Activate the automated patch management software Turn off services and features that you Know to be vulnerable to attack Do not understand Do not use Avoid known dangerous sites by installing and updating security software Computer Security and Penetration Testing

10 Countering HTML5 Vulnerabilities (continued)
Secure transfer of data has been made available by protocols such as Secure Sockets Layer (SSL) The way Internet Explorer handled SSL was discovered to be susceptible to a man-in-the-middle exploit Generating random encryption keys of 40 or 128 bits in length has solved this problem Computer Security and Penetration Testing

11 Java and JavaScript Java is a programming language that is compiled into applications or applets Java applications are stand-alone applications Run on the server or are downloaded to the client JavaScript is a scripting language that runs between <script> tags in a Web page A JavaScript cannot operate on its own, and is not compiled to run Computer Security and Penetration Testing

12 Java Object-oriented programming language (OOP) developed by Sun Microsystems Designed to run in a platform-independent manner using Java Runtime Environment (JRE) Installed on the client computer as its sandbox In Java, each function is modularized With this low-level modularization There is less of a chance that updating one piece of the application will break other parts Computer Security and Penetration Testing

13 Java (continued) Java was intended to be developed quickly with pretested parts Java applets provide functionality on the Internet Require Java-enabled browsers Java is machine-safe Can only act upon other objects within the JRE Java has no access to write, modify, or delete files on the hard drive or to modify the operating system Computer Security and Penetration Testing

14 JavaScript Scripting language developed by Netscape Communications Corporation Similar to VBScript in terms of implementation Almost every browser on almost every platform is JavaScript-enabled Like Java, requires a runtime environment As a script, the network bandwidth and client-side memory resource use is less than that required for the larger and more robust Java Computer Security and Penetration Testing

15 Security Vulnerabilities in Java
Vulnerabilities of Java: Client-side malevolent applets Server-side cross-scripting Server-side address spoofing A substantial percentage of vulnerabilities are related to vulnerabilities in the JRE Which can result in applets arbitrarily giving themselves elevated privileges Computer Security and Penetration Testing

16 Security Vulnerabilities in Java (continued)
Computer Security and Penetration Testing

17 Security Vulnerabilities in Java (continued)
Because Java is a platform-independent technology Issues such as malevolent applets can be used against any platform that has the JRE installed Client-side attacks include: Attacks on file integrity Buffer overflow Storm attacks Denial-of-service attacks Disclosure attacks Annoyance attacks Computer Security and Penetration Testing

18 Vulnerabilities in JavaScript
Vulnerabilities are similar to those in VBScript JavaScript vulnerabilities allow: Sending messages with information about the target computer to a client Opening and closing applications on the target computer Modifying files on the victim’s computer Main threat posed by JavaScript May be used to download components on a user’s computer without his or her knowledge Computer Security and Penetration Testing

19 Countering Java and JavaScript Vulnerabilities
Best preventative measure for an end user Perform all updates as soon as they are available Keep virus definitions in their antivirus or security program updated Set the Internet Options Control Panel To ask for permission before running JavaScripts or downloading Java applets Check the authenticity of the validation signatures attached to applets and scripts Computer Security and Penetration Testing

20 Countering Java and JavaScript Vulnerabilities (continued)
Check for security of links available on the signed scripts Programmers should develop and adhere to secure programming guidelines And sign their scripts Computer Security and Penetration Testing

21 Summary Programming exploits are the defects in various programming languages that are used to develop server-side and client-side applications ActiveX controls are stand-alone compiled applications that make it possible to link and allow interactions between various applications The design flaw in ActiveX is that it can do anything the user can do Attackers can use ActiveX to modify resources on an implementation of Windows Computer Security and Penetration Testing

22 Summary (continued) To safeguard against attacks, end users should install the most recent and stable version of Internet Explorer available VBScript can be used within HTML tags to produce a dynamic HTML page One of the most common exploits used on the Internet is a buffer overflow If you are administering a network, do not allow use of IE or Outlook Computer Security and Penetration Testing

23 Summary (continued) If you are the administrator of a Web site, run an antivirus application on your Web server to search for known bad ActiveX controls Hypertext Markup Language (HTML) is the most basic script used to develop Web pages The most effective way to counter HTML-related exploits is to keep up with the latest patches Java and JavaScript languages The best preventive measure for end users is to perform all updates as soon as they are available Computer Security and Penetration Testing

Download ppt "Computer Security and Penetration Testing"

Similar presentations

Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Internet Security Protocols

Internet Security Protocols
DT228/3 Web Development WWW and Client server model.

DT228/3 Web Development WWW and Client server model.
Understand Web Page Development 98-361 Software Development Fundamentals LESSON 4.1.

Understand Web Page Development Software Development Fundamentals LESSON 4.1.
Building Applications using ASP.NET and C# / Session 1 / 1 of 21 Session 1.

Building Applications using ASP.NET and C# / Session 1 / 1 of 21 Session 1.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
1 Chapter 12 Working With Access 2000 on the Internet.

1 Chapter 12 Working With Access 2000 on the Internet.
Chapter Concepts Review Markup Languages

Chapter Concepts Review Markup Languages
15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.

15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.
ACTIVE X By Ethan Huang. OUTLINE What is ActiveX? Component of ActiveX Why ActiveX? ActiveX and Java Security Issue.

ACTIVE X By Ethan Huang. OUTLINE What is ActiveX? Component of ActiveX Why ActiveX? ActiveX and Java Security Issue.
INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.

INTERNET DATABASE Chapter 9. u Basics of Internet, Web, HTTP, HTML, URLs. u Advantages and disadvantages of Web as a database platform. u Approaches for.
Introduction to Web Database Processing

Introduction to Web Database Processing
Introduction to Web Application Architectures Web Application Architectures 18 th March 2005 Bogdan L. Vrusias

Introduction to Web Application Architectures Web Application Architectures 18 th March 2005 Bogdan L. Vrusias
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.

INTERNET DATABASE. Internet and E-commerce Internet – a worldwide collection of interconnected computer network Internet – a worldwide collection of interconnected.
Active X Microsoft’s Answer to Dynamic Content Reference: Using Active X by Brian Farrar QUE

Active X Microsoft’s Answer to Dynamic Content Reference: Using Active X by Brian Farrar QUE
Introduction to Web Interface Technology (CSE2030)

Introduction to Web Interface Technology (CSE2030)
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.

Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
Introduction to Web Interface Technology (CSE2030)

Introduction to Web Interface Technology (CSE2030)

Similar presentations

Ads by Google