PART 21
Web break-through
The devices on which web applications run are very diverse, ranging from classic desktop systems to smartphones and embedded devices such as gaming consoles or television sets. Each of these devices runs an operating system that may already contain security controls for specific operations, such as determining the location of the device. Stacking several security controls on top of each other may be problematic and can confuse the user. In addition, the security controls defined in the specification are typically more fine-grained than the underlying security controls of the platform.

At present, so-called Web break-throughs are the most widespread form of attack. In the course of their development, browsers have moved far from the initial versions, which were intended only for viewing hypertext documents. With their functionality constantly increasing, they have become a full component of the operating system. In parallel with this development, numerous security problems have arisen in the technologies browsers use: additional modules (plug-ins), ActiveX elements, Java applications, and scripting facilities such as JavaScript, VBScript, PerlScript and Dynamic HTML. Because these technologies are supported not only by browsers but also by e-mail clients, and because of errors in them, a large number of viruses appear in e-mail, as well as viruses that infect HTML files (implemented in VBScript using ActiveX objects). Trojan horses have also become widely distributed. A Web break-through is usually carried out automatically by executable programs intended to steal or destroy computer data. They can be installed on the client computer while surfing the web and downloading files from other web sites, or, most often, during ICQ or IRC sessions. Such programs can be Java applets, ActiveX objects, JavaScript, Visual Basic scripts, or virtually any new programming language intended for designing Web pages.
The cookies
One of the dangers for Web traffic is the so-called "cookie". Because cookies do not contain executable programs, they cannot cause an attack by themselves; on the other hand, they contain confidential information about the client's habits. Such information could therefore be read by another website through a specially crafted script or ActiveX program. Netscape Navigator first implemented support for cookies in its version 2.0 browser, dating from 1996. Cookies offered a mechanism that allows a server to store per-client state and have the client supply a (server-assigned) pointer to that state automatically (via the client implementation) whenever it sends a request to the cookie-specified domain and URL path. Many sites used this facility to identify a user's session with the site, and then stored per-user or per-session data (such as a shopping cart) under the cookie identifier. Cookies became successful because they were more reliable session indicators than competing mechanisms (such as putting session state in the URI or body of an HTTP request, which require, for example, that users do not accidentally drop the session part of the URI). In order to ensure that a cookie was sent only to the originating domain, the browser needed to be able to determine the domain associated with a document, and thus the "origin" was born: scheme, host and port together define a unique origin. The same-origin policy states that a document from one unique origin may only load resources from the origin from which the document was loaded. In particular, this applies to XMLHttpRequest calls made from within a document. Images, CSS and dynamically loaded scripts are not subject to the same-origin policy.

Technical University - Sofia
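The following is an added example, not part of the lecture notes, showing how a browser derives the origin tuple (scheme, host, port) described above, applies the same-origin check to XMLHttpRequest while exempting images, CSS and scripts, and decides whether a stored cookie is attached to an outgoing request. The cookie domain and path matching is a simplified version of the rules in RFC 6265; the URLs, cookie and the helper names (originOf, isSameOrigin, mayLoad, cookieIsSent) are constructed for this illustration.

```javascript
// Added example: origin computation, same-origin check and cookie scoping.
// All URLs and the cookie below are constructed sample values.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin tuple of a URL. The default port is filled in explicitly so that
// http://example.com and http://example.com:80 compare as the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Same-origin policy: all three components must match.
function isSameOrigin(documentUrl, targetUrl) {
  const a = originOf(documentUrl);
  const b = originOf(targetUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A document may embed images, CSS and scripts from any origin, but an
// XMLHttpRequest is only permitted to the document's own origin.
function mayLoad(resourceType, documentUrl, targetUrl) {
  const exempt = new Set(['image', 'css', 'script']);
  if (exempt.has(resourceType)) return true;
  if (resourceType === 'xhr') return isSameOrigin(documentUrl, targetUrl);
  throw new Error('unknown resource type: ' + resourceType);
}

// Simplified RFC 6265 domain match: the request host equals the cookie
// domain or is a subdomain of it (a leading dot on the domain is ignored).
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Simplified RFC 6265 path match: identical path, or the cookie path is a
// prefix that ends at a "/" boundary (so "/cart" does not match "/cartoon").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Decide whether a stored cookie {name, value, domain, path, secure}
// is sent with a request to requestUrl.
function cookieIsSent(cookie, requestUrl) {
  const u = new URL(requestUrl);
  if (cookie.secure && u.protocol !== 'https:') return false;
  return domainMatches(u.hostname, cookie.domain) && pathMatches(u.pathname, cookie.path);
}

// Constructed session cookie, as a shop might set it for its cart.
const sessionCookie = {
  name: 'SESSIONID', value: 'constructed-sample', domain: 'shop.example.com',
  path: '/cart', secure: true,
};

// Walk through a few constructed cases and return the decisions.
function demo() {
  const doc = 'https://shop.example.com/cart/view';
  return {
    xhrSameOrigin: mayLoad('xhr', doc, 'https://shop.example.com/api/cart'),
    xhrOtherHost: mayLoad('xhr', doc, 'https://api.example.com/cart'),
    imageOtherHost: mayLoad('image', doc, 'https://cdn.example.net/logo.png'),
    cookieToCheckout: cookieIsSent(sessionCookie, 'https://shop.example.com/cart/checkout'),
    cookieOverHttp: cookieIsSent(sessionCookie, 'http://shop.example.com/cart'),
    cookieToOtherPath: cookieIsSent(sessionCookie, 'https://shop.example.com/cartoon'),
    cookieToOtherHost: cookieIsSent(sessionCookie, 'https://other.example.com/cart'),
  };
}

console.log(demo());
```

The Secure check, the host comparison and the path boundary test are exactly the places where a misconfigured cookie (no Secure flag, too broad a domain such as the bare registrable domain, or a path of "/") widens who receives the session identifier, which is the confidentiality concern the notes raise.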