How to protect against Hostile Web Pages and Scripting
The dangers of Trojans and viruses are well known. However, many computer users are completely unaware of the dangers involved in viewing Web pages. Through scripting languages, Web page operators can upload and download files to your device (PC/PDA). They can also install mini-programs or grab information from you that can be used to destroy or take over your computer. Every time you go to a Web page, you actually download the full document to your computer. This includes all text, pictures, and even any code that is required for the Web page to interact or to display properly. After the download is complete, the Web page or programs that have downloaded can run in the background without your knowledge. You might get forced downloads, or the computer from which you requested the Web page could be spying on you.

Although this sounds frightening, it is part of normal Web browsing. A Web page is made up of one or more of the following elements: HTML, XHTML, WML (in the case of wireless browsers), JavaScript or another scripting language, and small programs like Flash and Java Applets. Each of these plays an important part in your Internet experience.

NOTE: XHTML stands for Extensible Hypertext Markup Language. This is the latest version of HTML, which simply allows for customizable HTML code. In other words, the purpose of XHTML is to grant Web developers the power to create their own formatting, and to separate this formatting from the content of the Web page.

HTML and its relative XHTML are the main languages of Web pages. For the most part, a Web page is nothing more than super-formatted text. For example, if you wanted to embolden a font, you would simply type <b>the word</b>, which would display the word in bold. The <b> tells the browser to start displaying in bold, while the slash in </b> tells the browser to cease the bolding. Although the above example is still valid, most developers are using another type of formatting that reduces the amount of overhead and duplicate tags.
Using Cascading Style Sheets (CSS), a Web developer has only to define a style once and then she may apply that style to an object in a Web page. For example, using basic HTML, a Web developer may have to format 30 objects in a page with lengthy font formatting definitions. Now, however, she can create a single style value that defines the font and then simply assign that style to any text. Not only does this reduce the amount of time required to create a Web page, but it also helps to make a Web page more organized by separating the actual content from the formatting. In addition, if a Web developer wants to change the color for all the text on a page, she only has to update the CSS, rather than every piece of text in the document.

Scripting languages are either built into the HTML or they run separately on the server. They receive input from you and react accordingly. For example, one of the most common scripts used in Web pages is called a rollover. This can be seen when you move your mouse over an image or word and it changes color or shape. This trick is done through the use of scripting. Other examples include mouse trailers, form submissions, and protecting Web pages from the right-click of a mouse.

Programs comprise an important part of Web pages. There are many different types, but some of the most popular include Flash and Shockwave. These are mainly graphical programs; nevertheless, entire games can be created in Flash and played on the Internet. Other examples are ActiveX components, Java Applets, and even VRML (a virtual reality language).

A complex Web page with database connectivity and user interaction will have code embedded in the HTML. For example, code can be used to create online shopping carts, dynamic image galleries, and even Web-based applications. Although these different aspects of a Web page have many excellent uses, they unfortunately create vulnerabilities.
These vulnerabilities are actually mistakes, or more accurately, oversights in the programming languages used to make the Web page. These holes are usually well known to those who keep an eye on Internet security issues. Worse, there are vulnerabilities that can enable a malicious Web site operator to download any file from your computer. This includes password files and program files.

For example, it would be easy to create a Web page that requested the name of your computer. In fact, this is standard practice, and is not illegal in any way. However, many people name their computers after themselves. This information, combined with the knowledge that Quicken will store its financial files at c:\program files\Quicken\, can give a hacker all the knowledge she needs to steal your financial information. A Web site operator merely has to query the computer name and to code a Web page to download c:\program files\Quicken\YourName.dbf. Once a hacker has this file, she has your whole financial history.

Is There a Way to Prevent Scripting Vulnerabilities?

The answer is a "catch-22." The Internet would not be as useful or powerful if it were not for the extras most people have come to expect and even to demand while they surf online. For example, without scripting languages and Web-based programming, user experiences such as online shopping, online games, Web-based email and more would not exist. However, in order to fully protect yourself from hackers, you would have to disable these extras.

For example, many online stores use a combination of cookies, JavaScript, and some type of server-based programming. If you locked down your computer to the safest level, your browser would not run the JavaScript required to validate the entries you made, and the cookies used to keep track of your movements through the Web site would be rejected, which would not allow the server-side program to function properly. In other words, your shopping experience would not result in a purchase.
Fortunately, most browsers make it easy to regulate and balance the level of security with the amount of functionality. For example, Internet Explorer provides its users with an easy way to control these settings by clicking on the Tools -> Internet Options -> Security tab. In this properties sheet, you can quickly determine what to allow and what to restrict. You can even use preset options to quickly apply high, medium, and low settings. Keep in mind that the level of security you set on your browser or firewall corresponds to the level of functionality you will have when surfing the Internet.

Most Web sites are safe. If you stick to the main roads and avoid the "red light district" of the Internet, you reduce your risk of being molested. Also, if you are asked to download a program or plug-in when you enter a Web site, make sure that you really need the program.

If at any time you suspect a rogue script on your computer, you can view the offending Web page's code with your browser. The viewing method depends on the browser you are using: In Internet Explorer, you can usually right-click on any blank part of a Web page and select the View Source option from the menu. In Netscape, you can find the same option under the Edit menu at the top of the browser.
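
The following Python script is an added example, not part of the original article. It reads a page's source as View Source shows it and lists each script, embedded program, event handler and javascript: link with its line number, so you know where to look. The names ActiveContentAudit, audit and SAMPLE_PAGE, and the sample page itself, are made up for illustration.

```python
from html.parser import HTMLParser

# Tags that load programs (Flash, Java Applets, ActiveX) or frame other pages.
EMBED_TAGS = {"object", "embed", "applet", "iframe"}

class ActiveContentAudit(HTMLParser):
    """Records every place in a page's source that can run code."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, detail) in document order

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line of this tag in the source
        attrs = [(name, value or "") for name, value in attrs]
        d = dict(attrs)
        if tag == "script":
            kind = "external-script" if d.get("src") else "inline-script"
            self.findings.append((line, kind, d.get("src", "")))
        elif tag in EMBED_TAGS:
            where = d.get("src") or d.get("data") or d.get("code") or d.get("classid") or ""
            self.findings.append((line, "embedded-" + tag, where))
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onmouseover, onload, ...
                self.findings.append((line, "event-handler", tag + " " + name))
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", tag + " " + name))

def audit(html):
    """Return the active-content findings for one page's source."""
    parser = ActiveContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not from the article); host and class id are made up.
SAMPLE_PAGE = """<html><head>
<script src="http://ads.example/track.js"></script>
<script>document.title = "hi";</script>
</head><body>
<img src="logo.gif" onmouseover="swap(this)">
<a href="javascript:void(0)">menu</a>
<object classid="clsid:CONSTRUCTED-EXAMPLE"></object>
<p><b>Plain formatted text</b> is not reported.</p>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in audit(SAMPLE_PAGE):
        print(f"line {line}: {kind} {detail}")
```

To check a real page, save its source to a file and pass the file's text to audit(); plain formatting tags such as <b> produce no findings.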