Hacker Highschool_ Lesson 10 Web Security and Privacy.pdf
LESSON 10 – WEB SECURITY AND PRIVACY
“License for Use” Information
The following lessons and workbooks are open and publicly available under the following
terms and conditions of ISECOM:
All works in the Hacker Highschool project are provided for non-commercial use with
elementary school students, junior high school students, and high school students whether in a
public institution, private institution, or a part of home-schooling. These materials may not be
reproduced for sale in any form. The provision of any class, course, training, or camp with
these materials for which a fee is charged is expressly forbidden without a license including
college classes, university classes, trade-school classes, summer or computer camps, and
similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at
www.hackerhighschool.org/license.
The HHS Project is a learning tool and as with any learning tool, the instruction is the influence
of the instructor and not the tool. ISECOM cannot accept responsibility for how any
information herein is applied or abused.
The HHS Project is an open community effort and if you find value in this project, we do ask
that you support us through the purchase of a license, a donation, or sponsorship.
All works copyright ISECOM, 2004.
Table of Contents
“License for Use” Information
Contributors
10.1 Fundamentals of Web Security
10.1.1 How the web really works
10.1.2 Rattling the Locks
10.1.3 Looking through Tinted Windows - SSL
10.1.4 Having someone else do it for you – Proxies
10.2 Web Vulnerabilities
10.2.1 Scripting Languages
10.2.2 Common Web Application Problems
10.2.3 Guidelines for Building Secure Web Applications
10.3 HTML Basics – A brief introduction
10.3.1 Reading HTML
10.3.2 Viewing HTML at its Source
10.3.3 Links
10.3.4 Proxy methods for Web Application Manipulation
10.4 Protecting your server
10.4.1 Firewall
10.4.2 Intrusion Detection System (IDS)
10.5 Secure Communications
10.5.1 Privacy and Confidentiality
10.5.2 Knowing if you are communicating securely
10.6 Methods of Verification
10.6.1 OSSTMM
Exercises
Further Reading
Contributors
Simon Biles
Pete Herzog, ISECOM
Bill Matthews
Hernán Marcelo Racciatti
Chris Ramirez
P. Shreekanth
Kim Truett, ISECOM
Marta Barceló, ISECOM
Dario Riquelme Zornow
10.1 Fundamentals of Web Security
What you do on the World Wide Web is your business. Or so you would think. But it's just not
true. What you do on the web is about as private and anonymous as where you go when
you leave the house. Again, you would think that it's your business and many, including
ISECOM, would agree with you. However, consider a private investigator following you
around town, writing down what you saw and who you spoke with.
The focus of this lesson is to get you to learn how to protect yourself on the web, and to do that
you will have to learn where the dangers are.
The World Wide Web works in a very straightforward manner. Once connected to the
Internet through your ISP, you open a browser, tell it a website, and you get that website on
your screen. However, the truth is in the details. How does the web really work?
A quick trip to the World Wide Web Consortium (W3C), those fine folks who make standards
for the web, will teach you all you want to know about the web: http://www.w3.org. Even
the history of the web: http://www.w3.org/History.html. The problem is, will definitions and
standards teach you how to be safe? Apparently not. The people who want to hurt you do
not necessarily follow the standards.
10.1.1 How the web really works
The steps involved in connecting to the Internet and then to the web are very detailed, even if
it all seems smooth from the user's end.
So what really happens when you just want to get to the ISECOM website? Assuming you
are already connected to the Internet, here are the steps that occur, in order:
1. You open your browser.
2. You type in the URL (website name).
3. The website name is saved in the history cache on the hard disk.
4. Your computer sends the name to your default DNS server to look up its IP address.
5. Your computer connects to the server at the IP address provided, on the default
web port of 80 TCP if you used “HTTP://” or 443 TCP if you used “HTTPS://” at the front
of the web server name (by the way, if you used HTTPS then there are other steps
involved using server certificates, which we will not follow in this example).
6. Your computer requests the page or directory you specified; if you don't specify
anything, the default is often “index.htm”, but it is the server that decides its default,
not your browser.
7. The pages are stored in a cache on your hard disk. Even if you tell it to store the
information in memory (RAM), there is a good chance it will end up somewhere on
your disk, either in a PAGEFILE or in a SWAPFILE.
8. The browser shows you what it has stored almost instantaneously. Again, there is a
difference between the “perceived speed” and the “actual speed” of your web surfing:
actual speed is how fast something is downloaded, perceived speed is how fast your
browser and graphics card can render the page and graphics and show them to you.
Just because you didn't see it doesn't mean it didn't end up in your browser cache.
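Steps 4 to 6 above, written out as working code (an illustration added here, not code from the lesson): plan_request builds the raw request a browser would send and picks the port from the scheme without touching the network, while fetch performs the DNS lookup, the TCP connection and the request itself. It assumes Python 3.8 or later; the URLs used are only examples.

```python
import socket
import ssl
from urllib.parse import urlsplit


def plan_request(url: str) -> dict:
    """Steps 2, 5 and 6 without any network access: decide the port from the
    scheme and build the raw HTTP request the browser would send."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    # Step 5: 80/TCP for HTTP and 443/TCP for HTTPS, unless the URL names a port.
    port = parts.port or (443 if scheme == "https" else 80)
    # Step 6: the browser sends only the path.  An empty path becomes "/", and
    # the *server* decides what "/" maps to (index.htm, index.html, ...).
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {parts.hostname}\r\n"  # on plain HTTP this name crosses the wire in clear text
        "Connection: close\r\n\r\n"
    )
    return {"host": parts.hostname, "port": port, "tls": scheme == "https", "request": request}


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Steps 4 to 6 for real; needs network access."""
    plan = plan_request(url)
    # Step 4: ask the resolver (your default DNS server) for the IP address.
    sockaddr = socket.getaddrinfo(plan["host"], plan["port"], type=socket.SOCK_STREAM)[0][4]
    ip_address = sockaddr[0]
    # Step 5: TCP connection to that IP address on the chosen port.
    sock = socket.create_connection((ip_address, plan["port"]), timeout=timeout)
    if plan["tls"]:
        # HTTPS: the certificate checks the lesson leaves out happen in this handshake.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=plan["host"])
    with sock:
        sock.sendall(plan["request"].encode("ascii"))  # step 6: request the page
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)  # raw response: status line, headers and body
```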