CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [83]
Obviously, cookies are considered a risk because they have the potential to contain your personal information, which could get into the wrong hands. If security is your utmost concern, the best protection is to not allow cookies to be accepted. Almost every browser offers the option of enabling or disabling cookies. If you enable them, you can usually choose whether to accept/reject all or only those from an originating server.
Cross-site scripting (XSS)
Using a client-side scripting language, it is possible for a ne’er-do-well to trick a user into visiting a site they control and having code then execute locally on the user’s machine. When this is done, it is known as cross-site scripting. As an example, UserA may get a message telling him that he needs to make changes to his XYZ account, but the link in the message is not really to the XYZ site (a phishing ploy). When he clicks on the link, a JavaScript routine begins to run on his machine. Since the script is running on UserA’s system, it has his permissions and can begin doing such things as running malevolent routines to send/delete/alter data.
The best protection against cross-site scripting is to disable the running of scripts.
Input Validation
Anytime a user must supply values in a session, validation of the data entered should be done. Many vendors, however, have fallen prey to input validation vulnerabilities within their code. In some instances, empty values have been accepted, while others have allowed privilege escalation if certain backdoor passwords were used.
The best protection against input validation vulnerabilities is for developers to follow best practices and always validate all values entered. As an administrator, when you learn of an input validation vulnerability with any application on your system, you should immediately stop using it until a patch has been released and installed.
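As an added illustration of the two points above (rejecting empty values instead of accepting them, and validating every field before use), here is example code that is not from the study guide: a validator for a hypothetical account-update form, with constructed allowlist rules, plus an HTML-escaping helper so that echoed user data cannot become a cross-site script.

```python
import html
import re

# Constructed allowlist rules for a hypothetical account-update form (an assumption
# for this example, not from the study guide). Every expected field is listed here;
# anything not listed is never passed through.
FIELD_RULES = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$"),
    "display_name": re.compile(r"^[\w .'-]{1,64}$"),
}


def validate_account_form(form: dict) -> dict:
    """Return only the validated fields, raising ValueError on the first problem.

    Missing, non-string and empty values are rejected outright (the "empty values
    accepted" failure named in the text), and each remaining value must match its
    allowlist pattern. Extra fields such as a client-supplied "role" are dropped,
    so the form cannot be used to change something it was never meant to control.
    """
    clean = {}
    for field, pattern in FIELD_RULES.items():
        value = form.get(field)
        if not isinstance(value, str) or value.strip() == "":
            raise ValueError(f"{field}: a value is required")
        value = value.strip()
        if not pattern.fullmatch(value):
            raise ValueError(f"{field}: contains characters outside the allowed set")
        clean[field] = value
    return clean


def is_valid_account_form(form: dict) -> bool:
    """Boolean wrapper around validate_account_form for callers that only need pass/fail."""
    try:
        validate_account_form(form)
    except ValueError:
        return False
    return True


def render_greeting(display_name: str) -> str:
    """HTML-escape user data before echoing it into a page.

    Even if a stored value somehow bypassed validation, escaping turns a
    <script> tag into literal text that the browser displays rather than runs.
    """
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"
```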
Java Applets
A Java applet is a small, self-contained Java script that is downloaded from a server to a client and then run from the browser. The client browser must have the ability to run Java applets in a virtual machine on the client. Java applets are used extensively in web servers today, and they’re becoming one of the most popular tools used for website development.
Java-enabled applications can accept programmed instructions (Java scripts) from a server and control certain aspects of the client environment. Java requires you to download a virtual machine in order to run the Java applications or applets. Java scripts run on the client.
The applets run in a restricted area of memory called the sandbox. The sandbox limits the applet’s access to user areas and system resources. An applet that runs in the sandbox is considered safe, meaning it won’t attempt to gain access to sensitive system areas. Errors in the Java virtual machine that runs the applications may allow some applets to run outside of the sandbox. When this occurs, the applet is unsafe and may perform malicious operations. Attackers have exploited this weakness on client systems. From a user’s standpoint, the best defense is to make certain you run only applets from reputable sites you’re familiar with. From an administrator’s standpoint, you should make certain programmers adhere to programming guidelines when creating the applets.
JavaScript
JavaScript is a programming language that allows access to system resources of the system running a script. A JavaScript script is a self-contained program that can be run as an executable file