Password Change Functionality

Surprisingly, many web applications do not provide any way for users to change their password. However, this functionality is necessary for a well-designed authentication mechanism for two reasons:
■ Periodic enforced password change mitigates the threat of password compromise by reducing the window in which a given password can be targeted in a guessing …

Vulnerable Transmission of Credentials

If an application uses an unencrypted HTTP connection to transmit login credentials, an eavesdropper who is suitably positioned on the network will of course be able to intercept them. Depending on the user’s location, potential eavesdroppers may reside:
■ On the user’s local network
■ Within the user’s IT department
■ Within the user’s ISP …

Handling Client-Side Data Securely

Transmitting Data via the Client
Many applications leave themselves exposed because they transmit critical data such as product prices and discount rates via the client in an unsafe manner. If possible, applications should avoid transmitting this kind of data via the client altogether. In virtually any conceivable scenario, it is possible to hold such data …

ActiveX Controls

ActiveX controls are a much more heavyweight technology than Java applets. They are effectively native Win32 executables that, once accepted and installed by the user, execute with the full privileges of that user and can carry out arbitrary actions, including interacting with the operating system. ActiveX can be used to implement practically any client-side control, …

Capturing User Data: Thick-Client Components

Besides HTML forms, the other main method for capturing, validating, and submitting user data is to use a thick-client component. The technologies you are most likely to encounter here are Java applets, ActiveX controls, and Shockwave Flash objects. Thick-client components can capture data in various ways, both via input forms and in some cases …

Capturing User Data: HTML Forms

The other principal way in which applications use client-side controls to restrict data submitted by clients occurs with data that was not originally specified by the server but was gathered on the client computer itself. HTML forms are the simplest and most common mechanism for capturing input from the user and submitting it to the …

Bypassing Client-Side Controls

Transmitting Data via the Client
It is very common to see an application passing data to the client in a form that is not directly visible or modifiable by the end user, in the expectation that this data will be sent back to the server in a subsequent request. Often, the application’s developers simply assume that …

Identifying Server-Side Functionality

It is often possible to infer a great deal about server-side functionality and structure, or at least make an educated guess, by observing clues that the application discloses to the client.
Dissecting Requests
Consider the following URL, which is used to access a search function: https://wahh-app.com/calendar.jsp?name=new%20applicants&isExpired=0&startDate=22%2F09%2F2006&endDate=22%2F03%2F2007&OrderBy=name As we have seen, the .jsp file extension …

Identifying Server-Side Technologies

It is normally possible to fingerprint the technologies employed on the server via various clues and indicators.
Banner Grabbing
Many web servers disclose fine-grained version information, both about the web server software itself and about other components that have been installed. For example, the HTTP Server header discloses a huge amount of detail about some …