DOES THE WEB APPLICATION REQUIRE AUTHENTICATION OF THE USER?
Many Web applications require another server to authenticate users
Examine how information is passed between the two servers
Encrypted channels
Verify that logon and password information is stored in secure places
Authentication servers introduce a second target
APPLICATION VULNERABILITIES COUNTERMEASURES (CONTINUED)
Top 10 Web application vulnerabilities (continued)
Remote administration flaws
Attacker can gain access to the Web server through the remote administration interface
Web and application server misconfiguration
Any Web server software out of the box is usually vulnerable to attack
Default accounts and passwords
Overly informative error messages
WEB FORMS
Use the <form> element or tag in an HTML document
Allows customers to submit information to the Web server
Web servers process information from a Web form by using a Web application
Easy way for attackers to intercept data that users submit to a Web server
APPLICATION VULNERABILITIES COUNTERMEASURES
Open Web Application Security Project (OWASP)
Open, not-for-profit organization dedicated to finding and fighting vulnerabilities in Web applications
Publishes the Ten Most Critical Web Application Security Vulnerabilities
Top 10 Web application vulnerabilities
Unvalidated parameters
HTTP requests are not validated by the Web server
Broken access control
Developers implement access controls but fail to test them properly
USING SCRIPTING LANGUAGES
Dynamic Web pages can be developed using scripting languages
VBScript
JavaScript
PHP
OPEN DATABASE CONNECTIVITY (ODBC) (CONTINUED)
ODBC defines
Standardized representation of data types
A library of ODBC functions
Standard methods of connecting to and logging on to a DBMS
WEB APPLICATION COMPONENTS
Static Web pages
Created using HTML
Dynamic Web pages
Need special components
<form> tags
Common Gateway Interface (CGI)
Active Server Pages (ASP)
PHP
ColdFusion
Scripting languages
Database connectors
APACHE WEB SERVER
Tomcat Apache is another Web server program
Tomcat Apache hosts anywhere from 50% to 60% of all Web sites
Advantages
Works on just about any *NIX and Windows platform
It is free
Requires Java 2 Standard Runtime Environment (J2SE, version 5.0)
ON WHAT PLATFORM WAS THE WEB APPLICATION DEVELOPED?
Several different platforms and technologies can be used to develop Web applications
Attacks differ depending on the platform and technology used to develop the application
Footprinting is used to find out as much information as possible about a target system
The more you know about a system, the easier it is to gather information about its vulnerabilities
OPEN DATABASE CONNECTIVITY (ODBC)
Standard database access method developed by the SQL Access Group
ODBC interface allows an application to access
Data stored in a database management system
Any system that understands and can issue ODBC commands
Interoperability among backend DBMSs is a key feature of the ODBC interface
UNDERSTANDING WEB APPLICATIONS
It is nearly impossible to write a program without bugs
Some bugs create security vulnerabilities
Web applications also have bugs
Web applications have a larger user base than standalone applications
Bugs are a bigger problem for Web applications
DOES THE WEB APPLICATION CONNECT TO A BACKEND DATABASE SERVER? (CONTINUED)
Basic testing should look for
Whether you can enter text with punctuation marks
Whether you can enter a single quotation mark followed by any SQL keywords
Whether you can get any sort of database error when attempting to inject SQL
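The three checks above all probe the same defect: form input concatenated into a SQL statement. The following is an added example, not code from the original slides; it uses an in-memory SQLite table with constructed sample rows (the users table, the usernames and the two lookup functions are assumptions) to show why a legitimate punctuation mark such as the apostrophe in O'Brien or a lone quotation mark produces a database error in the vulnerable lookup, and how a parameterized query plus a generic error message removes both the injection path and the overly informative error message mentioned on the countermeasures slide.

```python
"""Added example (not from the original slides): a vulnerable lookup that
concatenates form input into SQL, beside a hardened lookup that binds the
input as a parameter and never echoes the raw DBMS error to the client."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows
    (schema and data are assumptions for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """Builds the WHERE clause by string concatenation, so whatever the form
    submits is parsed as SQL. Returns (rows, error_text). A quotation mark in
    the input breaks the statement and the raw DBMS error is handed back,
    which is exactly what the basic tests on the slide look for."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        # Overly informative: the client learns the DBMS type and parser state.
        return [], str(exc)


def lookup_hardened(conn: sqlite3.Connection, username: str):
    """Parameterized query: the driver sends the input as bound data, so a
    quotation mark or SQL keyword can never change the statement. Any DBMS
    error is replaced by a generic message; the real exception belongs in a
    server-side log, not in the HTTP response."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    try:
        return conn.execute(sql, (username,)).fetchall(), None
    except sqlite3.Error:
        return [], "request could not be processed"


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice", "O'Brien", "'"):
        print("vulnerable", repr(probe), lookup_vulnerable(db, probe))
        print("hardened  ", repr(probe), lookup_hardened(db, probe))
```

Running the script shows the vulnerable lookup failing with a parser error on O'Brien and on the lone quotation mark, while the hardened lookup simply returns no rows for those inputs and the matching row for alice. Applying the same two checks (bound parameters, generic client-side error) to every query that carries form input is the countermeasure for the unvalidated-parameters item on the OWASP list.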
DOES THE WEB APPLICATION USE DYNAMIC WEB PAGES?
Static Web pages do not create a security environment
IIS attack example
Submitting a specially formatted URL to the attacked Web server
IIS does not correctly parse the URL information
Attackers could launch a Unicode exploit
http://www.nopatchiss.com/scripts/...