
Internet intranet CIS class 5



DOCUMENT INFORMATION

Internet / Intranet CIS-536 Class
Web Server Security
Intro JavaScript

Class Agenda
- Web Security
- Presentations
- Intro JavaScript
- Next Week: More JavaScript, DHTML, DOM, Forms

Practical Internet Security
- Analogous to "Real-Life" Security (e.g. a Bank)
- Like Software, Security Must Be Well-Designed
- Implementing Security Requires Trade-Offs
  - Ease of Use is Affected
  - Business Processes are Affected
  - Business Culture is Affected
  - Affects Both Users and Employees
- Security is Expensive
  - Time, Effort, Lost Productivity
  - Enforcement
- Physical Security is Only Half the Story
  - Implementation/Enforcement is Just as Important

Security Design Issues
- Know the Threats You are Protecting Against
  - What are the Probabilities?
  - What is the Cost if it Happens? Dollars; Customer/Employee Confidence
- Know Your Environment
  - What are the Customer/User Requirements?
  - What are the Budget Constraints?
  - What is the Culture/Attitude of Those Affected?
  - What is the Probability That Policies Will Be Followed / Enforced?

Security Sermon
- Security is Often Mis-Used in Technology Environments
  - Provides Peace of Mind, Not Necessarily Real Security
  - Often Avoids the Real Issues
  - Appeases Management

Common Security Mistakes (Analogies)
- Using an Expensive/High Security Safe But Leaving the Key/Combination Where it Can Be Stolen
- Leaving the Safe Unlocked: Little Professional Enforcement/Review of Procedures
- Storing a Dime in a Safe: Cost of Security Exceeds Risk of Stolen Dime
- High-Tech Solution Instead of Low-Tech Common Sense, e.g. Convenience Store Having a Safe vs. Nightly Bank Deposits
- Security Has Consequences on Human Perceptions, e.g. Installing a Metal Detector May Make Employees Feel Less Secure

Security Tips
- Thieves/Hackers Follow the Easiest Path: the One That Gives Them the Most Value, the One They Know About
- The Environment is Key!
  - A Mercedes in a Lot Full of Chevys is Likely to Be Stolen First
  - The Same Mercedes in a Lot Full of Rolls Royces is Likely to Be Stolen Last
  - The Same Mercedes in an Unsecure Garage is Safer Because Fewer Thieves Know About It
- Therefore:
  - Know Other Likely Targets and Be Less Attractive Than They Are
  - Make Your Site More Difficult to Hack Than it's Worth
  - Don't Publicize What Doesn't Need to Be Public

Security Tips (2)
- Does Not Guarantee No Hacking, But Reduces the Probability Significantly
- Most Security Problems Come From Human Error, Not From Intentional Hacking: Focus on Minimizing the Chance of Human Error
- Identify Each Risk Separately: Solutions May Vary Widely
- Security is Only as Good as Your Expertise: Professional Security Requires a Professional System Administrator
- Use Common Sense / Be Realistic

Internet Risks
- Destruction of Data (Random, Targeted)
- Modification of Data (Random, Targeted)
- Worms/Viruses
- Publication of Private/Sensitive Data
  - Sensitive/Embarrassing Information
  - Confidential Information
  - Competitive Information
  - Customer Information
  - Keys
  - Information That Furthers Other Risks, e.g. Credit Card Information, Museum Floor Plan
- Network Disruption
- Machine Crashes / Inoperable Serving Software

Protecting Data
- Machine Level
  - Physical Isolation: Physically Isolate Machines From Users; Protect From Theft / Natural Disasters
  - Users: System Administration, Permissions, Remote Access
  - Single-Purpose vs. Multi-Purpose Server
  - Shared Hosting
  - Test vs. Production
- Application Level
  - Server Configuration
  - Server's Ability to Access Files / System Resources
  - Restrict Applications Running on the Machine
  - Don't Load Applications/Protocols You Don't Need

Protecting Data (2)
- Script Level
  - Who Can Modify Scripts? Remote Access
  - Script's Ability to Access Files / System Resources
  - Scripts Identified by File Extension or Directory?
- File Level
  - Who Can Download Files?
  - Who Can Upload Files?
  - Exposed Directories
- Communication Level
  - IP Address Restrictions
  - Password Requirements
  - Encryption
- Metaphysical Level
  - Morals
  - The Law

Dynamic HTML - Scripting
- All Properties Can Be Set by Scripts
- New Dynamic Properties: Useful for Scripting
  - DISABLED / ENABLED Attribute (Form Fields)
  - Display Property
  - Visibility Property
- Pop-Up Boxes
- Creation of New Windows: New Instance of Browser

Invoking a Script
- Script Code Within HTML
- Buttons: Button Selection Invokes a Script
- Events
  - Focus Events: onfocus, onblur
  - Mouse Events: onmouseover, onmouseout, onmousedown, onmouseup, onclick, ondblclick, onselect
  - Keyboard Events: onkeydown, onkeyup, onkeypress
  - Scroll Event: onscroll
  - Help Event: onhelp (F1 key, not the Browser Help Button)
  - Timer Events

Document Object Model
- Defines a Hierarchy of Objects
- Each Has its Own Event Handlers
- Event Bubbling: Which Event Handler Gets the Event?
- Name Space Definitions: Each Object in an HTML Form Can Be Addressed, e.g. Clicking a Button Can Be Used to Change the Text Value in a Specific Field of Another Window

A Caveat
- JavaScript is Still a Scripting Language
- Not Great For Large, Complex Programs, e.g. Limited Debugging
- As With Perl, Powerful Features Can Also Make Bugs Difficult to Detect / Prevent

Stepping Back: Basic JavaScript
- Older Browsers Ignore the Script Tag if They Don't Support Script; However, They Will Try to Display the Text Within the Tags
- Therefore, Enclose All Script Within the Tags as HTML Comments; the Script Processor Will Ignore the HTML Comment Tags
- Use // For JavaScript Comments
- Newer Browsers Will Ignore Everything Within the Tags if They Don't Recognize the Language; JavaScript is the Default
- Tags Can Then Be Used to Specify an Alternative; Everything in Between is Ignored By the Browser
- Note That a Specific Version of the Language Can Be Specified (e.g. Javascript1.2)

Javascript Basics
- Similar to C/Java
- Case Sensitive; Case Conventions Not Always Obvious
- In Most Cases You Don't Get an Error Message, Just an Unexpected Result
  - == vs. = in an if statement (Like C), e.g. if (a == 2) { vs. if (a = ) {
- Lines end in ;

In Line JavaScript
- Executed Where Encountered:
  document.write ("Hello World \n");
  document.writeln ("Hello World");
- NOTE: Output is Interpreted as HTML
- Dynamic Page Example

Objects and Properties
- Objects are Collections of Named Data, Often Called Properties or Fields
- Properties are Untyped: Can be Data, Arrays, Functions, Other Objects
- If a Property is a Function it is Called a Method
- Referenced by object.property, e.g. document.myform.button
- Properties Can be Dynamically Assigned to Objects:
  var point = new Object();
  point.x = 7;
  point.y = 3;

Associative Arrays
- Properties Can Be Accessed via Associative Arrays, e.g. point["x"], document.myform["button"]

Creating Objects
- Variables Can Be Used Without Declaration, e.g. myname = "evan"
- However it is Preferable to Declare Them First: var i, j, k;
- Can Be Initialized on Declaration: var i=0, j=0, k=0;
- Objects and Arrays Must First Be Created: var book = new Object();
- Then Properties Can Be Assigned Without Declaration:
  book.chapter1 = "How To";
  book.chapter1.length = "20 pages";
- All Objects / Variables Have Default Methods/Properties, e.g. st = "abcdefg"; stlen = st.length;

Scoping
- Objects Declared Outside of a Function are Global
- Objects Declared With the var Statement in a Function are Local
- Objects Not Declared are Treated as Globals; This is the Reason All Variables Should be Declared
- Local: Only Defined Within the Local Function
- Global: Defined Within All
- NOTE: A Local Variable Can Have the Same Name as a Global; The Local Variable Takes Precedence

Arrays: Some Useful Array Functions
- array.concat (array1, array2, ...) – Concatenates Arrays
- array.join (separator) – Returns a String of All Elements of the Array Separated by Separator
- array.length – Returns the Number of Elements in the Array
- array.pop – Removes and Returns the Last Element of an Array
- array.push – Appends an Element to an Array
- array.reverse – Reverses the Elements of an Array
- array.shift – Removes and Returns the First Element of an Array
- array.unshift – Inserts an Element at the Beginning of an Array
- array.slice (start, end) – Returns a Portion of the Array
- array.sort – Sorts an Array
- array.splice – Inserts or Deletes Elements of an Array

Miscellaneous
- Concatenate Strings Using +
- Variables are Untyped and Automatically Converted; May Cause Unexpected Results, e.g.
  v1 = + + " classes"; v1 contains "3 classes"
  But: v1 = "I took " + +2+ "classes"; v1 contains "I took 12 classes"
- Arrays are Identified With Brackets, e.g. point[0], Not { as with Perl
- null – Special Value, Different Than this
- this – Identifies the Current Object

Functions
- Use the return Statement to Return a Value from a Function, e.g. return (3);
- arguments is a Special Object Available in a Function
  - arguments[] Holds the Argument Values Passed In
  - arguments.length – The Number of Arguments Passed

More JavaScript
- Comments are // or /* */
- Strings are concatenated with +
- Functions Should be Declared Before Being Used; Typically Defined in Section
- alert – Creates a Pop-Up Message Box
- prompt – Prompts the User for Input
- Buttons -
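The "Output is Interpreted as HTML" note on the In Line JavaScript slide is the reason visitor-supplied text must be escaped before it reaches document.write. The following is an added example, not code from the slides: it builds the string a page would hand to document.write once raw and once escaped, so the difference can be inspected outside a browser. The sample name is constructed.

```javascript
// Added example (not from the slides): document.write() output is parsed as
// HTML, so any untrusted text placed in it can become markup. The renderer
// builds the string a page would hand to document.write, once raw and once
// with the HTML-significant characters escaped. The sample input is constructed.

// Escape the five characters that can change HTML structure or break out of
// an attribute value.
function escapeHtml(text) {
  var table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, function (ch) { return table[ch]; });
}

// Naive version: the visitor-supplied name is interpolated as-is, so a name
// containing "<b>" is rendered as a bold tag, not as three characters.
function greetingRaw(name) {
  return "<p>Hello, " + name + "</p>";
}

// Hardened version: the name is shown literally, whatever it contains.
function greetingEscaped(name) {
  return "<p>Hello, " + escapeHtml(name) + "</p>";
}

// Constructed sample: a name that carries markup and an ampersand.
var sampleName = "<b>Evan</b> & \"friends\"";

// In a browser each string would be passed to document.write(...); here the
// pair is returned so the two renderings can be compared side by side.
function demo() {
  return { raw: greetingRaw(sampleName), escaped: greetingEscaped(sampleName) };
}
```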
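The Javascript Basics, Scoping, Miscellaneous and Functions slides all make the same point: JavaScript usually gives no error, just an unexpected result. As an added example that is not part of the slides, each pitfall below is isolated in a small function that returns its result; all sample values are constructed.

```javascript
// Added example (not from the slides): the "no error, just an unexpected
// result" pitfalls the slides list, each isolated in a function that returns
// its result. All sample values are constructed.

// Untyped variables: + adds numbers until a string is reached, then it
// concatenates; evaluation runs left to right.
function sumThenLabel() {
  return 4 + 5 + " classes";              // "9 classes"
}
function labelThenSum() {
  return "I took " + 4 + 5 + " classes";  // "I took 45 classes"
}

// == vs. = in a condition: the assignment a = 2 evaluates to 2, which is
// truthy, so the branch runs whatever a held before.
function assignsInCondition(a) {
  if (a = 2) { return "branch taken, a is now " + a; }
  return "branch skipped";
}
function comparesInCondition(a) {
  if (a == 2) { return "branch taken"; }
  return "branch skipped";
}

// Scoping: a var inside a function shadows a global of the same name and
// does not leak out, so the global keeps its value.
var counter = 100;
function shadowsGlobal() {
  var counter = 1;
  counter = counter + 1;
  return counter;                         // 2; the global stays 100
}
function globalCounter() {
  return counter;
}

// arguments: a function sees every value actually passed, regardless of
// how many parameters it declares.
function countArgs() {
  return arguments.length;
}

// Associative access: point.x and point["x"] name the same property.
function pointLookup() {
  var point = new Object();
  point.x = 7;
  point.y = 3;
  return point["x"] * point.y;            // 21
}
```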

Posted: 08/01/2018, 16:30


Table of contents

    All Techniques Have Some Negatives

    Methods of Defeating Encryption

    The Need For Client Side Scripting

    Dynamic HTML - Scripting

    Stepping Back: Basic JavaScript

    HTML Extensions for Forms
