LESSON 10 WEB SECURITY AND PRIVACY part I

Source: Internet   Published: official website software download   Editor: 程序博客网   Time: 2024/05/22 04:07

Table of Contents
10.1 Fundamentals of Web Security

10.1.1 How the web really works

10.1.2 Rattling the Locks

10.1.3 Looking through Tinted Windows - SSL

10.1.4 Having someone else do it for you – Proxies

10.2 Web Vulnerabilities

10.2.1 Scripting Languages

10.2.2 Common Web Application Problems

10.2.3 Guidelines for Building Secure Web Applications

10.3 HTML Basics – A brief introduction

10.3.1 Reading HTML

10.3.2 Viewing HTML at its Source

10.3.3 Links

10.3.4 Proxy methods for Web Application Manipulation

10.4 Protecting your server

10.4.1 Firewall

10.4.2 Intrusion Detection System (IDS)

10.5 Secure Communications

10.5.1 Privacy and Confidentiality

10.5.2 Knowing if you are communicating securely

10.6 Methods of Verification

10.6.1 OSSTMM

Exercises

Further Reading

Table of Contents

10.1 Fundamentals of Web Security

10.1.1 How the web really works

10.1.2 Rattling the locks

10.1.3 Looking through tinted car windows - SSL

10.1.4 Having someone else do it for you --- proxy servers

10.2 Web Vulnerabilities

10.2.1 Scripting languages

10.2.2 Common web application problems

10.2.3 Guidelines for building secure web applications

10.3 HTML Basics --- a brief introduction

10.3.1 Reading HTML

10.3.2 Viewing HTML source

10.3.3 Links

10.3.4 Proxies for web application manipulation

10.4 Protecting your host

10.4.1 Firewall

10.4.2 Intrusion detection system

10.5 Secure communications

10.5.1 Information confidentiality

10.5.2 Knowing whether your communications are secure

10.6 Verification methods

10.6.1 OSSTMM

Exercises

Further reading


10.1 Fundamentals of Web Security
What you do on the World Wide Web is your business. Or so you would think. But it's just not true. What you do on the web is about as private and anonymous as where you go when you leave the house. Again, you would think that it's your business, and many, including ISECOM, would agree with you. However, consider a private investigator following you around town, writing down what you saw and who you spoke with.

The focus of this lesson is to get you to learn how to protect yourself on the web, and to do that you will have to learn where the dangers are.

The World Wide Web works in a very straightforward manner. Once connected to the Internet through your ISP, you open a browser, tell it a website, and you get that website on your screen. However, the truth is in the details. How does the web really work?

A quick trip to the World Wide Web Consortium (W3C), those fine folks who make standards for the web, will teach you all you want to know about the web: http://www.w3.org. Even the history of the web: http://www.w3.org/History.html. The problem is, will definitions and standards teach you how to be safe? Apparently not. The people who want to hurt you do not necessarily follow the standards.


10.1 Fundamentals of Web Security

You surely think that what you do on the World Wide Web is your own business. But not necessarily. Everything you do on the web is about as private as where you go when you leave home. Again, you would think this is your own private affair, and many people, including ISECOM, would agree with you. But be aware that there could well be a private investigator following you around the whole town, writing down the people and things you come into contact with.

The focus of this lesson is to teach you how to protect yourself on the web; first you need to know where the unsafe places on the web are.

The way the World Wide Web works is very simple: once you are connected to the Internet through an ISP, you open a web browser, type in a page's address, and you can see that page. But how does it really work in the details?

Look up the World Wide Web Consortium; these fine people made the web standards, and you will get all the knowledge about the web there. http://www.w3.org. The following site covers the history of the web: http://www.w3.org/History.html The question is, can these definitions and standards tell you how to be safe? Obviously not. The people who want to hurt you do not need to follow those standards.


10.1.1 How the web really works

The steps involved in connecting to the Internet and then to the web are very detailed, even if it does seem to be smooth from the user end.

So what happens for real when you just want to get to the ISECOM website? Assuming you are already connected to the Internet, here are the steps that occur, in order:

1. You open your browser.
2. You type in the URL (website name).
3. The website name is saved in the history cache on the hard disk.
4. Your computer looks up the name of the address at your default DNS server to find the IP address.
5. Your computer connects to the server at the IP address provided, at the default web port of 80 TCP if you used "HTTP://" or 443 TCP if you used "HTTPS://" at the front of the web server name (by the way, if you used HTTPS then there are other steps involved using server certificates, which we will not follow in this example).
6. Your computer requests the page or directory you specified, with the default often being "index.htm" if you don't specify anything. But the server decides its default, and not your browser.
7. The pages are stored in a cache on your hard disk. Even if you tell it to store the information in memory (RAM), there is a good chance it will end up somewhere on your disk, either in a PAGEFILE or in a SWAPFILE.
8. The browser nearly instantaneously shows you what it has stored. Again, there is a difference between "perceived speed" and "actual speed" of your web surfing, which is actually the difference between how fast something is downloaded (actual) and how fast your browser and graphics card can render the page and graphics and show them to you (perceived). Just because you didn't see it doesn't mean it didn't end up in your browser cache.

The history of the World Wide Web (just "web" from now on) started at CERN in 1989. It was conceived by Tim Berners-Lee and Robert Cailliau, who built a basic hypertext-based system for sharing information. Over the next few years Tim Berners-Lee continued to develop the system until, in 1993, CERN announced that the web was free for anyone to use, and the web as we know it now exploded onto the scene.

The web is a client and server based concept, with clients such as Internet Explorer, Firefox, Mozilla, Opera, Netscape and others connecting to web servers such as IIS and Apache, which supply them with content in the form of HTML pages. Many companies, organizations and individuals have collections of pages hosted on servers, delivering a large amount of information to the world at large.

So why do we care about web security then? Web servers are often the equivalent of the shop window of a company. It is a place where you advertise and exhibit information, but this is supposed to be under your control. What you don't want to do is leave the window open so that any passer-by can reach in and take what they want for free, and you ideally want to make sure that if someone throws a brick, the window doesn't shatter! Unfortunately web servers are complex programs, and as such have a high probability of containing a number of bugs, and these are exploited by the less scrupulous members of society to get access to data that they shouldn't be seeing.

And the reverse is true as well. There are risks also associated with the client side of the equation, like your browser. There are a number of vulnerabilities which have been discovered in the last year which allow a malicious web site to compromise the security of a client machine making a connection to it.


10.1.1 How the web really works

Although to the user connecting looks simple and smooth, the steps for connecting to the network and then to a web page are very specific.

If you want to connect to the ISECOM website, what actually happens during the connection? Assume you are already online; below are the actual steps, in order:

1. You open your web browser.

2. You type in the page's domain name.

3. The domain name is saved in the history cache on the hard disk.

4. Your computer looks up the domain name of the page's address through the default DNS server to find the corresponding IP address.

5. Your computer connects to the server at that IP address. If you used "HTTP://" in front of the domain name, the server is reached on the default web port 80 TCP; if you used "HTTPS://", it is reached on port 443 TCP. (By the way, if you use HTTPS there are extra steps; we use HTTP as the example.)

6. If you did not specify anything, your computer requests the page or directory of the default home page; it is the server, not the browser, that decides which default to use.

7. Pages are stored in a cache on your computer's hard disk; even if you set pages to be stored in memory, they will still end up stored in a file on the hard disk.

8. The web browser displays the page content immediately. There is a difference between the "perceived speed" and the "actual speed" of browsing; the difference comes from the actual download speed versus the speed at which the browser and graphics card read the page and images. Page content is stored in the browser cache regardless; it is not skipped just because you did not look at it.
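To make the sequence concrete for both the English list in 10.1.1 and the translated list just above, here is an added example that is not code from the Hacker Highschool lesson or from ISECOM. It is a minimal HTTP/1.1 client front-end in Python: it takes a URL apart into the DNS name to resolve (step 4), the TCP port implied by "http://" or "https://" (step 5), and the request bytes the browser sends (step 6), then parses a reply to show whether the server allowed the page to be written to the cache (step 7). Nothing here touches the network; www.isecom.org is the lesson's own example destination, example.test and the server reply are constructed for this example.

```python
"""Added example (not from the lesson or ISECOM): trace a URL from the
address bar to the wire, offline.  Step numbers refer to the lesson's
list in 10.1.1."""
from urllib.parse import urlsplit

# Step 5: the TCP port each scheme implies when the URL names none.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_target(url: str):
    """Steps 4 and 5: which name to resolve and which port to dial.

    Returns (scheme, host, port, path).  An empty path becomes "/"; the
    server, not the browser, decides what "/" maps to (index.htm or
    anything else), exactly as step 6 says.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host to resolve")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return scheme, parts.hostname, port, path


def build_request(url: str) -> bytes:
    """Step 6: the exact bytes sent once the TCP connection is up."""
    scheme, host, port, path = parse_target(url)
    # The Host header carries the port only when it is not the default.
    host_header = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    lines = [f"GET {path} HTTP/1.1", f"Host: {host_header}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Step 7: split the reply and report whether it may be cached.

    Only an explicit "no-store" forbids keeping a copy; anything else,
    including no Cache-Control header at all, may leave the page on disk,
    which is the lesson's warning about the browser cache.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    code = status_line.split(" ", 2)[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    return {
        "status": int(code),
        "headers": headers,
        "body": body,
        "cacheable": "no-store" not in directives,
    }


# Constructed reply for the example; not captured from any real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: max-age=3600\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"<html><p>hello</p></html>\n"
)


if __name__ == "__main__":
    url = "http://www.isecom.org"  # the lesson's own example destination
    print("resolve / connect:", parse_target(url))
    print(build_request(url).decode())
    reply = parse_response(SAMPLE_RESPONSE)
    print("status", reply["status"], "cacheable:", reply["cacheable"])
```

Run it and compare the printed request with what a packet capture of your own browser shows: the browser adds more headers, but the request line and Host header are the same, and the path it asks for is "/" until the server answers with whatever it has chosen as its default page.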


The World Wide Web was born at CERN (the European particle physics laboratory) in 1989. It was designed by Tim Berners-Lee and Robert Cailliau, who built a basic hypertext system for exchanging information. Over the next few years Tim Berners-Lee continued to develop the system until 1993, when CERN announced that anyone could use the web for free, and the web has grown wildly ever since.

The web is designed on the client/server concept. On the client side are web browsers: Firefox, Mozilla, Opera, Netscape and so on. These browsers connect to web servers such as Internet Information Services, Apache and others, which provide information in the form of HTML pages. Many companies, organizations and individuals keep collections of pages on servers, and these servers send large amounts of information all over the world.

So why should we care about web security? A web server is like a company's shop window. You can use it to advertise or spread information, but you must be able to control these activities. You do not want the window left wide open so that every passer-by can take what they want for free. You want the window to stay intact even if someone throws a brick at it! But web servers are complex programs, and so may contain many vulnerabilities, which some people in society will exploit to obtain information they should not see.

The same goes for the client side: clients that browse information through a web browser also face security risks. In recent years many vulnerabilities have been discovered; once a client connects to certain malicious websites, those sites exploit these vulnerabilities to threaten the client's security.
