
WEB SECURITY

Written By: admin on January 27, 2010

WEB SECURITY- Web security can be divided into three parts. First, how are objects and resources named securely? Second, how can secure, authenticated connections be established? Third, what happens when a web site sends a piece of executable code? Before turning to these, we discuss some threats.

THREATS- First, the home pages of numerous organizations have been attacked and replaced by a new home page of the crackers’ choosing. We prefer to call these people “crackers”. In most cases, the crackers just put up some funny text and the sites were repaired within a few hours.

Numerous sites have been brought down by denial of service attacks in which the cracker floods the site with traffic, rendering it unable to respond to legitimate queries. Often the attack is mounted from a large number of machines that the cracker has already broken into (DDoS attacks).

SECURE NAMING- Let us start with the basics, using an example.

Alice wants to visit Bob’s web site. She types Bob’s URL into her browser and, after a few seconds, a web page appears. But is it Bob’s? Maybe yes, maybe no. Trudy might be up to her old tricks again. For example, she might be intercepting all of Alice’s outgoing packets and examining them. When she captures an HTTP GET request headed to Bob’s web site, she could go to Bob’s web site herself to get the page, modify it as she wishes, and return the fake page to Alice. Alice would be none the wiser. Worse yet, Trudy could slash the prices at Bob’s e-store to make his goods look very attractive, thereby tricking Alice into sending her credit card number to Bob to buy some merchandise.

One disadvantage of this classic man-in-the-middle attack is that Trudy has to be in a position to intercept Alice’s outgoing traffic and forge her incoming traffic. In practice, she has to tap either Alice’s phone line or Bob’s, since tapping the fiber backbone is fairly difficult. While active wire-tapping is certainly possible, it is a certain amount of work, and while Trudy is clever, she is also lazy. Besides, there are easier ways to trick Alice.

DNS SPOOFING- Tricking a DNS server into installing a false IP address is called DNS spoofing. For example, suppose Trudy is able to crack the DNS system, maybe just the DNS cache at Alice’s ISP, and replace Bob’s IP address with her (Trudy’s) IP address. When Alice looks up Bob’s IP address, she gets Trudy’s, so all her traffic intended for Bob goes to Trudy. Trudy can now mount a man-in-the-middle attack without having to go to the trouble of tapping any phone lines. Instead she has to break into a DNS server and change one record, a much easier proposition.

How might Trudy fool DNS? It turns out to be relatively easy. Trudy can trick the DNS server at Alice’s ISP into sending out a query to look up Bob’s address. Unfortunately, since DNS uses UDP, the DNS server has no real way of checking who supplied the answer. Trudy can exploit this property by forging the expected reply and thus injecting a false IP address into the DNS server’s cache.

Trudy starts the attack by sending a lookup request to Alice’s ISP asking for the IP address of Bob’s site. Since there is no entry for this DNS name, the cache server queries the top-level server for the com domain to get one. However, Trudy beats the com server to the punch and sends back a false reply. If her false reply gets back to Alice’s ISP first, that one will be cached and the real reply will be rejected as an unsolicited reply to a query no longer outstanding. A cache that holds an intentionally false IP address like this is called a poisoned cache.
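The acceptance rule described above ("first reply that matches an outstanding query is cached, later ones are unsolicited") can be modelled from the resolver's side. This is an added example, not code from the original post; it goes beyond the text by also matching on a random transaction ID and source port and counting mismatched replies as a poisoning indicator. The class names, the alert threshold and the addresses are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Reply:
    src_ip: str    # address the reply claims to come from (UDP, so unauthenticated)
    dst_port: int  # resolver port the reply arrived on
    txid: int      # 16-bit DNS transaction ID
    qname: str
    answer: str

@dataclass
class CachingResolver:
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)     # qname -> (server, port, txid)
    mismatches: dict = field(default_factory=dict)  # qname -> rejected reply count
    alert_threshold: int = 3                        # assumed tuning value

    def send_query(self, qname, server_ip):
        # Random source port and ID are all an off-path sender has to guess.
        port = 1024 + secrets.randbelow(64512)
        txid = secrets.randbelow(65536)
        self.pending[qname] = (server_ip, port, txid)
        return port, txid

    def receive(self, r):
        expected = self.pending.get(r.qname)
        if expected is None:
            return "rejected: unsolicited"  # no query outstanding any more
        if (r.src_ip, r.dst_port, r.txid) != expected:
            self.mismatches[r.qname] = self.mismatches.get(r.qname, 0) + 1
            return "rejected: mismatch"
        del self.pending[r.qname]           # first matching reply wins
        self.cache[r.qname] = r.answer
        return "cached"

    def poisoning_suspected(self, qname):
        return self.mismatches.get(qname, 0) >= self.alert_threshold

def demo():
    # Constructed traffic: three replies with wrong IDs, the genuine reply, a late duplicate.
    res, name, ns = CachingResolver(), "bob.example", "192.0.2.53"
    port, txid = res.send_query(name, ns)
    wrong = [Reply(ns, port, (txid + i) % 65536, name, "203.0.113.66") for i in (1, 2, 3)]
    good = Reply(ns, port, txid, name, "198.51.100.7")
    results = [res.receive(r) for r in wrong + [good, good]]
    return results, res.cache, res.poisoning_suspected(name)
```

A burst of mismatched replies for one name while a query is outstanding is the signal worth logging; the matching fields only raise the cost of guessing and do not authenticate the answer.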


4 Responses to “WEB SECURITY”

  1. nitin says on: 28 January 2010 at 2:54 pm

    Nice and useful post. Thanks for sharing.

  2. People Find Finder says on: 1 February 2010 at 8:20 pm

    While searching for Blogs about WEB SECURITY | Mytechnolife I found your site. Thank you for the effort you have put in.

  3. Chet Berardino says on: 2 February 2010 at 2:32 am

    Didn’t know about it. Very nice information. Submitted this post to Google News Reader.

  4. blackpool pc repair says on: 2 February 2010 at 11:45 am

    I really think that this blog can help people. Well done :)

Copyright © 2009 Mytechnolife, All rights reserved.