Introduction
When designing a Web site it is important to consider how users will see the Web page. There are many browsers available that a user could be using to view your Web site, so consideration of the standards between browsers is important. With so many browsers on the market, the Web page that has been created could, and most probably will, look different in every browser. Some browsers handle certain scripting languages better than others, e.g. Mozilla Firefox has no problems handling animated GIFs as rollovers on buttons, whereas Internet Explorer 5 cannot handle them and will not display them correctly or may not display them at all. Section 2 of this report discusses the standards between browsers, the browsers available and how browsers handle the HTML language in different ways. This section also shows the usage of the most popular browsers and displays the statistics as a pie chart with each segment representing a different browser. Section 3 of this report discusses the security risks from both the client side and the server side and lists the top ten vulnerabilities that a Web site must overcome to stay protected. This section also displays the statistics of security risks in a bar chart. Section 4 discusses how the information in this report will be used in the main project.
Section 5 is the conclusion of all the information that has been gathered to make this report and how it can be used to create a more compatible and secure Web site.
Browsers
As the internet was created to unite the world into one interconnected community, the use of so many different browsers that view Web pages in different ways makes it harder for a Web designer to create a Web site, and it can stop users viewing a Web page in the same way. When designing a Web site, the designer must test their pages in different browsers to check the outcome of each page. With so many browsers available, it is important to consider which browsers to test for and how many past browser versions need to be catered for within the designs.
As technology has advanced, the situation has improved compared with a few years ago, but the problem has not been wholly resolved. You can now be certain that at least 99% of users have browsers that support nearly all of HTML 4. However, there are still inconsistencies in the way Cascading Style Sheets are implemented, and older browser versions pre-dating the current standards take a long time to fade away entirely. A Web site designer must now also consider the mobile user: phones, PDAs and other handheld media devices that have access to the internet. The browser that these devices use will be a variant of a standard browser, but the user will view the pages on a much smaller screen. A mobile browser, also called a micro browser, mini browser or wireless internet browser (WIB), is optimised to display Web content most effectively on the small screens of mobile devices. Mobile browser software must also be small and efficient to accommodate the low memory capacity and low bandwidth of wireless handheld devices. Typically, they were stripped-down Web browsers, but as of 2006 some mobile browsers can handle the latest technologies such as CSS 2.1, JavaScript and Ajax. Jennifer Niederst Robbins (2006) says:
"1996 to 1999: The Browser Wars begin.
For years, the Web development world watched as Netscape and Microsoft battled it out for browser market dominance. The result was a variety of proprietary HTML tags and incompatible implementations of new technologies, such as JavaScript, Cascading Style Sheets, and Dynamic HTML. On the positive side, the competition between Netscape and Microsoft also led to the rapid advancement of the medium as a whole."
The World Wide Web Consortium establishes the basic rules on how to interpret an HTML document and the official HTML standards.
The HTML standards say that the table tag should support a cellspacing attribute to define the space between parts of the table. The HTML standards do not define the default value for that attribute, so unless you explicitly define cellspacing when building your page, two browsers may use different amounts of white space in your table. HTML standards are commonly ahead of what browsers support. Over the past few years Internet Explorer has done a much better job of this than Netscape Navigator, though Opera has done arguably the best job.
If you build a Web page and the user's browser does not understand part of the language, it will ignore that part and continue rendering the rest of the page. This causes some browsers not to display the page the way it was designed to be seen.
The best way to minimise these problems is to pay attention to browser compatibility when building your Web page. Avoid using HTML extensions and be careful about using cutting-edge features of the language that may not yet be supported by all the major browsers.
The major difference between two versions of the same browser is their support for newer portions of the HTML language. A newer browser is generally better at displaying Web pages than an older one.
Web Application Security
When creating any Web application such as an e-commerce Web site, security must be on the designer's mind at all times. A design flaw in the application could allow a hacker to easily access the Web server through cross-site scripting on the Web site. The Web server is a common target for hackers as it is a very powerful machine with a large amount of bandwidth that also allows anonymous users to access it. The Web wasn't designed to be secure, nor was it designed to run applications or for businesses selling over a network. It was designed to be static and for users to obtain information. As Web applications become more powerful in what they are able to do, the security risks from a potential attacker become greater. As code is intermixed with data, such as JavaScript embedded in HTML, hackers use a malicious piece of code that gets mistaken for part of the Web site's own code, which then gives the hacker more permission than they should be allowed, enabling them to alter securely protected data.
Taking advantage of unexpected or unplanned errors within the Web application to gain unauthorised access is known as a security bug. There are three elements required for a security bug to take place: an asset, a vulnerability and a hacker. If all three exist in the Web application then there is a risk of a security bug.
There are ten main security vulnerabilities:
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
Any kind of attack that happens to a Web application will fall under one of the above categories. More information on the above vulnerabilities can be found at http://www.owasp.org/index.php/Top_10_2007.
When building an e-commerce Web site, the asset would be the data stored in the database and the personal information of a customer, e.g. credit card details. The vulnerabilities that a hacker will try to use are the ten security flaws above. The Web site designer must carefully program the code to eliminate all attacks. If an attack happens then it must be rectified as quickly as possible to stop any further problems. An e-commerce Web site must be monitored and patched for any security or functionality bugs.
Figure 2's full statistics include the analysis results of 32,717 sites and 69,476 vulnerabilities of different degrees of severity. The detailed information can be found at http://www.Webappsec.org/projects/statistics/.
Attacks happen on a Web application whether from the client side, server side or on the network communicating between the client and server.
Client side attacks
Attackers are going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. To help prevent these attacks, keep up to date with current application patches and keep antivirus software updated.
A cookie is a piece of data that is sent by the server and stored on the client to track the user across multiple request/response cycles. Cookies, according to the same-origin security policy, can only be retrieved by the server that set them. Servers can only read cookies that they have created; cookies can only be read from the originating server and cannot be read by other domains. Attackers are able to hijack a session and impersonate a client by using a cookie stored on the client-side computer. Web mail clients, for instance, use cookies to recognise a user at a later time so that the user does not have to provide their credentials each time they want to access their mail. If an attacker can access the cookie, unauthorised access to the mail account could also be obtained.
The browser history and the browser cache are other confidential pieces of information that attackers are able to gain access to. When a user visits a Web site, the browser records the Web pages in its cache and browser history. If an attacker is able to gain access to the cache or browser history, information such as which email service or bank a user has browsed can be used in subsequent attacks, such as phishing and cookie-stealing attacks. Cache and browser history can be obtained via browser vulnerabilities, JavaScript, CSS, inspection of visited link colour and timing attacks.
Server side attacks
All Web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, etc.) and all types of Web applications are at risk from Web application security defects, ranging from insufficient validation through to application logic errors. The most exploited types of vulnerabilities are:
• PHP Remote File Include: PHP is the most common Web application language and framework in use today. By default, PHP allows file functions to access resources on the Internet using a feature called "allow_url_fopen". When PHP scripts allow user input to control file names, remote file inclusion can be the result. This attack allows (but is not limited to):
  • Remote code execution
  • Remote root kit installation
  • On Windows, complete system compromise may be possible through the use of PHP's SMB file wrappers
• SQL Injection: Injections, particularly SQL injections, are common in Web applications. Injections are possible due to the intermingling of user-supplied data within dynamic queries or within poorly constructed stored procedures. SQL injections allow attackers:
  • To create, read, update, or delete any arbitrary data available to the application
  • In the worst case, to completely compromise the database system and the systems close to it
• Cross-Site Scripting (XSS): Cross-site scripting, better known as XSS, is the most malicious and easily found Web application security issue. XSS allows attackers to deface Web sites, insert hostile content, conduct phishing attacks, take over the user's browser using JavaScript malware, and force users to perform commands not of their own choosing, an attack known as cross-site request forgery, better known as CSRF.
• Cross-Site Request Forgery (CSRF): CSRF forces legitimate users to execute commands without their consent. This type of attack is very hard to prevent unless the application is free of cross-site scripting vectors, including DOM injections. With the rise of Ajax techniques, and better knowledge of how to properly exploit XSS attacks, CSRF attacks are becoming very sophisticated, both as an active individual attack and as automated worms.
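The SQL injection bullet above describes the root cause as user-supplied data intermingled with a dynamic query. The following added example (not from the original report or the OWASP text) shows that intermingling against a constructed in-memory SQLite customer table, next to the parameterised query that keeps the input as data; the table contents and the login inputs are constructed for the demonstration.

```python
"""Dynamic query versus parameterised query against a constructed SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory customer table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Dynamic query: the input is pasted into the SQL text, so it can change
    the structure of the query rather than only the value being compared."""
    sql = "SELECT username, card_last4 FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    SQL text, so whatever the input contains it is treated as data."""
    sql = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign input and a constructed input that
    closes the quoted string and appends an always-true clause; return the
    row counts so the difference in behaviour is visible."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed input for the demonstration
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterised_benign": len(lookup_parameterised(conn, benign)),
        "parameterised_hostile": len(lookup_parameterised(conn, hostile)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The dynamic query returns every customer's card digits for the hostile input, while the parameterised query returns no rows because no customer has that literal username.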
Conclusion
The internet is great for commercial businesses to sell their products online; it allows a user to shop from home and whenever is convenient to them. This luxury comes at a price, and the price is security. There are trade-offs that every Web designer must go through. Security is not one of them. Protecting personal data must be at the top of these priorities. The Web designer and whoever maintains the Web site must keep up to date with current security threats and be able to patch any security holes that may occur on the site.
As shown in Figure 1, Internet Explorer has the majority of the browser market and yet has the most problems with security. Internet Explorer is so popular because it is shipped and installed with Windows, which is installed on most PCs that are sold. It would be advisable for any Web designer to build the Web site and test it to make sure it is compatible with Internet Explorer as far as possible, due to the large share of the market that it covers, followed by Mozilla Firefox and Safari. When designing the Web site you may want to show off your skills and add as many complex and impressive Web applications as you can to the site. However, this would make the site less compatible across browsers; the trade-off the Web designer must make is how many browsers they want the site to be compatible with compared to how impressive they want the site to look.
Security must be designed for from the start of the project and must continually be tested for and improved as new security bugs are discovered. Overall, when it comes to security, it is a never-ending battle against attackers, and therefore keeping up to date with research on security issues is very important.
It seems that hackers have started to concentrate more on attacks from the client side rather than the server side. It is likely that this shift from server-side attacks to client-side attacks will soon be supplanted by a different approach once clients become more secure.
References
Niederst Robbins, J. (2006) Web Design in a Nutshell, Third edition, Sebastopol, CA: O'Reilly Media Inc.
OWASP Top 10 2007, http://www.owasp.org/index.php/Top_10_2007 (accessed 15/08/2009)
Web Application Security Statistics, http://www.Webappsec.org/projects/statistics/ (accessed 15/08/2009)
Browser Standards and security