View/Open - JUWEL - Forschungszentrum Jülich

Weitere Magazine

Empfehlungen

Info

Hacking and Protecting a Cultural Website : The Case ofCVC Once the user has introduced his user and password, these have to be checked in order to be validated against the database and to be able to obtain the credentials that allow him to enter. Once the data has been checked to be time, it is necessary to do some security verifications to know if the access has been made successfully or if the page is being entered using forbidden way. The security layer in ASP is in charge of checking that a security context exists in order to show or not the restricted application which wants to be entered. This security module will do all the suitable verifications and will operate allowing or denying the access, depending on the resulted verifications . Apart from the code controls made in the web applications, the web server has to be shaped applying the necessary security policies to strengthen it in view of any attack. A first safety barrier would be to establish in the web server the appropriate entry and execution permits to minimize the possibilities of any cracker writing his own code in a file inside a wrongly shaped folder, talking into account security . He would then be able to run it with the default granted permissions. The case of CVC and AVE When talking about the CVC, we are not only talking about a static web. There are numerous web applications where the user has to authenticate himself in order to be able to enter the restricted access application. For example, lets enter the following application : The world through words We can see that we have established a first security level, which is an invisible url . As second security level, the user and password page appears. Without the proper data, the user will have the restricted access application entrance denied . Once we have entered the application, and if we copy the url and open another session in the navigator sticking the url, we will see that the page appearing is the user and password page instead of the page we wanted to enter. So, by means of the security layer established in every page, we are making sure that no intruder will be able to enter the application without logging in . Another example would be the following web application: The translator's stand In this case, the security levels established are three : The first level consists of an entering invisible url. The second level is where the windows integrated authentication is carried out And finally, in the third level, the authentication is made through user and password. AVE Ifwe enter the Spanish course, we will come across a screen in which an entrance form appears . It is here where the student has to validate himself in order to obtain his credentials . On the other hand, to maintain our students' integrity a hash function is used in order to validate the session in the web server. 87
Hacking and Protecting a Cultural Website : The Case ofCVC Authorization from the development point of view Once the system has authenticated the entrance of a user, depending on the user's profile, one setting or another will be accessed. Moreover, depending on the access level some operations will be carried out and others won't. Talking about the different profiles a student could have in our Spanish course, I'll say that we have got two different setting . Administration setting. User's setting. Each user who enters in each setting has gos a specific profile which allows him to enter a specific private module. When talking about the administration setting the profiles a user can have are the following ones : Administrator Deputy Head of the Cervantes Institute Deputy Head of linguistic technology Administrative officer Depending on their profile, each user will do more or less restricted operations . Measures to take when developing a web page : Html comments The navigator ignores all the html comments when showing the page, but the comments can be seen when having a lot at the page code. So in this case we must be careful with the comments we write . Links The links can help us to understand the logic of the application. Moreover, used technologies can be identified. E-mail addresses Many pages have got references to e-mail addresses. They could be used by Spammers to obtain addresses to which they could send virus . Hidden fields You must be careful because the hidden fields can show parameters ofthe application. Measures to take against invalid entrance attacks Canonization Files inclusions containing the route " . ./" due to security primary route accesses are not allowed . Buffer overflow When developing certain functions care must be taken because they can provoke overflow which would change the return address . 8 8
Seite 1 und 2:
Forschungszentrum Jülich in der He
Seite 4 und 5:
Forschungszentrum Jülich GmbH Zent
Seite 6 und 7:
Inhaltsverzeichnis Vorwort. . . . .
Seite 8:
Vorwort In Zeiten einer vernetzten
Seite 12 und 13:
Eröffnungsvortrag Eröffnungsvortr
Seite 14 und 15:
Eröffnungsvortrag Müllentsorgung"
Seite 16 und 17:
Eröffnungsvortrag somit nicht kont
Seite 18:
Eröffnungsvortrag 1971-1973 Resear
Seite 22 und 23:
Sicherheit und Verunsicherung im Ze
Seite 24 und 25:
Seite 26 und 27:
Seite 28 und 29:
Seite 30 und 31:
Trends in der Entwicklung von Infor
Seite 32 und 33:
Seite 34 und 35:
Seite 36 und 37:
Seite 38 und 39:
Seite 40 und 41:
Seite 42 und 43:
The most dangerous enemy sits in my
Seite 44 und 45: The most dangerous enemy sits in my
Seite 46 und 47: The most dangerous enemy sits in my
Seite 48: The most dangerous enemy sits in my
Seite 51 und 52: Asymmetric Security and Network Int
Seite 53 und 54: Asymmetric Security and Network Int
Seite 56: aus philosophischer, künstlerische
Seite 60 und 61: Does something like ethical hacking
Seite 62 und 63: Bibliothek quo vadis? Sicher ins Ne
Seite 64 und 65: Bibliothek quo vadis? Sicher ins Ne
Seite 66: Bibliothek quo vadis? Sicher ins Ne
Seite 70 und 71: In a Magic Triangle: IT-Security in
Seite 72 und 73: In a Magic Triangle: IT-Security in
Seite 74: In a Magic Triangle: IT-Security in
Seite 77 und 78: Secure Solutions for Public Network
Seite 79 und 80: Les PME et la s6curit6 ICT - «Vers
Seite 85 und 86: Les PME et la securite ICT - «Vers
Seite 87 und 88: Les PME et la s6curit6 ICT - oVers
Seite 90 und 91: Hacking and Protecting a Cultural W
Seite 92 und 93: Hacking and Protecting a Cultural W
Seite 96: Hacking and Protecting a Cultural W
Seite 100: Network security - managing interna
Seite 104 und 105: Richtlinien der EG zum Urheberrecht
Seite 112 und 113: Who is protecting what?-The challen
Seite 114 und 115: Who is protecting what?-The challen
Seite 116 und 117: Chart 2 : frequency of damage to PC
Seite 118: Who is protecting what?-The challen
Seite 121 und 122: Buchverlage und Internet - Risiken
Seite 130: , gL _ Jl,~ ' e, Sektion V Netz - Z
Seite 133 und 134: Bad memories, bad dreams in library
Seite 142: Bad memories, bad dreams in library
Seite 146:
Kunstinstallation : Netzwerke Währ
Seite 149:
Schriften des Forschungszentrums J
Alle anzeigen

View/Open - JUWEL - Forschungszentrum Jülich

Sie wollen auch ein ePaper? Erhöhen Sie die Reichweite Ihrer Titel.

Template löschen?

Als Template speichern?