Web Honeypot

Total Page:16

File Type:pdf, Size:1020Kb

Web Honeypot Proyecto de Grado Web Honeypot Autores: Supervisores: Federico Nicol´as Pernas Gustavo Betarte Javier Agust´ın Sanchez Rodrigo Martinez Nicol´as Zeballos Marcelo Rodr´ıguez 2020-12-27 Facultad de Ingenier´ıa- Udelar Abstract ABSTRACT Las Aplicaciones Web suponen un gran atractivo para las Organizaciones, ya que mediante el desarrollo de una ´unicaaplicaci´onweb se puede llegar a un mayor p´ublico,debido a que ´estospueden acceder a ella f´acilmente mediante, por ejemplo, un navegador. Sin embargo, el crecimiento de estas aplicaciones traen consigo preocupaciones sobre su seguridad. En los ´ultimosa~nosse ha estudiado como incorporar Honeypots, los cuales son dispositivos de seguridad (hardware o software) encargados de enga~nara los atacantes, dentro del ambito de las Aplicaciones Web. Estos dispositivos son altamente empleados a nivel de seguridad de la red, pero es deseable poder aplicar sus conceptos y principios para proteger dichas Aplicaciones Web. A partir de estas premisas es que este proyecto se basa en la investigaci´onsobre la posibilidad de usar un Honeypot para proteger Aplicacioes Web en un ambiente de producci´onsin alterar su operativa. De manera de cumplir este objetivo, se especifica un framework gen´ericoy extensible, el cual se puede ver como un Honeypot Embebido de Aplicaciones Web que funciona dentro de la misma aplicaci´on.El Honeypot har´auso de Honeytokens para atraer la atenci´onde los atacantes y poder detectar su posible intrusi´onanalizando el estado de estos componentes en los distintos mensajes intercambiados en la comunicaci´on. Keywords: Honeypot, Honeytoken, Aplicaciones Web, HTTP, Framework, extensible. 2 Facultad de Ingenier´ıa- Udelar ´Indice ´Indice 1. Introducci´on 3 2. Revisi´onde antecedentes 4 2.1. Clasificaci´onde Honeypots . .4 2.2. Principios de Honeypots . .5 2.3. Aplicaciones Web . .5 2.4. Pasaje a Honeypots de Aplicaciones Web . .5 2.5. Content Management System . .7 2.6. Honeytokens y Breadcrumbs . .7 2.7. Sesi´on . .8 3. An´alisisy Dise~no 10 3.1. Objetivos . 11 3.2. An´alisisde HTTP y HTML . 11 3.2.1. Protocolo HTTP . 11 3.2.2. Lenguaje HTML . 12 3.3. Honeypot a desarrollar . 13 3.4. Componentes del Sistema . 16 3.5. Interacci´oncon el Honeypot . 18 3.6. Diagrama de Despliegue . 20 3.7. Diagrama de Clases . 23 3.8. Vista de operaciones . 25 4. Implementaci´on 27 4.1. Representaci´onde Honeytokens en el Honeypot . 27 4.1.1. Consideraciones sobre Honeytokens . 27 4.1.2. Tipos de Honeytokens . 27 4.2. Alcance . 31 4.2.1. Diagrama de Despliegue . 31 4.2.2. Diagrama de Clases y Diagrama de Operaciones . 33 4.3. Manejo de sesiones . 35 4.4. Persistencia de informaci´on . 36 4.5. Infraestructura . 37 4.6. Configuraci´ondel POC . 38 4.7. Dificultades detectadas . 40 4.8. Conclusiones acerca de la implementaci´on . 41 1 Facultad de Ingenier´ıa- Udelar ´Indice 5. Conclusiones y trabajo a futuro 42 5.1. Trabajo futuro . 42 5.1.1. Manejo de sesi´on . 42 5.1.2. Honeytokens . 42 5.1.3. Aumentar el inter´esdel atacante . 43 5.1.4. IOC y Automatizaci´ona trav´esde la plataforma MISP . 43 5.1.5. Recolecci´onde ´ıtems . 43 5.1.6. Despliegue de alarmas ante detecci´onde intrusi´on . 44 5.1.7. Reconocimiento de ataques . 44 5.2. Conclusiones . 45 Referencias 46 Appendices 48 A. Funcionamiento de la herramienta 48 A.1. Escenario 1: Modificaci´on del valor de un input oculto . 48 A.2. Escenario 2: Eliminaci´onde input oculto . 50 A.3. Escenario 3: Modificaci´on del valor de una cookie . 53 2 Facultad de Ingenier´ıa- Udelar 1 Introducci´on 1. Introducci´on La seguridad inform´aticatom´ouna trascendencia en ascenso constante desde el incremento del uso de las aplicaciones web. La gran mayor´ıamanejan informaci´onsensible sobre los usuarios, motivo por el cual los atacantes realizan diversas acciones intrusivas sobre las aplicaciones web en b´usquedade vulnerabilidades para hacerse poseedores de esa informaci´on.Asimismo, estos atacantes tambi´enpueden interesarse en da~nardirectamente a la aplicaci´onmediante ataques conocidos, como por ejemplo denegaci´onde servicio. Existen diversas formas de reconocer problemas de seguridad sobre las aplicaciones web, una de ellas es realizar m´ultiplespruebas de seguridad, tarea conocida como hacking ´etico1. Su finalidad est´aen identificar vulnerabilidades sobre determinada aplicaci´on,para lo que es debido situarse del lado atacante con el objetivo de reconocer como perjudicar a dicha aplicaci´on.A su vez, existe otro enfoque m´asproactivo, el cual consiste en agregar dispositivos de seguridad a la infraestructura, como son los Honeypot. Estos Honeypots son utilizados para atraer a los atacantes hacia ellos en b´usquedade que sus ataques no logren vulnerar a los activos principales, y adem´asgenerar informaci´onsobre los ataques recibidos. Sin embargo, la concepci´onde los Honeypots no fue enfocada en el ´ambito de las aplicaciones web, por lo que el trabajo hasta el momento acerca de estos dispositivos en esta ´areaes muy poco. Por lo tanto: En este proyecto se persigue el objetivo de investigar la adaptaci´onde Honeypot dentro del ´area de las aplicaciones web en ambientes de producci´on,evitando un impacto significativo sobre la arquitectura establecida. Este documento se distribuye de la siguiente forma: en la secci´onRevisi´on de antecedentes se presenta el contexto te´oricoa partir del documento Estado del Arte [1]. En la secci´onAn´alisis y Dise~nose presenta un resumen del documento An´alisisy dise~no [2] donde se definen nuevos conceptos a partir de un an´alisisdel comportamiento y el funcionamiento que debe tener un Honeypot como el deseado. En la secci´onImplementaci´onse describe y desarrolla un caso de estudio a trav´esde una prueba de concepto de un Honeypot con las caracter´ısticasdefinidas en la secci´onanterior. Por ´ultimo,en Conclusiones y trabajo a futuro se presentan posibles l´ıneas de investigaci´onque permiten extender el proyecto, y conclusiones finales. 1Se puede ver m´as detalle acerca de este concepto en https://www.synopsys.com/glossary/ what-is-ethical-hacking.html 3 Facultad de Ingenier´ıa- Udelar 2 Revisi´onde antecedentes 2. Revisi´onde antecedentes En el documento Estado del Arte [1] se estudi´ola literatura disponible en donde se presentan diferentes definiciones sobre los Honeypots. Eric Cole, Ronald Krutz y James Conley [3] los defi- nen como sistemas dise~nadospara parecerse a algo que un intruso pueda atacar, construidos con el principal prop´ositode desviar los ataques y aprender de estos sin comprometer la seguridad de la red. Por su lado, Joseph Migga Kizza [4] los define como un mecanismo de se~nuelomonitoreado que se utiliza para mantener a un hacker alejado de recursos valiosos de la red y proporcionar una indicaci´ontemprana de un ataque. Mientras, Lance Spitzner [5] define a estos dispositivos como recursos de seguridad cuyo valor radica en ser sondeados, atacados o comprometidos. En el contexto de este proyecto definiremos Honeypot como: Un dispositivo de seguridad que funciona como \cebo" llamativo para los atacantes, lo cual provoca que se mantengan alejados de los activos principales y que se pueda generar informaci´onsobre sus ataques 2.1. Clasificaci´onde Honeypots Joseph Migga Kizza [4] y Lance Spitzner [5] clasifican a los Honeypots de dos maneras. La primera de ellas es respecto a su prop´osito, siendo estas categor´ıaslas de Honeypots de producci´on, que son aquellos presentes en ambientes de producci´onde una organizaci´ondonde su finalidad es desviar la atenci´onde los atacantes sobre los activos principales, y Honeypots de investigaci´on, que tienen la finalidad de ser utilizados para generar informaci´onacerca de los ataques realizados sobre el mismo. Se espera que los Honeypots de producci´onsirvan para prevenir ataques (mantener alejados a los atacantes), detectar ataques (reconocer y alertar actividad sospechosa) y responder ante ataques (devolver al atacante un resultado esperado por ´el). La segunda clasificaci´onse basa en la interacci´onque tiene un atacante con el dispositivo. Ante mayor interacci´on,aumenta la cantidad de acciones que podr´arealizar un atacante, sin embargo, tambi´enaumenta el riesgo asociado a su uso. El primer nivel dentro de esta clasifica- ci´ones el de baja interacci´on, identific´andose principalmente por ser un componente sencillo capaz de brindar respuestas simples a un atacante. Un nivel de alta interacci´on pretende simu- lar completamente un servicio, sistema operativo u otro componente funcionalmente completo, acarreando consigo un alto costo de puesta en producci´on.Por ´ultimo,el nivel de media in- teracci´on es una combinaci´onde los dos anteriores, logrando un Honeypot con gran nivel de interacci´ona bajo costo de despliegue. 4 Facultad de Ingenier´ıa- Udelar 2 Revisi´onde antecedentes 2.2. Principios de Honeypots Las siguientes tres principios se infieren de los distintos papers analizados en el documento Estado del Arte [1]: no interferencia, que puede entenderse como la capacidad de ser agregados dentro de una infraestructura sin alterar el funcionamiento previo. No exposici´on, el cual hace referencia a que un Honeypot no debe ser expuesto de manera tal que reduce las posibilidades de que un usuario \normal" pueda llegar a ´el.Por ´ultimoel principio no establecer comunicaci´on con usuarios leg´ıtimos, el cual refuerza el principio anterior y refiere a evitar la mayor cantidad de falsos positivos, entendiendo que para acceder al Honeypot es necesario que se realice alguna actividad que pueda considerarse sospechosa. 2.3. Aplicaciones Web En la actualidad muchos negocios operan mediante sitios o aplicaciones web, por lo que es de inter´esencontrar maneras de proteger estos puntos de entrada a una red privada. Su dificultad de protecci´onradica en que no solo presentan un ´unicopunto de riesgo, sino que pueden potencialmente presentar varias debilidades.
Recommended publications
  • Security Analysis of Firefox Webextensions
    6.857: Computer and Network Security Due: May 16, 2018 Security Analysis of Firefox WebExtensions Srilaya Bhavaraju, Tara Smith, Benny Zhang srilayab, tsmith12, felicity Abstract With the deprecation of Legacy addons, Mozilla recently introduced the WebExtensions API for the development of Firefox browser extensions. WebExtensions was designed for cross-browser compatibility and in response to several issues in the legacy addon model. We performed a security analysis of the new WebExtensions model. The goal of this paper is to analyze how well WebExtensions responds to threats in the previous legacy model as well as identify any potential vulnerabilities in the new model. 1 Introduction Firefox release 57, otherwise known as Firefox Quantum, brings a large overhaul to the open-source web browser. Major changes with this release include the deprecation of its initial XUL/XPCOM/XBL extensions API to shift to its own WebExtensions API. This WebExtensions API is currently in use by both Google Chrome and Opera, but Firefox distinguishes itself with further restrictions and additional functionalities. Mozilla’s goals with the new extension API is to support cross-browser extension development, as well as offer greater security than the XPCOM API. Our goal in this paper is to analyze how well the WebExtensions model responds to the vulnerabilities present in legacy addons and discuss any potential vulnerabilities in the new model. We present the old security model of Firefox extensions and examine the new model by looking at the structure, permissions model, and extension review process. We then identify various threats and attacks that may occur or have occurred before moving onto recommendations.
    [Show full text]
  • Mozilla/Firefox: MDN Web Docs, Recommended Extensions and Tenfourfox FPR23 for Intel
    Published on Tux Machines (http://www.tuxmachines.org) Home > content > Mozilla/Firefox: MDN Web Docs, Recommended Extensions and TenFourFox FPR23 for Intel Mozilla/Firefox: MDN Web Docs, Recommended Extensions and TenFourFox FPR23 for Intel By Rianne Schestowitz Created 12/06/2020 - 5:32am Submitted by Rianne Schestowitz on Friday 12th of June 2020 05:32:58 AM Introducing the MDN Web Docs Front-end developer learning pathway[1] The MDN Web Docs Learning Area (LA) was first launched in 2015, with the aim of providing a useful counterpart to the regular MDN reference and guide material. MDN had traditionally been aimed at web professionals, but we were getting regular feedback that a lot of our audience found MDN too difficult to understand, and that it lacked coverage of basic topics. Fast forward 5 years, and the Learning Area material is well-received. It boasts around 3.5?4 million page views per month; a little under 10% of MDN Web Docs? monthly web traffic. At this point, the Learning Area does its job pretty well. A lot of people use it to study client- side web technologies, and its loosely-structured, unopinionated, modular nature makes it easy to pick and choose subjects at your own pace. Teachers like it because it is easy to include in their own courses. Recommended extensions ? recent additions [2] When the Recommended Extensions program debuted last year, it listed about 60 extensions. Today the program has grown to just over a hundred as we continue to evaluate new nominations and carefully grow the list. The curated collection grows slowly because one of the program?s goals is to cultivate a fairly fixed list of content so users can feel confident the Recommended extensions they install will be monitored for safety and security for the foreseeable future.
    [Show full text]
  • Introduction to HTML/CSS/SVG/D3
    D3 Tutorial Introduction of Basic Components: HTML, CSS, SVG, and JavaScript D3.js Setup Edit by Jiayi Xu and Han-Wei SHen, THe OHio State University HTML - Hyper Text Markup Language • HTML is the standard markup language for creating Web pages • HTML describes the structure of Web pages using markup • HTML elements • HTML elements are the building blocks of HTML pages • represented by tags • Tags • HTML tags label pieces of content such as • <head> tag for “heading” • <p> for “paragraph” • <table> for “table” and so on • Browsers do not display the HTML tags, but use them to render the content of the page HTML - Plain Text • If we display the information only by plain text HTML Basics HTML is designed for marking up text by adding tags such as <p> to create HTML elements. Example image: HTML - Codes and the Result HTML - DOM • When a web page is loaded, the browser creates a Document Object Model of the page • The HTML DOM model is constructed as a tree of Objects HTML - DOM Document Root element: <html> Element: Element: <head> <body> Element: Element: Element: Element: <p> Element: <p> <title> <h1> <img> "to create Text: "HTML Text: "HTML Element "is designed Element: "by adding Element Element: Attribute: Attribute: HTML Tutorial" Basics" <strong> for" <em> tags such as" <code> <strong> "src" "style" elements. " "marking up “Example "HTML" "<p>" text" image” HTML - DOM • With the object model, JavaScript can create dynamic HTML by manipulating the objects: • JavaScript can change all the HTML elements in the page • Change all the
    [Show full text]
  • Mitigating Javascript's Overhead with Webassembly
    Samuli Ylenius Mitigating JavaScript’s overhead with WebAssembly Faculty of Information Technology and Communication Sciences M. Sc. thesis March 2020 ABSTRACT Samuli Ylenius: Mitigating JavaScript’s overhead with WebAssembly M. Sc. thesis Tampere University Master’s Degree Programme in Software Development March 2020 The web and web development have evolved considerably during its short history. As a result, complex applications aren’t limited to desktop applications anymore, but many of them have found themselves in the web. While JavaScript can meet the requirements of most web applications, its performance has been deemed to be inconsistent in applications that require top performance. There have been multiple attempts to bring native speed to the web, and the most recent promising one has been the open standard, WebAssembly. In this thesis, the target was to examine WebAssembly, its design, features, background, relationship with JavaScript, and evaluate the current status of Web- Assembly, and its future. Furthermore, to evaluate the overhead differences between JavaScript and WebAssembly, a Game of Life sample application was implemented in three splits, fully in JavaScript, mix of JavaScript and WebAssembly, and fully in WebAssembly. This allowed to not only compare the performance differences between JavaScript and WebAssembly but also evaluate the performance differences between different implementation splits. Based on the results, WebAssembly came ahead of JavaScript especially in terms of pure execution times, although, similar benefits were gained from asm.js, a predecessor to WebAssembly. However, WebAssembly outperformed asm.js in size and load times. In addition, there was minimal additional benefit from doing a WebAssembly-only implementation, as just porting bottleneck functions from JavaScript to WebAssembly had similar performance benefits.
    [Show full text]
  • Javascript DOM Manipulation Performance Comparing Vanilla Javascript and Leading Javascript Front-End Frameworks
    JavaScript DOM Manipulation Performance Comparing Vanilla JavaScript and Leading JavaScript Front-end Frameworks Morgan Persson 28/05/2020 Faculty of Computing, Blekinge Institute of Technology, 371 79 Karlskrona, Sweden This thesis is submitted to the Faculty of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the bachelor’s degree in software engineering. The thesis is equivalent to 10 weeks of full-time studies. Contact Information: Author(s): Morgan Persson E-mail: [email protected] University advisor: Emil Folino Department of Computer Science Faculty of Computing Internet : www.bth.se Blekinge Institute of Technology Phone : +46 455 38 50 00 SE–371 79 Karlskrona, Sweden Fax : +46 455 38 50 57 Abstract Background. Websites of 2020 are often feature rich and highly interactive ap- plications. JavaScript is a popular programming language for the web, with many frameworks available. A common denominator for highly interactive web applica- tions is the need for efficient methods of manipulating the Document Object Model to enable a solid user experience. Objectives. This study compares Vanilla JavaScript and the JavaScript frameworks Angular, React and Vue.js in regards to DOM performance, DOM manipulation methodology and application size. Methods. A literature study was conducted to compare the DOM manipulation methodologies of Vanilla JavaScript and the selected frameworks. An experiment was conducted where test applications was created using Vanilla JavaScript and the selected frameworks. These applications were used as base for comparing applica- tion size and for comparison tests of DOM performance related metrics using Google Chrome and Firefox. Results. In regards to DOM manipulation methodology, there is a distinct difference between Vanilla JavaScript and the selected frameworks.
    [Show full text]
  • Downloads the Lists of Search Engines and Query Terms That Are Previously Defined As Part of an Experimental Design
    Running Head: ALGORITHM AUDITING AT A LARGE-SCALE 1 Algorithm Auditing at a Large-Scale: Insights from Search Engine Audits Roberto Ulloa1, Mykola Makhortykh2 and Aleksandra Urman3 1 GESIS – Leibniz-Institute for the Social Sciences 2 University of Bern 3 University of Zurich Author Note We have no conflicts of interest to disclose. This is a preprint and working version of the paper. Data collections were sponsored from the SNF (100001CL_182630/1) and DFG (MA 2244/9-1) grant for the project “Reciprocal relations between populist radical-right attitudes and political information behaviour: A longitudinal study of attitude development in high- choice information environments” lead by Silke Adam (U of Bern) and Michaela Maier (U of Koblenz-Landau) and FKMB (the Friends of the Institute of Communication and Media Science at the University of Bern) grant “Algorithmic curation of (political) information and its biases” awarded to Mykola Makhortykh and Aleksandra Urman. Running Head: ALGORITHM AUDITING AT A LARGE-SCALE 2 Abstract Algorithm audits have increased in recent years due to a growing need to independently assess the performance of automatically curated services that process, filter and rank the large and dynamic amount of information available on the internet. Among several methodologies to perform such audits, virtual agents stand out because they offer the ability to perform systematic experiments, simulating human behaviour without the associated costs of recruiting participants. Motivated by the importance of research transparency and replicability of results, this paper focuses on the challenges of such an approach. It provides methodological details, recommendations, lessons learned and limitations that researchers should take into consideration when setting up experiments with virtual agents.
    [Show full text]
  • Desarrollo De Una Aplicación Para La Web Utilizando El Web Audio API
    Escola Tècnica Superior d’Enginyeria Informàtica Universitat Politècnica de València Desarrollo de una aplicación para la Web utilizando el Web Audio API Trabajo Fin de Grado Grado en Ingeniería Informática Autor: Víctor Hernández Medrano Tutor: Manuel Agustí Melchor Curso 2018/19 Desarrollo de una aplicación para la Web utilizando el Web Audio API 2 Resumen Este proyecto de fin de grado se centra en el estudio de técnicas de procesado y síntesis de sonido bajo el control de un navegador web, desarrollando una aplicación para la Web basada en la utilización de una interfaz de programación de aplicaciones implementada en el lenguaje de programación JavaScript y especializada para el control del audio. Con el objetivo principal de entender el correcto funcionamiento de la herramienta y ponerla en práctica en una aplicación web real. La solución ha sido programar pequeños ejemplos que ayudan a comprender la mecánica de programación y además sirven de base para el desarrollo de la aplicación final. Después de todo el proceso se ha conseguido elaborar una aplicación web cimentada en el manejo del sonido gracias a los recursos aprendidos y dotándole de interactividad con el usuario. Palabras clave: aplicación web, sonido, JavaScript, interfaz de programación de aplicaciones, navegador web. 3 Desarrollo de una aplicación para la Web utilizando el Web Audio API Resum Aquest projecte de fi de grau se centra en l'estudi de tècniques de processament i síntesi de so sota el control d'un navegador web, desenvolupant una aplicació per a la Web basada en la utilització d'una interfície de programació d'aplicacions implementada en el llenguatge de programació Javascript i especialitzada per al control de l'àudio.
    [Show full text]
  • Reducing the Unwanted Interruptions of Notification Permission Prompts on Chrome Igor Bilogrevic, Balazs Engedy, Judson L
    “Shhh. be quiet!” Reducing the Unwanted Interruptions of Notification Permission Prompts on Chrome Igor Bilogrevic, Balazs Engedy, Judson L. Porter III, Nina Taft, Kamila Hasanbega, Andrew Paseltiner, Hwi Kyoung Lee, Edward Jung, Meggyn Watkins, PJ McLachlan, and Jason James, Google https://www.usenix.org/conference/usenixsecurity21/presentation/bilogrevic This paper is included in the Proceedings of the 30th USENIX Security Symposium. August 11–13, 2021 978-1-939133-24-3 Open access to the Proceedings of the 30th USENIX Security Symposium is sponsored by USENIX. “Shhh...be quiet!” Reducing the Unwanted Interruptions of Notification Permission Prompts on Chrome Igor Bilogrevic Balazs Engedy Judson L. Porter III Nina Taft Kamila Hasanbega Andrew Paseltiner Hwi Kyoung Lee Edward Jung Meggyn Watkins PJ Mclachlan Jason James Google {ibilogrevic,engedy,jud,ninataft,hkamila,apaseltiner,hwi,edwardjung, meggynwatkins,pjmclachlan,jasonjames}@google.com Abstract having to install and run dedicated applications. Some of those APIs provide access to sensitive data (such as geolocation or Push notifications can be a very useful feature. On web the microphone), and in those cases the website has to ask browsers, they allow users to receive timely updates even if the user for permission before it can access such data [44]. the website is not currently open. On Chrome, the feature has Moreover, permission-gated APIs can provide an additional become extremely popular since its inception in 2015, but it is layer of security from other kinds of abuses, such as spam, also the least likely to be accepted by users. Chrome teleme- phishing or deceptive marketing [5, 29]. try shows that, although 74% of all permission prompts are about notifications, they are also the least likely to be granted Web push notifications are a very popular mechanism for with only a 10% grant rate on desktop and 21% grant rate websites to keep their users updated with timely content when on Android.
    [Show full text]
  • Identifying Javascript Skimmers on High-Value Websites
    Imperial College of Science, Technology and Medicine Department of Computing CO401 - Individual Project MEng Identifying JavaScript Skimmers on High-Value Websites Author: Supervisor: Thomas Bower Dr. Sergio Maffeis Second marker: Dr. Soteris Demetriou June 17, 2019 Identifying JavaScript Skimmers on High-Value Websites Thomas Bower Abstract JavaScript Skimmers are a new type of malware which operate by adding a small piece of code onto a legitimate website in order to exfiltrate private information such as credit card numbers to an attackers server, while also submitting the details to the legitimate site. They are impossible to detect just by looking at the web page since they operate entirely in the background of the normal page operation and display no obvious indicators to their presence. Skimmers entered the public eye in 2018 after a series of high-profile attacks on major retailers including British Airways, Newegg, and Ticketmaster, claiming the credit card details of hundreds of thousands of victims between them. To date, there has been little-to-no work towards preventing websites becoming infected with skimmers, and even less so for protecting consumers. In this document, we propose a novel and effective solution for protecting users from skimming attacks by blocking attempts to contact an attackers server with sensitive information, in the form of a Google Chrome web extension. Our extension takes a two-pronged approach, analysing both the dynamic behaviour of the script such as outgoing requests, as well as static analysis by way of a number of heuristic techniques on scripts loaded onto the page which may be indicative of a skimmer.
    [Show full text]
  • Programación Web Profesor: César A. De
    MINISTERIO DE EDUCACIÓN CENTRO EDUCATIVO BILINGÜE FEDERICO ZÚÑIGA FELIÚ ASIGNATURA: MULTIMEDIA Y DESARROLLO WEB MÓDULO 2: PROGRAMACIÓN WEB PROFESOR: CÉSAR A. DELGADO B. Multimedia y Desarrollo Web Antes de tratar cualquier asunto relacionado con los entornos de programación para la Web, es preciso comentar que no es necesario tener conocimientos previos del lenguaje de marcado HTML, pero deberíamos estar, al menos, familiarizado con el uso básico de computadoras, y usar la Web pasivamente (por lo menos haber utilizado un navegador o buscador web para consumir contenido de la Web) Debemos tener claro que es fundamental para un Programador Web contar con un entorno de trabajo básico y entender cómo crear, gestionar archivos y carpetas que encontramos en el sistema operativo de nuestro ordenador. Ahora bien, Internet es una red que conecta ordenadores a través de todo el planeta, para compartir contenidos alojados, a través de algunos de esos ordenadores, normalmente denominados servidores. Así, cada servidor puede contener algún tipo de recurso o de servicio. El servicio más extendido de Internet es sin duda la World Wide Web; es decir, la red de servidores de páginas web. Los servidores de la World Wide Web contienen páginas web que pueden ser consultadas por cualquier usuario para acceder a información e incluso interactuar con ellas, comportándose como verdaderas aplicaciones. Las páginas web internamente se estructuran como archivos de texto que, al ser transferidos al ordenador o al dispositivo del usuario, pueden ser interpretados con sentido por un navegador web, como Firefox, Chrome, Opera, Safari, etc. Para que los navegadores puedan entender correctamente las páginas web, éstas utilizan un conjunto de normas denominadas HTML (que viene de HyperText Markup Language), que son empleadas para definir la estructura semántica de la información contenida en una página web.
    [Show full text]
  • Download Chromium Windows Latest Version Chromium for Windows
    download chromium windows latest version Chromium for Windows. Chromium is the open-source version of the vastly popular Google Chrome. It features the development build that they use to continue to update the latest versions of the web. While it is different, it remains similar to the regular Chrome. User Interface. Chromium is quite similar to Chrome as they are based on Chromium OS. It features the all-in-one tab that has the setting and bookmarks. There is no scrolling mechanism for when you open up too many tabs, making it difficult to switch between them when you have many open. Features. The main characteristic Chromium comes with is the ability to have all your Google account information synchronised with it. The software is ideal for people who are developing websites or who want to develop extensions, as they can make the most of the dev build. It also comes with the ability to use a wide variety of extensions to make the user’s life easier. Google Translate comes pre-loaded into the browser. It is safe and has no viruses. Problems. The main issue with it is the lack of updates. You will have to ensure that your version remains up to date. Finding these upgrades can be a hassle because there are a variety of versions on the internet. While the browser is one of the fastest, it consumes a lot of RAM. This problem worsens if you keep a lot of tabs open. Alternatives. Google Chrome is the first competitor as it’s almost identical.
    [Show full text]
  • CENTRO UNIVERSITÁRIO DO CERRADO PATROCÍNIO UNICERP Graduação Em Sistemas De Informação
    CENTRO UNIVERSITÁRIO DO CERRADO PATROCÍNIO UNICERP Graduação em Sistemas de Informação GABRIEL RODRIGUES GOMES A EFICÁCIA DO USO DE NODE.JS NA CONSTRUÇÃO DE APIS PATROCÍNIO/MG 2018 GABRIEL RODRIGUES GOMES A EFICÁCIA DO USO DE NODE.JS NA CONSTRUÇÃO DE APIS Trabalho de Conclusão de Curso apresentado como exigência parcial para obtenção do grau de bacharel em Sistemas de Informação, pelo Centro Universitário do Cerrado Patrocínio – UNICERP. Orientador: Prof. Esp. Breno Cristovão Rocha PATROCÍNIO/MG 2018 AGRADECIMENTOS Agradeço em primeiro lugar a Deus, por me dar a oportunidade de através do meu esforço chegar a este momento tão esperado. Em sequência agradeço aos meus familiares cujo estiveram ao meu lado em todo o decorrer do curso, em momentos de alegria, desânimo e dificuldades, sempre me impulsionando para um bem maior. A todos os professores que de alguma forma contribuíram para que este momento fosse possível, em especial meu professor e orientador Breno Cristovão Rocha, que disponibilizou dias neste ano para auxiliar-me no desenvolvimento deste projeto, sendo então possível que este momento de êxito chegasse. Por fim, agradeço também a todos que um dia retiraram uma pequena parcela de seus dias e de suas vidas para aconselhar e orientar-me sobre minha vida acadêmica e profissional, sem todos os citados acima, com certeza nada disso seria possível. RESUMO Introdução: Com o alto crescimento dos meios de comunicação, destacando neste projeto a web, a demanda de aplicações que sejam estáveis, rápidas e com grande capacidade de integração com outros meios, vem crescendo a cada dia. Com a junção do conceito de integração advindo das APIs e da proposta de escalabilidade e diminuição no fluxo de espera de processamentos utilizando Node.js, este artigo foi elaborado a fim de mostrar como ambas tecnologias podem se mostrar eficientes lado a lado.
    [Show full text]