Tangledweb Index.Pdf

The Tangled Web © 2011 by Michal Zalewski
tw_book.book Page 283 Tuesday, October 18, 2011 10:07 AM

INDEX

Symbols & Numbers

& (ampersand), in HTML, 71
< > (angle brackets)
  browser interpretation, 74–75
  in HTML, 71
<![CDATA[...]]> blocks, 72, 78, 250
<!DOCTYPE> directive, 71
<!ENTITY> directive, 76
<!-- and -->, for HTML comments, 72
<% ... %> blocks, Internet Explorer and, 75
@ directives, in CSS, 89–90
\ (backslashes) in URLs, browser acceptance of, 29
` (backticks), as quote characters, 74, 111
!- directives, 76
// fixed string, in URLs, 25
% (percent sign), for character encoding, 31
. (period), hostnames with, and cookie-setting algorithms, 159
?-directives, 76
<?xml-stylesheet href=... ?> directive, 88
; (semicolon), as delimiter
  in HTTP headers, 48–49
  in URLs, 29
200–299 status codes, 54
300–399 status codes, 55
400–499 status codes, 55–56
500–599 status codes, 56

A

<a href=...> tag (HTML), 79
  target parameter, 174–175
about:blank document, origin inheritance, 165, 166–167
about:config (Firefox), navigation risks, 188
absolute URLs, vs. relative, 25
Accept-Language request header, 43
Accept request header, 43
Access-Control-Allow-Origin header, 237–238, 240
acrobat: scheme, 36
action parameter, for <form> tag, 80
ActionScript, 132–134
Active Server Pages, 75
ActiveX, 129, 136–137
address bars, 220
  and EV SSL, 65
  hiding, 221
  manipulation, 256–257
Adobe Flash, 119, 130, 132–134
  and cross-domain HTTP headers, 147n
  file handling without Content-Type, 199
  HTML parser offered by plug-in, 133
  policy file spoofing risks, 156–157
  security rules, 154–157
Adobe Reader, 130
Adobe Shockwave Player, 132
ADS (Alternate Data Stream) Zone Identifier, 231
advertisements, new window for, 217
Akamai Download Manager, 137
Allow-forms keyword, for sandbox parameter, 246
AllowFullScreen parameter, for Flash, 155
AllowNetworking parameter, for Flash, 155
Allow-same-origin keyword, for sandbox parameter, 246
AllowScriptAccess parameter, for Flash, 154
Allow-scripts keyword, for sandbox parameter, 246
Allow-top-navigation keyword, for sandbox parameter, 246
Alternate Data Stream (ADS) Zone Identifier, 231
ambient authority, 60, 60n
ampersand (&), in HTML, 71
anchor element (HTML), specifying name of, 28
angle brackets (< >)
  browser interpretation, 74–75
  in HTML, 71
anonymity, scripts and, 249
anonymous requests, in CORS, 239
anonymous windows, 175
antimalware, 236n
Apache
  and Host headers, 47
  PATH_INFO, 201
APNG file format, 83
Apple QuickTime, 119, 130, 132
Apple Safari. See Safari (Apple)
<applet> tag (HTML), 83, 128, 135, 183
application/binary, 212
application/javascript document type, 118
application/json document type, 118, 202
application/mathml+xml document type, 119
application/octet-stream document type, 200–201, 212
application/x-www-form-urlencoded, 81
Arce, Ivan, 2n
Arya, Abhishek, 209
asynchronous XMLHttpRequest, 146
Atom, 123
<audio> tag (HTML), 84, 119
authentication, in HTTP, 62–63
authorization, vs. authentication, 62n
Authorization header (HTTP), 63

B

background parameter for HTML tags, 83
background processes, in JavaScript, 258
backslashes (\) in URLs, browser acceptance of, 29
backticks (`), as quote characters, 74, 111
Bad Request status error (400), 55
bandwidth, and XML, 123n
Barth, Adam, 16, 177, 240, 241, 246, 257
Base64 encoding, 50n
basic credential-passing method, 63
Bell-La Padula security model, 2, 4
Berners-Lee, Tim, 9, 41, 69
  and semantic web, 72–73
  World Wide Web browser, 9
  World Wide Web Consortium, 11
<bgsound> tag (HTML), 84, 119
binary HTTP, 257
bitmap images, browser recognition of, 118
blacklists
  of HTTP headers in XMLHttpRequest, 147
  malicious URLs, 236n
_blank, as link target, 80
BMP file format, 83
<body> tag (HTML), 83
BOM (byte order marks), 208
Breckman, John, 52n
browser cache
  information in, 59
  poisoning, 60
browser extensions and UI, 161
browser-managed site permissions, 226–227
browser market share, May 2011, 19
browser-side scripts, 95–116
browser wars, 10–11, 233
buffer overflow, 265
bugs, preventing classes of, 7
Bush, Vannevar, 8
byte order marks (BOM), 208

C

cache. See browser cache
Cache-Control directive, 48, 59
cache manifests, 257
cache poisoning, 189, 263
Caja, 116
caching behavior, in HTTP, 58–60
caching HTTP proxy, keepalive sessions and, 57
Cake (proposal), 257
call stack, limiting size, 216
callto: scheme, 36
<canvas> tag (HTML5), 183
CAPTCHA, 184–185, 185n
Cascading Style Sheets (CSS), 11, 12, 73, 83, 87–93
  basic syntax, 88–90
  character encoding, 91–92
  interaction with HTML, 90
  opacity property, 179
  parser resynchronization risks, 90–91
  property definitions, 89
case of tags, HTML vs. XML, 72
<![CDATA[...]]> blocks, 72, 78, 250
certificate authorities, 64
certificates
  extended validation, 65
  warning dialog example, 66
cf: scheme, 36
characters
  delimiting, in URLs, 29
  encoding in CSS, 91–92
  encoding in filenames, 49–51
  encoding in HTML, 76–78
  encoding in JavaScript, 112–113
  encoding in URLs, 31–35
  printable, browser treatment of, 32
  reserved, 31–35
  unreserved, 32
character sets
  byte order marks and detection, 208
  detection for non-HTTP files, 210–211
  handling, 206–211
  for headers, 49–51
  inheritance and override, 209
  markup-controlled, on subresources, 209–210
  sniffing, 264
  in URLs, 33
@charset (CSS), 89
children objects in JavaScript, 108
Chrome
  autodetection of passive document types, 205
  cached pages in, 37
  characters in URL scheme name ignored by, 25
  deleting JavaScript function, 103
  and file extensions in URLs, 130
  local file access, 160
  modal dialogs for prompts, 219
  navigation timing, 259
  prerendering page, 258–259
  printable characters in, 32
  privileged JavaScript in, 161
  and realm string, 63
  and RFC 2047 encoding, 50
  stored password retrieval, 228
  SWF file handling without Content-Type, 199
  time limits on continuously executing scripts, 215
  WebKit parsing engine, 70n
  window.open() function and, 218
  Windows Presentation Foundation plug-ins, 136
chunked data transfers, 57–58
clickjacking, 179, 180–181, 263
click() method, 218
client certificates, 64–66
client-server architecture, 17–18
client-side data, 165
client-side databases, 258
client-side errors (400–499), 55–56
client-side scripts, restricting privileges of HTML generated by, 250–251
cloud, 15
Clover, Andrew, 184
command injection, 265
comments
  in CSS syntax, 89
  in XHTML and HTML, 72
Common UNIX Printing System (CUPS), 152–153
Common Vulnerability Scoring System (CVSS), 6–7
Common Weakness Enumeration (CWE), 6
complex selectors, in CSS, 88
computer proficiency of user, 14
conditionals, explicit and implicit, in HTML, 75–76
conflicting headers, resolution of, 47–48
CONNECT requests, 46, 54
Connolly, Dan, 9
content directives, on subresources, 204
Content-Disposition directive, 48, 84, 122
  defensive uses, 203–204
  NUL character and, 51
  plug-in-executed code and, 204
  user-controlled filenames in, 67
content inclusion in HTML
  hyperlinking and, 79–84
  type-specific, 82–84
Content-Length header, 43, 52, 147
  in keepalive sessions, 56–58
content recognition, 197–211
content rendering, plug-ins for, 127–138
Content Security Policy (CSP), 242–245, 250, 253
  criticisms of, 244–245
  violations, 244
content sniffing, 197–198, 205, 264
Content-Type directive, 49, 71, 84
  application/binary, 212
  application/JavaScript, 118
  application/json, 118, 202
  application/mathml+xml, 119
  application/octet-stream, 200–201, 212
  charset parameter, 206, 208
  image/jpeg, 118, 202, 205
  image/svg+xml, 124
  logic to handle absence, 198–199
  plug-ins and, 128, 204
  slash-delimited alphanumeric tokens in, 199
  special values, 200–201
  text/css, 118
  text/html, 124
  text/plain, 118, 156, 200–201, 204, 212
  unrecognized, 202–203
  and XML document parsing, 120
control characters, JavaScript shorthand notation, 112
cookie-authenticated text, reading, 181
Cookie header. See cookies
cookie injection, 264
cookies, 11, 257
  deleting, 62
  and DNS hijacking, 153
  forcing, 264
  limitations on third-party, 192–194
  and same-origin policy, 150–151
  security policy for, 149–153
  semantics, 60–62
  user data in, 67
CORS. See Cross-Origin Resource Sharing (CORS)
CR characters, stripping from HTTP headers, 45
credential-passing methods, 63
credentials, in URLs, 26
CRLF (newline), 45
cross-browser interactions, 16–17
cross-document links, 8, 9
cross-domain communications, and frame descendant policy, 176–178
cross-domain content inclusion, 181–183
cross-domain policy files, 155–156
cross-domain requests, 236–239
Cross-Origin Resource Sharing (CORS), 148, 236
  current status, 239
  non-simple requests and preflight, 238
  request types, 236–237
  security checks, 237–238
cross-origin subresources,

D

daap: scheme, 36
data: scheme, 37, 167–168
data transfers, chunked, 57–58
Date/If-Modified-Since header pair, 59
deceptive framing, 180
dedicated workers, for background processes, 258
default policy, CSP directive for, 243
default ports, for protocols, overriding, 27
DELETE method (HTTP), 53
deleting
  cookies, 62
  JavaScript functions, 102–103
delimiting characters, in URLs, 29
denial-of-service (DoS) attacks, 214–219, 248, 264
DeviceOrientation API, 258
dialog use restrictions, 218–219
digest credential-passing method, 63
Digital Rights Management (DRM), 131
directory traversal, 265
disable-xss-protection, 242n
<div> tag (HTML), 73
DNS hijacking, and cookies, 153
DNS labels, security mechanisms based on, 142n
DNS names, in URLs, browser