Join the 40,000+ candidates in over 58 countries that have found a faster, better way to pass their certification exam.
Comprehensive practice exam engine!
All features in the FREE plan, plus:
Welcome to our Vulnerabilities in web based systems module. There are several web based vulnerabilities and threats that we should be familiar with. Mobile code is software that is downloaded and executed on a personal computer. Applets are platform independent programs which are sent from a server to a client to perform some action.
JavaScript is one example of an applet and it uses memory isolation in order to protect from malicious software being run on a user's system. There is no such system on Microsoft's ActiveX technology, therefore, it is considered to be less secure. Whenever you have an add on in your browser, such as Java, Apple QuickTime, Flash, Adobe Acrobat Reader, this can increase the vulnerabilities in your system, as these add ons have been found to have security weaknesses.
Extensible mark up language or xml is a standard document description language for databases, and is common on the web. XML injection attacks occur due to failure to screen or sanative xml input, and sequel injection attacks can also occur with sequel databases. In order to enhance the security of your system, you should use a public key infrastructure, and SSLTLS to encapsulate and encrypt any sensitive XML data so that attackers are not able to capture this data and view it or modify the data.
SAML, or the security assertions markup language, is an XML based framework that can be used for exchanging security information and for providing single sign on between business partners. Whenever we receive email messages, we must be concern with many different types of threats. Including malicious attachments, HTML links, phishing websites, and social engineering attacks.
If we do not properly validate the input that we receive from a user, we can have many different types of attacks against our web server and our databases. It is very important to make sure that we have input validation. With a man in the middle attack, an attacker will intercept traffic between two parties.
This can be a passive attack where they simply monitor or steal the information between the two people that are communicating. Or it can be an active attack, such as TCPIP hijacking, where they can actually take over a users authenticated session and pretend to be that user. Cookie files are used to track users access to websites and are typically placed on a users machine by the web server that they're communicating with.
This data, however, can be mimed by malicious sites To gain an example of the type of web sites that the user is visiting, or to attempt to steal their credentials or other data. With a cross site scripting attack, an attacker is able to inject a malicious script into a web page. This is commonly used to steal users' web log on credentials for different web sites In a cross site forgery request is where a unauthorized person tricks an authenticated user to take an unwanted action. We also have adware and spyware. We can use pop-up blockers to help Help reduce these threats.
Adware is generally considered in new since because it pops ads up on to the user screen but Spyware is considered to be much more of a threat because it actually steals the user's sensitive data. We should also be concerned with network resource abuse. We can have impersonation attacks where an individual pretends to be a different user, interception attacks where an individual captures our network traffic and looks for sensitive data that may be transmitted Denial of service attacks where an attacker attempts to take our systems offline and also theft of network resources.
We can use multi-factor authentication We can use Kerberos secure authentication technology and policies and accountability and auditing to reduce these types of threats. Data flow control is essentially information flow control. This is a procedure that we can use to make sure that when information is being transferred within our system.
We are not violating any of our security policies. Process can be isolated in different layers based on sensitivity for security. So we would have our high security processes Totally isolated from our low security processes. We can use cryptography to hide our sensitive data and also verify the integrity of data to make sure that a user has not been able to modify a message while it was in transit.
Privilege escalation is when a user has too much access to a system. They may be able to bypass the security of your access control list or reference monitor. And you should be conducting audits frequently to detect this common vulnerability. Where an individual is able to gain access to more systems than they should.
With web servers, you should also be concerned with directory traversal attacks, where an attacker is able to move around on your web server from your route directory into restricted directories. And possibly gain access to data they should not be able to access. This concludes our vulnerabilities in web based systems module.
Thank you for watching.
Classified by skill and ranked by difficulty. Choose to answer questions in STUDY MODE to review and you go.
Know when you’re ready for the high-stakes exam. Have the confidence that you will pass on your first attempt.
Don’t forget what you’ve just studied! Use the intelligent reinforcement questions to stay fresh.
THANK YOU! Just bloody thank you! I’m doing the CEH minor at my college and well...I’ve learned more from this site in a few hours than I’ve learned from my school in 9 weeks about the subject. Keep up the good work!
Skillset’s Exam Engine continuously assesses your knowledge and determines when you are ready take and pass your exam. When Skillset learns that there is a gap between your knowledge and what you need to know to pass, we present you with a focused training module that gets you up to speed quickly. No fluff! Find your knowledge gaps and fill them.
Skillset is confident that we can help anyone pass their exam. If you reach 100% readiness, and you do not pass your exam, we will refund you plus pay for a replacement exam voucher. That’s how powerful our learning system is, we can offer this guarantee and stand behind our products with this no risk to you guarantee. See terms and conditions.
Don’t waste time studying concepts you have already mastered. Focus on what you need to know to pass. The Skillset Competency Diagnostic aligns our Exam Engine and Learning Plan to your baseline knowledge. This saves an average of 31% of the time required to prep for a professional certification exam.
More PRO benefits are being built all the time!