ITSK3413, ITSK3423 Ecommerce - PowerPoint PPT Presentation

Slides: 34
Provided by: jonapr
Transcript and Presenter's Notes


1
ITSK3413, ITSK3423 E-commerce
  • Lecture 5
  • ASP and ASP.NET
  • Java Security

2
View of Client-Server Processing
3
Client-Side Processing
  • We've got compiled items
      • ActiveX
      • Plug-Ins
      • Java Applets/Applications
  • We've got scripted (in HTML) items
      • JavaScript
      • VBScript

4
Client-Side Processing
  • Consider the security of the client
  • Can the code be trusted?
  • What access to the client does each of these
    technologies grant?

5
Server-Side Processing
  • We've got compiled items
      • CGI (Perl, C, etc.)
      • ISAPI (Internet Server API: a persistent
        servicing program, i.e. a DLL)
  • We've got scripted items
      • SSI
      • ASP
      • These are included in the HTML and pre-processed
  • Hybrid: ASP.NET (C# and VB.NET)

6 to 9
Request/Response Cycle
  (diagram, built up across slides 6 to 9)
  Client requests file -> Network -> Server receives request
  -> ASP.DLL (ASP Provider) -> Response to Client
10
ASP
  • Implemented via asp.dll (ISAPI)
  • Processes ASP files before sending them to the client
  • Uses VBScript or JavaScript
  • Embeds code and data together (BAD!)
      • Mixes content with code
  • Optionally include

11
ASP (cont)
  • Limits access to controls
      • Ad Rotator
      • FileSystemObject
      • ADO (ActiveX Data Objects) DB connections
  • Can purchase 3rd-party components or develop COM
    wrappers to access the Win32 API

12
Sample ASP Code
    <% Option Explicit %>
    <html>
    <head>
    <title>Verifying User Information</title>
    <%
    Dim objConn, objRS, strSQL, strUser, strPass, strBID, strBook
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open "ITLibrary", "user", "nothing"
    strUser = Request.Form("User")
    strPass = Request.Form("Pass")
    ' The form fields are concatenated straight into the SQL text, so the
    ' submitted values become part of the query itself rather than data
    strSQL = "SELECT SID FROM Student WHERE SEMAIL='" & strUser & "' and SPASS='" & strPass & "'"
    Set objRS = objConn.Execute(strSQL)
    %>
    </head>

13
Sample ASP Code (cont)
    <body>
    <% If objRS.EOF Then %>
    <P>Username or Password is not correct or not found</P>
    <a href="default.asp">Click here to try again</a>
    <% Else %>
    <% Session("UID") = objRS("SID") %>
    <Script Language="VBScript">
    ' client-side VBScript (IE only) sends the browser on to the book list
    Navigate("booklist.asp")
    </Script>
    <% End If %>
    </body>
    </html>

14
Sample ASP DB Table
    <TABLE border='1'>
    <TR>
    <TH>First Name</TH>
    <TH>Last Name</TH>
    <TH>Phone</TH>
    </TR>
    <% Do Until rs.EOF
        ' Field values are written as-is, without Server.HTMLEncode
        Response.Write "<TR>"
        Response.Write "<TD>" & rs("au_fname") & "</TD>"
        Response.Write "<TD>" & rs("au_lname") & "</TD>"
        Response.Write "<TD>" & rs("phone") & "</TD>"
        Response.Write "</TR>"
        rs.MoveNext
    Loop %>
    </TABLE>
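
A hardened version of the login lookup (slides 12 and 13) and the author table (slide 14), added here as an example and not part of the lecture's code: it binds the form input as ADO query parameters instead of concatenating it into the SQL string, and passes database values through Server.HTMLEncode before writing them. It assumes the slides' DSN "ITLibrary", the Student(SID, SEMAIL, SPASS) and Authors(au_fname, au_lname, phone) tables, and the standard ADO constant values for adVarChar, adParamInput and adCmdText.

```asp
<%
Option Explicit
' Added example, not the lecture's code: slide 12-13 login and slide 14 table
' with form input bound as parameters and database values encoded on output.
Const adVarChar = 200      ' ADO constants, so adovbs.inc need not be included
Const adParamInput = 1
Const adCmdText = 1
' Returns the matching SID, or Empty when no student row matches.
Function LookupStudent(conn, email, pass)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? markers are bound below, so the submitted text travels as data and
    ' cannot alter the WHERE clause (SPASS is still compared in clear text, as
    ' on the slide; storing a password hash is the next step).
    cmd.CommandText = "SELECT SID FROM Student WHERE SEMAIL = ? AND SPASS = ?"
    cmd.Parameters.Append cmd.CreateParameter("email", adVarChar, adParamInput, 255, email)
    cmd.Parameters.Append cmd.CreateParameter("pass", adVarChar, adParamInput, 255, pass)
    Set rs = cmd.Execute
    If rs.EOF Then LookupStudent = Empty Else LookupStudent = rs("SID").Value
    rs.Close
End Function
' Writes the slide 14 table; each cell passes through Server.HTMLEncode so a
' stored value containing markup is displayed as text, not rendered. Appending
' vbNullString turns a NULL column into "" (HTMLEncode rejects Null).
Sub WriteAuthorTable(conn)
    Dim rs
    Set rs = conn.Execute("SELECT au_fname, au_lname, phone FROM Authors")
    Response.Write "<TABLE border='1'><TR><TH>First Name</TH><TH>Last Name</TH><TH>Phone</TH></TR>"
    Do Until rs.EOF
        Response.Write "<TR><TD>" & Server.HTMLEncode(rs("au_fname") & vbNullString) & "</TD>"
        Response.Write "<TD>" & Server.HTMLEncode(rs("au_lname") & vbNullString) & "</TD>"
        Response.Write "<TD>" & Server.HTMLEncode(rs("phone") & vbNullString) & "</TD></TR>"
        rs.MoveNext
    Loop
    Response.Write "</TABLE>"
    rs.Close
End Sub
Dim objConn, sid
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "ITLibrary", "user", "nothing"
sid = LookupStudent(objConn, Request.Form("User"), Request.Form("Pass"))
If IsEmpty(sid) Then
    Response.Write "<P>Username or Password is not correct or not found</P>"
Else
    Session("UID") = sid
    WriteAuthorTable objConn     ' slide 13 instead redirects to booklist.asp
End If
objConn.Close
%>
```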

15
ASP.NET
  • Implemented via ISAPI (aspnet_isapi.dll)
  • Processes ASPX files before sending them to the client
  • Uses the CLR (Common Language Runtime)
  • Can program ASP.NET in ANY CLR language (C# and
    VB.NET are the most popular)

16
ASP.NET
  • Full access to the .NET Class Library (immense!)
  • Session information shared across multiple
    servers (server farm scalability)
  • Configuration easy via .config files

17
Sample ASP.NET DB Table
    <%@ Import Namespace="System.Data" %>
    <%@ Import Namespace="System.Data.SqlClient" %>
    <script runat="server">
    Sub Page_Load(Src As Object, E As EventArgs)
        Dim DS As DataSet
        Dim MyConnection As SqlConnection
        Dim MyCommand As SqlDataAdapter
        ' Connection string as on the slide: the sa login with an empty password
        ' is the weak setting here; a dedicated low-privilege login is preferable
        MyConnection = New SqlConnection("server=localhost;uid=sa;pwd=;database=pubs")
        MyCommand = New SqlDataAdapter("select au_fname as 'First Name', au_lname as 'Last Name', Phone from Authors", MyConnection)
        DS = New DataSet()
        MyCommand.Fill(DS, "Authors")
        grdAuthors.DataSource = DS.Tables("Authors").DefaultView
        grdAuthors.DataBind()
    End Sub
    </script>

18
Adding the DataGrid Object to HTML
  • Utilize the DataGrid System control
    <body>
    <h1>Authors</h1>
    <asp:DataGrid runat="server" id="grdAuthors" />
    Information is current as of
    <% Response.Write(Now.ToString) %>
    </body>

19
Java and the Java Virtual Machine
20
Java
  • Begun in 1991 at Sun
  • Purpose was
      • Platform independence
      • Small code
      • For use in various appliances
      • Network download of code

21
The Java Model
  (diagram) Code From Web -> Class Loader -> Bytecode Verifier
  -> VM / Sandbox -> Java Security Manager -> Disk, Console
22
Putting It All Together
  • Class Loader - verifies that the classes conform
    to the run-time system
  • Bytecode Verifier - determines that the code is
    legitimate (not hacked)
  • Sandbox - restricts the program's access to the
    client machine
  • Security Manager - allows security policy to be
    set on a per-program level

23
Java Security Weak Links
  • For Java security to work, you must have a correct
    implementation of
      • Security Manager
      • Bytecode Verifier
      • Sandbox

24
The Devil's in the Details
  • Implementation can be flawed
  • The Java VM specification is not perfect either

25
Security Issues with the Java VM
  • The Microsoft VM is a virtual machine for the
    Win32 operating environment. It runs atop
    Microsoft Windows 95, 98 or Windows NT. It
    ships as part of each operating system, and also
    as part of Microsoft Internet Explorer. The
    version of the Microsoft VM that ships with
    Microsoft Internet Explorer 4.0 and Internet
    Explorer 5.0 contains a security vulnerability
    that could allow a Java applet to operate outside
    the bounds set by the sandbox and take any
    desired action on the user's computer. If such an
    applet were hosted on a web site, it could act
    against the computer of any user who visited the
    site.

26
It's Not Just Microsoft
  • Yes, MS's implementation of the Java VM proved
    flawed
  • But Sun's own VM was shown to have flaws too
    (April '99)
  • Netscape Navigator 4.04 to 4.74 and IE (2000) allow
    all client-side files to be viewed (Brown
    Orifice)

27
Identity
  (diagram: Java applet identity)
28
JavaScript
  • Created by Netscape
  • Allows HTML to command the browser
      • Open new windows
      • Display alert boxes
      • Customize the status/title bar
      • Built-in time/date for clocks/calendars
      • Validate input before sending it to the server
  • Provides interactivity

29
Security Issues with JavaScript
  • Tighter than strict Java
      • No access to the local machine's files
      • No access to the network
  • But

30
Script Security Problems
  • The Office Script vulnerability allows any file
    to be saved to a user's local hard drive when the
    user is viewing a web page that contains script
    code referencing an Excel 2000 or PowerPoint
    file. By judicious selection of the format and
    location in which the file was saved, a malicious
    web site operator could cause the file to open
    automatically at some later time. If this
    happened, any code within the file would run.

31
Security Issues with the Client Side
  • Code-signing (Authenticode)
      • Identifies the publisher
      • Validates the code
      • Doesn't prevent bugs or malicious operation
  • Sandbox - code isolated inside the VM
      • Doesn't prevent bugs
      • Limits exposure of client resources
      • Requires a correct implementation

32
Configuring the Java VM in IE
33
Which Raises Another Issue
  • Who is signed?
  • Who did the signing?
  • Can you trust this?
  • Consider the 1996 incident of Internet Exploder,
    signed by the author himself