With this lesson we reach the half-way point of our 10-part series: Computer Security 101. The series provides a simple overview of the technology, terminology and acronyms used everyday regarding computer systems and the Internet. The goal of the series is that by having an understanding of what the technology is called and what it does you will be able to understand when there is a threat that affects you and take the appropriate steps to secure your computer system.
In Lesson 4 we covered email borne viruses, hidden file extensions and email spoofing. This lesson we will go on to cover some of the common interactive elements used on the Internet including Javascript and ActiveX applets, IM (Instant Messaging) and P2P (Peer-to-Peer) networks. We will also discuss cross-site scripting (XSS) and packet sniffing.
About 10 “people years” (or about 60 years ago in “web years” according to the FAQ on Tim Berners-Lee’s
web site) ago the World Wide Web was text-based. In 1989 Tim Berners-Lee began creating a global hypertext project. By the summer of 1991 the World Wide Web was born and released to the Internet at large.
The Hypertext Markup Language (HTML) used to create the web pages continued to be refined. By late 1992 Marc Andreessen and the NCSA team created X-Mosaic. Mosaic introduced the “img” tag which allowed graphics to be inserted into the web pages as well. This brought on the explosive growth and popularity of the World Wide Web, however the pages were still static- meaning they only showed whatever they were programmed to show in the first place.
In order to provide more functionality- whether for business or entertainment- companies needed to find a way to make the pages dynamic. They wanted to be able to present new information or update the information on the screen automatically. Active scripting was created to fulfill this need.
Marc Andreessen had left NCSA and formed Netscape Communications by this time. Working with Sun Microsystems, who had just developed Java as a platform-independent programming language, Netscape created LiveScript as a compliment to both HTML and Java that would allow developers to create scripts that run within the HTML code to create content dynamically. In late 1995 they officially changed the name to JavaScript to hitch a ride on the coattails of popularity surrounding Sun’s Java programming language.
Using JavaScript you could take user input, perform calculations, display the current date and time and a slew of other things that make the page change over time or unique from user to user. This sort of dynamic content or content that was unique to the user made the World Wide Web much more interesting than simply viewing static pages.
To compete with JavaScript Microsoft came up with their own scripting language based off of their popular Visual Basic programming language: VBScript. Over time VBScript has morphed into ActiveX, although VBScript is still commonly used on many sites as well. To this day there is plenty of debate over which is better. They each have their pros and cons and developers tend to be fairly adamant on which they feel is better. Check out some of the links next to this article for more information on the debate.
The concept and functionality of scripting languages has grown since these two initial scripting languages were introduced. Always the goal has been to find more and better ways to dynamically update the web page with information that is new or unique to the user. To do this the scripting languages had to be able to pull information from the client computer or sometimes from databases housed on the server. The scripts are small programs that execute within the HTML code.
And therein lies the problem. If a legitimate web site or web developer can use active scripting like JavaScript, VBScript or ActiveX to dynamically gather information from your computer to aid in displaying custom data, then a malicious developer can use that same functionality against you. It didn’t take too long for malicious developers to figure out that they could create active scripting programs within web sites that would plant Trojan horse files or viruses on your computer or copy your personal information back to them.
It is an unfortunate fact that many of the features developed to make computing easier, more functional or more entertaining can be turned around and exploited for malicious purposes. Some sites that you visit may actually require active scripting to function properly. When using a web browser like Internet Explorer you can change the settings so that by default active scripting is not allowed. You can then add sites that require active scripting and that you feel are safe to your Trusted Sites security zone (See How To Configure Internet Explorer Security).
Another facet of dynamic content creating security issues is through cross site scripting (XSS). Sites that allow users to input data and don’t properly check for malicious script tags may be vulnerable to XSS attacks. Using XSS an attacker could get the server to redirect your connection to another web site entirely which could contain other malicious active scripting programs.
Typically the XSS attack is instigated by getting the targeted user to click on a link which contains malicious code. If the web site does not validate the script code or check it for malicious content the script will be executed and the attacker could cause all sorts of problems including stealing passwords or executing other programs on the target machine.
Cross site scripting vulnerabilities are not associated with any particular browser or web server. It doesn’t matter if the web site is hosted on Microsoft Internet Information Server (IIS) or Apache. It doesn’t matter whether you browse with Internet Explorer, Netscape or Opera. The problems that create XSS vulnerabilities lie in the way dynamic pages are generated and not having the proper checks and balances in place to validate the code before sending the output to the user.
Computer Security 101: Lesson 5