ITSK3413, ITSK3423 Ecommerce

1
ITSK3413, ITSK3423E-commerce

• Lecture 5
• ASP ASP.NET
• Java Security

2
View of Client-Server Processing
3
Client-Side Processing

• Weve got compiled items
• ActiveX
• Plug-Ins
• Java Applets/Applications
• Weve got scripted (in HTML) items
• JavaScript
• VBScript

4
Client-Side Processing

• Consider the security of the client
• Can the code be trusted?
• What access to the client do each of the
  technologies grant?

5
Server-Side Processing

• Weve got compiled items
• CGI (Perl, C, etc.)
• ISAPI (persistent servicing program Internet
  Server API aka DLL)
• Weve got scripted items
• SSI
• ASP
• These are included in the html and pre-processed
• Hybrid ASP.NET (C and VB.NET)

6
Request/Response Cycle
Client requests file
Network
7
Request/Response Cycle
Client requests file
Network
Server receives request
8
Request/Response Cycle
Client requests file
Network
Server receives request
ASP.DLL
ASP Provider
9
Request/Response Cycle
Client requests file
Network
Server receives request
ASP.DLL
Response to Client
ASP Provider
10
ASP

• Implemented via asp.dll (ISAPI)
• Process ASP files before sending to client
• Uses VBScript or JavaScript
• Embed code data (BAD!)
• Mixes content with code
• Optionally include

11
ASP (cont)

• Limits access to controls
• Ad Rotator
• FileSystemObject
• ADO (ActiveX Data Object) DB Connections
• Can purchase 3rd party components or develop COM
  wrappers to access Win32 API

12
Sample ASP Code

• lt option explicit gt
• lthtmlgt
• ltheadgt
• lttitlegtVerifying User Informaitonlt/titlegt
• lt dim objConn, objRS, strSQL, strUser, strPass,
  strBID, strBook
• set objConn Server.CreateObject("ADODB.Connectio
  n")
• objConn.Open "ITLibrary", user", nothing"
• strUser Request.Form("User")
• strPass Request.Form("Pass")
• strSQL"SELECT SID FROM Student WHERE SEMAIL'"
  strUser "' and SPASS'" strPass "'"
• set objRSobjConn.Execute(strSQL)
• gt
• lt/headgt

13
Sample ASP Code (cont)

• ltbodygt
• lt if objRS.EOF then gt
• ltPgtUsername or Password is not correct or not
  foundltPgt
• lta href"default.asp"gtClick here to try againlt/agt
• lt else gt
• lt Session("UID") objRS("SID") gt
• ltScript Language"VBScript"gt
• Navigate("booklist.asp")
• lt/Scriptgt
• lt end if gt
• lt/bodygt
• lt/htmlgt

14
Sample ASP DB Table

• ltTABLE border'1'gt
• ltTRgt
• ltTHgtFirst Namelt/THgt
• ltTHgtLast Namelt/THgt
• ltTHgtPhonelt/THgt
• lt/TRgt
• lt do until rs.EOF
• Response.Write "ltTRgt"
• Response.Write "ltTDgt" rs("au_fname")
  "lt/TDgt
• Response.Write "ltTDgt" rs("au_lname")
  "lt/TDgt
• Response.Write "ltTDgt" rs("phone")
  "lt/TDgt
• Response.Write "lt/TRgt
• rs.MoveNext
• loop gt
• lt/TABLEgt

15
ASP.NET

• Implemented via ISAPI aspnet_isapi.dll
• Processes ASPX files before sending to client
• Uses the CLR (common language runtime)
• Can program ASP.NET in ANY CRL language (C
  VB.NET most popular)

16
ASP.NET

• Full access to the .NET Class Library (immense!)
• Session information shared across multiple
  servers (server farm scalability)
• Configuration easy via .config files

17
Sample ASP.NET DB Table

• lt_at_ Import Namespace"System.Data" gt
• lt_at_ Import Namespace"System.Data.SqlClient" gt
• Sub Page_Load(Src As Object, E As EventArgs)
• Dim DS As DataSet
• Dim MyConnection As SQLConnection
• Dim MyCommand As SQLDataAdapter
• MyConnection New SQLConnection("serverlocalho
  stuidsapwddatabasepubs")
• MyCommand New SQLDataAdapter("select au_fname
  as 'First Name', au_lname as 'Last Name', Phone
  from Authors", MyConnection)
• DS new DataSet()
• MyCommand.Fill(ds, "Authors")
• grdAuthors.DataSourceds.Tables("Authors").Defau
  ltView
• grdAuthors.DataBind()
• End Sub

18
Adding the DataGrid Object to HTML

• Utilize the DataGrid System control
• ltbodygt
• lth1gtAuthorslt/h1gt
• ltaspDataGrid runatserver idgrdAuthors/gt
• Information is current as of
• lt Response.Write(Now.ToString) gt
• lt/bodygt

19
Java and the Java Virtual Machine
20
Java

• Begun in 1991 at Sun
• Purpose was
• Platform independence
• Small code
• For use in various appliances
• Network download of code

21
The Java Model
BytecodeVerifier
VM
Sandbox
FromWeb
ClassLoader
Java Security Manager
Disk
Console
22
Putting It All Together

• Class Loader - verifies that the classes conform
  to the run-time system
• Bytecode Verifier - determines that the code is
  legitimate (not hacked)
• Sandbox - restricts the programs access to the
  client machine
• Security Manager - allows security policy to be
  set on a per-program level

23
Java Security Weak Links

• For Java security to work, you must have correct
  implementation of
• Security Manager
• Bytecode Verifier
• Sandbox

24
The Devils in the Details

• Implementation can be flawed
• The Java VM specification is not perfect either

25
Security Issues with the Java VM

• The Microsoft VM is a virtual machine for the
  Win32 operating environment. It runs atop
  Microsoft Windows 95, 98 or Windows NT. It
  ships as part of each operating system, and also
  as part of Microsoft Internet Explorer. The
  version of the Microsoft VM that ships with
  Microsoft Internet Explorer 4.0 and Internet
  Explorer 5.0 contains a security vulnerability
  that could allow a Java applet to operate outside
  the bounds set by the sandbox and take any
  desired action on the user's computer. If such an
  applet were hosted on a web site, it could act
  against the computer of any user who visited the
  site.

26
Its Not Just Microsoft

• Yes, MSs implementation of the Java VM proved
  flawed
• But Suns own VM was shown to have flaws too
  (April 99)
• Netscape Navigator 4.04 4.74 IE (2000) allows
  for all client-side files to be viewed (Black
  Orifice)

27
Identity
JavaApplet
28
JavaScript

• Created by Netscape
• Allows HTML to command the browser
• Open new windows
• Display alert boxes
• Customize status title bar
• Built-in time/date for clocks/calendars
• Validate input before sending to server
• Provides interactivity

29
Security Issues with JavaScript

• Tighter than strict Java
• No access to the local machines files
• No access to network
• But

30
Script Security Problems

• The Office Script vulnerability allows any file
  to be saved to a users local hard drive when the
  user is viewing a web page that contains script
  code referencing an Excel 2000 or PowerPoint
  file. By judicious selection of the format and
  location in which the file was saved, a malicious
  web site operator could cause the file to open
  automatically at some later time. If this
  happened, any code within the file would run.

31
Security Issues with the Client-side

• Code-signing (Authenticode)
• Identifies publisher
• Validates code
• Doesnt prevent bugs or malicious operation
• Sandbox - code isolated inside VM
• Doesnt prevent bugs
• Limits exposure of client resources
• Requires correct implementation

32
Configuring the Java VM in IE
33
Which Raises Another Issue

• Who is signed?
• Who did the signing?
• Can you trust this?
• Consider the 1996 incident of Internet Exploder
  signed by the author himself