What Went Wrong: Dots and Slashes in Java

If a bad guy wants to pass off a piece of code as trusted (in systems before JDK 1.0.2), two steps must be carried out: 1) Get the malicious code onto the victim's disk, and 2) Trick the victim's browser into loading it.

The first part, getting code onto the victim's disk, isn't as difficult as it sounds. For example, some machines have public FTP directories, where anyone can put a file. Alternatively, if the victim is using a shared, public machine, the attacker could get an account on that machine and put the file in that account's home directory.

Perhaps the most effective way to inject code is to take advantage of the browser's cache. Most Web browsers keep on-disk copies of recently accessed files. This allows repeated accesses to the same Web documents without continually downloading the documents. Unfortunately, it also gives a malicious applet a way to get a file onto the victim's machine. The applet could load the file across the Net, pretending that it was an image or a sound file. Once this was done, the file would be on the victim's disk in the cache. If the applet knew how the browser organized its cache, it would know where on the victim's disk the file resided. This sneaky trick makes a second appearance in the Cache Cramming attack as well (see page 171).

Once the file is on the victim's disk, the attacker tricks the victim's browser into loading the file. Since the browser only looks up classnames in relation to the current directory, the attacker would have to place a file into the victim's working directory. Filename lookup is relative because Java classnames cannot start with a dot; therefore, the translated name cannot start with a backslash.

David Hopwood discovered that Java 1.0.1 and Netscape Navigator 2.01 erroneously allowed a classname to start with a backslash. Such a classname could reference any file on the system, not just those files associated with the browser. For example, a class named \programs.browser.cache.file407 would be looked up on the local disk as \programs\browser\cache\file407. This trick could be used to cause any file on the local disk to be loaded as Java code. Because code loaded from the local disk was trusted (pre-JDK 1.0.2), it could proceed to illegally access the local system. This attack allows full system penetration: the bad guy can do anything at all on the victim's machine.
The Fix
This problem was fixed in Netscape Navigator 2.02 and in all Java-enabled versions of Microsoft Internet Explorer. The fix was simple: Prohibit classnames from starting with backslashes (or slashes, as the case may be). It is no longer possible to execute impostor code using the Slash and Burn attack.
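The check described above, sketched as an added example in modern Java; it is not code from the book, Netscape, or the JDK. The class and method names and the `classes` root are hypothetical, and the validation goes beyond the fix in the text by checking every dot-separated segment and confirming the resolved path stays under the class root.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class ClassNameLookup {
    // Pre-fix behaviour from the text: dots become separators, nothing else is checked.
    static String naiveTranslate(String className) {
        return className.replace('.', '\\');
    }

    // Hardened translation: each segment must be a Java identifier, which rules out
    // leading slashes or backslashes, empty segments and "..".
    static Path safeTranslate(Path classRoot, String className) {
        if (className == null || className.isEmpty()) {
            throw new IllegalArgumentException("empty class name");
        }
        for (String segment : className.split("\\.", -1)) {
            if (!isIdentifier(segment)) {
                throw new IllegalArgumentException("illegal class name: " + className);
            }
        }
        // Defense in depth: the normalized result must still sit under the root.
        Path root = classRoot.toAbsolutePath().normalize();
        Path resolved = root.resolve(className.replace('.', '/') + ".class").normalize();
        if (!resolved.startsWith(root)) {
            throw new IllegalArgumentException("escapes class root: " + className);
        }
        return resolved;
    }

    static boolean isIdentifier(String s) {
        if (s.isEmpty() || !Character.isJavaIdentifierStart(s.charAt(0))) return false;
        for (int i = 1; i < s.length(); i++) {
            char c = s.charAt(i);
            // Exclude ignorable control characters that isJavaIdentifierPart accepts.
            if (!Character.isJavaIdentifierPart(c) || Character.isIdentifierIgnorable(c)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String hostile = "\\programs.browser.cache.file407"; // classname quoted in the text
        System.out.println("naive:    " + naiveTranslate(hostile));
        Path root = Paths.get("classes"); // hypothetical class root
        System.out.println("accepted: " + safeTranslate(root, "java.applet.Applet"));
        try {
            safeTranslate(root, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```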
Copyright 1999 Gary McGraw and Edward Felten. All rights reserved. Published by John Wiley & Sons, Inc.
Attack Applets: Exploiting Holes in the Security Model
Section 5 -- Jumping the Firewall
In the first problem, an attack applet launches network security attacks on other machines. This is something that an attacker could already do before Java came along. The twist is that by embedding the attack into an applet, the bad guy makes the attack come from the machine of an innocent bystander. Example: You're sitting at your desk, happily browsing the Web, and without realizing it, your machine is trying to penetrate the security of a machine down the hall. This kind of confusion is reason enough to use Java as the penetration vehicle, but the culprit has an even better reason for using Java. Many corporate networks protect themselves from Internet intrusion through the use of a firewall. (See Figure 5.1.) If your firewall is well configured, it prevents the mischievous cracker from making direct use of the network to probe the defenses of your machines. The firewall does this by blocking certain types of network traffic from entering the corporate network.