Hostile Web Pages and Scripting

The dangers of Trojans and viruses are well known. However, many computer users are completely unaware of the dangers involved in viewing Web pages. Through scripting languages, Web page operators can upload and download files to your device (PC/PDA). They can also install mini-programs or grab information from you that can be used to destroy or take over your computer.

Every time you go to a Web page, you actually download the full document to your computer. This includes all text, pictures, and even any code that is required for the Web page to interact or to display properly. After the download is complete, the Web page or programs that have downloaded can run in the background without your knowledge. You might get forced downloads, or the computer from which you requested the Web page could be spying on you. Although this sounds frightening, it is part of normal Web browsing.

A Web page is made up of one or more of the following elements: HTML, XHTML, WML (in the case of wireless browsers), JavaScript or another scripting language, and small programs like Flash and Java Applets. Each of these plays an important part in your Internet experience.

HTML and its relative XHTML are the main languages of Web pages. For the most part, a Web page is nothing more than super-formatted text. For example, if you wanted to embolden a font, you would simply type <b>the word</b> , which would look like the word . The <b> tells the browser to start displaying in bold, while the backslash in </b> tells the browser to cease the bolding.

Although the above example is still valid, most developers are using another type of formatting that reduces the amount of overhead and duplicate tags. Using Cascading Style Sheets (CSS), a Web developer has only to define a style once and then she may apply that style to an object in a Web page. For example, using basic HTML, a Web developer may have to format 30 objects in a page with lengthy font formatting definitions. Now, however, she can create a single style value that defines the font and then simply assign that style to any text. Not only does this reduce the amount of time required to create a Web page, but it also helps to make a Web page more organized by separating the actual content from the formatting. In addition, if a Web developer wants to change the color for all the text on a page, she only has to update the CSS, rather than every piece of text in the document.

Scripting languages are either built into the HTML or they run separately on the server. They receive input from you and react accordingly . For example, one of the most common scripts used in Web pages is called a rollover . This can be seen when you move your mouse over an image or word and it changes color or shape. This trick is done though the use of scripting. Other examples include mouse trailers , form submissions, and protecting Web pages from the right-click of a mouse.

Programs comprise an important part of Web pages. There are many different types, but some of the most popular include Flash and Shockwave. These are mainly graphical programs; nevertheless, entire games can be created in Flash and played on the Internet. Other examples are ActiveX components , Java Applets, and even VRML (a virtual reality language).

A complex Web page with database connectivity and user interaction will have code imbedded in the HTML. For example, code can be used to create online shopping carts, dynamic image galleries, and even Web-based applications.

Although these different aspects of a Web page have many excellent uses, they unfortunately create vulnerabilities. These vulnerabilities are actually mistakes, or more accurately, oversights in the programming languages used to make the Web page. These holes are usually well known to those who keep an eye on Internet security issues.

Worse, there are vulnerabilities that can enable a malicious Web site operator to download any file from your computer. This includes password files and program files. For example, it would be easy to create a Web page that requested the name of your computer. In fact, this is standard practice, and is not illegal in any way. However, many people name their computers after themselves . This information, combined with the knowledge that Quicken will store its financial files at c:\program files\Quicken\ , can give a hacker all the knowledge she needs to steal your financial information. A Web site operator merely has to query the computer name and to code a Web page to download c:\programfiles\Quicken\ YourName .dbf . Once a hacker has this file, she has your whole financial history. The next chapter will detail how Web developers can cause you grief using malicious code. It will explain the code that runs behind the scenes and will provide you with examples of how this code works.

Is There a Way to Prevent Scripting Vulnerabilities?

The answer is a "catch-22." The Internet would not be as useful or powerful if it were not for the extras most people have come to expect and even to demand while they surf online. For example, without scripting languages and Web-based programming, user experiences such as online shopping, online games, Web-based email and more would not exist. However, in order to fully protect yourself from hackers, you would have to disable these extras.

For example, many online stores use a combination of cookies, JavaScript, and some type of server based programming. If you locked down your computer to the safest level, your browser would not run the JavaScript required to validate the entries you made; the cookies used to keep track of your movements through the Web site would be rejected, which would not allow the server side program to function properly. In other words, your shopping experience would not result in a purchase.

Fortunately, most browsers make it easy to regulate and balance the level of security with the amount of functionality. For example, Internet Explorer provides its users with an easy way to control these settings by clicking on the Tools Internet Options Security tab. In this properties sheet, you can quickly determine what to allow and what to restrict. You can even use preset options to quickly apply high, medium, and low settings.

Keep in mind that the level of security you set on your browser or firewall corresponds to the level of functionality you will have when surfing the Internet. Most Web sites are safe. If you stick to the main roads and avoid the "red light district " of the Internet, you reduce your risk of being molested. Also, if you are asked to download a program or plug-in when you enter a Web site, make sure that you really need the program.

If at any time you suspect a rogue script on your computer, you can view the offending Web page's code with your browser. The viewing method depends on the browser you are using: In Internet Explorer, you can usually right-click on any blank part of a Web page and select the View Source option from the menu. In Netscape, you can find the same option under the Edit menu at the top of the browser.