Microsoft Lync Server 2010 Security Guide

Such scripts can also rewrite the content of the HTML page. Cross-site scripting attacks can be stored or reflected. Stored attacks are those in which the malicious script is permanently stored on the compromised web server, for example in databases, message forums, visitor logs, and comment fields. When the user accesses the web server, the user's browser runs the script. In reflected cross-site scripting attacks, a user is tricked into clicking a link or submitting a specially crafted form that contains malicious software. When the user clicks the link to submit the form data, the URL, which contains the malicious software, is sent to the web server along with the user's data. When the website displays the user's information back to the user, the information appears to originate from a trusted source. However, the information contains the malicious software, which is then run on the user's computer. This security issue exists only in websites that do not properly validate user input. Lync Web App uses extensive user input validation to prevent this threat.

Token Threats

HTTP is a connectionless protocol, and each web page requires multiple server requests and responses to complete the page. Various methods are used to maintain session persistence between page requests during a session. One method used by the web server is to issue a token to the client browser making the request. This is the method used by Lync Web App. After Lync Web App successfully authenticates an internal or external user, it issues a token into a session cookie, which is returned to the client. This cookie is used for access to the server for a single session. Therefore, clients must accept cookies from Lync Web App to function correctly. An attacker could possibly steal and reuse this token. Lync Web App mitigates the token threat by issuing only a session cookie, using SSL (when enabled) to transport the token, clearing the token when the session ends, and causing the token to expire after a period of client inactivity.

Token Ping

In a token ping, also known as a token keep-alive, an authenticated user repeatedly sends a request to the web server to prevent the session, and therefore the session token, from expiring. A token ping attack can be considered a threat because it bypasses the time-out logic built into the server. However, the threat level is low, because the user must be authenticated first.

Phishing (Password Harvesting Fishing)

Phishing uses spoofing and is a type of man-in-the-middle attack. The unauthorized attacker tries to obtain information from users by posing as an entity authorized to have the information. The attacker typically does this by tricking the user into entering a password or account number into a fake website, web form, or email message. You should educate end users about the methods that attackers use to obtain personal information.