Hacklog Volume 1 Anonymity: it security & Ethical Hacking Handbook




6.4 “Special” Cookies
In addition to the regular cookie types found on the web, other, proprietary types emerge from time to time. Adobe, for example, created the “Local Shared Objects” (also known as “Flash Cookies”), which are embedded in Flash Player; Mozilla integrated the latest versions of Firefox with DOM Storage, allowing faster rendering of web elements.
6.4.1 “Special” Cookies impact over security
See “Cookies impact over security”.
6.4.2 How to block Flash Cookies
If you just can’t live without Flash – we will explain later why it should be disabled – you can deactivate the Local Shared Objects. To do this, you must set the space that can be used by the LSOs to a value of “0”. For more info, refer to the Adobe official guide [67].
Once again: you’d better forget about Flash. If you can’t help downloading a video, just use a browser add-on or a download manager like JDownloader [68], and the like.
6.4.3 How to block DOM Storage
Disabling DOM Storage in Firefox is quite an easy task. Type “about:config” in the browser address bar, filter the results by searching for “storage”, then right-click “dom.storage.enabled” and double-click it to set it to “false”. You can also block Firefox DOM Storage using FireGloves (we will cover it in the Browser Fingerprint chapter).
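What the setting above does from a page script’s point of view, as an added example that is not part of the Hacklog text: with DOM Storage disabled, touching `window.localStorage` throws, so a script that wants to use it has to detect that case, and a user can list what a site has already persisted there. The `getStorage` accessor and the in-memory `makeFakeStorage` stand-in are assumptions so the code runs outside a browser.

```javascript
// Added example, not from the Hacklog text: safe detection and audit of DOM
// Storage. With dom.storage.enabled = false in Firefox, merely touching
// window.localStorage throws a SecurityError, so page scripts must wrap the
// access in try/catch. `getStorage` is a hypothetical accessor passed in so
// the code runs outside a browser: storageStatus(() => window.localStorage).
function storageStatus(getStorage) {
  let storage;
  try {
    storage = getStorage(); // throws SecurityError when the user disabled it
  } catch (e) {
    return { available: false, reason: (e && e.name) || 'inaccessible', entries: [] };
  }
  if (!storage) return { available: false, reason: 'unsupported', entries: [] };
  // Probe a write: some private-browsing modes expose the API but refuse
  // writes with QuotaExceededError, so "present" does not mean "usable".
  try {
    storage.setItem('__probe__', '1');
    storage.removeItem('__probe__');
  } catch (e) {
    return { available: false, reason: (e && e.name) || 'write-failed', entries: auditEntries(storage) };
  }
  return { available: true, reason: 'ok', entries: auditEntries(storage) };
}

// Lists every key with the length of its value, so a user can see what a site
// has persisted beyond regular cookies.
function auditEntries(storage) {
  const entries = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    entries.push({ key, bytes: value === null ? 0 : value.length });
  }
  return entries;
}

// Minimal in-memory stand-in for the Storage interface, constructed so the
// example runs offline.
function makeFakeStorage(initial = {}) {
  const map = new Map(Object.entries(initial));
  return {
    get length() { return map.size; },
    key: (i) => (i < map.size ? Array.from(map.keys())[i] : null),
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}
```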
6.5 JavaScript
JavaScript is one of the authorities of the web world. It is a scripting language, mainly used to capture client events, i.e. user actions (like hovering the mouse over a button, a live notification, a scroll, etc.), performing operations that HTML alone cannot execute.
Remember that JavaScript IS NOT Java: they are two distinct programming languages, used in and working in a totally different manner. Without JavaScript, today we wouldn’t have any dynamic websites with live notifications and the many features that make the web faster and more attractive. Also consider that – according to W3Techs [69] research – 93.5% of websites use JavaScript to date. A huge thing indeed.
6.5.1 JavaScript impact over security
Nevertheless, JavaScript can interact with user activities, i.e. it can gather what they type on a web page, working as an actual keylogger. Many analytics/advertisement companies, for example, use JavaScript to analyze website keywords and sell the most visited or interesting pages to their clients.
JavaScript allows a site to (partially) check whether the user is using TOR or a VPN, and to read the browser plug-in list, the installed fonts, your time zone (revealing your nationality), your user-agent (even if spoofed, through a cross-check of CSS pseudo-classes), page history, some installed programs (like OpenOffice, Adobe Reader, Microsoft Silverlight and others) and other information.
Last but not least, JavaScript can also be used as a “controller” after an attack known as XSS (Cross Site Scripting), which allows an intruder to take possession of a web page and automate some client-side operations (e.g. copying cookies and sending them to another page) or redirect it to a fake login and capture the access credentials.
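The cookie-copying scenario above depends on the cookies being readable by page scripts at all; the server-side attribute that prevents that (HttpOnly) is not covered in this chapter, so here is an added example, not from the Hacklog text, that parses Set-Cookie headers and reports which cookies an injected script could read through document.cookie. The sample headers are constructed for the example.

```javascript
// Added example, not from the Hacklog text: parse Set-Cookie headers and
// report which cookies a script injected through XSS could read via
// document.cookie, i.e. every cookie set without the HttpOnly attribute.
// The sample headers below are constructed for this example.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('='), httpOnly: false, secure: false, sameSite: null };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// Names of cookies visible to page scripts (and hence to an XSS payload),
// plus the findings a reviewer would flag for each header.
function auditCookies(headers) {
  const cookies = headers.map(parseSetCookie);
  const scriptReadable = cookies.filter((c) => !c.httpOnly).map((c) => c.name);
  const findings = [];
  for (const c of cookies) {
    if (!c.httpOnly) findings.push(`${c.name}: readable via document.cookie (missing HttpOnly)`);
    if (!c.secure) findings.push(`${c.name}: also sent over plain HTTP (missing Secure)`);
  }
  return { scriptReadable, findings };
}

// Constructed sample: a hardened session cookie next to two weaker ones.
const SAMPLE_HEADERS = [
  'sessionid=9f3c2a; Path=/; HttpOnly; Secure; SameSite=Lax',
  'tracker=u-77e1; Path=/; Max-Age=31536000',
  'theme=dark; Path=/; Secure',
];
```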


6.5.2 Controlling JavaScript
We can identify the best choice for each browser. As usual, we will only cover the extensions/add-ons for the most popular browsers:
- Mozilla Firefox: the most important extension for the red panda browser is NoScript. This extension blocks JavaScript, as well as Flash, Java and any other external application. NoScript can intercept and block XSS and Clickjacking attacks as well.
- Google Chrome: unfortunately, Google’s counterpart cannot rely on the excellent NoScript suite; however, a really valuable alternative is available, uMatrix, which is to some extent even more complete.
- Opera Web Browser: once again, you can use the excellent uMatrix.
- Safari: on the macOS/OSX browser, you can disable JavaScript directly from Preferences -> Security -> Enable JavaScript.
- Microsoft Edge: you can disable JavaScript by changing the Group Policies at this path: User Configuration -> Administrative Templates -> Windows Components -> Microsoft Edge.
