Step 4:
Inventorying Web Resources
Once Steps 1, 2, and 3 are completed we are
left with a pile of essential information. The last step in the process is to
make a complete inventory of the Web resources found on the server. Of the many
ways to categorize Web resources, we choose to divide Web resources into the
following categories.
lang=EN-GB style='font-size:10.0pt;font-family:Symbol'>�
Static contentlang=EN-GB>: Basically, all HTML/XML/TXT content that doesn't change with every
HTTP request and doesn't depend on any parameter being passed from the browser
falls in this category. Such pages are plain resources and are the least
vulnerable to any kind of attack because of their passive nature.
lang=EN-GB style='font-size:10.0pt;font-family:Symbol'>�
Server-side scriptslang=EN-GB>: This category of pages includes active server pages, CGI scripts,
Perl scripts, and the like. Server-side scripts that accept input from the Web
browser or from the URL parameters require special attention to determine
whether they're vulnerable to input validation attacks, among others.
lang=EN-GB style='font-size:10.0pt;font-family:Symbol'>�
Plug-in application
engines: Application servers and Web application
language interpreters such as ColdFusion, PHP, and Weblogic that plug into a
front-end Web server fall in this category. In lang=EN-GB style='color:#003399'>Chapter 6 we
described how such application servers work and can be identified. The same
techniques can be utilized to identify Web resources that fall in this
category.
lang=EN-GB style='font-size:10.0pt;font-family:Symbol'>�
Applets and objectslang=EN-GB>: Any Java applets or other objects embedded in HTML that execute on
the browser fall in this category.
style='font-size:10.0pt;font-family:Symbol'>�
Client-side scriptslang=EN-GB>: This category includes all code that lies between the
<SCRIPT> � </SCRIPT> tags that executes within the browser.
lang=EN-GB style='font-size:10.0pt;font-family:Symbol'>�
Cookieslang=EN-GB>: HTTP cookies received from Web resources fall in this category. Here
the Web resources that send cookies back to the Web browser are counted.
lang=EN-GB style='font-size:10.0pt;font-family:Symbol'>�
HTML formslang=EN-GB>: All Web resources containing HTML forms can be placed in this
category. The forms can be seen in detail, and HTML forms that are specifically
used for processing logins or that contain hidden fields even can be
classified.
We can now go back to our gathered data and
classify resources and other elements to form a summary table:
Types of Resources style='font-size:10.5pt;font-family:Arial;color:black'>
Number of Resources style='font-size:10.5pt;font-family:Arial;color:black'>
Static pages
3
Server-side scripts
5
Application server pages
2
Applet and object
1
Client-side scripts
6
Resources-serving cookies
2
Number of cookies
7
Resources containing HTML forms
4
Number of HTML forms
5
Number of hidden fields
10
No comments:
Post a Comment