Information on Browsers
1. Introduction
2. Browser Overview
3. Components Overview
4. Scripting
5. Resources
1. Introduction:-
The browser provides multimedia capabilities: graphics, sound and movies, linked together in a World Wide Web of hypertext. Text can be formatted in various fonts, styles, colors and sizes.
Pages can contain pictures, sounds and movies (multimedia). Browser technology enables server-side programming with CGI, or client-side programming with Java and with browser plug-ins such as Shockwave. World Wide Web pages, previously limited to text and static graphics, can now render small sound and video files. This works as follows: the server informs the browser of the MIME content type of the object that follows, and the browser consults its internal tables to see whether that MIME type is known to it. If so, it either displays the object inside the browser window or invokes a plug-in application to handle it. Essentially a plug-in is a helper application that runs within the browser. Netscape plug-ins work in the same way as helper applications but are much more tightly integrated into the browser software itself: instead of, say, invoking the Microsoft audio-visual player to handle .avi movie files, the browser calls a plug-in internally to play the movie directly within the browser window. The plug-ins themselves are software modules that can directly control the browser but do not run as stand-alone applications; they are loaded into the browser's own process, so a flaw in a plug-in is a flaw in the browser. These plug-ins tend to be known generically as components or objects.
From a security perspective, how your browser or operating system achieves a particular task can be broken down into two categories: components and scripting. Components tend to be programs that must be downloaded from the Internet before they execute on your machine. Components, also known as objects, are presently fashionable; their main claim is one of efficiency, i.e. they run on the client side and, through software re-use, save programmers from re-inventing the wheel. Examples of componentware are ActiveX and Java applets. Scripting revolves around gaining direct access either to the browser's run-time functions or to the commands native to the machine on which the script runs, e.g. .bat files on MS-DOS.
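The content-type dispatch described above, as an added example in JavaScript (this is not code from the original page or from any browser). The handler table is constructed for the example and stands in for the browser's internal MIME table; the parsing follows the HTTP header syntax (media type, then ";"-separated parameters, with the type matched case-insensitively). The two defensive rules shown, honouring Content-Disposition: attachment and refusing to guess a type when the header is unusable, are the ones a practitioner cares about, because guessing is how a file uploaded as an "image" ends up rendered as HTML under the site's own origin.

```javascript
// Added example: how a browser turns the server's Content-Type header into a
// decision (render inline, hand to a plug-in, or save to disk).
// HANDLERS is a constructed stand-in for the browser's internal MIME table.
const HANDLERS = new Map([
  ["text/html",                     { action: "render" }],
  ["text/plain",                    { action: "render" }],
  ["image/gif",                     { action: "render" }],
  ["image/jpeg",                    { action: "render" }],
  ["audio/x-wav",                   { action: "plugin", name: "sound player plug-in" }],
  ["video/x-msvideo",               { action: "plugin", name: "AVI player plug-in" }],
  ["application/x-shockwave-flash", { action: "plugin", name: "Shockwave plug-in" }],
  ["application/octet-stream",      { action: "download" }],
]);

// Split "type/subtype; name=value; ..." into its media type and parameters.
// Returns null when there is no usable header.
function parseContentType(header) {
  if (typeof header !== "string") return null;
  const [rawType, ...rawParams] = header.split(";");
  const mediaType = rawType.trim().toLowerCase();
  if (!/^[\w.+-]+\/[\w.+-]+$/.test(mediaType)) return null;
  const params = {};
  for (const p of rawParams) {
    const eq = p.indexOf("=");
    if (eq < 0) continue;
    const name = p.slice(0, eq).trim().toLowerCase();
    let value = p.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    params[name] = value;
  }
  return { mediaType, params };
}

// Decide what to do with a response body given its headers.
function dispatch({ contentType, contentDisposition } = {}) {
  // "Content-Disposition: attachment" is the server's way of saying
  // "save this, never render it", and it wins over the type.
  if (typeof contentDisposition === "string" && /^\s*attachment\b/i.test(contentDisposition)) {
    return { action: "download", reason: "Content-Disposition: attachment" };
  }
  const ct = parseContentType(contentType);
  // No usable type: treat the body as opaque bytes. Guessing a type from the
  // content ("sniffing") is what lets an uploaded "image" run as HTML.
  if (!ct) return { action: "download", reason: "no usable Content-Type" };
  const handler = HANDLERS.get(ct.mediaType);
  if (!handler) return { action: "download", reason: "no handler for " + ct.mediaType };
  return { ...handler, mediaType: ct.mediaType, charset: ct.params.charset };
}
```

Types the table does not know, including the archive types the WebTV note below mentions, fall through to a download rather than to a guess; a real browser of the period would instead offer to find a helper application, which is the point at which the user is asked to trust something.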
There is a subtle distinction between compiled and interpreted methods. Compiled generally means that the program contains machine-code instructions native to the processor on which it will run. Interpreted means that the commands must be translated into machine code for the processor at run time; the Java bytecodes and the scripting languages described below are interpreted. In terms of safety the distinction matters little: compiled code has no sandbox at all, and interpreted code is only as safe as its interpreter and the objects it is allowed to call. Both are dangerous to personal client security and should be disabled unless there is a specific need for them.
2. Browser Overview:-
Arachne
DOS-based and fast, with an Amiga-style look and feel.
Lynx
Lynx is a fully featured text-based World Wide Web browser for users on Unix, VMS and other platforms running cursor-addressable, character-cell terminals or emulators. That includes VT100 terminals, other character-cell displays, and VT100 emulators such as Kermit or Procomm running on PCs or Macs. Because it renders no images and runs no applets or page scripts, it has far less of the attack surface described below.
Microsoft Internet Explorer
Internet Explorer is built on innovative, standards-based technologies such as ActiveX, SOAP, Dynamic HTML and the Channel Definition Format (CDF), making it the premier platform for creating fast, engaging and interactive Web content.
Netscape
Netscape is one of the original Web browsers and the one Microsoft designed Internet Explorer to compete against. Netscape and IE between them comprise the major portion of the browser market.
Opera
Opera is smaller and faster than most other browsers, yet it is full-featured: fast, user-friendly, with a keyboard interface, multiple windows, zoom functions and more. Java and non-Java versions are available. Ideal for newcomers to the Internet, and as a front-end for CD-ROMs and kiosks. It is recommended for on-topic surfing, since it has a small memory footprint.
WebTV
Used by many who don't own a PC. It is essentially a view-only interface with a limited set of MIME content types available for rendering, i.e. jpeg, mpeg, avi etc. but not zip contents; there is a webtv2news gateway available. It is inherently insecure, with numerous instances of e-mail hacking, account takeovers etc., but it can be an informative introduction to the Internet.
3. Components:-
Java:
Java is an object-oriented programming language used, among other things, to create programs known as "applets". These can be included in a web page through the "applet" tag (or the "object" tag in later browsers) and are downloaded on demand to be executed on the client machine. Applets are nominally platform independent and should therefore run on any machine architecture: just as HTML files can be displayed on any platform, applets can be executed on any platform that has a Java-capable browser. Java achieves this platform independence by generating "bytecodes" instead of binary instructions specific to the platform processor; the bytecodes are then interpreted by a Java Virtual Machine. The disadvantage of bytecodes is execution speed, since they must first be interpreted. Java is owned by Sun Microsystems. Unlike ActiveX, applets are meant to run inside a sandbox: the JVM's security manager is supposed to stop an unsigned applet from reading or writing your files, using the modem, or connecting anywhere but the host it came from. In practice running applets is still unsafe: a signed applet that the user accepts runs with full access to operating system calls, which can mean executing hard disk commands, file read/write commands and modem commands, retrieving your IP number and so on, and the sandbox itself has had a long series of bugs that let unsigned applets do the same.
Servlets:
Java servlets are web server plug-ins that allow dynamic web content to be created using Java on the SERVER side. Note the distinction: Java applets execute on the client side, i.e. your PC; servlets execute on the server that received the request. Servlets have one advantage over CGI in that each request is handled in a separate thread, whereas CGI starts an operating system process for each client request. Relatively safe from the client's point of view, since nothing is downloaded; on the server they handle attacker-supplied input like any other server code.
ActiveX:
ActiveX is Microsoft's name for components built on its Component Object Model (COM), the technology underlying OLE (Object Linking and Embedding), and is Microsoft's answer to Java applets. Windows itself now uses COM components extensively, and .NET, although a separate runtime, interoperates with COM and leans heavily on XML. C/C++, Visual Basic and other languages can be used to create ActiveX objects, which are declared as components inside an HTML web page through the "object" tag. They can be executed locally, i.e. on your PC, or remotely, i.e. on another PC as a separate process that shares its output; the latter uses Remote Procedure Calls (RPC) and is named DCOM (Distributed COM). Although specific to Intel-type machines, variants are available for Unix clones. Running ActiveX components on any PC is inherently unsafe since there is no sandbox: they are given free access to make Win32 function calls to the Windows operating system, which can mean executing hard disk commands, registry commands, modem commands etc. An Authenticode signature on a control identifies its publisher; it does not limit what the control can do, and a control marked "safe for scripting" can be driven by any page's script once it is installed. DCOM is also hard to firewall, since after an initial exchange on the endpoint mapper (port 135) components communicate directly on dynamic ports. Another subtle aspect of OLE, COM and DCOM is that each component class has a unique id known as a GUID (its CLSID), stored both in the registry and in the object, for example: {32BB8323-B41B-11CF-A6BB-0080C7B2D682}. The GUIDs generated by the tools of the period are "version 1" GUIDs, which embed the time of generation and the MAC address of the network card in the machine that generated them; the last group of the example above is such an address. Whether or not Microsoft had any ulterior motive in designing them this way, a GUID created on your machine (in a document, or in a component you build) can therefore identify that machine to others, and such identifiers are among the things adware, spyware and law-enforcement tracking programs can collect. Note that the CLSID of a component you merely install identifies the vendor's machine, not yours.
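The claim about GUIDs rests on how version-1 GUIDs are laid out. As an added example (not code from the original page), the following JavaScript takes the CLSID quoted above apart using the DCE/RFC 4122 layout: the first nibble of the third group is the version, the first three groups hold a 60-bit timestamp in 100 ns ticks since 15 October 1582, and the last group is the 48-bit "node", normally the MAC address of the generating machine's network card. The epoch offset constant is the standard one; everything else is derived from the GUID text itself.

```javascript
// Added example: field extraction from a DCE / RFC 4122 version-1 GUID, the
// layout COM tools of the period used for CLSIDs.
const GUID_RE = /^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$/i;
// Ticks (100 ns) between the GUID epoch (1582-10-15) and the Unix epoch.
const GREGORIAN_TO_UNIX_TICKS = 122192928000000000n;

function parseGuid(text) {
  const m = GUID_RE.exec(text.trim());
  if (!m) throw new Error("not a GUID: " + text);
  const [timeLow, timeMid, timeHiVer, clockSeq, node] = m.slice(1).map(s => s.toLowerCase());
  const version = parseInt(timeHiVer[0], 16);
  const result = {
    version,
    clockSeq: parseInt(clockSeq, 16) & 0x3fff,
    timestamp: null,   // only meaningful for version 1
    node: null,        // only meaningful for version 1
    nodeIsRandom: null,
  };
  if (version !== 1) return result;

  // 60-bit timestamp: low 12 bits of time_hi_and_version, then time_mid,
  // then time_low, counted in 100 ns ticks since 1582-10-15.
  const ticks = (BigInt("0x" + timeHiVer.slice(1)) << 48n)
              | (BigInt("0x" + timeMid) << 32n)
              |  BigInt("0x" + timeLow);
  const unixMillis = (ticks - GREGORIAN_TO_UNIX_TICKS) / 10000n;
  result.timestamp = new Date(Number(unixMillis));

  // Node: six bytes printed as a MAC address. RFC 4122 says a generator with
  // no hardware address sets the multicast bit of the first byte, so a clear
  // bit means a real card address was used.
  const octets = node.match(/../g);
  result.node = octets.join(":");
  result.nodeIsRandom = (parseInt(octets[0], 16) & 0x01) === 1;
  return result;
}

// Worked run on the CLSID from the text: version 1, generated on 22 May 1996
// on a machine whose network card had the address 00:80:c7:b2:d6:82.
const EXAMPLE = parseGuid("{32BB8323-B41B-11CF-A6BB-0080C7B2D682}");
```

The same routine run over GUIDs found in documents or in the registry on your own machine shows whether they carry your card's address. A version-4 GUID, as modern generators produce, is random apart from the version nibble and carries neither a timestamp nor a node, which is why the function returns null for those fields.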
DLLs
DLLs are executable libraries. On a web server they can act as plug-ins (Microsoft's ISAPI, for instance) that create dynamic web content on the SERVER side. Note the distinction: ActiveX components execute on the client side, i.e. your PC, whereas these DLLs execute on the server that received the request. A related distinction is COM's "in process" versus "out of process": a component loaded from a DLL into the caller's own address space is an in-process server, while one running as a separate program that the caller reaches over RPC is out-of-process. An in-process control shares the browser's memory and privileges completely, so a flaw in it is a flaw in the browser. A good example would be Internet Explorer 5 running two or three ActiveX objects in-process in its browser namespace while making requests to a server-side DLL that has been tasked to supply HTML content for those controls.
4. Scripting:-
CGI:
CGI (Common Gateway Interface) is a means, through the use of scripts, by which web servers interface with other application programs and thereby extend the services the web server provides. Common examples are chat boards, stock ticker prices and database tables formatted for display. The most common language for a CGI program is Perl; others can be used, e.g. C/C++, Java, JavaScript, Visual Basic, etc. A typical request might look like this: Web Browser ---> Web Server ---> CGI ---> ChatBoard, which returns a chat page to the web browser refreshed with updated content. With all the processing taking place on the server side, CGI is relatively safe for the client. For the server it is the reverse: every part of the request is attacker-controlled, the script runs with the web server's privileges, and a script that passes a request value into a shell command or a file path without validating it hands the attacker those privileges.
BAT:
BAT files are ASCII text files that contain MS-DOS and Windows system commands. They are interpreted directly by MS-DOS, or from inside a virtual DOS window under Windows, and allow repetitive sequences of commands or tasks to be executed. Unless sanctioned by the PC owner, running .bat scripts is highly unsafe, as is amending the standard .bat files in Windows, such as autoexec.bat. They should all have read-only status, bearing in mind that the read-only attribute is a trip wire rather than a barrier: anything already running as you can clear it with attrib -r.
JavaScript:
JavaScript: Despite its name and a Java-like syntax, JavaScript is not Java. It is an interpreted scripting language developed by Netscape (not Sun), whereas Java is compiled to bytecodes before it reaches the browser. It is highly interactive with HTML and is written directly into the web page with which it is associated, so it can be read by viewing the page as a text document. Allowing a machine to execute JavaScript is unsafe chiefly because of what the script can reach: it can read and write cookies, and in Internet Explorer, if the security zone settings permit, it can instantiate components through ActiveXObject, including ones such as WScript.Shell that will run MS-DOS commands like del C:\*.* or format C: on the script's behalf or return your IP address. Outside the browser the same language, as JScript under the Windows Scripting Host, runs with the full rights of the user who launches it.
VBScript:
VBScript is a scripting language developed by Microsoft and is a subset of Visual Basic. It is highly interactive with HTML and is written directly into the web page with which it is associated; it runs only in Internet Explorer and in the Windows Scripting Host, not in Netscape or Opera. Allowing a machine to execute VBScript is very unsafe for the same reason as JavaScript: through CreateObject it can reach components such as WScript.Shell and Scripting.FileSystemObject that execute other programs, run MS-DOS commands like del C:\*.* or format C:, retrieve your IP address and read and write files, and it can read and write cookies. Under WSH a .vbs file arriving as an e-mail attachment runs with the rights of whoever opens it.
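As an added example (not code from the original page), here is a small static scanner in JavaScript for the constructs the JavaScript and VBScript sections describe: "object" tags that load a component by CLSID, CreateObject / new ActiveXObject calls that instantiate components by ProgID, and blocks produced by the Windows Script Encoder, which hide such calls from casual reading. The ProgIDs in the list are real Windows ones; the HTML page it scans is constructed for this example and the WScript.Shell and FileSystemObject calls in it are the kind the text warns about.

```javascript
// Added example: flag the places where page script reaches outside the
// browser. ProgIDs below are real Windows components; SAMPLE_PAGE is constructed.
const RISKY_PROGIDS = new Set([
  "wscript.shell",               // Run / Exec arbitrary commands
  "scripting.filesystemobject",  // read, write and delete files
  "shell.application",           // ShellExecute
  "wscript.network",             // map drives, enumerate user and domain
]);

// <script ...> ... </script>: capture the attribute list and the body.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
// <object ...> carrying a classid attribute.
const OBJECT_TAG = /<object\b[^>]*\bclassid\s*=\s*["']?clsid:([0-9a-f-]{36})/gi;
// Component instantiation in JScript/JavaScript or VBScript, with a literal ProgID.
const CREATE_CALL = /\b(?:new\s+ActiveXObject|WScript\.CreateObject|CreateObject|GetObject)\s*\(\s*(["'])([^"']+)\1/gi;
// Header emitted by the Windows Script Encoder (.jse/.vbe files and inline blocks).
const ENCODED_MARK = /#@~\^/;

function languageOf(attrs) {
  const m = /\b(?:language|type)\s*=\s*["']?([\w\/.-]+)/i.exec(attrs);
  const v = m ? m[1].toLowerCase() : "";
  return v.includes("vb") ? "vbscript" : "jscript";
}

function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(OBJECT_TAG)) {
    findings.push({ kind: "object", detail: m[1].toUpperCase() });
  }
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const lang = languageOf(m[1]);
    const body = m[2];
    if (ENCODED_MARK.test(body)) {
      findings.push({ kind: "encoded", detail: lang + " block is Script Encoder output; source hidden", lang });
    }
    for (const c of body.matchAll(CREATE_CALL)) {
      const progId = c[2];
      findings.push({
        kind: RISKY_PROGIDS.has(progId.toLowerCase()) ? "risky-component" : "component",
        detail: progId,
        lang,
      });
    }
  }
  return findings;
}

// Constructed sample page: a harmless script, an IE JScript block that runs a
// command through WScript.Shell, a VBScript block that opens the file system,
// an object tag loading a component by CLSID, and an encoded block.
const SAMPLE_PAGE = `
<html><body>
<script language="JavaScript">document.write("hello " + new Date());</script>
<script language="JScript">
  var sh = new ActiveXObject("WScript.Shell");
  sh.Run("cmd /c dir C:\\\\", 0, true);
</script>
<script language="VBScript">
  Set fso = CreateObject("scripting.filesystemobject")
  Set f = fso.OpenTextFile("C:\\autoexec.bat", 1)
</script>
<object classid="clsid:32BB8323-B41B-11CF-A6BB-0080C7B2D682" id="ctl"></object>
<script language="VBScript.Encode">#@~^ZgAAAA==MAAAAv^#~@</script>
</body></html>`;

function summarize(html) {
  const f = scanHtml(html);
  return {
    total: f.length,
    risky: f.filter(x => x.kind === "risky-component").map(x => x.detail),
    objects: f.filter(x => x.kind === "object").map(x => x.detail),
    encoded: f.filter(x => x.kind === "encoded").length,
  };
}

const REPORT = summarize(SAMPLE_PAGE);
```

The scanner matches ProgIDs case-insensitively because VBScript is; it does not see a ProgID assembled at run time from string fragments, nor a component that a page instantiates by CLSID and then drives through script, so treat a clean result as "nothing obvious" rather than "safe". An encoded block is reported on its own, since nothing inside it can be inspected without decoding it first.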
Windows Scripting Host (WSH)
This is only required by some programmers and by users with special software. Because WSH is exploited by widely distributed e-mail viruses (the script arrives as a .vbs attachment and runs, with the recipient's rights, as soon as it is opened) and by subtle trojans, most users will benefit from removing WSH from their computer. Follow the instructions under "Removing Windows Scripting Host" in the Resources section.
Shell Scripts:
Shell scripts are ASCII text files that contain Unix and shell commands. Some Unix commands are the same as DOS commands; shell commands are those interpreted directly by the shell you specify. These form a mini programming language allowing branching, looping, decision making etc., making shell scripts a scripting language. Shell scripts serve the same purpose as EXEC in CMS, CMD files in OS/2, or BAT files in MS-DOS. Again they are inherently unsafe, since a script gets whatever access its invoker has, to any process or command reachable from the shell.
Perl:
Perl is a scripting language with C-style syntax. It is compiled to an internal form and then interpreted, so the compiled/interpreted distinction matters little here. It is optimised for scanning arbitrary text files, extracting information and printing reports based on that information, and is an excellent choice for web application development, particularly in conjunction with CGI. Perl gives direct access to system commands through built-ins such as system, exec, backticks and piped open, which is exactly where CGI scripts that pass unchecked user input go wrong; its taint mode (the -T switch) exists to catch that.
5. Resources:-
Java:
http://www.gamelan.com
news:comp.lang.java
ActiveX:
CGI:
news:comp.infosystems.www.authoring.cgi
Bat:
JavaScript:
news:comp.lang.javascript
http://www.home.netscape.com/eng/mozilla/gold/handbook/javascript
http://www.1 avenue.com/darkfaq/index.htmll
Visual Basic:
http://www.microsoft.com/vbasic/
http://www.apexsc.com/vb/
http://www.vbxtras.com
http://www.inquirey.com/techtips/thevbpro/
VBScript:
http://www.microsoft.com/vbscript
http://www.vbonline.com
http://www.netins.net/showcase/legend/vb/
Shell Script:
http://www.hyperion.com/~coreth/uncgi.html
http://physics.ucsc.edu/tutor/shell.html
http://www.ccpo.odu.edu/ug/shell_help.html
http://theory.uwinnipeg.ca/UNIXhelp/scrpt/
Perl:
http://www.cis.ufl.edu/perl
http://www.perl.com
http://www.eecs.nwu.edu/perl/perl.htm
http://www.perl.org
news:comp.lang.perl
Windows Scripting
Windows Script 5.5 Released
Microsoft JScript 5.5 and VBScript 5.5 are now available for download. This release of Windows Script includes enhancements for the ECMA-262 Version 3 Standard (ECMAScript) for JScript. VBScript's regular expression support has also been improved to match JScript's.
Remote Scripting 1.0b Released
This release updates the samples so that they work on Internet Information Services (IIS) version 5 in Windows 2000 and allows you to create VBScript class-based Active Server Pages to be used via Remote Scripting. For more information see the Scripting Clinic article on Remote Scripting.
Microsoft Script Debugger Update
Due to a known issue with Script Debugger version 1.0a, Microsoft has re-released version 1.0 for users of Windows 95 and Windows 98. Users running Windows NT or Windows 2000 with Internet Explorer 5 should still download version 1.0a and do not need to reinstall version 1.0. Both versions can be downloaded from the Script Debugger download page.
Windows Script Component Wizard Released
Version 1.0 of the Windows Script Component Wizard provides an easy-to-use wizard for creating Windows Script Components. The released version has been updated to take advantage of the new XML definition in the final release of Windows Script Components.
Windows Script Encoder 1.0 Released
The Windows Script Encoder allows you to encode your scripts in HTML pages, ASP pages and Windows Script Host files so that it is difficult for users to read your code. Note that this is obfuscation, not encryption: the encoding is a fixed, reversible substitution, decoders are freely available, and the same mechanism serves to hide hostile script from casual inspection (an encoded block starts with the marker #@~^).
Removing Windows Scripting Host
Note: If programs don't work as intended after removal of WSH, reinstall it. These steps may need to be repeated after upgrades to programs such as Internet Explorer, which often include WSH in their install. Be clear about what the file-type method (Windows 2000, ME, 95 and NT) actually does: it stops .vbs files from running when opened or double-clicked, but .js, .jse, .vbe, .wsf and .wsh stay registered unless you remove those too, and wscript.exe and cscript.exe remain on the machine and will still run any script passed to them explicitly. An alternative many administrators prefer is to re-associate those extensions with Notepad, so that an opened script is displayed rather than run.
Windows 2000 & Windows ME
Open My Computer from the desktop or from within Windows Explorer.
Select Folder Options from the Tools menu.
Click on the File Types tab.
Scroll down to the VBS extension and click on it when found.
Click on Delete and delete the VBS extension from your system.
Windows 98
Click on the Start button and select Control Panel from the Settings menu.
Open the Add/Remove Programs control panel.
Click on the Windows Setup tab.
Double-click on Accessories.
Scroll down to the Windows Scripting Host checkbox and remove the checkmark if one is present.
Click on "OK" until all "Add/Remove Software" windows are closed, uninstalling WSH.
Windows 95 & NT 4.X
Open My Computer from the desktop or from within Windows Explorer.
Select Options from the View menu.
Click on the File Types tab.
Scroll down to the VBScript Script File file type and click on it when found.
Click on Remove and delete the VBScript Script file from your system.