Denial of Service: SYN Flood Attack
[Figure: the intruder sends "(SYN) Hello. I'm 1.1.1.1" to the server; the server is labelled "I'm ready. I'm waiting for you." followed by repeated "I'm waiting......". A user sends "(SYN) Hello. I'm here" and the server is labelled "Sorry. I'm busy."]
Distributed Denial of Service Attack
[Figure: an attacker, several master hosts, many agent hosts, and the victim]
Threats from Mobile Code
• Cookies
• Scripts
• Active code
  – JavaScript
  – ActiveX controls
• Automatic execution based on type
• Worms
Mobile Code
• What is mobile code?
  – Executable program
  – Sent via a computer network
  – Executed at the destination
• Examples
  – JavaScript
  – ActiveX
  – Java Plugins
  – Integrated Java Virtual Machines
10/16/2016 Web Security
JavaScript
• Scripting language interpreted by the browser
• Code enclosed within <script> … </script> tags
• Defining functions:
    <script type="text/javascript">
    function hello() { alert("Hello world!"); }
    </script>
• Event handlers embedded in HTML
    <img src="picture.gif" onMouseOver="javascript:hello()">
• Built-in functions can change content of window
    window.open("http://brown.edu")
• Click-jacking attack
    <a onMouseUp="window.open('http://www.evilsite.com')" href="http://www.trustedsite.com/">Trust me!</a>
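The link in the click-jacking slide shows one destination in its href while its onMouseUp handler opens another, and that mismatch can be found by static inspection of the markup. The following audit is an added example, not part of the original slides; the function names and the second and third sample links are assumptions constructed for illustration.

```javascript
// Added example (not from the slides): flag <a> tags whose inline event
// handlers reference a different host than the href the user sees.
// SAMPLE_HTML is constructed; the first link is the one shown on the slide.
const SAMPLE_HTML = `
<a onMouseUp="window.open('http://www.evilsite.com')" href="http://www.trustedsite.com/">Trust me!</a>
<a href="http://brown.edu/" onclick="window.open('http://brown.edu/map')">Map</a>
<a href="http://www.trustedsite.com/about">About</a>
`;

// Collect name="value" / name='value' attributes of one tag (names lowercased).
function parseAttributes(tagSource) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tagSource)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Host of an absolute URL, or null if the string is not one (e.g. relative href).
function hostOf(url) {
  try { return new URL(url).host; } catch (e) { return null; }
}

// Regex scan is a simplification: it assumes quoted attribute values
// that contain no '>' character; a real audit would use an HTML parser.
function findMismatchedLinks(html) {
  const findings = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const attrs = parseAttributes(tag);
    const hrefHost = hostOf(attrs.href || "");
    if (hrefHost === null) continue; // no absolute href to compare against
    for (const [name, script] of Object.entries(attrs)) {
      if (!name.startsWith("on")) continue; // only inline event handlers
      for (const url of script.match(/https?:\/\/[^\s'"()<>]+/g) || []) {
        const handlerHost = hostOf(url);
        if (handlerHost !== null && handlerHost !== hrefHost) {
          findings.push({ event: name, hrefHost, handlerHost });
        }
      }
    }
  }
  return findings;
}

console.log(findMismatchedLinks(SAMPLE_HTML));
```

Only the slide's link is reported; the same-host handler and the plain link pass.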