isecpartners.com, can be allowed to invoke an
ActiveX control, whereby all servers in the isecpartners.com domain can invoke COM
objects on the user's system. SiteLock can ensure that ActiveX objects are not exposed to
the world once a user downloads them and installs them via the web browser.
Unfortunately, cross-site scripting (XSS) and Domain Name System (DNS) attacks
can still subvert this control. If an XSS attack were present on any web application on
*.isecpartners.com, an attacker could target a user's browser by bouncing the attack off a
vulnerable web server in the isecpartners.com domain. Hence, when using SiteLock, the
domains that are deemed trusted should be secure from common web application attacks
such as XSS.
Chapter 8: ActiveX Security 203
Furthermore, SiteLock relies on DNS names, but DNS was not designed to offer strong security.
A successful attack against DNS can render SiteLock ineffective if SiteLock is not forced to
use SSL. For example, if SiteLock is set up to force the use of
HTTPS with *.isecpartners.com, you can protect against DNS attacks. However, if HTTP
is used with *.isecpartners.com, DNS attacks are possible, even if you use SiteLock.
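The scheme-plus-domain check described above, written out as an added illustration in C++ (this is not Microsoft's SiteLock template or its API; the `TrustedSite` list, the wildcard semantics and the two policy tables are assumptions of this example). It shows why the "HTTPS only" policy is the one that holds up when DNS is not trustworthy: with HTTP allowed, any page served under a spoofed *.isecpartners.com name passes the check.

```cpp
// Added example of a SiteLock-style allowlist check; not Microsoft's SiteLock code.
#include <string>
#include <vector>
#include <algorithm>
#include <cctype>

struct TrustedSite {
    std::string scheme;   // "https" or "http" (assumed representation)
    std::string pattern;  // exact host or "*.example.com"
};

// Split "scheme://host[:port][/path]" into lowercase scheme and host; false if malformed.
static bool SplitUrl(const std::string& url, std::string& scheme, std::string& host) {
    size_t sep = url.find("://");
    if (sep == std::string::npos) return false;
    scheme = url.substr(0, sep);
    size_t start = sep + 3;
    size_t end = url.find_first_of("/:?#", start);
    host = url.substr(start, end == std::string::npos ? std::string::npos : end - start);
    if (host.empty()) return false;
    auto lower = [](unsigned char c) { return static_cast<char>(std::tolower(c)); };
    std::transform(scheme.begin(), scheme.end(), scheme.begin(), lower);
    std::transform(host.begin(), host.end(), host.begin(), lower);
    return true;
}

// Wildcard semantics chosen for this example: "*.isecpartners.com" matches
// "www.isecpartners.com" but not "evil-isecpartners.com" (the dot must be a label boundary).
static bool HostMatches(const std::string& pattern, const std::string& host) {
    if (pattern.rfind("*.", 0) == 0) {
        std::string suffix = pattern.substr(1);  // ".isecpartners.com"
        return host.size() > suffix.size() &&
               host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return pattern == host;
}

// True if the page at hostUrl may instantiate the control under the given policy.
bool SiteAllowed(const std::vector<TrustedSite>& policy, const std::string& hostUrl) {
    std::string scheme, host;
    if (!SplitUrl(hostUrl, scheme, host)) return false;
    for (const TrustedSite& s : policy)
        if (s.scheme == scheme && HostMatches(s.pattern, host)) return true;
    return false;
}

// Weak policy from the text: plain HTTP is trusted, so a forged DNS answer for the name is enough.
const std::vector<TrustedSite> kWeakPolicy = {{"http", "*.isecpartners.com"}, {"https", "*.isecpartners.com"}};
// Hardened policy: HTTPS only, so the server must also present a valid certificate for the name.
const std::vector<TrustedSite> kHttpsOnlyPolicy = {{"https", "*.isecpartners.com"}};
```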