We have already looked at how to make a simple request to a server.
However, such an approach is not always safe. Let us consider some
scenarios.
Let us assume you have a bank account and you can manage this account
over the Internet in a browser. To work with the bank's web application you
authenticate on the bank's web site, and the server stores a record of this in
your cookie. It is this record in the cookie that distinguishes you from a
non-authenticated user. Now let us assume that there is an attacker who wants
to gain access to your bank account. The attacker can create a Silverlight
application that runs in your browser. A feature of such applications is that
when they access a server, they can also use the cookies previously set for
that web site. All the attacker needs is to get you to start this application.
The application can be hidden inside an innocent-looking joke, for example one
that displays a funny card. In reality, however, it will access the bank's web
application using your credentials and transfer money to another account. This
situation can be represented by the following diagram.
Figure 2: Multiple access to a server
Let us consider another dangerous scenario.
Let us assume that a web service located on a server performs
resource-intensive operations: for example, each operation requires a
significant amount of processor time or some other expensive resource. In this
case an attacker can publish an application that issues several requests to
this operation simultaneously. He can then get a large number of people to
visit the site and thus mount a massive DoS attack on the application. Such
attacks are especially dangerous because the requests come from many different
computers, so it is impossible to prevent the attack simply by blocking a range
of IP addresses.