Security for Web Developers Using JavaScript, HTML and CSS (Early Release, Raw & Unedited) by John Paul Mueller

O’Reilly Media, Inc. 7/21/2015

I
Developing a Security Plan

1
Defining the Application Environment
Data is the most important resource that any business owns. It’s literally possible to
replace any part of a business except the data. When the data is modified, corrupted,
stolen, or deleted, a business can suffer serious loss. In fact, a business that has enough go
wrong with its data can simply cease to exist. The focus of security, therefore, is not
hackers, applications, networks, or anything else someone might have told you—it’s data.
Therefore, this book is about data security, which encompasses a broad range of other
topics, but it’s important to get right to the point of what you’re really looking to protect
when you read about these other topics.
Unfortunately, data isn’t much use sitting alone in the dark. No matter how fancy your
server is, no matter how capable the database that holds the data, the data isn’t worth
much until you do something with it. The need to manage data brings applications into
the picture and the use of applications to manage data is why this introductory chapter
talks about the application environment.
However, before you go any further, it’s important to decide precisely how applications
and data interact because the rest of the chapter isn’t very helpful without this insight. An
application performs just four operations on data, no matter how incredibly complex the
application might become. You can define these operations by the CRUD acronym:
• Create
• Read
• Update
• Delete
The sections that follow discuss data, applications, and CRUD as they relate to the web
environment. You discover how security affects all three aspects of web development,
keeping in mind that even though data is the focus, the application performs the required
CRUD tasks. Keeping your data safe means understanding the application environment
and therefore the threats to the data the application manages.


Specifying Web Application Threats


You can find lists of web application threats all over the Internet. Some of the lists are
quite complete and don’t necessarily have a bias, some address what the author feels are
the most important threats, some lists tell you about the most commonly occurring
threats, and you can find all sorts of other lists out there. The problem with all these lists
is that the author doesn’t know your application. A SQL injection attack is only useful if
your application uses SQL in some way—perhaps it doesn’t.
Obviously, you need to get ideas on what to check from somewhere and these lists do
make a good starting place. However, you need to consider the list content in light of
your application. In addition, don’t rely on just one list—use multiple lists so that you
obtain better coverage of the threats that could possibly threaten your application. With
this need in mind, here is a list of the most common threats you see with web applications
today:
• Buffer Overflow: An attacker manages to send enough data in an input buffer to
overflow an application or output buffer. As a result, memory outside the buffer
becomes corrupted. Some forms of buffer overflow allow the attacker to perform
seemingly impossible tasks because the affected memory contains executable code.
The best way to overcome this problem is to perform range and size checks on any
data, input or output, that your application handles.
• Code Injection: An entity adds code to the data stream flowing between a server and
a client (such as a browser). The target often views the added code as part of the
original page, but it could contain anything. Of course, the target may not even see
the injected code. It might be lurking in the background ready to cause all sorts of
problems for your application. A good way to overcome this attack is to ensure you
use encrypted data streams, the HTTPS protocol, and code verification (when
possible). Providing a client feedback mechanism is also a good idea.

Code injection occurs more often than you might think. In some cases,
the code injection isn’t even part of an attack, but it might as well be. A
recent article (see http://www.infoworld.com/article/2925839/net-
neutrality/code-injection-new-low-isps.html) discusses how Internet
Service Providers (ISPs) are injecting JavaScript code into the data
stream in order to overlay ads on top of a page. In order to determine
what sort of ad to provide, the ISP also monitors the traffic.

• Cross-site Scripting (XSS): An attacker injects JavaScript or other executable code
into the output stream of your application. The recipient sees your application as the
source of the infection, even when it isn’t. In most cases, you don’t want to allow
users to send data directly to each other through your application without strict
verification. A moderated format for applications such as blogs is a must to ensure
your application doesn’t end up serving viruses or worse along with seemingly
benign data.

Few experts remind you to check your output data. However, you don’t
actually know that your own application is trustworthy. A hacker could
modify it to allow tainted output data. Verification checks should
include output data as well as input data.


• File Uploads: Every file upload, even those that might seem otherwise innocuous, is
suspect. If possible, disallow file uploads to your server. Of course, it isn’t always
possible to provide this level of security, so you need to allow just certain types of
file and then scan the file for problems. Authenticating the file as much as is possible
is always a good idea. For example, some files contain a signature at the beginning
that you can use to ensure the file is legitimate. Don’t rely on file extension
exclusion alone—hackers often make one file look like another type in order to
bypass server security.
• Hard Coded Authentication: Developers often place authentication information in
application initialization files for testing purposes. It’s essential to remove these hard
coded authentication entries and rely on a centralized data store for security
information instead. Keeping the data store in a secure location, off the server used
for web applications, is essential to ensuring that hackers can’t simply view the
credentials used to access the application in certain ways. If you do need
initialization files for the application, make sure these files reside outside the
webroot directory to ensure that hackers can’t discover them accidentally.
• Hidden or Restricted File/Directory Discovery: When your application allows input
of special characters such as the forward slash (/) or backslash (\), it’s possible for a
hacker to discover hidden or restricted files and directories. These locations can
contain all sorts of information that a hacker can find useful in attacking your
system. Disallowing use of special characters whenever possible is a great idea. In
addition, store critical files outside the webroot directory in locations that the
operating system can control directly.
• Missing or Incorrect Authentication: It’s important to know whom you’re dealing
with, especially when working with sensitive data. Many web applications rely on
common accounts for some tasks, which means it’s impossible to know who has
accessed the account. Avoid using guest accounts for any purpose and assign each
user a specific account to use.
• Missing or Incorrect Authorization: Even if you know the person you’re dealing
with, it’s important to provide only the level of authorization needed to perform a
given task. In addition, the authorization should reflect the user’s method of access.
A desktop system accessing the application from the local network is likely more
secure than a smartphone accessing the application from the local coffee shop.
Relying on security promotion to assist in sensitive tasks lets you maintain minimal
rights the rest of the time. Anything you can do to reduce what the user is authorized
to do helps maintain a secure environment.
• Missing or Incorrect Encryption: Use encryption to transmit data of any sort between
two endpoints to help keep hackers from listening in on your communication. It’s
important to keep track of the latest encryption techniques and rely on the best
encryption supported by the user’s environment. For example, Triple Data
Encryption Standard (3DES) isn’t secure any longer, yet some organizations
continue to use it. The current Advanced Encryption Standard (AES) remains mostly
secure, but you want to use the largest key possible to help make it harder to crack.
• Operating System Command Injection: An attacker modifies an operating system
command your application uses to perform specific tasks. Your web-based
application probably shouldn’t use operating system calls in the first place. However,
if you absolutely must make operating system calls, make sure the application runs
in a sandbox.


Some experts will emphasize validating input data for some uses and
leave the requirement off for other uses. Always validate any data you
receive from anywhere. You have no way of knowing what vehicle a
hacker will use to obtain access to your system or cause damage in
other ways. Input data is always suspect, even when the data comes
from your own server. Being paranoid is a good thing when you’re
performing security-related tasks.

• Parameter Manipulation: Hackers can experiment with parameters passed as part of
the request header or URL. For example, when working with Google, you can
change the URL and the results of your search. Make sure you encrypt any
parameters you pass between the browser and the server. In addition, use secure web
page protocols, such as HTTPS, when passing parameters.
• Remote Code Inclusion: Most web applications today rely on included libraries,
frameworks, and APIs. In many cases, the include statement contains a relative path
or uses a variable containing a hard coded path to make it easier to change the
location of the remote code later. When a hacker is able to gain access to the path
information and change it, it’s possible to point the remote code inclusion to any
code the hacker wants, giving the hacker full access to the application. The best way
to avoid this particular problem is to use hard coded full paths whenever possible,
even though this action makes it harder to maintain the code.

Many experts will recommend that you use vetted libraries and
frameworks to perform dangerous tasks. However, these add-ons are
simply more code. Hackers find methods for corrupting and
circumventing library and framework code on a regular basis. You still
have a need to ensure your application and any code it relies upon
interacts with outside elements safely, which means performing
extensive testing. Using libraries and frameworks does reduce your
support costs and ensures that you get timely fixes for bugs, but the
bugs still exist and you still need to be on guard. There is no security
silver bullet. Chapter 6 contains more information about working with
libraries and frameworks.

• Session Hijacking: Every time someone logs into your web server, the server gives
that user a unique session. A session hijacker jumps into the session and intercepts
data transferred between the user and the server. The three common places to look
for information used to hijack a session are: cookies, URL rewriting, and hidden
fields. Hackers look for session information in these places. By keeping the session
information encrypted, you can reduce the risk of someone intercepting it. For
example, make sure you rely on the HTTPS protocol for logins. You also want to
avoid doing things like making your session IDs predictable.
• SQL Injection: An attacker modifies a query that your application creates as the
result of user or other input. In many cases, the application requests query input data,
but it receives SQL elements instead. Other forms of SQL injection attack involve
the use of escape or other unexpected characters or character sequences. A good way
to avoid SQL injection attacks is to avoid dynamically generated queries.
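As an added example (not code from the book), here is the signature check the File Uploads item describes, written in JavaScript for Node.js: an upload is accepted only when its leading bytes match a known format and that format agrees with the extension the client claimed. The format table, the default allow-list and the sample inputs are constructed for this example.

```javascript
// Added example, not from the book: validate an upload by its leading byte
// signature ("magic bytes") rather than by the extension the client supplied.
// The byte sequences are the published file headers for each format.
const SIGNATURES = {
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  jpg: [0xff, 0xd8, 0xff],
  gif: [0x47, 0x49, 0x46, 0x38],        // "GIF8"
  pdf: [0x25, 0x50, 0x44, 0x46, 0x2d],  // "%PDF-"
};

// Claimed extensions (lower-cased, no dot) mapped onto the signature keys.
const EXTENSION_ALIASES = { png: 'png', jpg: 'jpg', jpeg: 'jpg', gif: 'gif', pdf: 'pdf' };

// True when `buf` begins with every byte of `sig`.
function startsWithBytes(buf, sig) {
  if (buf.length < sig.length) return false;
  return sig.every((b, i) => buf[i] === b);
}

// Returns the format key whose signature the content carries, or null.
function detectFormat(buf) {
  for (const [key, sig] of Object.entries(SIGNATURES)) {
    if (startsWithBytes(buf, sig)) return key;
  }
  return null;
}

// Decide whether to accept an upload. `filename` is client-supplied and
// untrusted, `buf` is the file content, `allowed` lists the formats this
// endpoint permits. The reason string is meant for the server log, not the user.
function checkUpload(filename, buf, allowed = ['png', 'jpg', 'gif']) {
  const ext = filename.includes('.') ? filename.split('.').pop().toLowerCase() : '';
  const claimed = EXTENSION_ALIASES[ext] || null;
  const detected = detectFormat(buf);
  if (claimed === null || !allowed.includes(claimed)) {
    return { ok: false, reason: 'extension not allowed', detected };
  }
  if (detected === null) {
    return { ok: false, reason: 'unknown signature', detected };
  }
  if (detected !== claimed) {
    return { ok: false, reason: 'extension does not match content', detected };
  }
  // A matching header proves only that the file starts like a PNG/JPEG/...;
  // the rest of the content still has to be scanned before the file is used.
  return { ok: true, reason: 'accepted', detected };
}

// Constructed sample inputs: the first bytes of a PNG, and an HTML document
// that a client has renamed to look like an image.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const SAMPLE_HTML = Buffer.from('<html><body>not an image</body></html>', 'utf8');
```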
This may look like a lot of different threats, but if you search long enough online, you
could easily triple the size of this list and not even begin to scratch the surface of the
ways in which a hacker can make your life interesting. As this book progresses, you’ll
encounter a much larger number of threat types and start to discover ways to overcome
them. Don’t worry, in most cases the fixes end up being common sense and a single fix
can resolve more than one problem. For example, look through the list again and you’ll
find that simply using HTTPS solves a number of these problems.

Considering the Privacy Aspect of Security


When delving into security, an organization tends to focus first on its own data
security. After all, if the organization’s data becomes lost, corrupted, modified,
or otherwise unusable, the organization could go out of business. The next level
of scrutiny usually resides with third parties, such as partners. Often, the security
of user data comes last and many organizations don’t think too much about
customer data security at all. The problem is that many users and customers see
the safety of their data as paramount. The whole issue of privacy comes down to
the protection of user data such that no one misuses or exposes the information
without the user’s knowledge and consent. In short, when building an
application, you must also consider the privacy of user data as a security issue
and an important one at that.
A recent article points out that users and customers view the tech industry as
poor trustees of their data (http://www.infoworld.com/article/2925292/internet-
privacy/feds-vs-silicon-valley-who-do-you-trust-less.html). In fact, the tech
industry has actually fallen behind the government—people trust the
government to safeguard their information more often. Many tech companies
publicly support enhanced security policies for other entities (such as the
government) and privately build more ways to thwart any notion of privacy that
the user or customer might have. This duality makes the situation even worse
than it might otherwise be if the tech industry were open about the
encroachment on user and customer data.
In order to create a truly secure application, you must be willing to secure every
aspect of it, including user and customer data. This act requires that the
application only obtain and manage the data necessary to perform its task and
that it discard that data when no longer needed. Trust is something that your
application can gain only when it adheres to the same set of rules for working
with all data, no matter its source.

Understanding Software Security Assurance (SSA)
The purpose of software is to interact with data. However, software itself is a kind of
data. In fact, data comes in many forms that you might not otherwise consider and the
effect of data is wider ranging that you might normally think. With the Internet of Things
(IoT), it’s now possible for data to have both abstract and physical effects in ways that no
one could imagine even a few years ago. A hacker gaining access to the right application
can do things like damage the electrical grid or poison the water system. On a more
personal level, the same hacker could potentially raise the temperature of your home to
some terrifying level, turn off all the lights, spy on you through your webcam, or do any
of a number of other things. The point of SSA is that software needs some type of
regulation to ensure it doesn’t cause the loss, inaccuracy, alteration, unavailability, or
misuse of the data and resources that it uses, controls, and protects. This requirement
appears as part of SSA. The following sections discuss SSA in more detail.

SSA isn’t an actual standard at this time. It’s a concept that many
organizations quantify and put into writing based on that organization’s
needs. The same basic patterns appear in many of these documents and
the term SSA refers to the practice of ensuring software remains secure.
You can see how SSA affects many organizations, such as Oracle
(http://www.oracle.com/us/support/assurance/overview/index.html) and
Microsoft
(https://msdn.microsoft.com/library/windows/desktop/84aed186-1d75-4366-8e61-8d258746bopq.aspx)
by reviewing that organization’s SSA documentation online. In fact, many
large organizations now have some form of SSA in place.

Considering the OSSAP


One of the main sites you need to know about in order to make SSA a reality in web
applications is the Open Web Application Security Project (OWASP)
(https://www.owasp.org/index.php/OWASP_Software_Security_Assurance_Process)
(see Figure 1-1). The site breaks down the process required to make the OWASP Security
Software Assurance Process (OSSAP) part of the Software Development Lifecycle
(SDLC). Yes, that’s a whole bunch of alphabet soup, but you need to know about this
group in order to create a process for your application that matches the work done by
other organizations. In addition, the information on this site helps you develop a security
process for your application that actually works, is part of the development process, and
won’t cost you a lot of time in creating your own process.


Figure 1-1. The OWASP site tells you about SSA for web applications.

Even though OSSAP does provide a great framework for ensuring your
application meets SSA requirements, there is no requirement that you
interact with this group in any way. The group does license its approach
to SSA. However, at this time, the group is just getting underway and
you’ll find a lot of TBDs on the site that the group plans to fill in as
time passes. Of course, you need a plan for today, so OWASP and its
OSSAP present a place for you to research solutions for now and
possibly get additional help later.

The whole reason to apply SSA to your application as part of the SDLC is to ensure that
the software is as reliable and error free as you can make it. When talking with some
people, the implication is that SSA will fix every potential security problem that you
might encounter, but this simply isn’t the case. SSA will improve your software, but you
can’t find any pieces of software anywhere that are error free. Assuming that you did
manage to create a piece of error free software, you still have user, environment, network,
and all sorts of other security issues to consider. Consequently, SSA is simply one
piece of a much larger security picture and implementing SSA will only fix so many
security issues. The best thing to do is to continue seeing security as an ongoing process.


Defining SSA Requirements


The initial step in implementing SSA as part of your application is to define the SSA
requirements. These requirements help you determine the current state of your software,
the issues that require resolution, and the severity of those issues. After the issues are
defined, you can determine the remediation process and any other requirements needed to
ensure that the software remains secure. In fact, you can break SSA down into eight
steps:
1. Evaluate the software and develop a plan to remediate it.
2. Define the risks that the security issues represent to the data and categorize these
risks to remediate the worst risks first.
3. Perform a complete code review.
4. Implement the required changes.
5. Test the fixes you create and verify that they actually do work on the production
system.
6. Define a defense for protecting application access and therefore the data that the
application manages.
7. Measure the effectiveness of the changes you have made.
8. Educate management, users, and developers in the proper methods to ensure good
application security.

Categorizing Data and Resources


This process involves identifying the various pieces of data that your application touches
in some way, including its own code and configuration information. Once you identify
every piece of data, you categorize it to identify the level of security required to protect
that data. Data can have many levels of categorization and the way in which you
categorize the data depends on your organization’s needs and the orientation of the data.
For example, some data may simply inconvenience the organization, while other data
could potentially cause harm to humans. Defining how a breach of each kind of data
affects the security environment as a whole is essential.
After the data categorization process is complete, it’s possible to begin using the
information to perform a variety of tasks. For example, you can consider how to reduce
vulnerabilities by:
• Creating coding standards
• Implementing mandatory developer training
• Hiring security leaders within development groups
• Using automated testing procedures that specifically locate security issues
All of these methods point to resources that the organization interacts with and relies
upon to ensure the application manages data correctly. Categorizing resources means
determining how much emphasis to place on a particular resource. For example, denying
developers training will have a bigger impact than denying individual application users
training because the developers work with the application as a whole. Of course, training
is essential for everyone. In this case, categorizing resources of all sorts helps you
determine where and how to spend money in order to obtain the best Return on
Investment (ROI), while still meeting application security goals.

Performing the Required Analysis


As part of SSA, you need to perform an analysis on your application. It’s important to
know precisely what sorts of weaknesses your code could contain. The operative word
here is “could.” Until you perform analysis in depth, you have no way of knowing the
actual security problems in your code. Web applications are especially adept at hiding
issues because, unlike desktop applications, the code can appear in numerous places and
scripts tend to hide problems that compiled applications don’t have because the code is
interpreted at runtime, rather than compile time.

It’s important to understand that security isn’t just about the code—it’s
also about the tools required to create the code and the skill of the
developers employing those tools. When an organization chooses the
wrong tools for the job, the risk of a security breach becomes much
higher because the tools may not create code that performs precisely as
expected. Likewise, when developers using the tool don’t have the
required skills, it’s hardly surprising that the software has security holes
that a more skilled developer would avoid.
Some experts claim that there are companies that actually allow
substandard work. In most cases, the excuse for allowing such work is
that the application development process is behind schedule or that the
organization lacks required tools or expertise. The fact that an
organization may employ software designed to help address security
issues (such as a firewall), doesn’t relieve the developer of the
responsibility to create secure code. Organizations need to maintain
coding standards to ensure a good result.

Logic
Interacting with an application and the data it manages is a process. Even though users
might perform tasks in a seemingly random fashion, specific tasks follow patterns that
occur because the user must follow a procedure in order to obtain a good result. By
documenting and understanding these procedures, you can analyze application logic from
a practical perspective. Users rely on a particular procedure because of the way in which
developers design the application. Changing the design will necessarily change the
procedure.
The point of the analysis is to look for security holes in the procedure. For example, the
application may allow the user to remain logged in, even if it doesn’t detect activity for
an extended period. The problem is that the user might not even be present—someone
else could access the application using the user’s credentials and no one would be the
wiser because everyone would think that the user is logged in using the same system as
always.
However, data holes can take other forms. A part number might consist of various
quantifiable elements. In order to obtain a good part number, the application could ask for
the elements, rather than the part number as a whole, and build the part number from
those elements. The idea is to make the procedure cleaner, clearer, and less error prone so
that the database doesn’t end up containing a lot of bad information.


Data
It may not seem like you can perform much analysis on data from a security perspective,
but there really are a lot of issues to consider. In fact, data analysis is one of the areas
where organizations fall down most because the emphasis is on how to manage and use
the data, rather than on how to secure the data (it’s reasonable to assume you need to
address all three issues). When analyzing the data, you must consider these issues:
• Who can access the data
• What format is used to store the data
• When the data is accessible
• Where the data is stored
• Why each data item is made available as part of the application
• How the data is broken into components and the result of combining the data for
application use
For example, some applications fail to practice data hiding, which is an essential feature
of any good application. Data hiding means giving the user only the amount of
information actually needed to perform any given task.
Applications also format some data incorrectly. For example, storing passwords as text
will almost certainly cause problems should someone break in. A better route is to store
the password hash. The hash isn’t at all valuable to someone who has broken in because
the application needs the password on which the hash is based.
Making all data accessible all the time is also a bad idea. Sensitive data should only
appear on screen when someone is available to monitor its use and react immediately
should the user do something unexpected.
Storing sensitive data in the cloud is a particularly bad idea. Yes, using cloud storage
makes the data more readily available and faster to access as well, but it also makes the
data vulnerable. Store sensitive data on local servers when you have direct access to all
the security features used to keep the data safe.
Application developers also have a propensity for making too much information
available. You use data hiding to keep manager-specific data hidden from other kinds of
users. However, some data has no place in the application at all. If no one actually needs
a piece of data to perform a task, then don’t add the data to the application.
Many data items today are an aggregation of other data elements. It’s possible for a
hacker to learn a lot about your organization by detecting the form of aggregation used
and taking the data item apart to discover the constituent parts. It’s important to consider
how the data is put together and to add safeguards that make it harder to discover the
source of that data.
Interface
A big problem with software today is the inclusion of gratuitous features. An application
is supposed to meet a specific set of goals, perform a specific set of tasks. Invariably,
someone gets the idea that the software might be somehow better if it had certain features
that have nothing to do with the core goals the software is supposed to meet. The term
feature bloat has been around for a long time. You normally see it discussed in a
monetary sense—as the source of application speed problems, the elevator of user

O’Reilly Media, Inc. 7/21/2015
training costs, and the wrecker of development schedules. However, application interface
issues, those that are often most affected by feature bloat, have a significant impact on
security in the form of increased attack surface. Every time you increase the attack
surface, you provide more opportunities for a hacker to obtain access to your
organization. Getting rid of gratuitous features, or moving them to an entirely different
application, will reduce the attack surface—making your application a lot more secure.
Of course, you’ll save money too.
Another potential problem is the hint interface—one that gives away the security
features of the application by providing a potential hacker with too much information
or too many features. Even though a feature that helps a user recover a lost password is
necessary, some implementations make it possible for a hacker to retrieve the user’s
password and become that user. The hacker might even lock the real user out of the
account by changing the password (although this action would be counterproductive
because an administrator could restore the user’s access quite easily). A better system is
to verify that the user actually made the request before doing anything and then to
ensure that the administrator sends the login information in a secure manner.
Constraint
A constraint is simply a method of ensuring that actions meet specific criteria before the
action is allowed. For example, disallowing access to data elements unless the user has a
right to access them is a kind of constraint. However, constraints have other forms that
are more important. The most important constraint is determining how any given user can
manage data. Most users only require read access to data, yet applications commonly
provide read/write access, which opens a huge security hole.
Data has constraints to consider as well. When working with data, you must define
precisely what makes the data unique and ensure the application doesn’t break any rules
regarding that uniqueness. With this in mind, you generally need to consider these kinds
of constraints:
• Ensure the data is the right type
• Define the range of values the data can accept
• Specify the maximum and minimum data lengths
• List any unacceptable data values

Delving into Language-specific Issues


The application environment is defined by the languages used to create the application.
Just as every language has functionality that makes it perform certain tasks well, every
language also has potential problems that make it a security risk. Even low-level
languages, despite their flexibility, have problems induced by complexity. Of course,
web-based applications commonly rely on three particular languages: HTML, CSS, and
JavaScript. The following sections describe some of the language-specific issues related
to these particular languages.

Defining the Key HTML Issues


HTML5 has become extremely popular because it supports an incredibly broad range of
platforms. The same application can work well on a user’s desktop, tablet, and

smartphone without any special coding on the part of the developer. Often, libraries,
APIs, and microservices provide content in a form that matches the host system
automatically, without any developer intervention. However, the flexibility that HTML5
provides can also be problematic. The following list describes some key security issues
you experience when working with HTML5.
• Code Injection: HTML5 provides a large number of ways in which a hacker could
inject malicious code, including sources you might not usually consider suspicious,
such as a YouTube video or streamed music.
• User Tracking: Because your application uses code from multiple sources in most
cases, you might find that a library, API, or microservice actually performs some
type of user tracking that a hacker could use to learn more about your organization.
Every piece of information you give a hacker makes the process of overcoming your
security easier.
• Tainted Inputs: Unless you provide your own input checking, HTML5 lets any input
the user wants to provide through. You may only need a numeric value, but the user
could provide a script instead. Trying to check inputs thoroughly to ensure you really
are getting what you requested is nearly impossible on the client side, so you need to
ensure you have robust server-side checking as well.
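As an added Node.js example that is not the book's code, here is server-side validation that re-checks a form submission against the four kinds of constraint listed earlier (type, range, length, unacceptable values), treating the client's HTML5 input attributes as hints only. The form fields, rules and error messages are constructed for the example.

```javascript
// Added example (not the book's code): server-side validation of an
// untrusted form submission. The client's HTML5 attributes (type="number",
// maxlength, pattern) are treated as hints only; every rule is re-checked
// here. Field names, rules and messages are constructed for the example.

// Rule set for a hypothetical "create account" form, covering the four
// constraint kinds: type, range, length, and unacceptable values.
const ACCOUNT_FORM = {
  username: { type: 'string', minLength: 3, maxLength: 20,
              pattern: /^[a-z0-9_]+$/i,
              disallow: ['admin', 'root', 'system'] },
  age:      { type: 'integer', min: 13, max: 120 },
  role:     { type: 'string', allow: ['reader', 'editor'] },
};

// Own-property test that ignores prototype names such as "constructor".
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Check one field against its rule; returns an error message or null.
function checkField(name, rule, raw) {
  if (raw === undefined || raw === null || raw === '') return `${name}: required`;
  // Form and query data arrive as text (or arrays, from repeated keys), so
  // the type check is a strict parse rather than a typeof test.
  if (rule.type === 'integer') {
    if (typeof raw !== 'string' || !/^-?\d{1,9}$/.test(raw)) return `${name}: not an integer`;
    const n = Number(raw);
    if (rule.min !== undefined && n < rule.min) return `${name}: below ${rule.min}`;
    if (rule.max !== undefined && n > rule.max) return `${name}: above ${rule.max}`;
    return null;
  }
  if (typeof raw !== 'string') return `${name}: wrong type`;
  if (rule.minLength !== undefined && raw.length < rule.minLength) return `${name}: too short`;
  if (rule.maxLength !== undefined && raw.length > rule.maxLength) return `${name}: too long`;
  if (rule.pattern && !rule.pattern.test(raw)) return `${name}: invalid characters`;
  if (rule.allow && !rule.allow.includes(raw)) return `${name}: not an allowed value`;
  if (rule.disallow && rule.disallow.includes(raw.toLowerCase())) return `${name}: reserved`;
  return null;
}

// Validate a whole submission. Fields the form never defined are rejected
// rather than ignored, so extra parameters cannot slip past the checks.
function validate(rules, body) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, errors: ['body: not an object'] };
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!hasOwn(rules, key)) errors.push(`${key}: unexpected field`);
  }
  for (const [name, rule] of Object.entries(rules)) {
    const err = checkField(name, rule, body[name]);
    if (err) errors.push(err);
  }
  return { ok: errors.length === 0, errors };
}
```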

Defining the Key CSS Issues


Applications rely heavily on CSS3 to create great looking presentations without hard
coding the information for every device. Libraries of pre-existing CSS3 code make it
easy to create professional looking applications that a user can change to meet any need.
For example, a user may need a different presentation for a particular device or require
that the presentation use a specific format to meet a special need. The following list
describes some key security issues you experience when working with CSS3.
• Overwhelming the Design: A major reason that CSS3 code causes security issues is
that the design is overwhelmed. The standards committee originally designed CSS to
control the appearance of HTML elements, not to affect the presentation of an entire
web page. As a result, the designers never thought to include security for certain
issues because CSS wasn’t supposed to work in those areas. The problem is that the
cascade part of CSS doesn’t allow CSS3 to know about anything other than its parent
elements. As a result, a hacker can create a presentation that purports to do one thing,
when it actually does another. Some libraries, such as jQuery, can actually help you
overcome this issue.
• Uploaded CSS: In some cases, an application designer will allow a user to upload a
CSS file to achieve a particular application appearance or make it work better with a
specific platform. However, the uploaded CSS can also contain code that makes it
easier for a hacker to overwhelm any security you have in place or to hide dirty
dealings from view. For example, a hacker could include URLs in the CSS that
redirect the application to unsecure servers.
• CSS Shaders: A special use of CSS can present some extreme problems by allowing
access to the user agent data and cross-domain data. Later chapters in the book will
discuss this issue in greater detail, but you can get a quick overview of the topic at
http://www.w3.org/Graphics/fx/wiki/CSS_Shaders_Security. The big thing is that
sometimes the act of rendering data on screen opens potential security holes you
might not have considered initially.

Defining the Key JavaScript Issues


The combination of JavaScript with HTML5 has created the whole web application
phenomenon. Without the combination of the two languages, it wouldn’t be possible to
create applications that run well anywhere on any device. Users couldn’t even think about
asking for that sort of application in the past because it just wasn’t possible to provide it.
Today, a user can perform work anywhere using a device that’s appropriate for the
location. However, JavaScript is a scripting language that can have some serious security
holes. The following list describes some key security issues you experience when
working with JavaScript.
• Cross-site Scripting (XSS): This issue appears earlier in the chapter because it’s
incredibly serious. Any time you run JavaScript outside a sandboxed environment, it
becomes possible for a hacker to perform all sorts of nasty tricks on your application.
• Cross-site Request Forgery (CSRF): A script can use the user’s credentials that are
stored in a cookie to gain access to other sites. While on these sites, the hacker can
perform all sorts of tasks that the application was never designed to perform. For
example, a hacker can perform account tampering, data theft, fraud, and many other
illegal activities, all in the user’s name.
• Browser and Browser Plug-in Vulnerabilities: Many hackers rely on known browser
and browser plug-in vulnerabilities to force an application to perform tasks that it
wasn’t designed to do. For example, a user’s system could suddenly become a
zombie transmitting virus code to other systems. The extent of what a hacker can do
is limited by the vulnerabilities in question. In general, you want to ensure that you
install any updates and that you remain aware of how vulnerabilities can affect your
application’s operation.

Considering Endpoint Defense Essentials


An endpoint is a destination for network traffic, such as a service or a browser. When
packets reach the endpoint, the data they contain is unpacked and provided to the
application for further processing. Endpoint security is essential because endpoints
represent a major point of entry for networks. Unless the endpoint is secure, the network
will receive bad data transmissions. In addition, broken endpoint security can cause harm
to other nodes on the network. The following sections discuss three phases of endpoint
security: prevention, detection, and remediation.

It’s important not to underestimate the effect of endpoint security on applications and
network infrastructure. Some endpoint scenarios become quite complex and their
consequences hard to detect or even understand. For example, a recent article discusses a
router attack that depends on the attacker directing an unsuspecting user to a special site:
http://www.infoworld.com/article/2926221/security/large-scale-attack-hijacks-routers-through-users-browsers.html.
The attack focuses on the router that the user depends upon to make Domain Name
System (DNS) requests. By obtaining full control over the router, the attacker can redirect
the user to locations that the attacker controls.

13
Discovering Diverse Content Through
Random Scribd Documents
The Little Dream. By John Galsworthy.
The Fugitive. By John Galsworthy.
The Mob. By John Galsworthy.
The Pigeon. By John Galsworthy.
A Bit o’ Love. By John Galsworthy.
Love’s Comedy. By Henrik Ibsen. (Cloth binding only.)
The Divine Gift. By Henry Arthur Jones. With an Introduction and a
Portrait. (5s. net. Cloth binding only.)
The Widowing of Mrs Holroyd. A Drama. By D. H. Lawrence. With an
Introduction. (Cloth only, 5s. net.)
Peter’s Chance. A Play. By Edith Lyttelton.
Three Little Dramas. By Maurice Maeterlinck. (Cloth binding only.)
The Heatherfield. By Edward Martyn.
Maeve. By Edward Martyn.
The Dream Physician. By Edward Martyn.
St Francis of Assisi. A Play in Five Acts. By J.-A. Peladan. (Cloth only, 3s.
6d. net.)
The Mother. A Play. By Eden Phillpotts.
The Shadow. A Play. By Eden Phillpotts.
The Secret Woman. A Drama. By Eden Phillpotts.
The Farmer’s Wife. A Comedy. By Eden Phillpotts.
St George and the Dragon. A Play. By Eden Phillpotts.
Curtain Raisers. One Act Plays. By Eden Phillpotts.
Creditors. Pariah. Two Plays. By August Strindberg. (Cloth binding only.)
There are Crimes and Crimes. By August Strindberg. (Cloth binding only.)
Five Little Plays. By Alfred Sutro.
The Two Virtues. A Play. By Alfred Sutro.
Freedom. A Play. By Alfred Sutro.
The Choice. A Play. By Alfred Sutro.
The Dawn (Les Aubes). By Emile Verhaeren. Translated by Arthur Symons.
(Cloth binding only.)
The Princess of Hanover. By Margaret L. Woods. (Cloth binding only.)
Plays. By Leonid Andreyef. Translated from the Russian, with an
Introduction by F. N. Scott and C. L. Meader. Cr. 8vo, cloth gilt. 7s.
6d. net. Postage 6d.
Plays. (First Series.) By Björnstjerne Björnson. (The Gauntlet, Beyond our
Power, The New System.) With an Introduction and Bibliography. In
one vol. Cr. 8vo. 7s. 6d. net. Postage 6d.
Plays. (Second Series.) By Björnstjerne Björnson. (Love and Geography,
Beyond Human Might, Laboremus.) With an Introduction by Edwin
Björkman. In one vol. Cr. 8vo. 7s. 6d. net. Postage 6d.
Modern Plays—continued [Postage 6d. unless otherwise stated]
Three Plays. By Mrs W. K. Clifford (Hamilton’s Second Marriage, Thomas
and the Princess, The Modern Way.) Sq. cr. 8vo. 7s. 6d. net.
Plays (First Series). By John Galsworthy. Three Plays (Joy, Strife, The
Silver Box). Sq. cr. 8vo. 7s. net.
Plays (Second Series). By John Galsworthy. Three Plays (Justice, The
Little Dream, The Eldest Son). Sq. cr. 8vo. 7s. net.
Plays (Third Series). By John Galsworthy. Three Plays (The Pigeon, The
Fugitive, The Mob). Cr. 8vo. 7s. net.
Plays (Fourth Series). By John Galsworthy. Three Plays (A Bit o’ Love, The
Skin Game, Foundations). Sq. cr. 8vo. 7s. net.
Plays (Fifth Series). By John Galsworthy. Three Plays (A Family Man,
Loyalties, Windows). Sq. cr. 8vo. 7s. net.
Six Short Plays. By John Galsworthy. (The Little Man, The First and the
Last, Hall Marked, Defeat, The Sun, Punch and Go.) Sq. cr. 8vo. 5s.
net. Postage 5d.
Plays. By Gwen John. (Outlaws, Corinna, Sealing the Compact, Edge o’
Dark, The Case of Theresa, In the Rector’s Study.) With an
Introduction. Cr. 8vo. 7s. 6d. net.
Four Tragedies. By Allan Monkhouse. (The Hayling Family, The Stricklands,
Resentment, Reaping the Whirlwind.) Cr. 8vo. cloth gilt. 7s. 6d. net.
Plays. By Eden Phillpots. (The Mother, The Shadow, The Secret Woman.)
Cr. 8vo. 7s. 6d. net.
Plays. (First Series.) By August Strindberg. (The Dream Play, The Link,
The Dance of Death, Part I.; The Dance of Death, Part II.) Cr. 8vo.
7s. 6d. net.
Plays. (Second Series.) By August Strindberg (Creditors, Pariah, There are
Crimes and Crimes, Miss Julia, The Stronger.) 7s. 6d. net.
Plays. (Third Series.) By August Strindberg. (Advent, Simoom, Swan
White, Debit and Credit, The Thunder Storm, After the Fire.) Cr. 8vo.
7s. 6d. net.
Plays. (Fourth Series.) By August Strindberg. (The Bridal Crown, The
Spook Sonata, The First Warning, Gustavus Vasa.) Cr. 8vo. 7s. 6d.
net.
Plays. (First Series.) By Anton Tchekoff. (Uncle Vanya, Ivanoff, The
Seagull, The Swan Song.) With an Introduction. Cr. 8vo. 7s. 6d. net.
Plays. (Second Series.) By Anton Tchekoff. (The Cherry Orchard, The
Three Sisters, The Bear, The Proposal, The Marriage, The
Anniversary, A Tragedian.) With an Introduction. Completing in two
volumes the Dramatic Works of Tchekoff. Cr. 8vo. 7s. 6d. net.

THE READERS’ LIBRARY


A new series of Copyright Works of Individual Merit and Permanent Value—the
work of Authors of Repute.
Library style. Cr. 8vo. Blue cloth gilt, round backs. 5s. net a volume; postage 5d.

Avril. By Hilaire Belloc. Essays on the Poetry of the French Renaissance.


Caliban’s Guide to Letters—Lambkins Remains. By Hilaire Belloc.
Men, Women, and Books: Res Judicatæ. By Augustine Birrell. Complete in
one vol.
Obiter Dicta. By Augustine Birrell. First and Second Series in one volume.
Memoirs of a Surrey Labourer. By George Bourne.
The Bettesworth Book. By George Bourne.
Lucy Bettesworth. By George Bourne.
Change in the Village. By George Bourne.
Studies in Poetry. By Stopford A. Brooke, LL.D. Essays on Blake, Scott,
Shelley, Keats, etc.
Comparative Studies in Nursery Rhymes. By Lina Eckenstein. Essays in a
branch of Folk-lore.
Italian Poets since Dante. Critical Essays. By W. Everett.
Villa Rubein, and other Stories. By John Galsworthy.
Faith, and other Sketches. By R. B. Cunninghame Graham.
Hope, and other Sketches. By R. B. Cunninghame Graham.
Brought Forward. By R. B. Cunninghame Graham.
A Hatchment. By R. B. Cunninghame Graham.
Success, and other Sketches. By R. B. Cunninghame Graham.
Twenty-Six Men and a Girl, and other Stories. By Maxim Gorky. Translated
from the Russian.
El Ombu. By W. H. Hudson.
Green Mansions. A Romance of the Tropical Forest. By W. H. Hudson.
The Purple Land. By W. H. Hudson.
A Crystal Age: a Romance of the Future. By W. H. Hudson.
The Critical Attitude. By Ford Madox Hueffer.
The Heart of the Country. By Ford Madox Hueffer.
The Spirit of the People. By Ford Madox Hueffer.
After London—Wild England. By Richard Jefferies.
Amaryllis at the Fair. By Richard Jefferies.
Bevis. The Story of a Boy. By Richard Jefferies.
Russian Literature. By Prince Kropotkin. New and revised edition.
St Augustine and his Age. An Interpretation. By Joseph McCabe.
Yvette, and other Stories. By Guy de Maupassant. Translated by Mrs John
Galsworthy. With a Preface by Joseph Conrad.
Between the Acts. By H. W. Nevinson.
Principle in Art: Religio Poetæ. By Coventry Patmore.
Parallel Paths. A Study in Biology, Ethics, and Art. By T. W. Rolleston.
The Strenuous Life, and other Essays. By Theodore Roosevelt.
English Literature and Society in the Eighteenth Century. By Sir Leslie
Stephen.
Studies of a Biographer. First Series. Two Volumes. By Sir Leslie Stephen.
The Black Monk, and other Tales. By Anton Tchekoff.
The Kiss, and other Stories. By Anton Tchekoff.
Interludes. By Sir Geo. Trevelyan.
A Wiltshire Village. By Alfred Williams.
Village’s White Horse. By Alfred Williams.
Life in a Railway Factory. By Alfred Williams.

THE ROADMENDER SERIES.


The additional volumes in the series are books with the same tendency as Michael
Fairless’s remarkable work, from which the series gets its name: books which
express a deep feeling for Nature, and render the value of simplicity in life.
Fcap. 8vo, with designed end papers. 3s. 6d. net. Postage 4d. * Coloured
Frontispiece 4s. 6d.

The Brow of Courage. By Gertrude Bone.


Women of the Country. By Gertrude Bone.
The Sea Charm of Venice. By Stopford A. Brooke.
Magic Casements. By Arthur S. Cripps.
A Martyr’s Servant. By Arthur S. Cripps.
A Martyr’s Heir. By Arthur S. Cripps.
* The Roadmender. By Michael Fairless. Also in limp lambskin, 7s. 6d. net.
Illustrated Edition with Illustrations in colour from oil paintings by E.
W. Waite, 7s. 6d. net. In Velvet Persian, 8s. 6d. net. Crown 4to, with
20 photographs by Will F. Taylor, 21s. net.
* The Gathering of Brother Hilarius. By Michael Fairless.
* The Grey Brethren. By Michael Fairless. Also limp lambskin, 7s. 6d. net.
Michael Fairless: Life and Writings. By W. Scott Palmer and A. M. Haggard.
The Roadmender Book of Days. A Year of Thoughts from the Roadmender
Series. Selected and arranged by Mildred Gentle.
A Modern Mystic’s Way. By Wm. Scott Palmer.
From the Forest. By Wm. Scott Palmer.
Pilgrim Man. By Wm. Scott Palmer.
Winter and Spring. By Wm. Scott Palmer.
Thoughts of Leonardo da Vinci. Selected by Edward McCurdy.
The Plea of Pan. By H. W. Nevinson, author of “Essays in Freedom,”
“Between the Acts.”
Bedesman 4. By Mary J. H. Skrine.
Vagrom Men. By A. T. Story.
Light and Twilight. By Edward Thomas.
Rest and Unrest. By Edward Thomas.
Rose Acre Papers: Horæ Solitariæ. By Edward Thomas.

STUDIES IN THEOLOGY
A New Series of Handbooks, being aids to interpretation in Biblical Criticism for the
use of the Clergy, Divinity Students, and Laymen. Cr. 8vo. 5s. net a volume.
Postage 5d.

An Introduction to the Study of Some Living Religions of the East. By Sidney


Cave, D.D., Principal of Cheshunt Lodge, Cambridge.
Christianity and Ethics. By Archibald B. D. Alexander, M.A., D.D., author of
“A Short History of Philosophy,” “The Ethics of St Paul.”
The Environment of Early Christianity. By Samuel Angus, Professor of New
Testament Historical Theology in St Andrew’s College, University of
Sydney. Cr. 8vo. 2s. 6d. net.
History of the Study of Theology. By the late Charles Augustus Briggs,
D.D., D.Litt., of the Union Theological Seminary, New York. Two
Volumes.
The Christian Hope. A Study in the Doctrine of the Last Things. By W.
Adams Brown, Ph.D., D.D., Professor of Theology in the Union
College, New York.
Christianity and Social Questions. By William Cunningham, D.D., F.B.A.,
Fellow of Trinity College, Cambridge, Hon. Fellow of Gonville and
Caius College, Cambridge, Archdeacon of Ely, formerly Lecturer on
Economic History to Harvard University.
The Justification of God. By P. T. Forsyth, M.A., D.D., Principal of the
Hackney Theological College, University of London.
A Handbook of Christian Apologetics. By A. E. Garvie, M.A., Hon. D.D.,
Glasgow University, Principal of New College, Hampstead.
A Critical Introduction to the Old Testament. By George Buchanan Gray,
M.A., D.Litt., Professor of Hebrew and Old Testament Exegesis in
Mansfield College, Oxford.
Gospel Origins. A Study in the Synoptic Problem. By William West
Holdsworth, M.A., Tutor in New Testament Language and Literature,
Handsworth College; author of “The Christ of the Gospels,” “The Life
of Faith,” etc.
Faith and its Psychology. By William R. Inge, D.D., Dean of St Paul’s, Lady
Margaret Professor of Divinity, Cambridge, and Bampton Lecturer,
Oxford, 1899.
The Theology of the Epistles. By H. A. A. Kennedy, D.D., D.Sc., Professor of
New Testament Exegesis and Theology, New College, Edinburgh.
Christianity and Sin. By Robert Mackintosh, M.A., D.D., Professor of
Apologetics in Lancashire Independent College; Lecturer in the
University of Manchester.
Originality of Christian Message. By H. R. Mackintosh, of New College,
Edinburgh.
Protestant Thought before Kant. By A. C. McGiffert, Ph.D., D.D., of the
Union Theological Seminary, New York.
The Theology of the Gospels. By James Moffat, B.D., D.D., of the U.F.
Church of Scotland, sometime Jowett Lecturer, London, author of
“The Historical New Testament.”
A History of Christian Thought since Kant. By Edward Caldwell Moore,
D.D., Parkman Professor of Theology in the University of Harvard,
U.S.A., author of “The New Testament in the Christian Church,” etc.
The Doctrine of the Atonement. By J. K. Mosley, M.A., Fellow and Tutor of
Pembroke College, Cambridge.
Revelation and Inspiration. By James Orr, D.D., Professor of Apologetics in
the Theological College of the United Free Church, Glasgow.
A Critical Introduction to the New Testament. By Arthur Samuel Peake,
D.D., Professor of Biblical Exegesis and Dean of the Faculty of
Theology, Victoria University, Manchester; sometime Fellow of
Merton College, Oxford.
Philosophy and Religion. By Hastings Rashdall, D.Litt. (Oxon.), D.C.L.
(Durham), F.B.A., Dean of Carlisle.
The Holy Spirit. By Thomas Rees, M.A. (Lond.), Principal of Bala and
Bangor College.
Pharisees and Jesus. By A. T. Robertson, Professor of Interpretation of the
New Testament in the Southern Baptist Theological Seminary.
The Religious Ideas of the Old Testament. By H. Wheeler Robinson, M.A.,
Tutor in Rawdon College; sometime Senior Kennicott Scholar in
Oxford University.
Text and Canon of the New Testament. By Alexander Souter, M.A., D.Litt.,
Professor of Humanity at Aberdeen University.
Christian Thought to the Reformation. By Herbert B. Workman, M.A.,
D.Litt., Principal of the Westminster Training College.

Duckworth & Co.’s Two Shilling Net Series


Stiff Covers, Crown 8vo. Postage 3d.

Broken Stowage. By David W. Bone.


The House in Marylebone. By Mrs W. K. Clifford.
Wrack: a Tale of the Sea. By Maurice Drake.
The Exploits of Danby Croker. By R. Austin Freeman.
The Price of Things. By Elinor Glyn.
Beyond the Rocks. By Elinor Glyn.
Halcyone. By Elinor Glyn.
The Reason Why. By Elinor Glyn.
The Reflections of Ambrosine. By Elinor Glyn.
The Visits of Elizabeth. By Elinor Glyn.
Guinevere’s Lover (The Sequence). By Elinor Glyn.
The Vicissitudes of Evangeline. By Elinor Glyn.
When the Hour Came. By Elinor Glyn.
Three Weeks. By Elinor Glyn.
The Career of Katherine Bush. By Elinor Glyn.
Elizabeth Visits America. By Elinor Glyn.
The Contrast and other Stories. By Elinor Glyn.
The Man and the Moment. By Elinor Glyn.
Where Bonds are Loosed. By Grant Watson.
The Oilskin Packet. By Reginald Berkeley and James Dixon.

THE
STUDENT SERIES
is designed to give, within a small compass, and at a low price, an outline of the
ideas resulting from modern study and research.
Cr. 8vo. Paper Covers. 2s. net per volume.

LIST OF VOLUMES

1. SYNDICALISM
J. A. R. Marriott, M.P. (Late Fellow of Worcester College, Oxford)
2. BRITISH ASPECTS OF WAR AND PEACE
Spenser Wilkinson
3. AN INTRODUCTION TO THE READING OF SHAKESPEARE
Frederick S. Boas, M.A., LL.D.
4. THE BODLEIAN LIBRARY AT OXFORD
Falconer Madan (Hon. Fellow of Brasenose College, Oxford)
5. TREATISE ON LAW
Edward Jenks
6. *THE STUDY OF ROMAN HISTORY
Bernard W. Henderson (Fellow and Tutor of Exeter College, Oxford)
7. THE LATIN CULTURE
E. A. Burroughs (Fellow and Tutor of Hertford College,
Oxford)
8. *OUTLINE-HISTORY OF GREEK RELIGION
L. R. Farnell (Rector of Exeter College, Oxford)
9. ENGLISH HISTORY, 499-1914
Arthur Hassall (Student of Christ Church, Oxford)

* These are also issued reset, on good paper, bound in cloth, at 6s. net each.
DUCKWORTH & CO., 3 Henrietta Street, London, W.C.2

Turnbull & Spears


Printers, Edinburgh
Transcriber’s Notes

The original spelling was mostly preserved. A few obvious


typographical errors were silently corrected. Further careful
corrections, some after consulting other editions, are listed here
(before/after):

... regarded her not with the adoration on half-pitying ...


... regarded her not with the adoration or half-pitying ...
... of the atmosphere—the interest of boredom ...
... of the atmosphere—the interest or boredom ...
... gleam she had caught in the deep wehrmütig ...
... gleam she had caught in the deep wehmütig ...
... of life into the humble bésogne de la pensée. ...
... of life into the humble besogne de la pensée. ...
... reflectively. As if it had just occurred to her. ...
... she murmured reflectively. As if it had just occurred to her. ...
... blue; unseeing; contradictng her matronly ...
... blue; unseeing; contradicting her matronly ...
... ironmongery in my rücksack and off we’ll ...
... ironmongery in my rucksack and off we’ll ...
... they become foreigners in England were nothing. ...
... they became foreigners in England were nothing. ...
... tryanny was her real apology, a curse for the ...
... tyranny was her real apology, a curse for the ...
*** END OF THE PROJECT GUTENBERG EBOOK REVOLVING
LIGHTS: PILGRIMAGE, VOLUME 7 ***

Updated editions will replace the previous one—the old editions


will be renamed.

Creating the works from print editions not protected by U.S.


copyright law means that no one owns a United States
copyright in these works, so the Foundation (and you!) can copy
and distribute it in the United States without permission and
without paying copyright royalties. Special rules, set forth in the
General Terms of Use part of this license, apply to copying and
distributing Project Gutenberg™ electronic works to protect the
PROJECT GUTENBERG™ concept and trademark. Project
Gutenberg is a registered trademark, and may not be used if
you charge for an eBook, except by following the terms of the
trademark license, including paying royalties for use of the
Project Gutenberg trademark. If you do not charge anything for
copies of this eBook, complying with the trademark license is
very easy. You may use this eBook for nearly any purpose such
as creation of derivative works, reports, performances and
research. Project Gutenberg eBooks may be modified and
printed and given away—you may do practically ANYTHING in
the United States with eBooks not protected by U.S. copyright
law. Redistribution is subject to the trademark license, especially
commercial redistribution.

START: FULL LICENSE


THE FULL PROJECT GUTENBERG LICENSE
PLEASE READ THIS BEFORE YOU DISTRIBUTE OR USE THIS WORK

To protect the Project Gutenberg™ mission of promoting the


free distribution of electronic works, by using or distributing this
work (or any other work associated in any way with the phrase
“Project Gutenberg”), you agree to comply with all the terms of
the Full Project Gutenberg™ License available with this file or
online at www.gutenberg.org/license.

Section 1. General Terms of Use and


Redistributing Project Gutenberg™
electronic works
1.A. By reading or using any part of this Project Gutenberg™
electronic work, you indicate that you have read, understand,
agree to and accept all the terms of this license and intellectual
property (trademark/copyright) agreement. If you do not agree
to abide by all the terms of this agreement, you must cease
using and return or destroy all copies of Project Gutenberg™
electronic works in your possession. If you paid a fee for
obtaining a copy of or access to a Project Gutenberg™
electronic work and you do not agree to be bound by the terms
of this agreement, you may obtain a refund from the person or
entity to whom you paid the fee as set forth in paragraph 1.E.8.

1.B. “Project Gutenberg” is a registered trademark. It may only


be used on or associated in any way with an electronic work by
people who agree to be bound by the terms of this agreement.
There are a few things that you can do with most Project
Gutenberg™ electronic works even without complying with the
full terms of this agreement. See paragraph 1.C below. There
are a lot of things you can do with Project Gutenberg™
electronic works if you follow the terms of this agreement and
help preserve free future access to Project Gutenberg™
electronic works. See paragraph 1.E below.
1.C. The Project Gutenberg Literary Archive Foundation (“the
Foundation” or PGLAF), owns a compilation copyright in the
collection of Project Gutenberg™ electronic works. Nearly all the
individual works in the collection are in the public domain in the
United States. If an individual work is unprotected by copyright
law in the United States and you are located in the United
States, we do not claim a right to prevent you from copying,
distributing, performing, displaying or creating derivative works
based on the work as long as all references to Project
Gutenberg are removed. Of course, we hope that you will
support the Project Gutenberg™ mission of promoting free
access to electronic works by freely sharing Project Gutenberg™
works in compliance with the terms of this agreement for
keeping the Project Gutenberg™ name associated with the
work. You can easily comply with the terms of this agreement
by keeping this work in the same format with its attached full
Project Gutenberg™ License when you share it without charge
with others.

1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside
the United States, check the laws of your country in addition to
the terms of this agreement before downloading, copying,
displaying, performing, distributing or creating derivative works
based on this work or any other Project Gutenberg™ work. The
Foundation makes no representations concerning the copyright
status of any work in any country other than the United States.

1.E. Unless you have removed all references to Project


Gutenberg:

1.E.1. The following sentence, with active links to, or other


immediate access to, the full Project Gutenberg™ License must
appear prominently whenever any copy of a Project
Gutenberg™ work (any work on which the phrase “Project
Gutenberg” appears, or with which the phrase “Project
Gutenberg” is associated) is accessed, displayed, performed,
viewed, copied or distributed:

This eBook is for the use of anyone anywhere in the United


States and most other parts of the world at no cost and
with almost no restrictions whatsoever. You may copy it,
give it away or re-use it under the terms of the Project
Gutenberg License included with this eBook or online at
www.gutenberg.org. If you are not located in the United
States, you will have to check the laws of the country
where you are located before using this eBook.

1.E.2. If an individual Project Gutenberg™ electronic work is


derived from texts not protected by U.S. copyright law (does not
contain a notice indicating that it is posted with permission of
the copyright holder), the work can be copied and distributed to
anyone in the United States without paying any fees or charges.
If you are redistributing or providing access to a work with the
phrase “Project Gutenberg” associated with or appearing on the
work, you must comply either with the requirements of
paragraphs 1.E.1 through 1.E.7 or obtain permission for the use
of the work and the Project Gutenberg™ trademark as set forth
in paragraphs 1.E.8 or 1.E.9.

1.E.3. If an individual Project Gutenberg™ electronic work is
posted with the permission of the copyright holder, your use and
distribution must comply with both paragraphs 1.E.1 through
1.E.7 and any additional terms imposed by the copyright holder.
Additional terms will be linked to the Project Gutenberg™
License for all works posted with the permission of the copyright
holder found at the beginning of this work.

1.E.4. Do not unlink or detach or remove the full Project
Gutenberg™ License terms from this work, or any files
containing a part of this work or any other work associated with
Project Gutenberg™.

1.E.5. Do not copy, display, perform, distribute or redistribute
this electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the
Project Gutenberg™ License.

1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if
you provide access to or distribute copies of a Project
Gutenberg™ work in a format other than “Plain Vanilla ASCII” or
other format used in the official version posted on the official
Project Gutenberg™ website (www.gutenberg.org), you must,
at no additional cost, fee or expense to the user, provide a copy,
a means of exporting a copy, or a means of obtaining a copy
upon request, of the work in its original “Plain Vanilla ASCII” or
other form. Any alternate format must include the full Project
Gutenberg™ License as specified in paragraph 1.E.1.

1.E.7. Do not charge a fee for access to, viewing, displaying,
performing, copying or distributing any Project Gutenberg™
works unless you comply with paragraph 1.E.8 or 1.E.9.

1.E.8. You may charge a reasonable fee for copies of or
providing access to or distributing Project Gutenberg™
electronic works provided that:

• You pay a royalty fee of 20% of the gross profits you derive
from the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”

• You provide a full refund of any money paid by a user who
notifies you in writing (or by e-mail) within 30 days of receipt
that s/he does not agree to the terms of the full Project
Gutenberg™ License. You must require such a user to return or
destroy all copies of the works possessed in a physical medium
and discontinue all use of and all access to other copies of
Project Gutenberg™ works.

• You provide, in accordance with paragraph 1.F.3, a full refund of
any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.

• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.

1.E.9. If you wish to charge a fee or distribute a Project
Gutenberg™ electronic work or group of works on different
terms than are set forth in this agreement, you must obtain
permission in writing from the Project Gutenberg Literary
Archive Foundation, the manager of the Project Gutenberg™
trademark. Contact the Foundation as set forth in Section 3
below.

1.F.

1.F.1. Project Gutenberg volunteers and employees expend
considerable effort to identify, do copyright research on,
transcribe and proofread works not protected by U.S. copyright
law in creating the Project Gutenberg™ collection. Despite these
efforts, Project Gutenberg™ electronic works, and the medium
on which they may be stored, may contain “Defects,” such as,
but not limited to, incomplete, inaccurate or corrupt data,
transcription errors, a copyright or other intellectual property
infringement, a defective or damaged disk or other medium, a
computer virus, or computer codes that damage or cannot be
read by your equipment.

1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES - Except
for the “Right of Replacement or Refund” described in
paragraph 1.F.3, the Project Gutenberg Literary Archive
Foundation, the owner of the Project Gutenberg™ trademark,
and any other party distributing a Project Gutenberg™ electronic
work under this agreement, disclaim all liability to you for
damages, costs and expenses, including legal fees. YOU AGREE
THAT YOU HAVE NO REMEDIES FOR NEGLIGENCE, STRICT
LIABILITY, BREACH OF WARRANTY OR BREACH OF CONTRACT
EXCEPT THOSE PROVIDED IN PARAGRAPH 1.F.3. YOU AGREE
THAT THE FOUNDATION, THE TRADEMARK OWNER, AND ANY
DISTRIBUTOR UNDER THIS AGREEMENT WILL NOT BE LIABLE
TO YOU FOR ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE OR INCIDENTAL DAMAGES EVEN IF YOU GIVE
NOTICE OF THE POSSIBILITY OF SUCH DAMAGE.

1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If you
discover a defect in this electronic work within 90 days of
receiving it, you can receive a refund of the money (if any) you
paid for it by sending a written explanation to the person you
received the work from. If you received the work on a physical
medium, you must return the medium with your written
explanation. The person or entity that provided you with the
defective work may elect to provide a replacement copy in lieu
of a refund. If you received the work electronically, the person
or entity providing it to you may choose to give you a second
opportunity to receive the work electronically in lieu of a refund.
If the second copy is also defective, you may demand a refund
in writing without further opportunities to fix the problem.

1.F.4. Except for the limited right of replacement or refund set
forth in paragraph 1.F.3, this work is provided to you ‘AS-IS’,
WITH NO OTHER WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.

1.F.5. Some states do not allow disclaimers of certain implied
warranties or the exclusion or limitation of certain types of
damages. If any disclaimer or limitation set forth in this
agreement violates the law of the state applicable to this
agreement, the agreement shall be interpreted to make the
maximum disclaimer or limitation permitted by the applicable
state law. The invalidity or unenforceability of any provision of
this agreement shall not void the remaining provisions.

1.F.6. INDEMNITY - You agree to indemnify and hold the
Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and
distribution of Project Gutenberg™ electronic works, harmless
from all liability, costs and expenses, including legal fees, that
arise directly or indirectly from any of the following which you
do or cause to occur: (a) distribution of this or any Project
Gutenberg™ work, (b) alteration, modification, or additions or
deletions to any Project Gutenberg™ work, and (c) any Defect
you cause.

Section 2. Information about the Mission of Project Gutenberg™

Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new
computers. It exists because of the efforts of hundreds of
volunteers and donations from people in all walks of life.

Volunteers and financial support to provide volunteers with the
assistance they need are critical to reaching Project
Gutenberg™’s goals and ensuring that the Project Gutenberg™
collection will remain freely available for generations to come. In
2001, the Project Gutenberg Literary Archive Foundation was
created to provide a secure and permanent future for Project
Gutenberg™ and future generations. To learn more about the
Project Gutenberg Literary Archive Foundation and how your
efforts and donations can help, see Sections 3 and 4 and the
Foundation information page at www.gutenberg.org.

Section 3. Information about the Project Gutenberg Literary
Archive Foundation

The Project Gutenberg Literary Archive Foundation is a non-
profit 501(c)(3) educational corporation organized under the
laws of the state of Mississippi and granted tax exempt status
by the Internal Revenue Service. The Foundation’s EIN or
federal tax identification number is 64-6221541. Contributions
to the Project Gutenberg Literary Archive Foundation are tax
deductible to the full extent permitted by U.S. federal laws and
your state’s laws.

The Foundation’s business office is located at 809 North 1500
West, Salt Lake City, UT 84116, (801) 596-1887. Email contact
links and up to date contact information can be found at the
Foundation’s website and official page at
www.gutenberg.org/contact

Section 4. Information about Donations to the Project Gutenberg
Literary Archive Foundation

Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission
of increasing the number of public domain and licensed works
that can be freely distributed in machine-readable form
accessible by the widest array of equipment including outdated
equipment. Many small donations ($1 to $5,000) are particularly
important to maintaining tax exempt status with the IRS.

The Foundation is committed to complying with the laws
regulating charities and charitable donations in all 50 states of
the United States. Compliance requirements are not uniform
and it takes a considerable effort, much paperwork and many
fees to meet and keep up with these requirements. We do not
solicit donations in locations where we have not received written
confirmation of compliance. To SEND DONATIONS or determine
the status of compliance for any particular state visit
www.gutenberg.org/donate.

While we cannot and do not solicit contributions from states
where we have not met the solicitation requirements, we know
of no prohibition against accepting unsolicited donations from
donors in such states who approach us with offers to donate.

International donations are gratefully accepted, but we cannot
make any statements concerning tax treatment of donations
received from outside the United States. U.S. laws alone swamp
our small staff.

Please check the Project Gutenberg web pages for current
donation methods and addresses. Donations are accepted in a
number of other ways including checks, online payments and
credit card donations. To donate, please visit:
www.gutenberg.org/donate.

Section 5. General Information About Project Gutenberg™
electronic works

Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could
be freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose
network of volunteer support.

Project Gutenberg™ eBooks are often created from several
printed editions, all of which are confirmed as not protected by
copyright in the U.S. unless a copyright notice is included. Thus,
we do not necessarily keep eBooks in compliance with any
particular paper edition.

Most people start at our website which has the main PG search
facility: www.gutenberg.org.

This website includes information about Project Gutenberg™,
including how to make donations to the Project Gutenberg
Literary Archive Foundation, how to help produce our new
eBooks, and how to subscribe to our email newsletter to hear
about new eBooks.