BBDITM-054 COMPUTER SYSTEM SECURITY UNIT - 3
COMPUTER SYSTEM SECURITY
(KNC301)
UNIT -3
Secure architecture principles isolation and leas:
Access Control Concepts, Unix and windows access
control summary, Other issues in access control,
Introduction to browser isolation.
Web security landscape: Web security definitions, goals
and threat models, HTTP content rendering, Browser
isolation, Security interface, Cookies, frames and frame
busting, Major web server threats, Cross site request
forgery, Cross site scripting, Defenses and protections
against XSS, Finding vulnerabilities, Secure
development.
Access Control
1. Access control is a method of limiting access to a system
or to physical or virtual resources.
2. It is a process by which users are granted access and
certain prerogatives to systems, resources or information.
3. Access control is a security technique that has control over
who can view different aspects, what can be viewed and
who can use resources in a computing environment.
4. It is a fundamental concept in security that reduces risk to
the business or organization.
5. Access control systems perform identification,
authentication, and authorization of users and entities by
evaluating required login credentials that may include
passwords, PINs, biometric scans or other authentication
factors.
6. There is also multifactor authentication, which requires two
or more authentication factors and is an important part of
the layered defence that protects access control systems.
Different Models Of Access Control
Different access control models are:
1. Attribute-based Access Control (ABAC): In this
model, access is granted or declined by evaluating a set
of rules, policies, and relationships using the attributes of
users, systems and environmental conditions.
2. Discretionary Access Control (DAC): In DAC the
owner of data determines who can access specific
resources.
3. History-Based Access Control (HBAC): In this model,
access is granted or declined by evaluating the history of
activities of the inquiring party that includes behaviour,
the time between requests and content of requests.
4. Identity-Based Access Control (IBAC): By using this
model, network administrators can more effectively
manage activity and access, based on individual
requirements.
5. Mandatory Access Control (MAC): A control model in
which access rights are regulated by a central authority
based on multiple levels of security. Security-Enhanced
Linux (SELinux) is an implementation of MAC on the Linux
operating system.
6. Organization-Based Access control (OBAC): This
model allows the policy designer to define a security
policy independently of the implementation.
7. Role-Based Access Control (RBAC): RBAC allows
access based on the job title. RBAC eliminates discretion
on a large scale when providing access to objects. For
example, a human resources specialist should not have
permissions to create network accounts.
8. Rule-Based Access Control (RAC): The RAC method is
largely context based. For example, it would allow
students to use the labs only during a certain time of day.
Implementation Of Access Control
Implementation of access control:
1. Administrative access control:
a. Administrative access control sets the access control
policies and procedures for the whole organization,
defines the implementation requirements of both physical
and technical access control, and what the consequences
of non-compliance will be.
b. Examples are supervisory structure, staff and contractor
controls, information classification, and training, auditing,
and testing.
2. Physical access control:
a. Physical access control is critical to an organization's
security and applies to the access or restriction of access
to a place such as property, building or room.
b. Examples are fences, gates, doors, turnstiles, etc., using
locks, badges, biometrics (facial recognition,
fingerprints), video surveillance cameras, security guards,
motion detectors, mantrap doors, etc., to allow access to
certain areas.
3. Technical or logical access control:
a. Technical or logical access control limits connections to
computer networks, system files, and data.
b. It enforces restrictions on applications, protocols,
operating systems, encryption mechanisms, etc.
c. Examples are access control lists, intrusion detection
systems, and antivirus software.
Characteristics And Features Of Unix
Characteristics of UNIX:
1. Memory allocation: It keeps track of primary memory, i.e.,
which parts of it are in use and by whom, and it allocates
memory when a program requests it.
2. Processor management: It allocates the CPU to a process
and deallocates it when it is no longer required.
3. Device management: It keeps track of all devices and decides
for how much time and to whom priority should be given.
4. File management: It allocates and deallocates resources
and decides to whom the resources should be given.
5. Security: By means of passwords and other techniques, it
prevents unauthorized access to programs and data.
Features of UNIX:
1. Portable: Unix can be installed on many hardware
platforms.
2. Multi-user: Unix allows multiple users to concurrently
share hardware and software.
3. Multi-tasking: Unix allows a user to run more than one
program at a time. In fact, more than one program can be
running in the background while the user is working in the
foreground.
4. Networking: While Unix was developed to be an interactive,
multi-user, multi-tasking system, networking is incorporated
in the heart of the operating system.
5. Organized file system: Unix has organized file and
directory system that allows users to organize and maintain
files.
6. Device independence: Unix treats input/output devices as
ordinary files. The destination of file input and output is easily
controlled through a Unix design feature called redirection.
7. Utilities: Unix provides a rich library of utilities that can
increase user's productivity.
Differentiate between Unix and Windows
UNIX
1. It is open source.
2. It has a very high security system.
3. It is a command-based operating system.
4. The file system is arranged in a hierarchical manner.
5. Unix is not user friendly.
Windows
1. It is closed source.
2. It has a low security system.
3. It is not a command-based operating system.
4. The file system is arranged in a parallel manner.
5. It is user friendly.
Browser Isolation
1. Browser isolation is a cyber security model for web
browsing that can be used to physically separate an
internet user's browsing activity from their local machine,
network and infrastructure.
2. With this model, individual browser sessions are
abstracted away from hardware and direct internet access,
trapping harmful activity inside the disposable
environment.
3. Browser isolation may also be referred to as remote
browser isolation, web isolation or remote browsing.
4. A major weakness in popular security tools is protection
from web or browser-based attacks, malware and
ransomware.
5. By separating browsing activity from endpoint hardware,
the device's attack surface is reduced, sensitive data is
protected and malware or other known and unknown
security threats are minimized.
6. This is an evolution of the cyber security concepts of
security through physical isolation and air-gapping.
Working Of Browser Isolation
1. Browser isolation works by providing users with a
disposable, non-persistent environment for browsing.
2. This can be executed through a variety of methods but
involves virtualization, containerization or cloud browsing.
3. When a user closes the browsing session or the session is
timed out, the isolated environment is reset or discarded.
4. Any malicious code or harmful traffic is discarded as well,
preventing it from ever reaching the endpoint device or
network.
5. The browser isolation method treats all websites, files and
content equally by labelling them as untrusted or blacklisted
unless otherwise specified.
6. Within the isolated environment, files can be rendered
remotely or sanitized without the need to download them.
7. This is different from other security methods that do not treat
information equally and filter content based on potentially
threatening signs.
The Advantages And Disadvantages Of Browser Isolation
Advantages of browser isolation:
1. The primary benefit to browser isolation is reducing the
spread of malware through web browsers.
2. It is more effective than other anti-virus application methods
since it does not need to be programmed to find specific threats
or risks.
Disadvantages of browser isolation:
1. The installation of browser isolation can be complex or
expensive.
2. Browser isolation may cause users to experience slight
delay or lag times when browsing.
Web Security With Its Goals.
1. Web security is the process of securing confidential data
stored online from unauthorized access and modification.
2. This is accomplished by enforcing strict policy measures.
3. Websites are scanned for any possible vulnerabilities
and malware through website security software. This
software can scan for backdoor hacks, redirect hacks,
Trojans, and many other threats.
4. Website security software notifies the user if the
website has any issues and provides solutions to address
them.
5. Web security is the cumulative phrase for all of the methods
and measures that we can use and enforce to keep the files
behind our website and any data of our customers safe.
6. Security should be built into our website from the beginning,
but certain systems, the likes of WordPress, allow us to
easily install security measures at any time at little or no
cost.
The goal of web security is to identify the following:
1. Critical assets of the organization
2. Genuine users who may access the data
3. Level of access provided to each user
4. Various vulnerabilities that may exist in the
application
5. Data criticality and risk analysis on data exposure.
6. Appropriate remediation measures.
Threat Modelling
1. Threat modelling is a procedure for optimizing network
security by identifying objectives and vulnerabilities,
and then defining countermeasures to prevent, or
mitigate the effects of, threats to the system.
2. In this context, a threat is a potential or actual adverse
event that may be malicious (such as a denial-of-service
attack) or incidental (such as the failure of a storage
device), and that can compromise the assets of an
enterprise.
3. The key to threat modelling is to determine where the
most effort should be applied to keep a system secure.
4. Threat modelling is an iterative process that consists of
defining enterprise assets, identifying what each
application does with respect to these assets, creating a
security profile for each application, identifying
potential threats, prioritizing potential threats, and
documenting adverse events and the actions taken in
each case.
5. Threat modelling is a structured approach to
identifying, quantifying, and addressing threats.
6. It allows system security staff to communicate the
potential damage of security flaws and prioritize
remediation efforts.
Purpose of Threat Modelling
1. The purpose of threat modelling is to identify,
communicate, and understand threats and mitigations to
the organisation's stakeholders as early as possible.
2. Documentation from this process provides system
analysts and defenders with a complete analysis of the
probable attacker profile.
Rendering
1. Rendering or image synthesis is the automatic process
of generating a photorealistic or non-photorealistic
image from a 2D or 3D model by means of computer
programs. Also, the result of displaying such a model is
called a render.
2. The term rendering engine is often used interchangeably
with browser engine. It is responsible for the layout of our
website on our audience's screen.
3. A rendering engine is responsible for the painting and
animations used on our website.
4. It creates the visuals on the screen, lighting the
pixels exactly as they are meant to be so that the website
looks and feels the way it was made to.
Steps for what happens when we surf the web:
1. We type a URL into the address bar in our preferred browser.
2. The browser parses the URL to find the protocol, host,
port, and path. It forms an HTTP request.
3. To reach the host, it first needs to translate the
human-readable host into an IP address, and it does this by
doing a DNS lookup on the host.
4. Then a socket needs to be opened from the user's computer
to that IP address, on the port specified (most often port
80).
5. When a connection is open, the HTTP request is sent to
the host.
6. The host forwards the request to the server software
configured to listen on the specified port.
7. The server inspects the request and launches the server
plugin needed to handle the request.
8. The plugin gets access to the full request, and starts to
prepare an HTTP response.
9. The plugin combines that data with some metadata and
sends the HTTP response back to the browser.
10. The browser receives the response and parses the HTML
in the response. A DOM tree is built out of the HTML, even
if it is broken.
11. New requests are made to the server for each new
resource that is found in the HTML source (typically
images, style sheets, and JavaScript files).
12. Stylesheets are parsed, and the rendering information in
each gets attached to the matching node in the DOM tree.
13. JavaScript is parsed and executed, and DOM nodes are
moved and style information is updated accordingly.
14. The browser renders the page on the screen according to
the DOM tree and the style information for each node.
15. We see the page on the screen.
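The browser-side steps above can be traced offline. The following is an added example, not part of the original notes: it covers step 2 (URL parsing and request building), steps 9-10 (splitting the response into metadata and HTML) and step 11 (finding the extra resources to request). The function names, the example.com URLs and the response text are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_request(url):
    """Step 2: find protocol, host, port and path, then form the HTTP request."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    host_header = parts.hostname
    if port != DEFAULT_PORTS[parts.scheme]:
        host_header += f":{port}"          # non-default ports appear in Host
    request = (f"GET {path} HTTP/1.1\r\n"
               f"Host: {host_header}\r\n"
               "Connection: close\r\n\r\n")
    return parts.scheme, parts.hostname, port, request


def split_response(raw):
    """Steps 9-10: separate the metadata (status line, headers) from the HTML."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


class ResourceFinder(HTMLParser):
    """Step 11: collect images, style sheets and scripts named in the HTML."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag in ("img", "script") and attr.get("src"):
            self.found.append(attr["src"])
        elif tag == "link" and attr.get("rel", "").lower() == "stylesheet":
            if attr.get("href"):
                self.found.append(attr["href"])


def find_subresources(page_url, html_text):
    """Return absolute URLs of the resources the browser would request next."""
    finder = ResourceFinder()
    finder.feed(html_text)
    finder.close()
    return [urljoin(page_url, ref) for ref in finder.found]


# Constructed sample response; note the unclosed <p>, which still parses.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><link rel="stylesheet" href="/site.css">'
    '<script src="app.js"></script></head>'
    '<body><img src="img/logo.png"><p>unclosed paragraph</body></html>'
)

if __name__ == "__main__":
    url = "http://example.com/docs/index.html?x=1"
    print(build_request(url))
    status, headers, body = split_response(SAMPLE_RESPONSE)
    print(status, headers)
    print(find_subresources(url, body))
```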
List Of Rendering Engines Produced By Major Web Browser Vendors:
1. Blink: It is used in Google Chrome, and Opera browsers.
2. WebKit: It is used in Safari browsers.
3. Gecko: It is used in Mozilla Firefox browsers.
4. Trident: It is used in Internet Explorer browsers.
5. EdgeHTML: It is used in Edge browsers.
6. Presto: Legacy rendering engine for Opera.
Security Interface Framework
1. The Security Interface Framework is a set of Objective-C
classes that provide user interface elements for programs
that implement security features such as authorization,
access to digital certificates, and access to items in
keychains.
2. User Interface (UI) defines the way humans interact with
the information systems.
3. User Interface (UI) is a series of pages, screens, buttons,
forms and other visual elements that are used to interact
with the device. Every app and every website has a user
interface.
4. User Interface (UI) design is the creation of graphics,
illustrations, and use of photographic artwork and
typography to enhance the display and layout of a digital
product within its various device views.
5. Interface elements consist of input controls (buttons, drop-
down menus, data fields), navigational components
(search fields, sliders, icons, tags), and informational
components (progress bars, notifications, message
boxes).
Cookies and Frame Busting
Cookies:
1. These are small text files that the web browser stores on
the computer.
2. The first time we visit a page on the internet, a new cookie
is created, which collects the information that can be
accessed by the website operator.
3. However, some browsers store all cookies in a single file.
4. The information in this text file is in turn subdivided into
attributes that are included individually.
Frame busting:
1. Frame busting refers to code or annotation provided by a
web page intended to prevent the web page from being
loaded in a sub-frame.
2. Frame busting is the recommended defense against
clickjacking and is also required to secure image-based
authentication such as the sign-in seal used by Yahoo.
3. Sign-in seal displays a user-selected image that
authenticates the Yahoo login page to the user.
4. Without frame busting, the correct image is displayed to
the user, even though the top page is not the real Yahoo
login page.
5. New advancements in clickjacking techniques using drag
and drop to extract and inject data into frames make
frame busting even more critical.
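The "annotation" form of frame busting is normally a response header: X-Frame-Options, or the frame-ancestors directive of Content-Security-Policy. The following is an added example, not part of the original notes: a simplified model of the framing decision, useful for checking which of a site's responses may be loaded in a sub-frame. It assumes only the immediate parent is checked and that frame-ancestors sources are 'self', 'none' or exact origins; the .example URLs are constructed.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Scheme plus host (and port), the unit browsers compare for framing."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(headers, page_url, parent_url):
    """Return True if page_url may be shown in a frame inside parent_url.

    Simplified model: wildcard and scheme-only sources are not handled.
    """
    hdrs = {name.lower(): value for name, value in headers.items()}
    same_origin = origin_of(page_url) == origin_of(parent_url)

    # frame-ancestors, when present, takes precedence over X-Frame-Options.
    for directive in hdrs.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [token.lower() for token in tokens[1:]]
            if "'self'" in sources and same_origin:
                return True
            # 'none' or an empty list matches no parent at all.
            return origin_of(parent_url) in sources

    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    return True   # no annotation: any site may frame the page


if __name__ == "__main__":
    page = "https://login.example/signin"           # constructed URLs
    other = "https://other.example/page"
    for hdrs in ({},
                 {"X-Frame-Options": "DENY"},
                 {"Content-Security-Policy": "frame-ancestors 'self'"}):
        print(hdrs, "->", framing_allowed(hdrs, page, other))
```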
Major Web Server Threats
1. Injection flaws:
a. Injection flaws, such as SQL and OS injection, occur when
untrusted data is sent to an interpreter as part of a command or
query.
b. The attacker's hostile data can trick the interpreter into
executing unintended commands or accessing data without
proper authorization.
2. Broken Authentication: Application functions related to
authentication and session management are often not
implemented correctly, allowing attackers to compromise
passwords, keys, or session tokens, or to exploit other
implementation flaws to assume other users' identities.
3. Sensitive Data Exposure
a. Many web applications and APIs do not properly protect
sensitive data such as financial and healthcare data.
b. Attackers may steal or modify such weakly protected data to
conduct credit card fraud, identity theft, or other crimes.
c. Sensitive data may be compromised without extra protection,
such as encryption at rest or in transit, and requires special
precautions when exchanged with the browser.
4. XML External Entities:
a. Many older or poorly configured XML processors evaluate
external entity references within XML documents.
b. External entities can be used to disclose internal files using
the file URI handler, internal file shares, internal port scanning,
remote code execution, and denial-of-service attacks.
5. Broken access control:
a. Restrictions on what authenticated users are allowed to do
are often not properly enforced.
b. Attackers can exploit these flaws to access unauthorized
functionality and/or data, such as accessing other users'
accounts, viewing sensitive files, modifying other users' data,
changing access rights, etc.
6. Security misconfiguration:
a. Exploits application stack vulnerabilities such as unpatched
software, zero-day threats, and undeleted default accounts.
b. Also exploits misconfigured HTTP headers and verbose
error messages that contain sensitive information.
7. Cross-Site Scripting (XSS):
a. Injects malicious code from a trusted source to execute
scripts in the victim's browser that can hijack user sessions or
redirect the user to malicious sites.
b. Cross-site scripting is a common vector that inserts malicious
code into a web application found to be vulnerable. Unlike
other web attack types, such as SQL injection, its objective is
not our web application. Rather, it targets its users, resulting
in harm to our clients and the reputation of our organization.
8. Reflected XSS:
a. Reflected XSS uses a malicious script to reflect traffic to a
visitor's browser from a web application.
b. Initiated via a link, a request is directed to a vulnerable
website.
c. The web application is then manipulated to activate harmful
scripts.
9. Cross-Site Request Forgery (CSRF):
a. Also known as XSRF, Sea Surf, or session riding, cross-site
request forgery deceives the user's browser, while it is logged
into our application, into running an unauthorized action.
b. A CSRF can transfer funds in an authorized manner and
change passwords, in addition to stealing session cookies and
business data.
10. Man in the Middle Attack (MITM):
a. A man in the middle attack can occur when a bad actor
positions himself between an application and an unsuspecting
user.
b. MITM can be used for eavesdropping or impersonation.
c. Meanwhile, account credentials, credit card numbers, and
other personal information can easily be harvested by the
attacker.
11. Phishing attack:
a. Phishing can be set up to steal user data, such as credit card
and login information.
b. The perpetrator, posing as a trustworthy entity, fools their
prey into opening an email, text memo, or instant message.
c. The victim is then lured into clicking a link that hides a payload.
d. Such an action can cause malware to be covertly installed.
e. It is also possible for ransomware to freeze the user's PC, or
for sensitive data to be passed.
12. Remote File Inclusion (RFI):
a. Remote File Inclusion (RFI) exploits weaknesses in those
web applications that dynamically call external scripts.
b. Taking advantage of that function, an RFI attack uploads
malware and takes over the system.
13. Insecure deserialization:
a. Insecure deserialization often leads to remote code
execution.
b. Even if deserialization flaws do not result in remote code
execution, they can be used to perform attacks, including replay
attacks, injection attacks, and privilege escalation attacks.
14. Using components with known vulnerabilities:
It occurs when attackers are able to take control of and exploit
vulnerable libraries, frameworks, and other modules running
with full privileges.
15. Insufficient logging and monitoring:
a. Insufficient logging and monitoring allows attackers to
attack systems, maintain persistence, pivot to more systems,
and tamper with, extract, or destroy data.
16. Backdoor attack:
a. Being a form of malware, a backdoor circumvents login
authentication to enter a system.
b. Many organizations offer employees and partners remote
access to application resources, including file servers and
databases.
c. This enables bad actors to trigger system commands in the
compromised system and keep their malware updated.
d. The attacker's files are usually heavily cloaked, making
detection problematic.
Cross-Site Request Forgery
1. Cross-site request forgery (CSRF) is an attack that forces
an end user to execute unwanted actions on a web
application in which they are currently authenticated.
2. CSRF attacks specifically target state-changing requests,
not theft of data, since the attacker has no way to see the
response to the forged request.
3. With the help of social engineering (such as sending a link
via email or chat), an attacker may trick the users of a web
application into executing actions of the attacker's
choosing.
4. If the victim is a normal user, a successful CSRF attack
can force the user to perform state changing requests like
transferring funds, changing their email address, and so
forth.
5. If the victim is an administrative account, CSRF can
compromise the entire web application.
6. Cross-Site Request Forgery (CSRF) is an attack vector
that tricks a web browser into executing an unwanted
action in an application to which a user is logged in.
7. A successful CSRF attack can be devastating for both the
business and user. It can result in damaged client
relationships, unauthorized fund transfers, changed
passwords and data theft, including stolen session cookies.
8. As the unsuspecting user is authenticated by their
application at the time of the attack, it is impossible to
distinguish a legitimate request from a forged one.
Prevent CSRF Attack
CSRF attacks can be prevented in two ways:
1. On the user side: User-side prevention is very inefficient in
terms of browsing experience. Prevention can be done by
browsing only a single tab at a time and not using the
remember-me functionality.
2. On the server side:
a. There are many proposed ways to implement CSRF
protection on the server side, among which the use of CSRF
tokens is the most popular.
b. A CSRF token is a string that is tied to a user's session but is
not submitted automatically.
c. A website proceeds only when it receives a valid CSRF token
along with the cookies. Since there is no way for an attacker to
know a user-specific token, the attacker cannot perform actions
on the user's behalf.
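One way to implement the server-side token check described above, as an added example that is not part of the original notes: the token is a random nonce plus an HMAC that ties it to the session, and a state-changing request is refused unless the token arrives alongside the cookie. The function names, the session cookie name, the csrf_token form field and SERVER_KEY are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side secret; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str, key: bytes) -> str:
    """HMAC over session id and nonce: ties the token to one session."""
    message = f"{session_id}:{nonce}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Create the token the server embeds in its own forms for this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce, key)}"


def verify_csrf_token(session_id: str, token: Optional[str],
                      key: bytes = SERVER_KEY) -> bool:
    """Accept only a well-formed token whose MAC matches this session."""
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = _mac(session_id, nonce, key)
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_state_change(cookies: dict, form: dict) -> str:
    """Process a state-changing request (for example, an email change).

    The session cookie is attached by the browser automatically, even on a
    forged cross-site request; the token is not, so it must come from a form
    the server itself rendered for this session.
    """
    session_id = cookies.get("session")
    if session_id is None:
        return "401 not logged in"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return "200 action performed"


if __name__ == "__main__":
    sid = "session-abc"                       # constructed session id
    token = issue_csrf_token(sid)
    # Legitimate form post: cookie and token both present.
    print(handle_state_change({"session": sid}, {"csrf_token": token}))
    # Forged cross-site post: cookie attached by the browser, no token.
    print(handle_state_change({"session": sid}, {}))
```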
Cross-Site Scripting
1. Cross-site scripting (XSS) is a vulnerability in a web
application that allows a third party to execute a script in the
user's browser on behalf of the web application.
2. Cross-site scripting is one of the most prevalent
vulnerabilities present on the web.
3. The exploitation of XSS against a user can lead to various
consequences such as account compromise, account deletion,
privilege escalation, malware infection and many more.
4. It allows an attacker to masquerade as a victim user, to carry
out any actions that the user is able to perform and to access
any of the user's data.
5. If the victim user has privileged access within the application
then the attacker might be able to gain full control over all of
the application's functionality and data.
Types Of Cross Site Scripting (XSS).
There are 2 types:
1. REFLECTED XSS:
i. If the input has to be provided each time to execute,
such XSS is called reflected.
ii. These attacks are mostly carried out by delivering a
payload directly to the victim.
iii. The victim requests a page with a request containing the
payload, and the payload is embedded in the response as a
script.
iv. An example of reflected XSS is XSS in the search
field.
2. STORED XSS:
i. When the response containing the payload is stored on
the server in such a way that the script gets executed on
every visit without submission of the payload, then it is
identified as stored XSS.
ii. An example of stored XSS is XSS in a comment thread.
Different Ways Used To Prevent XSS.
Different ways used to prevent XSS are:
1. Escaping:
a. The first method used to prevent XSS vulnerabilities from
appearing in our applications is by escaping user input.
b. Escaping data means taking the data an application has
received and ensuring it is secure before rendering it for
the end user.
c. By escaping user input, key characters in the data received
by a web page will be prevented from being interpreted in
any malicious way.
d. In essence, we are censoring the data our web page
receives in a way that will disallow certain characters,
especially the < and > characters, from being rendered, which
otherwise could cause harm to the application and/or
users.
2. Validating input:
a. Validating input is the process of ensuring an application
is rendering the correct data and preventing malicious data
from doing harm to the site, database, and users.
b. While whitelisting and input validation are more
commonly associated with SQL injection, they can also be
used as an additional method of prevention for XSS.
c. Whereas blacklisting, or disallowing certain predetermined
characters in user input, disallows only known bad characters,
whitelisting only allows known good characters and is a better
method for preventing XSS attacks as well as others.
d. Input validation is especially helpful and good at preventing
XSS in forms, as it prevents a user from adding special
characters into the fields, instead refusing the request.
e. However, input validation is not a primary prevention
method for vulnerabilities such as XSS and SQL injection, but
instead helps to reduce the effects should an attacker discover
such vulnerability.
3. Sanitizing:
a. A third way to prevent cross-site scripting attacks is to
sanitize user input.
b. Sanitizing data is a strong defense, but should not be used
alone to battle XSS attacks.
c. Sanitizing user input is especially helpful on sites that
allow HTML markup, to ensure data received can do no
harm to users as well as our database by scrubbing the data
clean of potentially harmful markup, changing
unacceptable user input to an acceptable format.
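The three defenses above (escaping, validating input and sanitizing) are shown side by side in this added example, which is not part of the original notes. The username pattern, the list of permitted tags and the function names are assumptions chosen for illustration, and the inputs are constructed test strings.

```python
import html
import re
from html.parser import HTMLParser

# Assumptions for this example: what a username may contain, and which
# markup a comment field is allowed to keep.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}


def render_search_page(query: str, escape: bool = True) -> str:
    """Escaping: turn <, >, &, quotes into entities before output."""
    shown = html.escape(query, quote=True) if escape else query
    return f"<p>Results for: {shown}</p>"


def is_valid_username(value: str) -> bool:
    """Validating (whitelisting): accept only known good characters."""
    return USERNAME_RE.fullmatch(value) is not None


class _MarkupSanitizer(HTMLParser):
    """Sanitizing: keep permitted tags, drop the rest and all attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")       # attributes such as onclick are dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))   # text is always escaped


def sanitize_markup(value: str) -> str:
    parser = _MarkupSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"       # constructed test input
    print(render_search_page(probe, escape=False))   # script tag reaches the page
    print(render_search_page(probe))                 # shown as inert text
    print(is_valid_username("alice_01"), is_valid_username(probe))
    print(sanitize_markup('<b onclick="x()">hi</b>' + probe))
```

Escaping is applied at output time, validation at input time, and the sanitizer only where the site deliberately accepts HTML markup, which matches the order in which the notes introduce them.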
XSS vulnerabilities
Following are XSS vulnerabilities:
1. Stored XSS vulnerabilities:
a. Stored attacks are those where the injected script is
permanently stored on the target servers, such as in a database,
in a message forum, visitor log, comment field, etc.
b. The victim then retrieves the malicious script from the server
when it requests the stored information. Stored XSS is also
referred to as Persistent or Type-I XSS.
2. Reflected XSS vulnerabilities:
a. Reflected attacks are those where the injected script is
reflected off the web server, such as in an error message, search
result, or any other response that includes some or all of the
input sent to the server as part of the request.
b. Reflected attacks are delivered to victims via another route,
such as in an e-mail message, or on some other website.
c. When a user is tricked into clicking on a malicious link,
submitting a specially crafted form, or even just browsing to a
malicious site, the injected code travels to the vulnerable web
site, which reflects the attack back to the user's browser.
d. The browser then executes the code because it came from a
trusted server.
e. Reflected XSS is also referred to as Non-Persistent or
Type-II XSS.
3. Server-side versus DOM-based vulnerabilities:
a. XSS vulnerabilities were first found in applications that
performed all data processing on the server side.
b. User input (including an XSS vector) would be sent to the
server, and then sent back to the user as a web page.