CNIT 129S: Securing
Web Applications
Ch 3: Web Application Technologies
Updated 2-1-22
HTTP
Hypertext Transfer Protocol (HTTP)
• Stateless request/response protocol: HTTP/1.1 may keep the underlying TCP connection open for several requests, but the protocol itself treats each request on its own
• Client sends an HTTP request to a Web server
• Gets an HTTP response
• No session formed, nothing remembered--no "state"
HTTP Requests
• Verb: GET (also called "method")
• URL: /css?family=Roboto:400,700
• Portion after ? is the query string containing parameters
• Version: HTTP/1.1
HTTP Requests
• Referer: URL the request originated from (the misspelling is part of the standard)
• User-Agent: browser being used
• Host: Hostname of the server
• Essential when multiple hosts run on the same IP
• Required in HTTP/1.1
HTTP Requests
• Cookie: additional parameters the server has issued
to the client
HTTP Response
• First line
• HTTP version
• Status code (200 in this case)
• Textual "reason phrase" describing the response
• Ignored by browser
HTTP Response
• Server: banner of server software
• Not always accurate
• Set-Cookie used to set cookie values
HTTP Response
• Pragma: tells browser not to store response in its cache
• Expires: set to a date in the past to ensure that the content is freshly loaded
• Both are HTTP/1.0-era mechanisms; HTTP/1.1 clients honor Cache-Control (for example no-store), so a sensitive response should send all of them
HTTP Response
• Message Body after header contains data of type specified in Content-Type header
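The following parser is an added example for the HTTP Response slides above; it is not code from the deck. It splits a raw response into status line, headers and body, reads the Server banner, and applies the cache-control checks the slides describe (Pragma, a past Expires date, and Cache-Control: no-store). The sample response, its Server banner and its cookie are constructed for illustration.

```python
"""Parse a raw HTTP/1.1 response and pull out the headers the slides discuss.

Added example for the HTTP Response slides; not code from the original deck.
The response below is constructed (the Server banner and cookie are made up).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample response; the body is 28 bytes, matching Content-Length.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.1 (Unix)\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    b"Pragma: no-cache\r\n"
    b"Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"<html><body>hi</body></html>"
)


def parse_response(raw: bytes) -> dict:
    """Split a response into status line, (name, value) headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)                 # "HTTP/1.1 200 OK"
    version, status = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""    # free text; browsers ignore it
    headers = []                                   # a list, because Set-Cookie may repeat
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"version": version, "status": status, "reason": reason,
            "headers": headers, "body": body}


def header(resp: dict, name: str) -> list:
    """All values of a header (header names are case-insensitive)."""
    return [v for n, v in resp["headers"] if n == name.lower()]


def server_banner(resp: dict):
    """The Server header: useful for fingerprinting, but easily faked or removed."""
    values = header(resp, "server")
    return values[0] if values else None


def caching_disabled(resp: dict, now=None) -> bool:
    """True if the response tells caches not to store it.

    Pragma: no-cache and a past Expires date are the HTTP/1.0-era signals the
    slides mention; Cache-Control: no-store is the HTTP/1.1 one.
    """
    now = now or datetime.now(timezone.utc)
    cache_control = ",".join(header(resp, "cache-control")).lower()
    if "no-store" in cache_control:
        return True
    if any(v.lower() == "no-cache" for v in header(resp, "pragma")):
        return True
    for value in header(resp, "expires"):
        try:
            expires = parsedate_to_datetime(value)
        except (TypeError, ValueError):
            return True    # an unparseable Expires (e.g. "0") counts as already expired
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            return True
    return False


if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(r["status"], r["reason"], "| Server:", server_banner(r),
          "| caching disabled:", caching_disabled(r))
```

Headers are kept as a list rather than a dict because a single response legitimately carries several Set-Cookie headers, and a dict would silently keep only the last one.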
HTTP Methods: GET
• GET retrieves resources
• Can send parameters in the URL query string
• Users can bookmark the whole URL
• Whole URL may appear in server logs and in Referer headers
• Also on the browser's screen
• Don't put sensitive information in the query string
HTTP Methods: POST
• POST performs actions
• Request parameters can be in URL query string and in the body of the message
• Parameters in body aren't saved in bookmarks or most server logs
• A better place for sensitive data
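The parser below is an added example for the HTTP Requests slides and the GET/POST slides above; it is not code from the deck. It splits a raw request into method, path, query-string parameters, headers, cookies and form-body parameters, enforces the HTTP/1.1 Host requirement, and reports which parameters travel in the URL (and so can leak through bookmarks, Referer headers and access logs). Both sample requests, the example.test hostnames and the parameter names are constructed.

```python
"""Parse a raw HTTP/1.1 request the way a proxy or server sees it.

Added example for the HTTP Requests and GET/POST slides; not code from the
original deck. The two sample requests and their hostnames are constructed.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed GET request: the parameters ride in the URL's query string.
SAMPLE_GET = (
    b"GET /css?family=Roboto:400,700&theme=dark HTTP/1.1\r\n"
    b"Host: fonts.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Referer: https://www.example.test/page\r\n"
    b"Cookie: session=1a2b3c; lang=en\r\n"
    b"\r\n"
)

# Constructed POST request: the credentials ride in the 33-byte body, and only
# the harmless "next" parameter is in the URL.
SAMPLE_POST = (
    b"POST /login?next=%2Faccount HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=alice&password=s3cret%21"
)


def parse_request(raw: bytes) -> dict:
    """Split a request into its parts; raises ValueError on an HTTP/1.1 request without Host."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}                                  # simplified: a repeated header overwrites
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # HTTP/1.1 makes Host mandatory: it is how a server that hosts several
    # names on one IP address picks the right virtual host.
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    url = urlsplit(target)
    params = {"query": parse_qsl(url.query, keep_blank_values=True), "body": []}
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type == "application/x-www-form-urlencoded":
        length = int(headers.get("content-length", "0"))
        params["body"] = parse_qsl(body[:length].decode("iso-8859-1"),
                                   keep_blank_values=True)
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return {"method": method, "path": url.path, "version": version,
            "headers": headers, "params": params, "cookies": cookies}


def url_exposed_parameters(req: dict) -> list:
    """Names of parameters that travel in the URL and so can leak through the
    address bar, bookmarks, Referer headers and server access logs."""
    return [name for name, _ in req["params"]["query"]]


if __name__ == "__main__":
    for raw in (SAMPLE_GET, SAMPLE_POST):
        req = parse_request(raw)
        print(req["method"], req["path"], "exposed in URL:", url_exposed_parameters(req))
```

Note that the Host header is used verbatim by many applications to build absolute URLs, so a test should always include requests with an unexpected Host value; the parser only checks that the header is present.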
HTTP Methods: POST
• POST requests perform actions, like buying something
• Clicking the browser's Back button displays a box like this
Other HTTP Methods
• HEAD returns only the header, not the body
• Can be used to check if a resource is available before GETing it
• OPTIONS shows allowed methods
• PUT uploads to server (usually disabled)
URL (Uniform Resource Locator)
• If protocol is absent, it defaults to HTTP
• If port is absent, it uses the default port for the protocol
• 80 for HTTP, 443 for HTTPS, etc.
REST (Representational State Transfer)
• RESTful URLs put parameters in the URL path, not the query string
• Becomes
HTTP Headers
Cookies
• Cookies are resubmitted in each request to the same domain
• Unlike other request parameters, such as the query string
Set-Cookie Header
• Optional attributes
• expires - date when the cookie stops being valid
• If absent, cookie is used only in the current browser session
• domain - specified domain for which cookie is valid
• Must be the same as, or a parent of, the domain from which the cookie is received; the browser rejects the cookie otherwise
• Cookie scoping is by domain only, which is looser than the "Same-Origin Policy" applied to scripts (scheme and port are ignored)
Set-Cookie Header
• Optional attributes
• path - URL path for which the cookie is valid
• secure - transmit cookie only via HTTPS
• HttpOnly - Cookie cannot be directly accessed via client-side JavaScript
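As an added example for the two Set-Cookie slides (not code from the deck), the functions below parse a Set-Cookie header value into a cookie record and then decide, for a later request URL, whether a browser would attach the cookie. The domain, path and secure rules follow the attribute semantics the slides describe, simplified from the browser cookie specification (RFC 6265); max-age and SameSite are left out. The cookie names, values and example.test hostnames are constructed.

```python
"""Parse Set-Cookie attributes and decide whether a stored cookie is sent on a request.

Added example for the Set-Cookie slides; not code from the original deck.
All cookie names, values and hostnames are constructed. The rules are a
simplification of RFC 6265 (no Max-Age, no SameSite, no public-suffix check).
"""
from urllib.parse import urlsplit


def parse_set_cookie(header_value: str, origin_host: str):
    """Turn one Set-Cookie value into a cookie record, or None if the browser would reject it."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    origin_host = origin_host.lower()
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": origin_host, "host_only": True,   # no Domain attribute: exact host only
              "path": "/", "secure": False, "httponly": False,
              "expires": None}                            # None: session cookie
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            dom = val.lstrip(".").lower()
            # Domain may only be the issuing host or one of its parents.
            if origin_host == dom or origin_host.endswith("." + dom):
                cookie["domain"], cookie["host_only"] = dom, False
            else:
                return None                               # rejected outright
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "expires":
            cookie["expires"] = val
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: equal, or a prefix that ends on a path-segment boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_send(cookie: dict, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif not (host == cookie["domain"] or host.endswith("." + cookie["domain"])):
        return False
    if not path_matches(cookie["path"], u.path or "/"):
        return False
    if cookie["secure"] and u.scheme.lower() != "https":
        return False
    return True


def script_readable(cookie: dict) -> bool:
    """HttpOnly cookies are still sent by the browser, but document.cookie cannot read them."""
    return not cookie["httponly"]


if __name__ == "__main__":
    c = parse_set_cookie("SESSIONID=abc123; Domain=example.test; Path=/app; Secure; HttpOnly",
                         "www.example.test")
    print(c, would_send(c, "https://api.example.test/app/login"))
```

The cases worth remembering from the checks: a Domain attribute widens the cookie to every subdomain of that domain (and is rejected if it names an unrelated domain), a cookie issued without Domain goes back only to the exact host, Secure blocks the cookie on plain http:// requests, and HttpOnly affects script access only, not transmission.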
Status Codes Groups
Important Status Codes
• 200 OK - request succeeded, response body contains result
• 301 Moved Permanently - redirects the browser, client should use new URL in the future
• 302 Found - redirects browser temporarily. Client should revert to original URL in subsequent requests
Important Status Codes
• 304 Not Modified - browser should use cached copy of resource
• 400 Bad Request - invalid HTTP request
• 401 Unauthorized - Server requires HTTP authentication
• WWW-Authenticate header specifies the type(s) of authentication supported
Important Status Codes
• 403 Forbidden - no one is allowed to access resource, regardless of authentication
• 404 Not Found - requested resource does not exist
• 500 Internal Server Error - unhandled exception in an app, such as a PHP error
• Next page: Link Ch 3l
HTTPS
• HTTP over SSL (Secure Sockets Layer)
• Actually now TLS (Transport Layer Security)
• All versions of SSL are deprecated, as are TLS 1.0 and 1.1; use TLS 1.2 or 1.3
• Protects data with encryption
• Protects data in motion, but not at rest or in use
HTTP Proxies
• Browser sends requests to proxy server
• Proxy fetches resource and sends it to browser
• Proxies may provide caching, authentication, and access control
HTTPS and Man-in-the-Middle (MITM) Attacks
• HTTPS connections use public-key cryptography and end-to-end encryption
• Only the endpoints can decrypt traffic
• Companies wishing to restrict HTTPS traffic have two choices
• Perform a complete MITM with an inspection proxy that issues its own certificate for each site, signed by a private root CA the company installs on its managed devices (a publicly trusted CA is not supposed to issue such a root)
• Allow encrypted traffic to trusted domains without being able to inspect it
HTTPS and Proxies
• Browser sends an HTTP request to the proxy using the CONNECT method and destination hostname and port number
• If proxy allows the request, it returns 200 status and keeps the TCP connection open
• Thereafter acts as a pure TCP-level relay to the destination web server
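The exchange described above, as an added example that is not part of the original deck: the client side builds the CONNECT request, the proxy side parses it, applies an access-control decision (the only point at which it can see the destination), and answers 200 or 403; after a 200 the proxy forwards bytes it cannot read. The hostnames, the allowed-port set and the deny-list are constructed; Proxy-Authorization is left out.

```python
"""Both halves of the HTTP CONNECT exchange a browser uses to reach an HTTPS site via a proxy.

Added example for the HTTPS-and-proxies slides; not code from the original
deck. Hostnames, the allowed-port set and the deny-list are constructed.
"""

ALLOWED_PORTS = {443}                          # constructed policy
BLOCKED_HOSTS = {"malware.example.test"}       # constructed deny-list


def build_connect(host: str, port: int) -> bytes:
    """Client side: what the browser sends to the proxy before any TLS bytes flow."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"Proxy-Connection: keep-alive\r\n\r\n").encode("ascii")


def proxy_handle_connect(raw: bytes):
    """Proxy side: decide whether to open the tunnel.

    Returns (status, response_bytes, (host, port) or None).
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    method, target, _version = head.split("\r\n")[0].split(" ")
    if method != "CONNECT":
        return 405, b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n", None
    host, _, port = target.rpartition(":")        # rpartition keeps IPv6 literals intact
    port = int(port)
    # This is the only moment the proxy sees the destination: once it answers
    # 200 it relays opaque TLS records and can no longer apply policy.
    if host.lower() in BLOCKED_HOSTS or port not in ALLOWED_PORTS:
        return 403, b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n", (host, port)
    return 200, b"HTTP/1.1 200 Connection Established\r\n\r\n", (host, port)


def client_parse_proxy_reply(reply: bytes) -> bool:
    """Client side: only a 2xx means the tunnel is open and the TLS handshake may start."""
    status = int(reply.split(b" ", 2)[1])
    return 200 <= status < 300


def tunnel_session(host: str, port: int, tls_client_hello: bytes):
    """Run the whole exchange in memory; returns (status, bytes that reach the destination)."""
    status, reply, _ = proxy_handle_connect(build_connect(host, port))
    if not client_parse_proxy_reply(reply):
        return status, b""
    # From here on the proxy is a TCP relay: it forwards the TLS bytes unchanged.
    return status, bytes(tls_client_hello)


if __name__ == "__main__":
    hello = bytes.fromhex("160301")   # constructed: first bytes of a TLS record header
    print(tunnel_session("www.example.test", 443, hello))
    print(tunnel_session("malware.example.test", 443, hello))
```

Because everything after the 200 is opaque to the proxy, a CONNECT allow-list is also a common tunnelling target: a proxy that permits CONNECT to arbitrary ports lets any TCP protocol out through the web proxy, which is why the constructed policy restricts the port as well as the host.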
HTTP Authentication
• Basic: sends username and password in Base64 encoding (reversible, so effectively plaintext)
• NTLM: Uses Windows NTLM protocol (MD4 hashing)
• Digest: Challenge-response using MD5 hashing
• These are generally used in intranets, not on the Internet
• All are very weak cryptographically, and should be protected with HTTPS
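To make the Basic point concrete, here is an added example (not from the deck) that builds the header a browser sends after the user fills in the 401 dialog, and then recovers the credentials from it exactly as anyone watching unencrypted traffic could. The realm and credentials are constructed; the "Aladdin" / "open sesame" pair is the standard example from the Basic authentication RFC.

```python
"""Build and decode an HTTP Basic Authorization header.

Added example for the HTTP Authentication slides; not code from the original
deck. The realm and credentials are constructed.
"""
import base64
import binascii


def challenge(realm: str) -> str:
    """The header a server sends with a 401 to ask for Basic credentials."""
    return f'WWW-Authenticate: Basic realm="{realm}", charset="UTF-8"'


def build_basic(username: str, password: str) -> str:
    """What the browser sends on every later request to that realm."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str):
    """Recover (username, password) from an Authorization header value.

    Base64 is an encoding, not encryption: no key is needed, so without TLS
    every hop on the path can read the password. The password may itself
    contain colons, so only the first colon separates the two fields.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


if __name__ == "__main__":
    print(challenge("intranet"))
    hdr = build_basic("Aladdin", "open sesame")
    print(hdr, "->", decode_basic(hdr))
```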
Web Functionality
Server-Side Functionality
• Static content - HTML pages and images that are the same for all users
• Dynamic content - response created on the fly, can be customized for each user
• Created by scripts on the server
• Customized based on parameters in the request
HTTP Parameters
• May be sent in these ways:
Other Inputs
• Server-side application may use any part of the HTTP request as an input
• Such as User-Agent
• Often used to display smartphone-friendly versions of pages
Web Application
Technologies
The Java Platform
• Standard for large-scale enterprise applications
• Lends itself to multitiered and load-balanced architectures
• Well-suited to modular development and code reuse
• Runs on Windows, Linux, and Solaris
Java Platform Terms
• Enterprise Java Bean (EJB)
• Heavyweight software component to encapsulate business logic, such as transactional integrity
• Plain Old Java Object (POJO)
• User-defined, lightweight object, distinct from a special object such as an EJB
• Java Servlet
• Object on an application server that receives HTTP requests from client and returns HTTP responses
Java Platform Terms
• Java web container
• Platform or engine that provides a runtime environment for Java-based web applications
• Ex: Apache Tomcat, WebLogic (originally BEA, now Oracle), JBoss (now WildFly)
Common Components
• Third-party or open-source components that are
often used alongside custom-built code
ASP.NET
• Microsoft's web application framework
• Competitor to Java platform
• Uses .NET Framework, which provides a virtual machine (the Common Language Runtime) and a set of powerful APIs (Application Program Interfaces)
• Applications can be written in any .NET language, such as C# or VB.NET
Visual Studio
• Powerful development environment for ASP.NET applications
• Easy for developers to make a web application, even with limited programming skills
• ASP.NET helps protect against some common vulnerabilities, such as cross-site scripting, without requiring any effort from the developer
• This is only partial protection: request validation can be disabled and bypassed, and ASP.NET Core does not include it, so output encoding is still required
PHP
• Originally "Personal Home Page", now "PHP: Hypertext Preprocessor"
• Often used on LAMP servers
• Linux, Apache, MySQL, and PHP
• Free and easy to use, but many security problems
• Both in PHP itself and in custom code using it
Common PHP Applications
Ruby on Rails
• Allows rapid development of applications
• Can autogenerate much of the code if developer follows the Rails coding style and naming conventions
• Has vulnerabilities like PHP
SQL (Structured Query Language)
• Used to access data in relational databases, such as Oracle, MS-SQL, and MySQL
• Data stored in tables, each containing rows and columns
• SQL queries are used to read, add, update, or delete data
• SQL injection vulnerabilities are very severe
XML (eXtensible Markup Language)
• A specification to encode data in machine-readable form
• Markup uses tags
Web Services and SOAP (Simple Object Access Protocol)
• SOAP uses HTTP and XML to exchange data
• Link Ch 3b
SOAP
• If user-supplied data is incorporated into SOAP requests, it can have code injection vulnerabilities
• Server usually publishes available services and parameters using Web Services Description Language (WSDL)
• soapUI and other tools can generate requests based on WSDL files
Client-Side Functionality (in browser)
HTML (Hypertext Markup Language)
• HTML used for formatting "markup"
• XHTML is based on XML and is stricter than old versions of HTML
Hyperlinks
• Clickable text that goes to a URL
• Clicking this link:
• Makes this request
HTML Forms
HTTP Request
multipart/form-data
• Browser generates random boundary text
• Link Ch 3c
HTTP Request
CSS (Cascading Style Sheets)
• Specifies format of document elements
• Separates content from presentation
• Has vulnerabilities, and can be used for attacks
JavaScript
• Scripts that run in the client's browser
• Used to validate user-entered data before submitting it to the server
• This is a usability feature only: an attacker can bypass it with an intercepting proxy, so the server must validate everything again
• Dynamically modify the UI in response to user actions, such as in drop-down menus
• Uses the Document Object Model (DOM) to control the browser's behavior
VBScript
• Microsoft's alternative to JavaScript
• Only supported in Internet Explorer (now obsolete)
• Edge does not support VBScript
• Links Ch 3d, 3e
Document Object Model (DOM)
• Link Ch 3g
Using the DOM
Ajax (Asynchronous JavaScript and XML)
• Client-side scripts can fetch data without reloading the entire page
• Allows you to drag Google Maps around
Ajax Example
• Google Maps API
• Links Ch 3h, 3i
JSON (JavaScript Object Notation)
• Client-side JavaScript uses the XMLHttpRequest API to request data from a server
• Data is returned in JSON format:
Updating Data with JSON
Same-Origin Policy
• Prevents content from different origins interfering with each other in a browser
• An origin is the combination of scheme, hostname, and port
• Content from one website can only read and modify data from the same website
• Ex: scripts on Facebook can't read or write to data on your online banking page
• Attacks such as Cross-Site Scripting and Cross-Site Request Forgery work around this policy: XSS runs the attacker's script inside the victim origin, and CSRF relies on the browser attaching the target site's cookies to cross-site requests even though the attacker's page cannot read the response
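The following added example (not from the deck) implements the origin comparison a browser makes before letting a script read another document's data, and contrasts it with the domain-based rule that decides whether a cookie is attached to a request. The gap between the two, a request the attacker cannot read but that still carries the victim's session cookie, is what the CSRF bullet above refers to. All URLs and hostnames are constructed.

```python
"""Same-origin comparison, and why it does not stop a cross-site request from carrying cookies.

Added example for the Same-Origin Policy slides; not code from the original
deck. All URLs and hostnames are constructed; CORS headers are ignored.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """The (scheme, host, port) triple browsers compare for script access."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def script_can_read(page_url: str, target_url: str) -> bool:
    """A script running in page_url may read a response from target_url only
    when both have the same origin (absent CORS headers saying otherwise)."""
    return origin(page_url) == origin(target_url)


def browser_attaches_cookie(cookie_domain: str, host_only: bool, target_url: str) -> bool:
    """Cookie scoping is by domain, not by origin: a request from any site to
    the cookie's domain carries it. Scheme and port play no part (the Secure
    flag and SameSite attribute, not modelled here, narrow this)."""
    host = (urlsplit(target_url).hostname or "").lower()
    if host_only:
        return host == cookie_domain
    return host == cookie_domain or host.endswith("." + cookie_domain)


def csrf_possible(attacker_page: str, target_url: str, cookie_domain: str,
                  host_only: bool = False) -> bool:
    """True when the attacker's page cannot read the response but the request
    still goes out with the victim's cookie: the classic CSRF precondition."""
    return (not script_can_read(attacker_page, target_url)
            and browser_attaches_cookie(cookie_domain, host_only, target_url))


if __name__ == "__main__":
    print(script_can_read("https://bank.example.test/", "https://bank.example.test:8443/"))
    print(csrf_possible("https://social.example.test/post",
                        "https://bank.example.test/transfer", "bank.example.test"))
```

The function names script_can_read, browser_attaches_cookie and csrf_possible are this example's own, not browser APIs. Note that a different port or scheme is a different origin even on the same host, whereas the cookie rule ignores both.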
Same-Origin Policy
HTML5
Web 2.0
Browser Extensions
• Many security problems
• More and more restricted in modern browsers
State and Sessions
• Stateful data required to supplement stateless HTTP
• This data is held in a server-side structure called a session
• The session contains data such as items added to a shopping cart
• Some state data is stored on the client, often HTTP cookies or hidden form fields
Encoding Schemes
URL Encoding
• URLs may contain only printable ASCII characters
• 0x20 to 0x7e, inclusive
• To transfer other characters, or problematic ASCII characters (space, ?, &, =, %, and so on), over HTTP, they must be URL-encoded as %XX, where XX is the hex value of each byte
Unicode Encoding
• Supports all the world's writing systems
• 16 bits per character, written as %u followed by four hex digits (a non-standard form accepted by some older IIS servers, not by RFC-compliant decoders)
UTF-8 Encoding
• Variable length: one to four bytes per character
• In a URL, uses a % character before each byte (for example, %C3%A9 for é)
• Unicode and UTF-8 are often used to bypass filters in attacks, especially when a filter inspects input before it is decoded, or when a decoder accepts overlong sequences
HTML Encoding
• HTML-encoding user data before sending it to
another user is used to prevent Cross-Site
Scripting attacks
Base64 Encoding
• Represents binary data using 64 ASCII characters
• Six bits at a time
• Used to encode email attachments so they can be sent via SMTP
• Uses this character set: A-Z, a-z, 0-9, + and /, with = as padding
Hex Encoding
• Hexadecimal numbers corresponding to each ASCII character
• ABC encodes to 414243
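The block below is an added example for the whole Encoding Schemes section (not code from the deck). It implements URL encoding, decoding of both %XX and the %uXXXX variant, a deliberately lenient UTF-8 decoder that accepts overlong sequences (the historical bug behind %c0%af bypasses), HTML encoding, Base64 and hex, and then shows the filter-bypass point: a blocklist applied to the raw parameter misses an encoded payload, while the same blocklist applied after decoding catches it. The sample inputs are constructed.

```python
"""URL, %u, UTF-8, HTML, Base64 and hex encoding, plus a filter checked before vs after decoding.

Added example for the Encoding Schemes slides; not code from the original
deck. Sample inputs are constructed. The %uXXXX form is a non-standard
encoding some older IIS versions accepted; a filter that decodes only %XX
misses it.
"""
import base64
import html
import re
from urllib.parse import quote, unquote

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def url_encode(s: str) -> str:
    """Percent-encode everything outside the unreserved set, as UTF-8 bytes."""
    return quote(s, safe="")


def url_decode(s: str) -> str:
    """Decode %XX sequences (as UTF-8) and the %uXXXX variant."""
    s = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def lenient_utf8_decode(data: bytes) -> str:
    """A decoder that accepts overlong sequences such as C0 AF for "/".

    Python's own decoder rightly rejects these; this models the historical
    bug that let %c0%af slip past filters looking for a literal "/".
    Handles 1-, 2- and 3-byte forms; anything else becomes U+FFFD.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif b & 0xE0 == 0xC0 and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif b & 0xF0 == 0xE0 and i + 2 < len(data):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def html_encode(s: str) -> str:
    """Apply to user data before placing it in HTML text or attribute context."""
    return html.escape(s, quote=True)


def b64_encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hex_encode(data: bytes) -> str:
    return data.hex()


_BLOCKED = re.compile(r"<script", re.IGNORECASE)


def naive_filter_blocks(raw_param: str) -> bool:
    """Checks the parameter as received: bypassed by %3C or %u003C."""
    return bool(_BLOCKED.search(raw_param))


def canonical_filter_blocks(raw_param: str) -> bool:
    """Decode to canonical form first, then check."""
    return bool(_BLOCKED.search(url_decode(raw_param)))


if __name__ == "__main__":
    payload = "%u003Cscript%u003Ealert(1)%3C/script%3E"
    print("naive:", naive_filter_blocks(payload), "canonical:", canonical_filter_blocks(payload))
    print(lenient_utf8_decode(bytes.fromhex("c0af")), repr(bytes.fromhex("c0af").decode("utf-8", "replace")))
```

The lesson the last two functions carry: a blocklist is only as good as the canonicalisation in front of it, and the safer design is to encode output for its context (html_encode above) rather than to try to recognise every encoding of a bad input.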
Remoting and Serialization Frameworks
• Allow client-side code to use server-side APIs as if they were local
The basics of sentences session 3pptx.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy  Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17  How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17  How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 

Ch 3: Web Application Technologies

  • 1. CNIT 129S: Securing Web Applications
    Ch 3: Web Application Technologies
    Updated 2-1-22
  • 3. Hypertext Transfer Protocol (HTTP)
    • Connectionless protocol
    • Client sends an HTTP request to a Web server
    • Gets an HTTP response
    • No session formed, nothing remembered--no "state"
  • 4. HTTP Requests
    • Verb: GET (also called "method")
    • URL: /css?family=Roboto:400,700
    • Portion after ? is the query string containing parameters
    • Version: HTTP/1.1
  • 5. HTTP Requests
    • Referer: URL the request originated from
    • User-Agent: browser being used
    • Host: Hostname of the server
    • Essential when multiple hosts run on the same IP
    • Required in HTTP/1.1
  • 6. HTTP Requests
    • Cookie: additional parameters the server has issued to the client
  • 7. HTTP Response
    • First line
    • HTTP version
    • Status code (200 in this case)
    • Textual "reason phrase" describing the response
    • Ignored by browser
  • 8. HTTP Response
    • Server: banner of server software
    • Not always accurate
    • Set-Cookie used to set cookie values
  • 9. HTTP Response
    • Pragma: tells browser not to store response in its cache
    • Expires: set to a date in the past to ensure that the content is freshly loaded
  • 10. HTTP Response
    • Message Body after header contains data of type specified in Content-Type header
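The request and response layouts on slides 4 to 10, worked through as an added example that is not part of the slides: a small parser that splits HTTP/1.1 messages into verb, URL path, query string, headers, cookies, status line and body, and enforces the HTTP/1.1 rule that a Host header is required. The two sample messages (hostnames, cookie names, server banner) are constructed.

```python
# Added example, not from the slides: parse raw HTTP/1.1 messages.
from urllib.parse import urlsplit, parse_qs

# Constructed sample request, modelled on the one shown on slides 4 to 6
SAMPLE_REQUEST = (
    "GET /css?family=Roboto:400,700 HTTP/1.1\r\n"
    "Host: fonts.example\r\n"
    "Referer: https://www.example/index.html\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Cookie: sessionid=abc123; theme=dark\r\n"
    "\r\n"
)

# Constructed sample response, modelled on slides 7 to 10
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer/2.0\r\n"          # banner, not necessarily accurate
    "Set-Cookie: tracking=xyz; Secure; HttpOnly\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"  # date in the past
    "Content-Type: text/css\r\n"
    "\r\n"
    "body { font-family: Roboto; }"
)

def _split_headers(raw):
    """Return (first line, {lower-case name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")   # blank line ends the headers
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def parse_request(raw):
    start, headers, body = _split_headers(raw)
    method, target, version = start.split(" ", 2)   # verb, URL, version
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    parts = urlsplit(target)                         # path and query string
    cookies = {}
    for pair in headers.get("cookie", [""])[0].split(";"):
        if "=" in pair:
            name, value = pair.strip().split("=", 1)
            cookies[name] = value
    return {"method": method, "path": parts.path, "query": parse_qs(parts.query),
            "version": version, "headers": headers, "cookies": cookies, "body": body}

def parse_response(raw):
    start, headers, body = _split_headers(raw)
    version, code, reason = start.split(" ", 2)     # reason phrase is informational
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}
```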
  • 11. HTTP Methods: GET
    • GET retrieves resources
    • Can send parameters in the URL query string
    • Users can bookmark the whole URL
    • Whole URL may appear in server logs and in Referer headers
    • Also on the browser's screen
    • Don't put sensitive information in the query string
  • 12. HTTP Methods: POST
    • POST performs actions
    • Request parameters can be in URL query string and in the body of the message
    • Parameters in body aren't saved in bookmarks or most server logs
    • A better place for sensitive data
  • 13. HTTP Methods: POST
    • POST requests perform actions, like buying something
    • Clicking the browser's Back button displays a box like this
  • 14. Other HTTP Methods
    • HEAD returns only the header, not the body
    • Can be used to check if a resource is available before GETing it
    • OPTIONS shows allowed methods
    • PUT uploads to server (usually disabled)
  • 15. URL (Uniform Resource Locator)
    • If protocol is absent, it defaults to HTTP
    • If port is absent, it uses the default port for the protocol
    • 80 for HTTP, 443 for HTTPS, etc.
  • 16. REST (Representational State Transfer)
    • RESTful URLs put parameters in the URL, not the query string
    • Becomes
  • 17. A
  • 22. Cookies
    • Cookies are resubmitted in each request to the same domain
    • Unlike other request parameters, such as the query string
  • 23. Set-Cookie Header
    • Optional attributes
    • expires - date when the cookie stops being valid
    • If absent, cookie is used only in the current browser session
    • domain - specified domain for which cookie is valid
    • Must be the same or a parent of the domain from which the cookie is received
    • "Same-Origin Policy"
  • 24. Set-Cookie Header
    • Optional attributes
    • path - URL path for which the cookie is valid
    • secure - transmit cookie only via HTTPS
    • HttpOnly - Cookie cannot be directly accessed via client-side JavaScript
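Added example, not part of the slides: parse one Set-Cookie header into its attributes and flag the settings slides 23 and 24 describe (missing secure, missing HttpOnly, a domain that is not the request host or a parent of it). Cookie names and hostnames are constructed.

```python
# Added example, not from the slides: audit the attributes of a Set-Cookie header.

def parse_set_cookie(header_value):
    """Split 'name=value; attr; attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs

def domain_matches(cookie_domain, request_host):
    """Slide 23: the cookie domain must be the request host or a parent of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def audit_set_cookie(header_value, request_host):
    """Return a list of findings (empty list means every attribute is in place)."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("%s: missing secure, so it is also sent over plain HTTP" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly, readable by client-side JavaScript" % name)
    if "domain" in attrs and not domain_matches(attrs["domain"], request_host):
        findings.append("%s: Domain=%s is neither %s nor a parent of it; browsers reject it"
                        % (name, attrs["domain"], request_host))
    # No expires attribute is not a weakness: the cookie just lives for the browser session
    return findings
```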
  • 26. Important Status Codes
    • 200 OK - request succeeded, response body contains result
    • 301 Moved Permanently - redirects the browser; client should use new URL in the future
    • 302 Found - redirects browser temporarily; client should revert to original URL in subsequent requests
  • 27. Important Status Codes
    • 304 Not Modified - browser should use cached copy of resource
    • 400 Bad Request - invalid HTTP request
    • 401 Unauthorized - Server requires HTTP authentication
    • WWW-Authenticate header specifies the type(s) of authentication supported
  • 28. Important Status Codes
    • 403 Forbidden - no one is allowed to access resource, regardless of authentication
    • 404 Not Found - requested resource does not exist
    • 500 Internal Server Error - unhandled exception in an app, such as a PHP error
    • Next page: Link Ch 3l
  • 30. HTTPS
    • HTTP over SSL (Secure Sockets Layer)
    • Actually now TLS (Transport Layer Security)
    • All versions of SSL are deprecated
    • Protects data with encryption
    • Protects data in motion, but not at rest or in use
  • 31. HTTP Proxies
    • Browser sends requests to proxy server
    • Proxy fetches resource and sends it to browser
    • Proxies may provide caching, authentication, and access control
  • 32. HTTPS and Man-in-the-Middle (MITM) Attacks
    • HTTPS connections use public-key cryptography and end-to-end encryption
    • Only the endpoints can decrypt traffic
    • Companies wishing to restrict HTTPS traffic have two choices
    • Perform complete MITM with fake certificates, or real root certificates from trusted CAs
    • Allow encrypted traffic to trusted domains without being able to inspect it
  • 33. HTTPS and Proxies
    • Browser sends an HTTP request to the proxy using the CONNECT method and destination hostname and port number
    • If proxy allows the request, it returns 200 status and keeps the TCP connection open
    • Thereafter acts as a pure TCP-level relay to the destination web server
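The CONNECT exchange on slide 33, as an added example rather than course material: the browser's first message to the proxy and the proxy's decision to open or refuse the tunnel, with a per-host allow-list standing in for the access control slide 31 mentions. The hostnames and the allow-list are constructed.

```python
# Added example, not from the slides: the CONNECT step between browser and proxy.

# Constructed allow-list: destination host -> ports the proxy will tunnel to.
# This is the proxy's only chance to apply policy, because once the tunnel is
# open it relays encrypted bytes it cannot read (slide 32's second choice).
ALLOWED = {"bank.example": {443}, "mail.example": {443}}

def browser_connect_request(host, port):
    """What the browser sends first when it reaches an HTTPS site via a proxy."""
    return ("CONNECT %s:%d HTTP/1.1\r\n"
            "Host: %s:%d\r\n"
            "\r\n" % (host, port, host, port))

def handle_connect(request_text, allowed=ALLOWED):
    """Return (proxy response text, tunnel destination or None)."""
    request_line = request_text.split("\r\n", 1)[0]
    try:
        method, target, _version = request_line.split(" ")
        host, port = target.rsplit(":", 1)   # destination hostname and port
        port = int(port)
    except ValueError:
        return "HTTP/1.1 400 Bad Request\r\n\r\n", None
    if method != "CONNECT":
        return "HTTP/1.1 405 Method Not Allowed\r\n\r\n", None
    host = host.lower()
    if port not in allowed.get(host, set()):
        # Refused: no tunnel, the browser sees the proxy's error instead of the site
        return "HTTP/1.1 403 Forbidden\r\n\r\n", None
    # Allowed: 200, keep the TCP connection open; from here on the proxy only
    # copies bytes between browser and server (pure TCP-level relay)
    return "HTTP/1.1 200 Connection established\r\n\r\n", (host, port)
```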
  • 34. HTTP Authentication
    • Basic: sends username and password in Base64 encoding
    • NTLM: Uses Windows NTLM protocol (MD4 hashing)
    • Digest: Challenge-response using MD5 hashing
    • These are generally used in intranets, not on the Internet
    • All are very weak cryptographically, and should be protected with HTTPS
  • 35. B
  • 37. Server-Side Functionality
    • Static content - HTML pages and images that are the same for all users
    • Dynamic content - response created on the fly, can be customized for each user
    • Created by scripts on the server
    • Customized based on parameters in the request
  • 38. HTTP Parameters
    • May be sent in these ways:
  • 39. Other Inputs
    • Server-side application may use any part of the HTTP request as an input
    • Such as User-Agent
    • Often used to display smartphone-friendly versions of pages
  • 41. The Java Platform
    • Standard for large-scale enterprise applications
    • Lends itself to multitiered and load-balanced architectures
    • Well-suited to modular development and code reuse
    • Runs on Windows, Linux, and Solaris
  • 42. Java Platform Terms
    • Enterprise Java Bean (EJB)
    • Heavyweight software component to encapsulate business logic, such as transactional integrity
    • Plain Old Java Object (POJO)
    • User-defined, lightweight object, distinct from a special object such as an EJB
    • Java Servlet
    • Object on an application server that receives HTTP requests from client and returns HTTP responses
  • 43. Java Platform Terms
    • Java web container
    • Platform or engine that provides a runtime environment for Java-based web applications
    • Ex: Apache Tomcat, BEA WebLogic, JBoss
  • 44. Common Components
    • Third-party or open-source components that are often used alongside custom-built code
  • 45. ASP.NET
    • Microsoft's web application framework
    • Competitor to Java platform
    • Uses .NET Framework, which provides a virtual machine (the Common Language Runtime) and a set of powerful APIs (Application Program Interfaces)
    • Applications can be written in any .NET language, such as C# or VB.NET
  • 46. Visual Studio
    • Powerful development environment for ASP.NET applications
    • Easy for developers to make a web application, even with limited programming skills
    • ASP.NET helps protect against some common vulnerabilities, such as cross-site scripting, without requiring any effort from the developer
  • 47. PHP
    • Originally "Personal Home Page", now "PHP: Hypertext Preprocessor"
    • Often used on LAMP servers
    • Linux, Apache, MySQL, and PHP
    • Free and easy to use, but many security problems
    • Both in PHP itself and in custom code using it
  • 49. Ruby on Rails
    • Allows rapid development of applications
    • Can autogenerate much of the code if developer follows the Rails coding style and naming conventions
    • Has vulnerabilities like PHP
  • 50. SQL (Structured Query Language)
    • Used to access data in relational databases, such as Oracle, MS-SQL, and MySQL
    • Data stored in tables, each containing rows and columns
    • SQL queries are used to read, add, update, or delete data
    • SQL injection vulnerabilities are very severe
  • 51. XML (eXtensible Markup Language)
    • A specification to encode data in machine-readable form
    • Markup uses tags
  • 52. Web Services and SOAP (Simple Object Access Protocol)
    • SOAP uses HTTP and XML to exchange data
  • 54. SOAP
    • If user-supplied data is incorporated into SOAP requests, it can have code injection vulnerabilities
    • Server usually publishes available services and parameters using Web Services Description Language (WSDL)
    • soapUI and other tools can generate requests based on WSDL file
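Added example, not from the slides, covering the SQL injection point on slide 50 and the SOAP injection point on slide 54 together: the same user-supplied value built into a query and into a SOAP envelope by string concatenation, and then safely with a parameterized query and XML escaping. The user table and the SOAP envelope are constructed; the hardened forms are standard library techniques, not the course's own code.

```python
# Added example, not from the slides: data pasted into SQL or XML text is
# parsed as syntax; parameters and escaping keep it as data.
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

def make_db():
    """Constructed in-memory table standing in for a real user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("O'Brien", "user")])
    return db

def lookup_concat(db, name):
    """Vulnerable: the value becomes part of the SQL text, so the quote in
    O'Brien is read as SQL syntax (it surfaces here as a syntax error)."""
    try:
        return db.execute(
            "SELECT role FROM users WHERE name = '%s'" % name).fetchall()
    except sqlite3.OperationalError as exc:
        return "SQL error: %s" % exc

def lookup_param(db, name):
    """Safe: the driver sends the value separately from the query text."""
    return db.execute(
        "SELECT role FROM users WHERE name = ?", (name,)).fetchall()

# Constructed SOAP envelope with one user-controlled element
SOAP = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body><getRole><name>%s</name></getRole></soap:Body>"
        "</soap:Envelope>")

def soap_concat(name):
    """Vulnerable: markup characters in the value become part of the XML."""
    return SOAP % name

def soap_escaped(name):
    """Safe: &, < and > are turned into entities before insertion."""
    return SOAP % escape(name)

def name_as_seen_by_server(envelope):
    """Parse the envelope as a SOAP server would and return the <name> texts."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError as exc:
        return "XML error: %s" % exc
    return [element.text for element in root.iter("name")]
```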
  • 55. C
  • 57. HTML (Hypertext Markup Language)
    • HTML used for formatting "markup"
    • XHTML is based on XML and is stricter than old versions of HTML
  • 58. Hyperlinks
    • Clickable text that goes to URLs
    • Clicking this link:
    • Makes this request
  • 61. multipart/form-data
    • Browser generates random boundary text
    • Link Ch 3c
  • 63. CSS (Cascading Style Sheets)
    • Specifies format of document elements
    • Separates content from presentation
    • Has vulnerabilities, and can be used for attacks
  • 64. JavaScript
    • Scripts that run in the client's browser
    • Used to validate user-entered data before submitting it to the server
    • Dynamically modify UI in response to user action, such as in drop-down menus
    • Using Document Object Model (DOM) to control the browser's behavior
  • 65. VBScript
    • Microsoft's alternative to JavaScript
    • Only supported in Internet Explorer (now obsolete)
    • Edge does not support VBScript
    • Links Ch 3d, 3e
  • 67. Using the DOM
    • Link Ch 3g
  • 68. Ajax (Asynchronous JavaScript and XML)
    • Client-side scripts can fetch data without reloading the entire page
    • Allow you to drag Google Maps around
  • 69. Ajax Example
    • Google Maps API
    • Links Ch 3h, 3i
  • 70. JSON (JavaScript Object Notation)
    • Client-side JavaScript uses the XMLHttpRequest API to request data from a server
    • Data is returned in JSON format:
  • 72. Same-Origin Policy
    • Prevents content from different origins interfering with each other in a browser
    • Content from one website can only read and modify data from the same website
    • Ex: scripts on Facebook can't read or write to data on your online banking page
    • When this process fails, you get Cross-Site Scripting, Cross-Site Request Forgery, and other attacks
  • 74. HTML5
  • 76. Browser Extensions
    • Many security problems
    • More and more restricted in modern browsers
  • 77. State and Sessions
    • Stateful data required to supplement stateless HTTP
    • This data is held in a server-side structure called a session
    • The session contains data such as items added to a shopping cart
    • Some state data is stored on the client, often HTTP cookies or hidden form fields
  • 79. URL Encoding
    • URLs may contain only printable ASCII characters
    • 0x20 to 0x7e, inclusive
    • To transfer other characters, or problematic ASCII characters, over HTTP, they must be URL-encoded
  • 81. Unicode Encoding
    • Supports all the world's writing systems
    • 16 bits per character, starting with %u
  • 82. UTF-8 Encoding
    • Variable length
    • Uses % character before each byte
    • Unicode and UTF-8 are often used to bypass filters in attacks
  • 84.
    • HTML-encoding user data before sending it to another user is used to prevent Cross-Site Scripting attacks
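Added example, not from the slides, covering slides 79 to 84 together: percent-encoding a value, decoding the %uXXXX and %XX (UTF-8) forms back to the text the application will act on, why an input filter has to run on that decoded form rather than the raw parameter, and HTML-encoding before output. The script-tag check is a constructed illustration of a filter, not a recommended one.

```python
# Added example, not from the slides: URL, Unicode and UTF-8 decoding, and
# HTML encoding, seen from the side of the code that has to filter input.
import html
import re

_PCT_U = re.compile(r"%u([0-9A-Fa-f]{4})")  # %uXXXX: 16-bit Unicode form (slide 81)
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")     # %XX: one byte, UTF-8 for non-ASCII (slide 82)
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~")

def url_encode(text):
    """Percent-encode every byte outside the unreserved set, using the
    character's UTF-8 bytes: 'a b&é' -> 'a%20b%26%C3%A9'."""
    return "".join(chr(b) if chr(b) in _SAFE else "%%%02X" % b
                   for b in text.encode("utf-8"))

def canonicalize(value):
    """Undo %uXXXX and %XX so a check sees what the application sees."""
    value = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
    raw = bytearray()
    i = 0
    while i < len(value):
        m = _PCT.match(value, i)
        if m:                       # one encoded byte
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:                       # literal character, kept as its UTF-8 bytes
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8", errors="replace")

def looks_like_script(text):
    """Constructed stand-in for an input filter."""
    return "<script" in text.lower()

def naive_filter(raw_param):
    """Checks the raw parameter: an encoded form of the same text passes."""
    return looks_like_script(raw_param)

def canonical_filter(raw_param):
    """Decodes first, so the encoding chosen by the sender no longer matters."""
    return looks_like_script(canonicalize(raw_param))

def html_encode(user_text):
    """Slide 84: HTML-encode user data before placing it in a page for others."""
    return html.escape(user_text, quote=True)
```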
  • 85. Base64 Encoding
    • Represents binary data using 64 ASCII characters
    • Six bits at a time
    • Used to encode email attachments so they can be sent via SMTP
    • Uses this character set
  • 86. Hex Encoding
    • Hexadecimal numbers corresponding to each ASCII character
    • ABC encodes to 414243
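Added example, not from the slides, for slides 85 and 86, and revisiting Basic authentication from slide 34: Base64 encoding done by hand six bits at a time and checked against the standard library, hex encoding, and a Basic Authorization header decoded back to the credentials it carries, which is why slide 34 calls it weak without HTTPS. The username and password are constructed.

```python
# Added example, not from the slides: Base64 and hex by hand, and what a
# Basic Authorization header actually reveals.
import base64

# The 64-character set from slide 85; '=' is padding, not part of the alphabet
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def base64_encode(data):
    """Every 3 bytes (24 bits) become 4 symbols of 6 bits each."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        symbols = [B64_ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1          # 1 or 2 trailing bytes need only 2 or 3 symbols
        out.append("".join(symbols[:keep]) + "=" * (4 - keep))
    return "".join(out)

def base64_decode(text):
    """Accumulate 6 bits per symbol and emit a byte every time 8 are available."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in text.rstrip("="):
        bits = (bits << 6) | B64_ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1   # keep only the leftover bits
    return bytes(out)

def matches_stdlib(data):
    """Cross-check the hand-rolled encoder against the standard library."""
    return base64_encode(data) == base64.b64encode(data).decode("ascii")

def hex_encode(text):
    """Slide 86: two hex digits per ASCII character, 'ABC' -> '414243'."""
    return text.encode("ascii").hex().upper()

def basic_auth_header(user, password):
    """Slide 34: Basic authentication is just 'user:password' in Base64."""
    return "Authorization: Basic " + base64_encode(("%s:%s" % (user, password)).encode())

def basic_auth_credentials(header):
    """Anyone who can read the header gets the password back unchanged."""
    token = header.rpartition(" ")[2]
    user, _, password = base64_decode(token).decode("utf-8").partition(":")
    return user, password
```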
  • 87. Remoting and Serialization Frameworks
    • Allows client-side code to use server-side APIs as if they were local
  • 88. D