Your SlideShare is downloading. ×
0
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Web Security – I: HTTP Protocol++
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Web Security – I: HTTP Protocol++

1,273

Published on

Web Security – I: HTTP Protocol++ by Bipin Upadhyay @ null Mumbai Meet in August, 2010

Web Security – I: HTTP Protocol++ by Bipin Upadhyay @ null Mumbai Meet in August, 2010

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,273
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
65
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  1. …and other stuff that make the web work
  2. Bits ‘bout Moi!  Senor Bipin Upadhyay  Developer, Directi Pvt. Ltd.  Lead, NULL Open Security Group – Mumbai Chapter  OWASP ESAPI-PHP Committer  Part of IHP (Honeynet Project)  Amateur Photographer
  3. I know Kung-fu…
  4. If Only it was true…
  5. Think about the possibilities…
  6. I know Kung-fu
  7. Me too..
  8. Me three..
  9. Sigh! But it ain’t true, yet!
  10. Agenda http://icanhascheezburger.files.wordpress.com/2009/02/funny-pictures-cat-has-naps-on-his-agenda.jpg
  11. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness
  12. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness
  13. Bit of History  Mar’89 – T.B. Lee presents “Information Management: A Proposal”  Aug’91 – Announces WWW  Mar’93 – Mosaic announced  Mar’94 – Netscape found  Oct’94 – W3C found by T.B. Lee
  14. Web 2.0, uh! http://www.wagnerblog.com/images/AjaxDarkSide.jpg
  15. HTTP: What is it?  Part of the Application Layer of TCP/IP protocol suite
  16. HTTP: What is it?  Part of the Application Layer of TCP/IP protocol suite  A set of grammatical rules for a client and server to communicate http://www.flickr.com/photos/joshfassbind/4584323789/
  17. HTTP: What is it?  Part of the Application Layer of TCP/IP protocol suite  A set of grammatical rules for a client and server to communicate  HTTP is what powers the WWW
  18. …but http://www.flickr.com/photos/quinnanya/4456123452/
  19. Why should I bother?  Because:  web development sucks http://www.flickr.com/photos/sneeu/1589152071/
  20. Why should I bother?  Because:  web development sucks  Even your grandmom knows, ‘tis all about fundamentals
  21. Why should I bother?  Also:  facilitates debugging,  improves understanding of security & performance
  22. Why should I bother?
  23. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2985: Handling Statelessness http://www.flickr.com/photos/stephenpoff/2312981944/
  24. OSI & TCP/IP protocol suite  OSI is a reference model http://blog.uad.ac.id/imam_riadi/files/2009/01/osi-layer.jpg
  25. OSI & TCP/IP protocol suite…  TCP/IP protocol suite is implementation of OSI http://www.hill2dot0.com/wiki/index.php?title=Image:G0209_TCPIP_vs_OSI.jpg
  26. OSI & TCP/IP protocol suite…  Visual learning: Wireshark, baby  http://www.wireshark.org/
  27. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness
  28. The Communication  My favorite interview question: http://www.flickr.com/photos/terryhart/2890904949/
  29. The Communication  My favorite interview question:  What all happens between the time when: and the page is we click on a completely hyperlink rendered in a browser
  30. Web DB Brower Proxy Internetz LB Server Server
  31. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server
  32. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server null.co.in Browser cache/ hosts file/ DNS server
  33. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server null.co.in 74.53.228.212 Browser cache/ hosts file/ DNS server
  34. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server SYN TCP Connection: There, bro?
  35. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server SYN SYN-ACK TCP Connection: Yo!
  36. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server SYN SYN-ACK ACK TCP Connection: Cool!
  37. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server GET / HTTP: Got this file?
  38. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server GET / 200 OK index.html HTTP: Yup! Here ‘tis.
  39. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server GET / 200 OK index.html GET /js.js GET /pic.jpg HTTP: Can I have these as well?
  40. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server GET / 200 OK index.html GET /js.js GET /pic.jpg 200 OK more content… HTTP: Sure!
  41. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server FIN TCP Connection: Arigato, am done.
  42. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server FIN FIN-ACK TCP Connection: Sayonara!
  43. The Communication  …. or simply
  44. The Communication  Web 2.0 has shrunk the client and server distinction  Conventionally, client sends an HTTP request  Server responds with an HTTP response
  45. The Communication: HTTP Request  Request Line  Request Method  Requested Resource  HTTP Version used  Headers  General Headers  Request Headers  Entity Headers  Content (Optional)
  46. The Communication: HTTP Response  Status Line  HTTP version(s) understood by server  Status code (3 digit numerical value)  Status description  Headers  General Headers  Response Headers  Entity Headers  Content (Optional)
  47. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness http://www.saynotocrack.com/wp-content/uploads/2007/06/flinstones-anatomy.jpg
  48. Anatomy  HTTP Request and Response are comprised of various components:  Request Methods  Response Status Codes  Request Headers  Response Headers  General Headers  Entity Headers  Content (MIME Media Types)
  49. Anatomy: Request Methods  Humans can convey emotions in several ways  Why should HTTP clients lag!!!  HTTP methods describe the type of communication GET POST HEAD OPTIONS TRACE PUT DELETE CONNECT
  50. Anatomy: Response Status Codes  Indicate the server’s mood corresponding to a request  Combination of a numerical code, and a short description  Cab be categorized in 5 categories:  1xx -- Informational  2xx -- Successful  3xx -- Redirection  4xx -- Client Error  5xx -- Server Error
  51. Anatomy: Request Headers  Specific to an HTTP Request  Carry information about the client, and the type of request  Facilitates better understanding between client and server Host Accept-Language If-Modified-Since Referer User-Agent Authorization If-None-Match Expect Accept Proxy- If-Range From Authorization Accept-Charset Max-Forwards If-Unmodified- TE Since Accept-Encoding If-Match Range
  52. Anatomy: Response Headers  Specific to an HTTP Response  Carry information about the server, and the type of response Accept-Ranges ETag Retry-After WWW-Authenticate Age Location Server Proxy-Authenticate Vary
  53. Anatomy: General Headers  Carry information about the HTTP transaction  Can be a part of request, as well as response Cache-Control Keep-Alive Pragma Via Connection Upgrade Trailer Warning Transfer-Encoding Date
  54. Anatomy: Entity Headers  Carry information about the content  Mainly a part of HTTP response Allow Content-Language Content-Location Content-Range Content-Encoding Content-Length Content-MD5 Content-Type Expires Last-Modified
  55. Anatomy: Content  IANA maintains a list of valid content types  It is specified by the Content-Type Entity header  Categorized in 9 MIME Media types: application audio example image message model multipart text video
  56. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness
  57. Handling Statelessness  HTTP is a stateless protocol
  58. Handling Statelessness  HTTP is a stateless protocol  i.e., server’s got a bad memory
  59. Handling Statelessness  Cookies to rescue http://www.flickr.com/photos/lij/283869088/
  60. Handling Statelessness  Cookies:  are text files stored by client browser  maintain session by storing information  are non-executable
  61. Handling Statelessness  Cookie attributes:  name=value  expires=value  domain=value  path=value  Secure  HttpOnly --not a part of spec
  62. Conclusion The single biggest problem in communication is the illusion… that it has taken place. --George Bernard Shaw
  63. Conclusion The single biggest problem in communication is the illusion… that it has taken place. --George Bernard Shaw  Think about it 
  64. Q&A!!!  Got queries? Raise your hands.
  65.  Arigato!   Contact info:  Om—At—[projectbee.org/null.co.in]  http://projectbee.org/  Twitter - @bipinu  Flickr -- projectbee

×