0
…and other stuff
that make the web work
Bits ‘bout Moi!
 Senor Bipin Upadhyay
    Developer, Directi Pvt. Ltd.
    Lead, NULL Open Security Group – Mumbai Chap...
I know Kung-fu…
If Only it was true…
Think about the possibilities…
I know Kung-fu
Me too..
Me three..
Sigh! But it ain’t true, yet!
Agenda




http://icanhascheezburger.files.wordpress.com/2009/02/funny-pictures-cat-has-naps-on-his-agenda.jpg
Agenda
 Intro: What & Why???

 OSI model: Back to the basics

 10000 feet view: How the web works

 RFC 2616: Anatomy
...
Agenda
 Intro: What & Why???

 OSI model: Back to the basics

 10000 feet view: How the web works

 RFC 2616: Anatomy
...
Bit of History
 Mar’89 – T.B. Lee presents “Information Management:
              A Proposal”
   Aug’91 – Announces WWW
...
Web 2.0, uh!




http://www.wagnerblog.com/images/AjaxDarkSide.jpg
HTTP: What is it?
 Part of the Application Layer of TCP/IP protocol suite
HTTP: What is it?
        Part of the Application Layer of TCP/IP protocol suite
        A set of grammatical rules for ...
HTTP: What is it?
 Part of the Application Layer of TCP/IP protocol suite
 A set of grammatical rules for a client and s...
…but




http://www.flickr.com/photos/quinnanya/4456123452/
Why should I bother?
        Because:
           web development sucks




http://www.flickr.com/photos/sneeu/1589152071/
Why should I bother?
 Because:
    web development sucks
    Even your grandmom knows, ‘tis all about fundamentals
Why should I bother?
 Also:
    facilitates debugging,
    improves understanding of security & performance
Why should I bother?
Agenda
 Intro: What & Why???

 OSI model: Back to the basics

 10000 feet view: How the web works

 RFC 2616: Anatomy
...
OSI & TCP/IP protocol suite
         OSI is a reference model




http://blog.uad.ac.id/imam_riadi/files/2009/01/osi-laye...
OSI & TCP/IP protocol suite…
        TCP/IP protocol suite is implementation of OSI




http://www.hill2dot0.com/wiki/ind...
OSI & TCP/IP protocol suite…
 Visual learning: Wireshark, baby
    http://www.wireshark.org/
Agenda
 Intro: What & Why???

 OSI model: Back to the basics

 10000 feet view: How the web works

 RFC 2616: Anatomy
...
The Communication
        My favorite interview question:




http://www.flickr.com/photos/terryhart/2890904949/
The Communication
 My favorite interview question:
   What all happens between the time when:


                        ...
Web      DB
Brower   Proxy   Internetz   LB
                                  Server   Server
Client                            Server (null.co.in)


                                               Web            DB
B...
Client                                       Server (null.co.in)


                                                       ...
Client                                             Server (null.co.in)


                                                 ...
Client                                       Server (null.co.in)


                                                       ...
Client                                      Server (null.co.in)


                                                        ...
Client                                        Server (null.co.in)


                                                      ...
Client                                       Server (null.co.in)


                                                       ...
Client                                        Server (null.co.in)


                                                      ...
Client                                        Server (null.co.in)


                                                      ...
Client                                     Server (null.co.in)


                                                        W...
Client                                      Server (null.co.in)


                                                        ...
Client                                       Server (null.co.in)


                                                       ...
The Communication
 …. or simply
The Communication
 Web 2.0 has shrunk the client and server distinction




 Conventionally, client sends an HTTP reques...
The Communication: HTTP Request
 Request Line
    Request Method
    Requested Resource
    HTTP Version used


 Head...
The Communication: HTTP Response
 Status Line
    HTTP version(s) understood by server
    Status code (3 digit numeric...
Agenda
        Intro: What & Why???

        OSI model: Back to the basics

        10000 feet view: How the web works
...
Anatomy
 HTTP Request and Response are comprised of various
 components:
   Request Methods
   Response Status Codes
  ...
Anatomy: Request Methods
 Humans can convey emotions in several ways
 Why should HTTP clients lag!!!
 HTTP methods desc...
Anatomy: Response Status Codes
 Indicate the server’s mood corresponding to a request
 Combination of a numerical code, ...
Anatomy: Request Headers
 Specific to an HTTP Request
 Carry information about the client, and the type of
  request
 F...
Anatomy: Response Headers
 Specific to an HTTP Response
 Carry information about the server, and the type of
 response

...
Anatomy: General Headers
 Carry information about the HTTP transaction
 Can be a part of request, as well as response


...
Anatomy: Entity Headers
 Carry information about the content
 Mainly a part of HTTP response




  Allow              Co...
Anatomy: Content
 IANA maintains a list of valid content types
 It is specified by the Content-Type Entity header
 Cate...
Agenda
 Intro: What & Why???

 OSI model: Back to the basics

 10000 feet view: How the web works

 RFC 2616: Anatomy
...
Handling Statelessness
 HTTP is a stateless protocol
Handling Statelessness
 HTTP is a stateless protocol
   i.e., server’s got a bad memory
Handling Statelessness
        Cookies to rescue




http://www.flickr.com/photos/lij/283869088/
Handling Statelessness
 Cookies:
    are text files stored by client browser
    maintain session by storing informatio...
Handling Statelessness
 Cookie attributes:
    name=value
    expires=value
    domain=value
    path=value
    Secu...
Conclusion
  The single biggest problem in communication
     is the illusion… that it has taken place.
                  ...
Conclusion
   The single biggest problem in communication
      is the illusion… that it has taken place.
                ...
Q&A!!!
 Got queries? Raise your hands.
 Arigato! 


 Contact info:
    Om—At—[projectbee.org/null.co.in]
    http://projectbee.org/
    Twitter - @bipinu
 ...
Web Security – I: HTTP Protocol++
Upcoming SlideShare
Loading in...5
×

Web Security – I: HTTP Protocol++

1,279

Published on

Web Security – I: HTTP Protocol++ by Bipin Upadhyay @ null Mumbai Meet in August, 2010

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,279
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
65
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Web Security – I: HTTP Protocol++"

  1. 1. …and other stuff that make the web work
  2. 2. Bits ‘bout Moi!  Senor Bipin Upadhyay  Developer, Directi Pvt. Ltd.  Lead, NULL Open Security Group – Mumbai Chapter  OWASP ESAPI-PHP Committer  Part of IHP (Honeynet Project)  Amateur Photographer
  3. 3. I know Kung-fu…
  4. 4. If Only it was true…
  5. 5. Think about the possibilities…
  6. 6. I know Kung-fu
  7. 7. Me too..
  8. 8. Me three..
  9. 9. Sigh! But it ain’t true, yet!
  10. 10. Agenda http://icanhascheezburger.files.wordpress.com/2009/02/funny-pictures-cat-has-naps-on-his-agenda.jpg
  11. 11. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness
  12. 12. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness
  13. 13. Bit of History  Mar’89 – T.B. Lee presents “Information Management: A Proposal”  Aug’91 – Announces WWW  Mar’93 – Mosaic announced  Mar’94 – Netscape found  Oct’94 – W3C found by T.B. Lee
  14. 14. Web 2.0, uh! http://www.wagnerblog.com/images/AjaxDarkSide.jpg
  15. 15. HTTP: What is it?  Part of the Application Layer of TCP/IP protocol suite
  16. 16. HTTP: What is it?  Part of the Application Layer of TCP/IP protocol suite  A set of grammatical rules for a client and server to communicate http://www.flickr.com/photos/joshfassbind/4584323789/
  17. 17. HTTP: What is it?  Part of the Application Layer of TCP/IP protocol suite  A set of grammatical rules for a client and server to communicate  HTTP is what powers the WWW
  18. 18. …but http://www.flickr.com/photos/quinnanya/4456123452/
  19. 19. Why should I bother?  Because:  web development sucks http://www.flickr.com/photos/sneeu/1589152071/
  20. 20. Why should I bother?  Because:  web development sucks  Even your grandmom knows, ‘tis all about fundamentals
  21. 21. Why should I bother?  Also:  facilitates debugging,  improves understanding of security & performance
  22. 22. Why should I bother?
  23. 23. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2985: Handling Statelessness http://www.flickr.com/photos/stephenpoff/2312981944/
  24. 24. OSI & TCP/IP protocol suite  OSI is a reference model http://blog.uad.ac.id/imam_riadi/files/2009/01/osi-layer.jpg
  25. 25. OSI & TCP/IP protocol suite…  TCP/IP protocol suite is implementation of OSI http://www.hill2dot0.com/wiki/index.php?title=Image:G0209_TCPIP_vs_OSI.jpg
  26. 26. OSI & TCP/IP protocol suite…  Visual learning: Wireshark, baby  http://www.wireshark.org/
  27. 27. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness
  28. 28. The Communication  My favorite interview question: http://www.flickr.com/photos/terryhart/2890904949/
  29. 29. The Communication  My favorite interview question:  What all happens between the time when: and the page is we click on a completely hyperlink rendered in a browser
  30. 30. Web DB Brower Proxy Internetz LB Server Server
  31. 31. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server
  32. 32. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server null.co.in Browser cache/ hosts file/ DNS server
  33. 33. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server null.co.in 74.53.228.212 Browser cache/ hosts file/ DNS server
  34. 34. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server SYN TCP Connection: There, bro?
  35. 35. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server SYN SYN-ACK TCP Connection: Yo!
  36. 36. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server SYN SYN-ACK ACK TCP Connection: Cool!
  37. 37. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server GET / HTTP: Got this file?
  38. 38. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server GET / 200 OK index.html HTTP: Yup! Here ‘tis.
  39. 39. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server GET / 200 OK index.html GET /js.js GET /pic.jpg HTTP: Can I have these as well?
  40. 40. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server GET / 200 OK index.html GET /js.js GET /pic.jpg 200 OK more content… HTTP: Sure!
  41. 41. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server FIN TCP Connection: Arigato, am done.
  42. 42. Client Server (null.co.in) Web DB Brower Proxy Internetz LB Server Server FIN FIN-ACK TCP Connection: Sayonara!
  43. 43. The Communication  …. or simply
  44. 44. The Communication  Web 2.0 has shrunk the client and server distinction  Conventionally, client sends an HTTP request  Server responds with an HTTP response
  45. 45. The Communication: HTTP Request  Request Line  Request Method  Requested Resource  HTTP Version used  Headers  General Headers  Request Headers  Entity Headers  Content (Optional)
  46. 46. The Communication: HTTP Response  Status Line  HTTP version(s) understood by server  Status code (3 digit numerical value)  Status description  Headers  General Headers  Response Headers  Entity Headers  Content (Optional)
  47. 47. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness http://www.saynotocrack.com/wp-content/uploads/2007/06/flinstones-anatomy.jpg
  48. 48. Anatomy  HTTP Request and Response are comprised of various components:  Request Methods  Response Status Codes  Request Headers  Response Headers  General Headers  Entity Headers  Content (MIME Media Types)
  49. 49. Anatomy: Request Methods  Humans can convey emotions in several ways  Why should HTTP clients lag!!!  HTTP methods describe the type of communication GET POST HEAD OPTIONS TRACE PUT DELETE CONNECT
  50. 50. Anatomy: Response Status Codes  Indicate the server’s mood corresponding to a request  Combination of a numerical code, and a short description  Cab be categorized in 5 categories:  1xx -- Informational  2xx -- Successful  3xx -- Redirection  4xx -- Client Error  5xx -- Server Error
  51. 51. Anatomy: Request Headers  Specific to an HTTP Request  Carry information about the client, and the type of request  Facilitates better understanding between client and server Host Accept-Language If-Modified-Since Referer User-Agent Authorization If-None-Match Expect Accept Proxy- If-Range From Authorization Accept-Charset Max-Forwards If-Unmodified- TE Since Accept-Encoding If-Match Range
  52. 52. Anatomy: Response Headers  Specific to an HTTP Response  Carry information about the server, and the type of response Accept-Ranges ETag Retry-After WWW-Authenticate Age Location Server Proxy-Authenticate Vary
  53. 53. Anatomy: General Headers  Carry information about the HTTP transaction  Can be a part of request, as well as response Cache-Control Keep-Alive Pragma Via Connection Upgrade Trailer Warning Transfer-Encoding Date
  54. 54. Anatomy: Entity Headers  Carry information about the content  Mainly a part of HTTP response Allow Content-Language Content-Location Content-Range Content-Encoding Content-Length Content-MD5 Content-Type Expires Last-Modified
  55. 55. Anatomy: Content  IANA maintains a list of valid content types  It is specified by the Content-Type Entity header  Categorized in 9 MIME Media types: application audio example image message model multipart text video
  56. 56. Agenda  Intro: What & Why???  OSI model: Back to the basics  10000 feet view: How the web works  RFC 2616: Anatomy  RFC 2965: Handling Statelessness
  57. 57. Handling Statelessness  HTTP is a stateless protocol
  58. 58. Handling Statelessness  HTTP is a stateless protocol  i.e., server’s got a bad memory
  59. 59. Handling Statelessness  Cookies to rescue http://www.flickr.com/photos/lij/283869088/
  60. 60. Handling Statelessness  Cookies:  are text files stored by client browser  maintain session by storing information  are non-executable
  61. 61. Handling Statelessness  Cookie attributes:  name=value  expires=value  domain=value  path=value  Secure  HttpOnly --not a part of spec
  62. 62. Conclusion The single biggest problem in communication is the illusion… that it has taken place. --George Bernard Shaw
  63. 63. Conclusion The single biggest problem in communication is the illusion… that it has taken place. --George Bernard Shaw  Think about it 
  64. 64. Q&A!!!  Got queries? Raise your hands.
  65. 65.  Arigato!   Contact info:  Om—At—[projectbee.org/null.co.in]  http://projectbee.org/  Twitter - @bipinu  Flickr -- projectbee
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×