1.
HTTP Protocol & Streams
Security and Introduction

2.
Protocol
HTTP(S) – 80/443

3.
The HTTP Protocol
• Standard for transferring documents on the
World Wide Web (RFC 2616 – 1.1)
• TCP/IP based communications protocol
• The protocol is –
– connectionless
– media-independent
– stateless
– mostly all text

4.
Sample HTTP exchange
• Browser = client, Web server = server
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
HTTP Request
HTTP/1.1 200 OK
Date: Thu, 14 Jul 2005 20:27:45 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Accept-Ranges: bytes Content-Length: 438
Connection: close
Content-Type: text/html; charset=UTF-8
HTTP ResponseClient
Server

5.
HTTP Request and Response
• Methods – GET, POST, HEAD
• New Methods in HTTP 1.1
• Header fields: Server, Host, Length, etc.
• Response codes – 200, 404, 500, etc.

6.
HTTP Methods - Common
• The GET method
• The HEAD method
• The POST method

7.
The GET Method
• retrieves entity identified by the Request-URI
• can be used to submit form data
– URL-encodes form data and appends to Request-
URI
• query length is limited
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

8.
The POST method
• sends data block with request to server
• extra headers describe message body
• query length can be unlimited
POST http://example.com/cgi-bin/search.cgi HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0;
rv:1.7.3) Gecko/20040913 Firefox/0.10
Accept: text/xml, application/xml, application/xhtml+xml,
text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5
Keep-Alive: 300
Referer: http://example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 17
search=searchtext

9.
Analyzing HTTP traffic
• Security assessment needs sound knowledge
of HTTP analysis
• Tools and mind needed to analyze the traffic
• What to look for? – methods, cookie,
querysting etc.
• All part of HTTP – Response analysis is equally
important.

10.
Other methods in HTTP/1.1
• Trace
– echoes back the received request
• used with Via: and Max-Forwards for debugging
• Put
– uploads a representation of specified resource
• Delete
– deletes the specified resource
• Options (Extensibility hook)
– returns HTTP methods supported by the server

11.
HTTP Streams

12.
Ajax

13.
Ajax model
Transport layer
Browser
server-side systems
user interface
web server
Data stores,
backend processing,
legacy systems
HTTP request
HTML + CSS data
Browser
server-side systems
Ajax engine
web and/or XMLserver
Data stores,
backend processing,
legacy systems
HTTP request
XML Data
user interface
Classic web application model Ajax-enabled web application model
JavaScript call
HTML + CSS data

14.
Ajax introduction

15.
DOM
• Dynamic HTML
• Browser loads Document Object Model
• DOM can be manipulated by scripts in the
browser
• Components
– History
– Location
– Forms etc….

16.
XHR object
• No Sockets in browser
• XHR – XMLHttpRequest Object provides
socket to browser.
• It has event model and async communication
setup
• XML easy data structures to access and
consume in browser
• JavaScript make a call and access it from
server through XHR

17.
XHR - Ajax
function getajax()
{
var http;
if(window.XMLHttpRequest){
http = new XMLHttpRequest();
}else if (window.ActiveXObject){
http=new ActiveXObject("Msxml2.XMLHTTP");
if (! http){
http=new ActiveXObject("Microsoft.XMLHTTP");
}
}
http.open("GET", "./ajax.txt", true);
http.onreadystatechange = function()
{
if (http.readyState == 4) {
response = http.responseText;
document.getElementById('main').innerHTML = response;
}
}
http.send(null);
}

18.
RIA

19.
RIA
• Rich Internet Application can be created using
Flash technologies
• Various technologies through which
application can be created
• Supports various libraries
• Can make a call to Web Services or XML-RPC
calls etc.

20.
Example

21.
Silverlight
• Microsoft came up with similar framework
and player like flash
• It helps in building RIA
• It runs on .NET framework
• Easy to build applications and works across
platforms
• It may catch up down the line – still in very
early stage

22.
Web 2.0 Data

23.
Data structures
• Ajax is using various data streams
• Developers are innovating this field
• JavaScript can talk with back end sources
• Mashups application can be leveraged
• It is important to understand these streams
• It has significant security impact

24.
JSON
• JSON (JavaScript Object Notation) - a
lightweight data-interchange format
• Based on JavaScript Programming Language
(Standard ECMA-262)
• Completely language independent
• C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many
others.
• Interchangeable is the Key.

25.
JSON
• Example
{ "firstName": "John", "lastName": "Smith",
"address": { "streetAddress": "21 2nd Street",
"city": "New York", "state": "NY", "postalCode":
10021 }, "phoneNumbers": [ "212 732-1234", "646
123-4567" ] }

26.
XML
• XML stream can be accessed by Ajax call
• It can be Web Services
• XML parsing done at browser end
• XHR object supports XML response handling
• XML nodes are extracted and injected in the
DOM
• XML is becoming popular with Web 2.0
applications

27.
Script as data
• Developers are using script as data between
server and clients
• Information sent to the browser as variable
set
• These script get executed on the browser.
• This is another way of updating DOM context
• DOM manipulation needs eval()

28.
Array serialization
• Array is another native JavaScript object
• It is possible to serialize this object over
application
• Browser extract the array from the server
• Inject information to the DOM
• DOM updates the browser
• Array is popular and easy to exchange

29.
JS-Object serialization
• JS object are possible to serialize
• This way entire object can be sent to the
browser
• Object can contain both data and methods
• This is much easier for browser to process
• It just inject object to the DOM
• Once it is in the DOM it is easier to update the
browser content

30.
Conclusion