HTTP protocol and Streams Security

1,983 views
Published in: Technology

This presentation gives an idea about the HTTP protocol and various streams like JSON, XML, Ajax etc.
1. HTTP Protocol & Streams Security and Introduction

2. Protocol
   HTTP(S) – 80/443

3. The HTTP Protocol
   • Standard for transferring documents on the World Wide Web (RFC 2616 – HTTP 1.1)
   • TCP/IP based communications protocol
   • The protocol is:
     – connectionless
     – media-independent
     – stateless
     – mostly all text
4. Sample HTTP exchange
   • Browser = client, Web server = server

   HTTP Request (client → server):
     GET /index.html HTTP/1.1
     Host: www.example.com
     User-Agent: Mozilla/5.0

   HTTP Response (server → client):
     HTTP/1.1 200 OK
     Date: Thu, 14 Jul 2005 20:27:45 GMT
     Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
     Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
     Etag: "3f80f-1b6-3e1cb03b"
     Accept-Ranges: bytes
     Content-Length: 438
     Connection: close
     Content-Type: text/html; charset=UTF-8

5. HTTP Request and Response
   • Methods – GET, POST, HEAD
   • New Methods in HTTP 1.1
   • Header fields: Server, Host, Length, etc.
   • Response codes – 200, 404, 500, etc.

6. HTTP Methods - Common
   • The GET method
   • The HEAD method
   • The POST method

7. The GET Method
   • retrieves entity identified by the Request-URI
   • can be used to submit form data
     – URL-encodes form data and appends to Request-URI
   • query length is limited

     GET /index.html HTTP/1.1
     Host: www.example.com
     User-Agent: Mozilla/5.0

8. The POST method
   • sends data block with request to server
   • extra headers describe message body
   • query length can be unlimited

     POST http://example.com/cgi-bin/search.cgi HTTP/1.1
     Host: example.com
     User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
     Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5
     Keep-Alive: 300
     Referer: http://example.com/
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 17

     search=searchtext
9. Analyzing HTTP traffic
   • Security assessment needs sound knowledge of HTTP analysis
   • Tools and mind needed to analyze the traffic
   • What to look for? – methods, cookies, query string, etc.
   • All part of HTTP – response analysis is equally important.
10. Other methods in HTTP/1.1
   • Trace
     – echoes back the received request
     – used with Via: and Max-Forwards for debugging
   • Put
     – uploads a representation of the specified resource
   • Delete
     – deletes the specified resource
   • Options (extensibility hook)
     – returns HTTP methods supported by the server
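As an added example (not code from the slides), the following JavaScript (Node.js) analyzer does the kind of request and response review that slides 4 to 10 describe: it parses raw HTTP/1.1 text, extracts the method, path, query string, cookies, form body, status code and server banner, and flags use of the riskier methods (TRACE, PUT, DELETE). The sample messages are constructed from the slides' examples (a query string and a cookie are added here); all helper names are this example's own.

```javascript
// Added example, not from the original slides: a small HTTP/1.1 message
// analyzer for the review slides 4-10 describe. Sample messages below are
// constructed from the slides' examples with a query string and cookie added.

const CRLF = '\r\n';
const RISKY_METHODS = new Set(['TRACE', 'PUT', 'DELETE']);

// Split a raw HTTP message into start line, headers (lower-cased names,
// repeated headers joined with ", ") and a body truncated to Content-Length.
function parseMessage(raw) {
  const text = raw.replace(/\r?\n/g, CRLF);
  const sep = text.indexOf(CRLF + CRLF);
  const head = sep === -1 ? text : text.slice(0, sep);
  let body = sep === -1 ? '' : text.slice(sep + 4);
  const lines = head.split(CRLF);
  const startLine = lines.shift();
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i === -1) continue; // tolerate a malformed header line
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  const len = parseInt(headers['content-length'], 10);
  if (Number.isInteger(len) && len >= 0) body = body.slice(0, len);
  return { startLine, headers, body };
}

// Percent-decoding that does not throw on a malformed sequence.
function dec(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Decode application/x-www-form-urlencoded (query strings and POST bodies).
function parseForm(s) {
  const out = {};
  for (const pair of s ? s.split('&') : []) {
    const i = pair.indexOf('=');
    const k = i === -1 ? pair : pair.slice(0, i);
    out[dec(k)] = i === -1 ? '' : dec(pair.slice(i + 1));
  }
  return out;
}

// Decode a Cookie request header into name/value pairs.
function parseCookies(header) {
  const out = {};
  for (const part of header ? header.split(';') : []) {
    const i = part.indexOf('=');
    if (i !== -1) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Request side: method, path, query, cookies, form fields and findings.
function analyzeRequest(raw) {
  const { startLine, headers, body } = parseMessage(raw);
  const [method, target, version] = startLine.split(' ');
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const query = parseForm(q === -1 ? '' : target.slice(q + 1));
  const ctype = headers['content-type'] || '';
  const form = ctype.startsWith('application/x-www-form-urlencoded') ? parseForm(body) : {};
  const cookies = parseCookies(headers['cookie']);
  const findings = [];
  if (RISKY_METHODS.has(method)) findings.push('risky method ' + method);
  if (/^https?:\/\//i.test(target)) findings.push('absolute-URI target (proxy-style request)');
  if (Object.keys(cookies).length) findings.push('cookies: ' + Object.keys(cookies).join(','));
  if (Object.keys(query).length) findings.push('query parameters: ' + Object.keys(query).join(','));
  return { method, path, version, query, cookies, form, headers, findings };
}

// Response side: status code, server banner and the headers worth reading.
function analyzeResponse(raw) {
  const { startLine, headers, body } = parseMessage(raw);
  const m = /^HTTP\/(\d\.\d) (\d{3})/.exec(startLine);
  const findings = [];
  if (headers['server']) findings.push('server banner disclosed: ' + headers['server']);
  return { version: m && m[1], status: m ? parseInt(m[2], 10) : null, headers, body, findings };
}

// Constructed samples (from slides 4 and 8; query string and cookie added here).
const SAMPLE_GET = 'GET /index.html?q=a+b HTTP/1.1\r\nHost: www.example.com\r\n' +
  'User-Agent: Mozilla/5.0\r\nCookie: sid=abc123\r\n\r\n';
const SAMPLE_POST = 'POST http://example.com/cgi-bin/search.cgi HTTP/1.1\r\n' +
  'Host: example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n' +
  'Content-Length: 17\r\n\r\nsearch=searchtext';
const SAMPLE_RESPONSE = 'HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Unix) (Red-Hat/Linux)\r\n' +
  'Content-Length: 5\r\nContent-Type: text/html; charset=UTF-8\r\n\r\nhello';

console.log(analyzeRequest(SAMPLE_POST).findings, analyzeResponse(SAMPLE_RESPONSE).findings);
```

Running it prints the findings for the POST sample (its absolute-URI request target) and for the response (the Server banner, which is the kind of disclosure a response review should note). The body is cut at Content-Length on purpose: anything after the declared length is not part of this message, and a parser that silently keeps it will disagree with the server about where the next request begins.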
11. HTTP Streams

12. Ajax

13. Ajax model (diagram)
   Classic web application model: the browser (user interface) sends an HTTP request over the transport layer to the web server; the server-side systems (data stores, backend processing, legacy systems) return HTML + CSS data.
   Ajax-enabled web application model: the user interface makes a JavaScript call to the Ajax engine in the browser; the Ajax engine sends an HTTP request to the web and/or XML server; the server-side systems (data stores, backend processing, legacy systems) return XML data, and the Ajax engine delivers HTML + CSS data to the user interface.

14. Ajax introduction

15. DOM
   • Dynamic HTML
   • Browser loads Document Object Model
   • DOM can be manipulated by scripts in the browser
   • Components
     – History
     – Location
     – Forms etc.
16. XHR object
   • No sockets in browser
   • XHR – XMLHttpRequest object provides a socket to the browser.
   • It has an event model and async communication setup
   • XML is an easy data structure to access and consume in the browser
   • JavaScript makes a call and accesses it from the server through XHR

17. XHR - Ajax

     function getajax()
     {
       var http;
       var response;
       // Native XMLHttpRequest first; fall back to the ActiveX objects of older IE.
       // ActiveXObject throws (rather than returning null) when a ProgID is
       // missing, so the fallback is a try/catch, not a null check.
       if (window.XMLHttpRequest) {
         http = new XMLHttpRequest();
       } else if (window.ActiveXObject) {
         try {
           http = new ActiveXObject("Msxml2.XMLHTTP");
         } catch (e) {
           http = new ActiveXObject("Microsoft.XMLHTTP");
         }
       }
       http.open("GET", "./ajax.txt", true);   // true = asynchronous
       http.onreadystatechange = function() {
         if (http.readyState == 4) {            // 4 = response complete
           response = http.responseText;
           document.getElementById('main').innerHTML = response;
         }
       };
       http.send(null);
     }
18. RIA

19. RIA
   • Rich Internet Applications can be created using Flash technologies
   • Various technologies through which applications can be created
   • Supports various libraries
   • Can make calls to Web Services or XML-RPC calls etc.

20. Example

21. Silverlight
   • Microsoft came up with a similar framework and player to Flash
   • It helps in building RIA
   • It runs on the .NET framework
   • Easy to build applications and works across platforms
   • It may catch up down the line – still in a very early stage

22. Web 2.0 Data
23. Data structures
   • Ajax is using various data streams
   • Developers are innovating in this field
   • JavaScript can talk with back-end sources
   • Mashup applications can be leveraged
   • It is important to understand these streams
   • They have significant security impact

24. JSON
   • JSON (JavaScript Object Notation) - a lightweight data-interchange format
   • Based on the JavaScript Programming Language (Standard ECMA-262)
   • Completely language independent
   • C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others
   • Interchangeable is the key.

25. JSON
   • Example

     {
       "firstName": "John",
       "lastName": "Smith",
       "address": {
         "streetAddress": "21 2nd Street",
         "city": "New York",
         "state": "NY",
         "postalCode": 10021
       },
       "phoneNumbers": [
         "212 732-1234",
         "646 123-4567"
       ]
     }

26. XML
   • XML stream can be accessed by Ajax call
   • It can be Web Services
   • XML parsing done at browser end
   • XHR object supports XML response handling
   • XML nodes are extracted and injected into the DOM
   • XML is becoming popular with Web 2.0 applications

27. Script as data
   • Developers are using script as data between server and clients
   • Information sent to the browser as a variable set
   • These scripts get executed in the browser.
   • This is another way of updating the DOM context
   • DOM manipulation needs eval()

28. Array serialization
   • Array is another native JavaScript object
   • It is possible to serialize this object over the application
   • Browser extracts the array from the server
   • Injects information into the DOM
   • DOM updates the browser
   • Array is popular and easy to exchange

29. JS-Object serialization
   • JS objects can be serialized
   • This way an entire object can be sent to the browser
   • Object can contain both data and methods
   • This is much easier for the browser to process
   • It just injects the object into the DOM
   • Once it is in the DOM it is easier to update the browser content
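As an added example (not code from the slides), the following JavaScript (Node.js) works through the data streams of slides 24 to 29: it produces a JSON stream, a "script as data" stream and an array stream from the slide 25 object, shows what happens to an object that carries a method, and consumes the script stream on the client side with JSON.parse instead of eval() before escaping the values for insertion into the DOM (the innerHTML pattern of slide 17). The helper names (toJsonStream, toScriptStream, parseScriptStream, escapeHtml, renderPerson) are this example's own, not the API of any library.

```javascript
// Added example, not from the original slides: the Web 2.0 data streams of
// slides 24-29 produced as a server would send them and consumed in the
// browser without eval(). The sample object is the one on slide 25; the
// helper names are this example's own.

const person = {
  firstName: 'John', lastName: 'Smith',
  address: { streetAddress: '21 2nd Street', city: 'New York', state: 'NY', postalCode: 10021 },
  phoneNumbers: ['212 732-1234', '646 123-4567'],
};

// JSON stream (slide 25): text a server sends and JSON.parse accepts as-is.
function toJsonStream(obj) { return JSON.stringify(obj); }

// "Script as data" stream (slides 27-28): a JavaScript statement that the
// classic pattern hands to eval(). Works for arrays and objects alike.
function toScriptStream(name, value) {
  return 'var ' + name + ' = ' + JSON.stringify(value) + ';';
}

// Slide 29: an object can carry data and methods, but JSON cannot express the
// method. JSON.stringify silently drops function-valued properties, so only
// executable script could carry behaviour to the browser.
function serializeWithMethod() {
  const obj = { id: 7, describe: function () { return 'item ' + this.id; } };
  return JSON.stringify(obj); // '{"id":7}' - the method is gone
}

// Client side: recover the value from a script stream with JSON.parse rather
// than eval(). Anything that is not a plain JSON literal (a function call, an
// expression) is rejected, which is the security point of slide 27.
function parseScriptStream(stream) {
  const m = /^\s*var\s+([A-Za-z_$][\w$]*)\s*=\s*([\s\S]*?);?\s*$/.exec(stream);
  if (!m) throw new Error('not a simple "var name = literal;" stream');
  return { name: m[1], value: JSON.parse(m[2]) };
}

// Client side: before a value from any stream goes into innerHTML, escape it
// so it is rendered as text, not interpreted as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Build the HTML fragment that the DOM update would insert.
function renderPerson(p) {
  const phones = p.phoneNumbers.map(function (n) { return '<li>' + escapeHtml(n) + '</li>'; }).join('');
  return '<p>' + escapeHtml(p.firstName + ' ' + p.lastName) + ', ' +
    escapeHtml(p.address.city) + '</p><ul>' + phones + '</ul>';
}

// Round trip: server serializes, client parses and renders.
const received = parseScriptStream(toScriptStream('user', person));
console.log(received.name, renderPerson(received.value));
```

The parser accepts only a single assignment of a JSON literal, so the same client code handles the array stream of slide 28 and the object stream of slide 29, while a stream that contains an expression or a call fails at JSON.parse instead of running. That is the trade-off slide 29 hints at: once the stream is data rather than script, methods cannot travel with it, and the browser code must supply the behaviour itself.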
30. Conclusion