HTTP Protocol & Streams
Security and Introduction

Protocol
HTTP(S) – 80/443

The HTTP Protocol
• Standard for transferring documents on the
World Wide Web (RFC 2616 – 1.1)
• TCP/IP based communications protocol
• The protocol is –
– connectionless
– media-independent
– stateless
– mostly all text

Sample HTTP exchange
• Browser = client, Web server = server
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
HTTP Request
HTTP/1.1 200 OK
Date: Thu, 14 Jul 2005 20:27:45 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Accept-Ranges: bytes Content-Length: 438
Connection: close
Content-Type: text/html; charset=UTF-8
HTTP ResponseClient
Server

HTTP Request and Response
• Methods – GET, POST, HEAD
• New Methods in HTTP 1.1
• Header fields: Server, Host, Length, etc.
• Response codes – 200, 404, 500, etc.

HTTP Methods - Common
• The GET method
• The HEAD method
• The POST method

The GET Method
• retrieves entity identified by the Request-URI
• can be used to submit form data
– URL-encodes form data and appends to Request-
URI
• query length is limited
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

The POST method
• sends data block with request to server
• extra headers describe message body
• query length can be unlimited
POST http://example.com/cgi-bin/search.cgi HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0;
rv:1.7.3) Gecko/20040913 Firefox/0.10
Accept: text/xml, application/xml, application/xhtml+xml,
text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5
Keep-Alive: 300
Referer: http://example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 17
search=searchtext

Analyzing HTTP traffic
• Security assessment needs sound knowledge
of HTTP analysis
• Tools and mind needed to analyze the traffic
• What to look for? – methods, cookie,
querysting etc.
• All part of HTTP – Response analysis is equally
important.

Other methods in HTTP/1.1
• Trace
– echoes back the received request
• used with Via: and Max-Forwards for debugging
• Put
– uploads a representation of specified resource
• Delete
– deletes the specified resource
• Options (Extensibility hook)
– returns HTTP methods supported by the server

HTTP Streams

Ajax

Ajax model
Transport layer
Browser
server-side systems
user interface
web server
Data stores,
backend processing,
legacy systems
HTTP request
HTML + CSS data
Browser
server-side systems
Ajax engine
web and/or XMLserver
Data stores,
backend processing,
legacy systems
HTTP request
XML Data
user interface
Classic web application model Ajax-enabled web application model
JavaScript call
HTML + CSS data

Ajax introduction

DOM
• Dynamic HTML
• Browser loads Document Object Model
• DOM can be manipulated by scripts in the
browser
• Components
– History
– Location
– Forms etc….

XHR object
• No Sockets in browser
• XHR – XMLHttpRequest Object provides
socket to browser.
• It has event model and async communication
setup
• XML easy data structures to access and
consume in browser
• JavaScript make a call and access it from
server through XHR

XHR - Ajax
function getajax()
{
var http;
if(window.XMLHttpRequest){
http = new XMLHttpRequest();
}else if (window.ActiveXObject){
http=new ActiveXObject("Msxml2.XMLHTTP");
if (! http){
http=new ActiveXObject("Microsoft.XMLHTTP");
}
}
http.open("GET", "./ajax.txt", true);
http.onreadystatechange = function()
{
if (http.readyState == 4) {
response = http.responseText;
document.getElementById('main').innerHTML = response;
}
}
http.send(null);
}

RIA

RIA
• Rich Internet Application can be created using
Flash technologies
• Various technologies through which
application can be created
• Supports various libraries
• Can make a call to Web Services or XML-RPC
calls etc.

Example

Silverlight
• Microsoft came up with similar framework
and player like flash
• It helps in building RIA
• It runs on .NET framework
• Easy to build applications and works across
platforms
• It may catch up down the line – still in very
early stage

Web 2.0 Data

Data structures
• Ajax is using various data streams
• Developers are innovating this field
• JavaScript can talk with back end sources
• Mashups application can be leveraged
• It is important to understand these streams
• It has significant security impact

JSON
• JSON (JavaScript Object Notation) - a
lightweight data-interchange format
• Based on JavaScript Programming Language
(Standard ECMA-262)
• Completely language independent
• C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many
others.
• Interchangeable is the Key.

JSON
• Example
{ "firstName": "John", "lastName": "Smith",
"address": { "streetAddress": "21 2nd Street",
"city": "New York", "state": "NY", "postalCode":
10021 }, "phoneNumbers": [ "212 732-1234", "646
123-4567" ] }

XML
• XML stream can be accessed by Ajax call
• It can be Web Services
• XML parsing done at browser end
• XHR object supports XML response handling
• XML nodes are extracted and injected in the
DOM
• XML is becoming popular with Web 2.0
applications

Script as data
• Developers are using script as data between
server and clients
• Information sent to the browser as variable
set
• These script get executed on the browser.
• This is another way of updating DOM context
• DOM manipulation needs eval()

Array serialization
• Array is another native JavaScript object
• It is possible to serialize this object over
application
• Browser extract the array from the server
• Inject information to the DOM
• DOM updates the browser
• Array is popular and easy to exchange

JS-Object serialization
• JS object are possible to serialize
• This way entire object can be sent to the
browser
• Object can contain both data and methods
• This is much easier for browser to process
• It just inject object to the DOM
• Once it is in the DOM it is easier to update the
browser content

Conclusion