3.
The HTTP Protocol
• Standard for transferring documents on the
World Wide Web (RFC 2616 – 1.1)
• TCP/IP based communications protocol
• The protocol is –
– connectionless
– media-independent
– stateless
– mostly all text
4.
Sample HTTP exchange
• Browser = client, Web server = server
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
HTTP Request
HTTP/1.1 200 OK
Date: Thu, 14 Jul 2005 20:27:45 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
Etag: "3f80f-1b6-3e1cb03b"
Accept-Ranges: bytes
Content-Length: 438
Connection: close
Content-Type: text/html; charset=UTF-8
HTTP Response
5.
HTTP Request and Response
• Methods – GET, POST, HEAD
• New Methods in HTTP 1.1
• Header fields: Server, Host, Length, etc.
• Response codes – 200, 404, 500, etc.
6.
HTTP Methods - Common
• The GET method
• The HEAD method
• The POST method
7.
The GET Method
• retrieves entity identified by the Request-URI
• can be used to submit form data
– URL-encodes form data and appends it to the Request-URI
• query length is limited
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
8.
The POST method
• sends data block with request to server
• extra headers describe message body
• query length can be unlimited
POST http://example.com/cgi-bin/search.cgi HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5
Keep-Alive: 300
Referer: http://example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 17
search=searchtext
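An added example (not code from the deck) showing the difference the two slides describe: the same form fields URL-encoded onto the Request-URI for GET, or carried in the body with Content-Type and a computed Content-Length for POST. Function names are mine.

```javascript
// Percent-encode form fields as application/x-www-form-urlencoded.
function encodeForm(fields) {
  return Object.keys(fields)
    .map(function (k) {
      // encodeURIComponent escapes "&", "=" and non-ASCII; form encoding
      // then spells a space as "+" rather than "%20".
      return encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]);
    })
    .join("&")
    .replace(/%20/g, "+");
}

// GET: form data is URL-encoded and appended to the Request-URI.
// Everything after "?" lands in server logs, proxies and browser history.
function buildGet(host, path, fields) {
  var query = encodeForm(fields);
  var uri = query ? path + "?" + query : path;
  return "GET " + uri + " HTTP/1.1\r\n" +
         "Host: " + host + "\r\n" +
         "User-Agent: Mozilla/5.0\r\n\r\n";
}

// POST: same encoding, but carried in the body; the extra headers
// describe that body so the server knows how much to read and how to parse it.
function buildPost(host, path, fields) {
  var body = encodeForm(fields);
  // Content-Length counts bytes. encodeForm only emits ASCII, so the
  // string length equals the byte length here.
  return "POST " + path + " HTTP/1.1\r\n" +
         "Host: " + host + "\r\n" +
         "User-Agent: Mozilla/5.0\r\n" +
         "Content-Type: application/x-www-form-urlencoded\r\n" +
         "Content-Length: " + body.length + "\r\n\r\n" +
         body;
}
```

With the deck's field `search=searchtext` the POST body is 17 bytes, matching the Content-Length on the slide.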
9.
Analyzing HTTP traffic
• Security assessment needs sound knowledge
of HTTP analysis
• Tools and a trained mind are needed to analyze the traffic
• What to look for? – methods, cookies,
querystring, etc.
• All part of HTTP – response analysis is equally
important.
10.
Other methods in HTTP/1.1
• Trace
– echoes back the received request
• used with Via: and Max-Forwards for debugging
• Put
– uploads a representation of specified resource
• Delete
– deletes the specified resource
• Options (Extensibility hook)
– returns HTTP methods supported by the server
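An added example (not from the deck) tying the "Analyzing HTTP traffic" and "Other methods" slides together: a small request parser that pulls out the things the deck says an analyst looks for (method, querystring, cookies) and flags the less common HTTP/1.1 methods and a Content-Length that does not match the body. Names and the sample request are mine.

```javascript
// Methods the deck lists beyond GET/POST/HEAD; seeing them against an
// ordinary web application is worth a closer look during review.
var REVIEW_METHODS = { TRACE: true, PUT: true, DELETE: true, OPTIONS: true };

// Parse a raw HTTP/1.1 request into its request line, headers and body.
function parseRequest(raw) {
  var parts = raw.split("\r\n\r\n");
  var headLines = parts[0].split("\r\n");
  var body = parts.slice(1).join("\r\n\r\n");
  var start = headLines[0].split(" ");
  var headers = {};
  for (var i = 1; i < headLines.length; i++) {
    var idx = headLines[i].indexOf(":");
    if (idx < 0) continue;
    // Header names are case-insensitive; normalise to lower case.
    headers[headLines[i].slice(0, idx).toLowerCase()] =
      headLines[i].slice(idx + 1).trim();
  }
  var qmark = start[1].indexOf("?");
  return {
    method: start[0],
    path: qmark < 0 ? start[1] : start[1].slice(0, qmark),
    query: qmark < 0 ? "" : start[1].slice(qmark + 1),
    version: start[2],
    headers: headers,
    body: body
  };
}

// Return the review findings for one request as plain strings.
function triage(raw) {
  var req = parseRequest(raw);
  var findings = [];
  if (REVIEW_METHODS[req.method]) findings.push("method " + req.method);
  if (req.query) findings.push("query string: " + req.query);
  if (req.headers["cookie"]) findings.push("cookie: " + req.headers["cookie"]);
  var declared = req.headers["content-length"];
  if (declared !== undefined && Number(declared) !== req.body.length) {
    findings.push("content-length " + declared + " != body " + req.body.length);
  }
  return findings;
}

// Constructed sample, modelled on the deck's POST example plus a cookie.
var SAMPLE = "POST /cgi-bin/search.cgi HTTP/1.1\r\nHost: example.com\r\n" +
  "Cookie: session=abc123\r\nContent-Type: application/x-www-form-urlencoded\r\n" +
  "Content-Length: 17\r\n\r\nsearch=searchtext";
```

The same parser works on the deck's GET example, which yields no findings; a TRACE with a querystring yields two.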
13.
Ajax model
(Diagram) Classic web application model: user interface → HTTP request → web server → server-side systems (data stores, backend processing, legacy systems); the server returns HTML + CSS data to the browser.
(Diagram) Ajax-enabled web application model: user interface → JavaScript call → Ajax engine in the browser → HTTP request → web and/or XML server → server-side systems (data stores, backend processing, legacy systems); the server returns XML data to the Ajax engine, which updates the user interface with HTML + CSS data.
15.
DOM
• Dynamic HTML
• Browser loads Document Object Model
• DOM can be manipulated by scripts in the
browser
• Components
– History
– Location
– Forms, etc.
16.
XHR object
• No sockets in the browser
• XHR – the XMLHttpRequest object provides a
socket to the browser.
• It has an event model and an async communication
setup
• XML is an easy data structure to access and
consume in the browser
• JavaScript makes a call and accesses the result from the
server through XHR
17.
XHR - Ajax
function getajax()
{
  var http;
  // Native XHR first, then the IE ActiveX fallbacks (newest first).
  // ActiveXObject throws rather than returning null when a ProgID is
  // missing, so the fallback needs try/catch, not a null check.
  if (window.XMLHttpRequest) {
    http = new XMLHttpRequest();
  } else if (window.ActiveXObject) {
    try {
      http = new ActiveXObject("Msxml2.XMLHTTP");
    } catch (e) {
      http = new ActiveXObject("Microsoft.XMLHTTP");
    }
  }
  if (!http) { return; }  // no XHR support at all
  http.open("GET", "./ajax.txt", true);
  http.onreadystatechange = function()
  {
    // readyState 4: the response is complete
    if (http.readyState == 4) {
      var response = http.responseText;
      // The fetched text is written straight into the DOM as markup.
      document.getElementById('main').innerHTML = response;
    }
  };
  http.send(null);
}
19.
RIA
• Rich Internet Applications can be created using
Flash technologies
• Various technologies through which such
applications can be created
• Supports various libraries
• Can make calls to Web Services, XML-RPC,
etc.
21.
Silverlight
• Microsoft came up with a similar framework
and player to Flash
• It helps in building RIAs
• It runs on the .NET framework
• Easy to build applications, and works across
platforms
• It may catch up down the line – still at a very
early stage
23.
Data structures
• Ajax uses various data streams
• Developers are innovating in this field
• JavaScript can talk with back-end sources
• Mashup applications can be leveraged
• It is important to understand these streams
• They have a significant security impact
24.
JSON
• JSON (JavaScript Object Notation) – a
lightweight data-interchange format
• Based on the JavaScript programming language
(Standard ECMA-262)
• Completely language independent
• Familiar to programmers of the C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many
others.
• Interchangeability is the key.
26.
XML
• An XML stream can be accessed by an Ajax call
• It can be a Web Service
• XML parsing is done at the browser end
• The XHR object supports XML response handling
• XML nodes are extracted and injected into the
DOM
• XML is becoming popular with Web 2.0
applications
27.
Script as data
• Developers are using script as data between
server and clients
• Information is sent to the browser as a set of
variables
• These scripts get executed in the browser.
• This is another way of updating the DOM context
• DOM manipulation needs eval()
28.
Array serialization
• Array is another native JavaScript object
• It is possible to serialize this object across the
application
• The browser extracts the array from the server response
• Injects the information into the DOM
• The DOM update is reflected in the browser
• Arrays are popular and easy to exchange
29.
JS-Object serialization
• JS objects can be serialized
• This way an entire object can be sent to the
browser
• An object can contain both data and methods
• This is much easier for the browser to process
• It just injects the object into the DOM
• Once it is in the DOM it is easier to update the
browser content
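An added example (not from the deck) covering the JSON, script-as-data, array and JS-object serialization slides from the browser side: each stream is consumed as data with JSON.parse instead of eval(), so a stream that carries methods is rejected rather than executed, and values are escaped before they go into the DOM via innerHTML. The sample streams and helper names are mine; JSON.parse is standard since ES5.

```javascript
// Constructed sample streams as a server might return them to an XHR call.
var STREAMS = {
  json:   '{"user":"alice","roles":["editor","viewer"]}',
  array:  '[["alice","editor"],["bob","viewer"]]',
  // "Script as data": a variable assignment intended to be eval()'d.
  // It carries a method, which a pure data format cannot express.
  script: 'var profile = {name: "alice", greet: function(){ return "hi"; }};'
};

// Parse a stream as data only. JSON.parse never runs code, so anything
// that is not a plain JSON literal (including the script form above)
// fails here instead of executing, which is the property eval() lacks.
function parseStream(text) {
  try {
    return { ok: true, data: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: "not a JSON data stream" };
  }
}

// If a legacy endpoint can only emit the "var x = <literal>;" script form,
// unwrap the literal and validate it with JSON.parse instead of eval()ing
// the whole string. A literal with code or unquoted keys is still rejected.
function unwrapAssignment(text) {
  var m = /^\s*var\s+\w+\s*=\s*([\s\S]*?);?\s*$/.exec(text);
  return m ? parseStream(m[1]) : { ok: false, error: "not an assignment" };
}

// HTML-escape a parsed value before injecting it with innerHTML, so data
// that happens to contain markup is shown as text, not interpreted.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;",
             '"': "&quot;", "'": "&#39;" }[c];
  });
}
```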