Advertisement
Advertisement

More Related Content

Advertisement
Advertisement

HTTP protocol and Streams Security

  1. HTTP Protocol & Streams Security and Introduction
  2. Protocol HTTP(S) – 80/443
  3. The HTTP Protocol • Standard for transferring documents on the World Wide Web (RFC 2616 – 1.1) • TCP/IP based communications protocol • The protocol is – – connectionless – media-independent – stateless – mostly all text
  4. Sample HTTP exchange • Browser = client, Web server = server GET /index.html HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 HTTP Request HTTP/1.1 200 OK Date: Thu, 14 Jul 2005 20:27:45 GMT Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT Etag: "3f80f-1b6-3e1cb03b" Accept-Ranges: bytes Content-Length: 438 Connection: close Content-Type: text/html; charset=UTF-8 HTTP ResponseClient Server
  5. HTTP Request and Response • Methods – GET, POST, HEAD • New Methods in HTTP 1.1 • Header fields: Server, Host, Length, etc. • Response codes – 200, 404, 500, etc.
  6. HTTP Methods - Common • The GET method • The HEAD method • The POST method
  7. The GET Method • retrieves entity identified by the Request-URI • can be used to submit form data – URL-encodes form data and appends to Request- URI • query length is limited GET /index.html HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0
  8. The POST method • sends data block with request to server • extra headers describe message body • query length can be unlimited POST http://example.com/cgi-bin/search.cgi HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10 Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5 Keep-Alive: 300 Referer: http://example.com/ Content-Type: application/x-www-form-urlencoded Content-Length: 17 search=searchtext
  9. Analyzing HTTP traffic • Security assessment needs sound knowledge of HTTP analysis • Tools and mind needed to analyze the traffic • What to look for? – methods, cookie, querysting etc. • All part of HTTP – Response analysis is equally important.
  10. Other methods in HTTP/1.1 • Trace – echoes back the received request • used with Via: and Max-Forwards for debugging • Put – uploads a representation of specified resource • Delete – deletes the specified resource • Options (Extensibility hook) – returns HTTP methods supported by the server
  11. HTTP Streams
  12. Ajax
  13. Ajax model Transport layer Browser server-side systems user interface web server Data stores, backend processing, legacy systems HTTP request HTML + CSS data Browser server-side systems Ajax engine web and/or XMLserver Data stores, backend processing, legacy systems HTTP request XML Data user interface Classic web application model Ajax-enabled web application model JavaScript call HTML + CSS data
  14. Ajax introduction
  15. DOM • Dynamic HTML • Browser loads Document Object Model • DOM can be manipulated by scripts in the browser • Components – History – Location – Forms etc….
  16. XHR object • No Sockets in browser • XHR – XMLHttpRequest Object provides socket to browser. • It has event model and async communication setup • XML easy data structures to access and consume in browser • JavaScript make a call and access it from server through XHR
  17. XHR - Ajax function getajax() { var http; if(window.XMLHttpRequest){ http = new XMLHttpRequest(); }else if (window.ActiveXObject){ http=new ActiveXObject("Msxml2.XMLHTTP"); if (! http){ http=new ActiveXObject("Microsoft.XMLHTTP"); } } http.open("GET", "./ajax.txt", true); http.onreadystatechange = function() { if (http.readyState == 4) { response = http.responseText; document.getElementById('main').innerHTML = response; } } http.send(null); }
  18. RIA
  19. RIA • Rich Internet Application can be created using Flash technologies • Various technologies through which application can be created • Supports various libraries • Can make a call to Web Services or XML-RPC calls etc.
  20. Example
  21. Silverlight • Microsoft came up with similar framework and player like flash • It helps in building RIA • It runs on .NET framework • Easy to build applications and works across platforms • It may catch up down the line – still in very early stage
  22. Web 2.0 Data
  23. Data structures • Ajax is using various data streams • Developers are innovating this field • JavaScript can talk with back end sources • Mashups application can be leveraged • It is important to understand these streams • It has significant security impact
  24. JSON • JSON (JavaScript Object Notation) - a lightweight data-interchange format • Based on JavaScript Programming Language (Standard ECMA-262) • Completely language independent • C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. • Interchangeable is the Key.
  25. JSON • Example { "firstName": "John", "lastName": "Smith", "address": { "streetAddress": "21 2nd Street", "city": "New York", "state": "NY", "postalCode": 10021 }, "phoneNumbers": [ "212 732-1234", "646 123-4567" ] }
  26. XML • XML stream can be accessed by Ajax call • It can be Web Services • XML parsing done at browser end • XHR object supports XML response handling • XML nodes are extracted and injected in the DOM • XML is becoming popular with Web 2.0 applications
  27. Script as data • Developers are using script as data between server and clients • Information sent to the browser as variable set • These script get executed on the browser. • This is another way of updating DOM context • DOM manipulation needs eval()
  28. Array serialization • Array is another native JavaScript object • It is possible to serialize this object over application • Browser extract the array from the server • Inject information to the DOM • DOM updates the browser • Array is popular and easy to exchange
  29. JS-Object serialization • JS object are possible to serialize • This way entire object can be sent to the browser • Object can contain both data and methods • This is much easier for browser to process • It just inject object to the DOM • Once it is in the DOM it is easier to update the browser content
  30. Conclusion
Advertisement