HTTP is the protocol used to transmit data over the web. It is stateless and requires sessions to track state. Requests and responses use headers to transmit metadata. Sensitive data should only be sent over HTTPS and only in the body of POST, PUT, or PATCH requests, never in the URL query string. Response headers like HSTS, CSP, and CORS help secure applications by controlling caching, framing, and cross-origin requests.
The document discusses REST (REpresentational State Transfer), an architectural style for building distributed systems. It covers REST concepts like resources, representations, URIs, HTTP methods, caching, and versioning. It provides guidance on designing RESTful APIs, including determining resources, supported methods, and return codes. Content negotiation and tools for testing REST APIs are also mentioned.
This presentation gives high-level concepts and some code to take a stab at developing a simple RESTful server. I targeted people who would like to build a simple RESTful server from scratch and experiment.
This document discusses best practices for designing RESTful web services. It begins by defining REST as an architectural style for distributed hypermedia systems, rather than a protocol or standard. The document outlines the constraints and principles of RESTful design, including client-server architecture, statelessness, cacheability and a uniform interface. It then evaluates several common approaches to building web APIs in terms of how well they follow REST principles. The document argues that an API designed according to REST principles, using hypermedia and self-descriptive messages, results in a loosely coupled and scalable design.
The document discusses extending service-oriented architecture (SOA) with REST and Web 2.0 principles. It defines representational state transfer (REST) and describes its characteristics, including being resource-centric, using uniform interfaces, and being stateless. It advocates designing SOAs in a RESTful way by following best practices like using standard HTTP methods and URIs to access resources.
The document discusses RESTful web services and compares them to SOAP-based web services. It defines RESTful web services and outlines their key characteristics, including using standard HTTP methods to perform operations on resources identified by URIs. The document provides examples of building RESTful web services with JAX-RS and discusses arguments for using RESTful approaches over SOAP-based services, noting REST's simplicity, flexibility and performance advantages.
The never-ending REST API design debate -- Devoxx France 2016 (Restlet)
The document discusses best practices for REST API design, including:
1) Using nouns instead of verbs for endpoints, and plural resource names instead of singular. It also recommends snake_case formatting.
2) Properly using HTTP status codes like 201 Created, 202 Accepted, 204 No Content, and providing helpful error responses.
3) Supporting features like pagination, filtering, sorting, searching, and caching responses with headers like ETag and Last-Modified.
4) Discussing approaches for API versioning in the URL, custom headers, or accept headers. The importance of hypermedia and discoverability is also emphasized.
This document provides an overview and primer on REST (REpresentational State Transfer) architectural style for building web services. It discusses key REST concepts like resources identified by URIs, use of standard HTTP methods like GET, PUT, POST, DELETE, stateless communication, and representation of resources in different formats like XML and JSON. It also describes how the JAX-RS API in Java maps to these REST concepts through annotations and allows building RESTful web services and APIs in a declarative way.
The document provides guidelines and best practices for designing RESTful APIs, including:
- Using JSON over XML and making the API stateless and secure.
- Following conventions for HTTP verbs and status codes.
- Keeping data structures consistent and handling data with modern frameworks.
- Providing comprehensive documentation for data types, methods, and samples.
The document discusses building Restful web services including:
- Main steps like defining resources, HTTP methods, authentication, and best practices
- Frameworks for building Restful services like JAX-RS which uses annotations like @Path and @GET
- Additional tools that can help like Swagger for documentation and JSON parsers for validation
What is REST?
What is RESTful Webservices
HTTP-REST Request Basics
HTTP-REST Vocabulary
Authentication (OAuth)
OAuth 2.0 Web Server Flow
REST APIs using Apex REST
Resources
This document summarizes RESTful and unRESTful HTTP patterns. It discusses how REST aims to address issues with network-based, decentralized systems by constraining architectural elements. Some common anti-patterns are described, such as RPC over URI and HTTP tunneling, which violate REST principles. Best practices for RESTful HTTP include identifying resources, manipulating resources through representations, using self-descriptive messages, and making application state discoverable through hypermedia.
The document discusses Representational State Transfer (REST) and RESTful web services. It provides an overview of REST principles including treating everything as a resource with a uniform interface, using standard HTTP methods, supporting multiple representations, communicating statelessly through hypermedia, and linking resources together. It then provides examples of how to design a RESTful API for a bookmark management application, mapping operations to resources, URIs, and HTTP methods.
The document provides an overview of RESTful web services compared to SOAP web services. It discusses how REST is based on the architectural constraints of the web and uses HTTP methods to perform CRUD operations on resources. It also covers the core concepts of REST including resources, representations, and the REST constraints of being stateless, cacheable, etc. Examples are given of how RESTful services can use HTTP features like conditional GET requests and security mechanisms. Frameworks for building RESTful services and comparisons with SOAP are also summarized.
Representational State Transfer (REST) and HATEOAS (Guy K. Kloss)
This document outlines Representational State Transfer (REST) and HATEOAS (Hypermedia as the Engine of Application State). It discusses the principles of REST including identification of resources, manipulation of resources through HTTP methods, self-descriptive messages, and HATEOAS. An example scenario of a flight booking API is provided to illustrate how HATEOAS links indicate state transitions within a REST API.
The document provides an overview of a seminar on RESTful web services. It discusses what REST is, its characteristics and principles, and compares RESTful architectures to SOAP. Key points covered include how REST focuses on a system's resources and how they are addressed and transferred over HTTP, the client-server interaction style of REST, and advantages of REST like scalability and loose coupling between components.
The document discusses various methods for accessing and consuming external data with jQuery including:
1) RESTful web services and consuming REST APIs with jQuery's AJAX methods by making GET and POST requests.
2) Common data formats for APIs like XML, JSON, and RSS and examples of each.
3) Consuming the Twitter REST API with jQuery to get user tweets, post new tweets, and search tweets.
4) Twitter's @Anywhere solution which makes it easy to add Twitter features like follow buttons and tweet widgets to applications.
5) Demonstrating the Facebook JavaScript SDK and APIs for features like login/logout and posting.
The document discusses source code analysis techniques for detecting vulnerabilities. It describes several methodologies used in source code analysis tools, including style checking, semantic analysis, and deep flow analysis. Semantic analysis builds an abstract syntax tree to simulate code execution and check for faults. Deep flow analysis extends semantic analysis to generate control and data flow graphs to find issues like race conditions. The document also provides examples of source code vulnerabilities that can be detected, such as a buffer overflow, and discusses how tools can analyze source code, bytecode, and detect entry points vulnerable to attacks.
The document discusses the HTTP protocol and how it facilitates data transfer on the world wide web. It describes key aspects of HTTP like its request-response structure, common methods like GET and POST, status codes, and how tools can analyze HTTP traffic. It then covers how AJAX uses the XMLHttpRequest object to asynchronously retrieve and update web page elements without reloading. Finally, it discusses data formats like JSON, XML, and JavaScript that are commonly used in AJAX and rich internet applications.
This document provides an overview of ASP.NET Web API including:
- A model of REST maturity with 4 levels from plain XML to hypermedia controls.
- The purpose of Web APIs as RESTful HTTP services compared to SOAP.
- Mapping from WCF to the Web API model using controllers, actions, and routing instead of endpoints.
- Features like content negotiation, model binding, and dependency injection supported in the Web API stack.
The presentation covers performing cross-domain AJAX requests. Subjects include the principles of preflight requests and the limitations of the cross-origin resource sharing (CORS) policy. You will find implementation examples for the frontend (JavaScript, jQuery, AngularJS) and for the backend (.Net, Ruby on Rails). Browser compatibility is covered in the section 'Limitation in IE 8,9', where possible workarounds are shown. Finally, there are a couple of words about Content Security Policy, the latest approach in web application security.
The document discusses REST and JAX-RS 2.0. It defines REST as an architectural style for building lightweight web services using HTTP. The key REST principles include giving everything a unique ID, linking resources together, using standard HTTP methods, supporting multiple representations, communicating statelessly, and enabling caching. JAX-RS 2.0 is a Java specification that makes it easy to build RESTful web services by using annotations to define resources and HTTP methods. It supports the REST principles and features like content negotiation, hypermedia links, and caching controls.
This document discusses the advantages of using REST over SOAP for web services. REST has a lower barrier to entry and is easier to use than SOAP. It uses simple HTTP requests instead of complex SOAP envelopes, resulting in better performance and less overhead. With REST, requests are made by sending a URL instead of an XML payload in the body of a request. This makes REST APIs lighter, faster and easier to use.
- REST (Representational State Transfer) uses HTTP requests to transfer representations of resources between clients and servers. The format of the representation is determined by the content-type header and the interaction with the resource is determined by the HTTP verb used.
- The four main HTTP verbs are GET, PUT, DELETE, and POST. GET retrieves a representation of the resource and is safe, while PUT, DELETE, and POST can modify the resource's state in atomic operations.
- Resources are abstract concepts acted upon by HTTP requests, while representations are the actual data transmitted in responses. The representation may or may not accurately reflect the resource's current state.
- SOAP and RESTful web services are two common approaches for building web services. SOAP uses XML and web-related standards like HTTP, SMTP, and SOAP. RESTful services are based on REST architectural principles and use HTTP and common data formats like JSON and XML.
- The document outlines the specifications, implementations, and differences between SOAP and RESTful web services. It discusses topics like SOAP vs REST characteristics, WSDL and SOAP message structure, JAX-WS and JAX-RS annotations for building web services, and considerations for when to use each approach.
Cross site calls with javascript - the right way with CORS (Michael Neale)
Using CORS (cross-origin resource sharing) you can easily and securely make cross-site calls in web apps: fewer servers and more integration from APIs right in the browser.
This was presented during Web Directions South, 2013, Sydney, Australia.
Companion slides for Stormpath CTO and Co-Founder Les Hazlewood's Elegant REST Design Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. Whether you’re writing your first API, or just need to figure out that last piece of the puzzle, this is a great opportunity to learn more.
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
This document provides an introduction to APIs, discussing what they are, their advantages and disadvantages, and examples of different types of APIs. APIs specify the boundary and communication between two systems, defining the functions and objects that can be passed. APIs can exist within a single program or between independent programs. They simplify design, enable change without affecting the entire system, and allow for scaling and concurrent development. However, APIs also increase complexity and can make some changes more difficult. Examples provided include the Java Collections Framework interface and the Twitter REST API.
The document provides an overview of Jersey, an open source framework for developing RESTful web services in Java. It describes how Jersey implements JAX-RS and supports developing resources using Java annotations like @Path, @GET and @Produces. Resources are POJOs that handle HTTP requests at specific URI paths. Jersey also supports object injection, sub-resources, response building and common deployment options like using Grizzly HTTP server.
Tech Meetup: How to build a Rest API in Java (Santex Group)
Santex's Tech Meetup given by Pablo Chiban and Alan Albertengo, both Java Developers at Santex. You can see the Meetup on our YouTube channel: http://bit.ly/1r2LlVW
Slides covering how to access request data under the different HTTP methods and how to serve different data formats, as well as consuming web services.
Used in the University Extension Course "Desarrollo de aplicaciones web mediante servicios web y APIs abiertas" (Development of web applications using web services and open APIs) at the Universidad de Oviedo: http://directo.uniovi.es/postgrado/cabecera_ep.asp?Curso=2008&IdPrograma=5187
Infinispan is an in-memory data grid that provides a distributed key-value store. It allows for data replication across nodes for high availability and partitions data using consistent hashing to enable horizontal scalability. Infinispan supports transactions, caching, querying and more. It can be configured programmatically or via XML and integrates with various Java technologies like JPA, CDI and Spring.
As you go into the cloud, the applications you are building will often be built on service-oriented architectures that communicate through RESTful APIs. Where API design and development used to be an uncommon thing, today it has become a basic application requirement. George Reese will cover the basic considerations in designing and implementing an API for your applications.
George Reese is the author of a number of technology books and a regular speaker on RESTful APIs, cloud computing, Java, and database systems. His most recent books are The REST API Design Handbook and O’Reilly’s Cloud Application Architectures. Professionally, he is the Executive Director of Cloud Computing at Dell as a result of Dell's recent acquisition of Enstratius, a company George co-founded. George has also led a number of Open Source projects, including several MUD libraries and the Imaginary Home home automation libraries for Java. He is also the primary maintainer of Dasein Cloud, a cloud abstraction API for Java.
George holds a BA from Bates College in Maine and an MBA from the Kellogg School of Management at Northwestern University.
Building RESTful Java Applications with EMF (Kenn Hussey)
Representational State Transfer (REST) is a style of software architecture for distributed hypermedia systems such as the World Wide Web. However, it is possible to design any enterprise software system in accordance with the REST architectural style without using the HTTP protocol and without interacting with the World Wide Web.
Systems that follow the principles of REST are often referred to as RESTful. Proponents of REST argue that the Web enjoyed the scalability and growth that it has had as a direct result of a few key design principles. Among these principles are the notions that application state and functionality are divided into resources and that every resource is uniquely addressable using a universal syntax for use in hypermedia links. Another key principle of REST is that all resources share a uniform interface for the transfer of state between client and resource, consisting of a constrained set of content types and a constrained set of well-defined operations.
The Eclipse Modeling Framework (EMF) provides a Java runtime framework and tools for generative application development and fine-grained data integration based on simple models. Models can be specified directly using EMF's metamodel, Ecore, or imported from other forms, including UML and XML Schema. Given a model specification, EMF can generate a corresponding set of Java interfaces and implementation classes that can easily be mixed with hand-written code for maximum flexibility. When deployed, applications developed with EMF benefit from a powerful and extensible runtime, which, among other features, includes a persistence mechanism which has always supported the principles of REST – perhaps even before the term "REST" became popular. This tutorial will provide an introduction to EMF, including alternatives for specifying a model, EMF's code generation tools, and key runtime framework concepts. As a practical usage of this knowledge, the presenters will show how EMF can be used to build RESTful applications, exploring some best practices for working with resources and other features of the framework.
This presentation lays out the concept of the traditional web, the improvements web 2.0 have brought about, etc.
I have attempted to explain RIA as well.
The main part of this presentation is centered around ajax, its uses, advantages / disadvantages, framework considerations when using ajax, java-script hijacking, etc.
Hopefully it should be a good read as an intro doc to RIA and Ajax.
This document discusses web scraping using PHP. It provides an overview of HTTP requests like GET and POST, libraries for making requests like cURL and PEAR HTTP Client, parsing responses, and best practices for web scraping applications.
The document discusses various topics relating to web and AJAX performance including browser and server performance, HTTP protocols, browser connections, state handling, caching, HTTP headers, and common antipatterns that can negatively impact performance. It also provides examples of live demonstrations and recommends testing in the browser to avoid unexpected performance issues.
The document provides an introduction to basic web architecture, including HTML, URIs, HTTP, cookies, database-driven websites, AJAX, web services, XML, and JSON. It discusses how the web is a two-tiered architecture with a web browser displaying information from a web server. Key components like HTTP requests and responses are outlined. Extension of web architecture with server-side processing using languages like PHP and client-side processing with JavaScript are also summarized.
This is the presentation from Null/OWASP/g4h December Bangalore MeetUp by Akash Mahajan.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Abstract:
This will cover the basics of Hyper Text Transfer Protocol. You will learn how to send HTTP requests like GET, POST by crafting them manually and using a command line tool like CURL. You will also see how session management using cookies happens using the same tools.
To practice along please install curl (http://curl.haxx.se/download.html).
DEMYSTIFYING REST
Kirsten Jones
REST web services are everywhere! It seems like everything you want is available via a web service, but getting started with one of these web services can be overwhelming – and debugging the interactions bewilders some of the smartest developers I know. In this talk, I will talk about HTTP, how it works, and how to watch and understand the traffic between your system and the server. From there I’ll proceed to REST – how REST web services layer on top of HTTP and how you can expect a REST web service to behave. We’ll go over how to monitor and understand requests and responses for these services. Once we’ve covered that, I’ll talk about how OAuth is used for authentication in the framework of a REST application. PHP code samples will be shown for interacting with an OAuth REST web service, and I will cover http monitoring tools for multiple OS’s. When you’re done with this talk you’ll understand enough about REST web services to be able to get started confidently, and debug many of the common issues you may encounter.
The document discusses web application security. It covers background topics like HTTP and HTTPS. It then discusses gathering information about the application, platform, and domain. Manual testing is covered, including vulnerabilities like XSS, SQL injection, and CSRF. The use of tools like scanners is also mentioned. Remediation and documentation are also briefly discussed.
The document provides an overview of key web technologies including:
- The World Wide Web (WWW) is a global system of interconnected documents accessed via URLs over HTTP. It consists of web servers that host content and web browsers that render pages.
- HTTP is the fundamental protocol of the WWW. It uses a request-response model where clients make requests that servers respond to. Common requests are GET to retrieve resources and POST to submit data.
- Cookies are small pieces of data stored by the client that are included in future HTTP requests to maintain state across interactions.
The document discusses Representational State Transfer (REST) architectural style and principles for designing web services. It provides examples of RESTful APIs for resources like songs, tweets, and maps. It explains key REST concepts like using standard HTTP methods, addressing resources with URIs, stateless communications, and linking resources to provide a uniform interface.
Walks through the basics of the HTTP protocol, URLs, cookies and caching, with tricks and tips that can be used by web developers. From a Geek.class I did on Oct 6, 2011 for Meet the Geeks.
This talk is a generic but comprehensive overview of security mechanism, controls and potential attacks in modern browsers. The talk focuses also on new technologies, such as HTML5 and related APIs to highlight new attack scenario against browsers.
The document discusses remote procedure calls (RPC) and web services. It describes how RPC works by defining an interface and using stubs to make synchronous function calls between a client and server. It also explains the basic components of web services, including SOAP for messaging, WSDL for interface definition, and UDDI for service discovery. The document provides examples of how to implement web services using Java.
The document provides an introduction to web spider web weaving and discusses key concepts related to HTTP requests and responses between clients and servers. It explains common web technologies like web servers, browsers, spiders, and scripting languages. It also discusses database servers, web models like LAMP and WAMP, HTTP sessions, and introducing a uniform server.
This document outlines an advanced ASP.NET Web API course agenda. The course will cover topics like model binding and custom formatters, OData, asynchronous operations, and performance improvement techniques. The first part of the course will introduce web technologies like HTTP, JSON, XML, and provide an overview of ASP.NET Web API. Later sections will demonstrate how to work with model binding, custom formatters, OData queries, and async logic. The course will also cover security implementations like basic authentication and token validation, as well as performance techniques such as message compression and high-performance JavaScript serialization.
Fulfilling the Hypermedia Constraint via HTTP OPTIONS, The HTTP Vocabulary In...ruyalarcon
This document summarizes a presentation on fulfilling the hypermedia constraint in RESTful systems using HTTP OPTIONS requests, representing HTTP requests and responses in RDF, and using link headers. It discusses modeling API specifications and constraints using these techniques to transparently provide documentation and controls to user agents. Examples are given of annotating YouTube video IDs requested from an API with RDF and using link headers to indicate related resources.
This document summarizes key principles for building scalable, reliable and secure RESTful services using HTTP. It discusses how to ensure reliability through idempotent operations. It also covers techniques for scaling such as use of ETags, caching, content types and uniform resource locators (URLs). The document concludes with an overview of security considerations and tools that can be used including HTTP authentication, SSL and XML signature/encryption.
Web Component Development Using Servlet & JSP Technologies (EE6) - Chapter 4...WebStackAcademy
Setting up a servlet environment
Servlets are Java programs that run on a Web server and build Web pages. Here are a few definitions:
Servlet Development Kits
Java Servlet Development Kit (JSDK) provides Servlet API classes (servlet.jar). Place servlet.jar into CLASSPATH, so that java classes can access it.
Servlet Engines
A servlet is a Java class that needs to be executed in a Java VM by servlet engine. The servlet engine loads the servlet class the first time the servlet is requested. The servlet then stays loaded to handle multiple requests until it is explicitly unloaded or the servlet engine is shut down.
Following are few WebServers that supports servlets:
Apache Tomcat
BEA WebLogic
IBM Websphere
Sun's Java Web Server (JWS)
Apache Tomcat.
Java Servlet Development Kit (JSDK)
This document discusses browser security challenges posed by new technologies like HTML5, cross-document messaging, and browser plugins. It summarizes potential attacks like cross-site scripting through relaxed origin policies, browser SQL injection using HTML5 client storage, and using cross-document messaging to enable cross-site communication. The document advocates for the OWASP Intrinsic Group to work with browser vendors to address these issues.
This presentation will discuss how the Representational State Transfer (REST) architectural style can be applied to the design of your web services.
You will learn how to use HTTP methods and status codes properly and we will discuss how to use Hypermedia As The Engine Of Application State (HATEOAS). The principles of REST and HATEOAS will be demonstrated through the Atom Publishing Protocol (AtomPub) using the Google Data APIs and other AtomPub implementations as examples.
The 2023 Vulnerability Stats report as delivered to the IISF.
Covering: PTaaS, Pentesting, Vulnerabilty Managment, EPSS, CISA KEV, Risk, Attack Surface Management. Its based on delivering thousands of PTaaS and RBVM assessments throughout 2022. Why tools and traditional pentesting has failed.
1. Edgescan uses automated validation and analytics to determine if vulnerabilities discovered during scans are true or false positives, automatically publishing issues with over 90% confidence.
2. Vulnerabilities with lower confidence scores or that are high severity undergo expert validation by seasoned penetration testers to further validate findings.
3. This two-step validation process helps ensure Edgescan only delivers accurate vulnerability intelligence to clients.
Does a Hybrid model for vulnerability Management Make Sense.pdfEoin Keary
Combining automation for scale and human expertise for depth. Leveraging thousands of datapoints and cyber analytics to verify security vulnerabilities. Why automation alone does not work because our enemies are humans. Automation does not have the skills to exploit business logic risks. Context is queen when it comes to risk bases priortization.
Vulnerability stats, full stack cyber issues.
Vulnerability management, threat analysis and attack surface management. Exposures, MTTR and cyber risk management.
Bested in the assessment of thousands of systems globally on a continuous basis.
A deck discussing the the findings from the Edgescan 2021 Vulnerability Stats Report. A full stack view of the vulnerabilities discovered in 2020 based on thousands of assessments. Host, network and application layer security metrics -Full stack
This document discusses the failure of traditional vulnerability management and proposes a more effective approach. It argues that vulnerability management needs to be continuous, accurate, integrated across the full technology stack, and augmented with human expertise. Traditional approaches relying solely on automated scans are not keeping pace with rapid technology changes and the sophisticated techniques used by attackers. An effective vulnerability management program requires continuous visibility, automated patching of known issues, secure development practices, and vigilance in detecting new vulnerabilities through a combination of tools and human review.
The 2018 Vulnerability Stats report covering off a fullstack review of cyber security across 1000's of web applictions, end-points and cloud based systems globally.
Full stack vulnerability management at scaleEoin Keary
- Full-stack vulnerability management is needed to address security risks across applications, servers, databases, services, and operating systems. Automation is key to assessing security at scale across the full technology stack.
- While automation can detect many technical vulnerabilities, it cannot assess logical vulnerabilities involving business logic, authorization, or compliance issues that require human judgment and context.
- Continuous vulnerability management is needed to keep pace with today's agile development cycles and constantly changing environments, focusing on changes since the last assessment to prioritize remediation.
Vulnerability Intelligence - Standing Still in a world full of changeEoin Keary
The document discusses effective and scalable fullstack vulnerability management. It describes managing thousands of systems globally through continuous assessment and false-positive free vulnerability scanning of web applications, APIs, hosts, and full IT stacks. Recent major data breaches are listed, demonstrating the real threat of cybercrime. The majority of critical and high risks are found in web application layers. Attack vectors include malware, phishing, hacking, and nation state cyber espionage. An agile risk model is advocated to keep pace with frequent code changes and deployment of new systems and services. Integration with security tools like SIEM, firewalls, and bug trackers provides intelligence and visibility.
The document provides statistics and analysis from edgescan's 2018 vulnerability report. Some key findings include:
- 19% of vulnerabilities were in web applications and APIs, while 81% were in network infrastructure. Application layer vulnerabilities posed higher risks.
- Internal systems had higher rates of high/critical risks (24.9% for applications) than internet-facing systems.
- Common web application vulnerabilities included XSS, SQL injection, and vulnerable components. For infrastructure, TLS/SSL issues and SMB vulnerabilities were most prevalent.
- Unsupported Windows 2003 systems and vulnerabilities like EternalBlue accounted for a large portion of risks found.
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
Attack surface management and visibility is key to maintaining a robust cyber security posture. Continuous assessment, accuracy and scale are key to enterprise security.
Discussion on how to deliver vulnerability management at scale.
Why Fullstack vulnerability management is important and silos of security are an issue. The pitfalls when delivering 1000's of assessments on a continuous basis. How edgescan delivers vulnerability intelligence.
Web security – everything we know is wrong cloud versionEoin Keary
This document summarizes a presentation on web security given by Eoin Keary. The key points made are:
1) Traditional penetration testing is not sufficient for continuous security and the arms race with attackers. Continuous monitoring and testing is needed.
2) Many vulnerabilities come from third party code and dependencies that are not adequately tested or managed.
3) It is difficult for organizations to manage vulnerabilities at scale across many applications without enterprise vulnerability management.
4) Too many reported vulnerabilities can overwhelm developers, so prioritization and explaining issues simply is important.
Why continuous assessment is required. How to keep pace with development and secure constant change. Vulnerability statistics across the fullstack. What are the most common security issues in the web application and host layer.
Talk in Switzerland at European Broadcasting Union cyber security event - Feb 2017.
Discussing some core aspects of secure application development, technical security controls and secure systems development lifecycle....
Vulnerability management and threat detection by the numbersEoin Keary
1. There are many approaches to application security testing like DAST, SAST, IAST, but an attacker only needs to find one vulnerability.
2. Both vulnerabilities in code and inaccuracies in security assessments pose potential risks.
3. Most application code uses open source frameworks, but many organizations do not monitor for vulnerabilities in these components or have open source policies.
4. While automation can help scale security assessments, factors like context, accuracy, and technical constraints make fully scaling security challenging.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Integrating Physical and Cybersecurity to Lower Risks in Healthcare!Alec Kassir cozmozone
The contemporary hospital setting is witnessing a growing convergence between physical security and cybersecurity. Because of advancements in technology and the rise in cyberattacks, healthcare facilities face unique challenges.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
2. WHERE ARE WE GOING?
HTTP Basics
HTTP Request Methods
HTTP Security Response Headers
Sensitive Data In Transit
Intercepting Proxy
Don’t Trust The HTTP Request!
3. WEB APPLICATION BEHAVIOUR
HTTP is stateless. Requests and responses between browsers and servers have no shared memory.
Application layer sessions are needed to track state.
Dynamic Scripting can occur on Server-Side (e.g. RoR, Django, ASP.NET, JSP, Express, etc.) or on Client-Side (JavaScript, Flash, Applets).
A web server or an application server can deliver HTML to be directly rendered by the web browser. Or, the server might deliver data as JSON or XML to be processed by a Client-Side application in the browser.
Requests for data such as images, scripts, and stylesheets are typically retrieved using HTTP GET.
Requests from HTML forms typically submit data using HTTP POST. AJAX requests can additionally submit HTTP requests of types PUT, PATCH, and DELETE.
4. WHAT ARE HTTP HEADERS?
HTTP headers are components of the message header of HTTP Requests and Responses.
HTTP headers are used to define meta-information for an HTTP transaction.
HTTP headers are colon-separated name-value pairs in clear-text string format, terminated by a carriage return (\r) and line feed (\n) character sequence.
http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
5. EXAMPLES OF HTTP REQUEST HEADERS
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Accept: text/plain
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
6. VALIDATING HTTP REQUEST HEADERS
Are the headers themselves known to IANA?
Is the number of headers received appropriate to the application context?
Does each of the headers come with a pre-determined regular expression or equivalent for validation?
What headers are usually seen in context with other headers?
How do I detect missing headers?
Some headers occur in context of the application and are not global. For example, is a cookie scoped to a domain?
Some headers have time components to them, such as Expires. Is the header contextually validated by date checks?
Official standard on HTTP Request Headers:
https://www.iana.org/assignments/message-headers/message-headers.xhtml
7. HTTP REQUEST: GET VS POST
HTTP GET Request
GET https://example.com/search.jsp?name=foo HTTP/1.0\r\n
User-Agent: Mozilla/4.0\r\n
Host: example.com\r\n
Cookie: SESSIONID=2KDSU72H9GSA289\r\n
\r\n
HTTP POST Request
POST https://example.com/search.jsp?data=jim HTTP/1.0\r\n
User-Agent: Mozilla/4.0\r\n
Host: example.com\r\n
Content-Length: 16\r\n
Cookie: SESSIONID=2KDSU72H9GSA289\r\n
\r\n
name=blah&type=1
\r\n
8. TRIGGERING AN HTTP(S) GET
Typing into a URL bar
Bookmark selection
<img> tag
Loading a JS or CSS file
Loading a Webfont
HTML Form submission method="GET"
jQuery.get() http://api.jquery.com/jQuery.get/
9. HTTP GET REQUEST: PLAINTEXT IMAGE
GET /personal/dancing/naked/inebriated/kauaifun.jpg HTTP/1.1\r\n
Host: images.manico.net\r\n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
DNT: 1\r\n
Connection: keep-alive\r\n
\r\n
10. HTTP GET REQUEST: INSECURE FORM SUBMISSION
GET http://example.com/search?form_name=home&title=security&database=clients HTTP/1.1\r\n
Host: example.com\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Proxy-Connection: keep-alive\r\n
Referer: http://company.com?username=Jim&pass=rp2h6jibalice\r\n
11. HTTP GET SHOULD BE BORING
Most web frameworks intentionally do not provide CSRF protection for GET requests.
A GET request should not produce side effects. It should be "Nullipotent".
A GET request should only be used for data retrieval.
A GET request should NEVER be used for:
• Logging out a user
• Logging in a user
• Deleting a resource
• Modifying a resource
• Creating a resource
• Sending an email
12. HTTP GET PARAMETER LEAKAGE
Bookmarks
Browser History
Proxy Server Logs
Web Server Logs
Referrer Request Headers
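As an added example (not part of the slides), a Python request-head validator that applies the questions from slide 6 and the leakage points of slides 10 and 12: method allowlist (ASVS V11.2), header count, required headers, a per-header allowlist with a regular expression for each, a printable-ASCII check (ASVS V11.6), and a scan of the request target and Referer for query-string parameters that will land in logs. The patterns, limits, the hypothetical X-App-Trace-Id custom header and the sensitive-parameter list are constructed assumptions; the sample request is adapted from slide 10.

```python
import re

# Constructed sample: the insecure GET from slide 10, with CRLF framing restored.
RAW_REQUEST = (
    "GET /search?form_name=home&title=security HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Keep-Alive: 300\r\n"
    "Referer: http://company.com?username=Jim&pass=rp2h6jibalice\r\n"
    "\r\n"
)

ALLOWED_METHODS = {"GET", "POST"}   # ASVS V11.2: only a defined set of methods (assumed set)
MAX_HEADERS = 32                    # assumed application-specific ceiling on header count
REQUIRED_HEADERS = {"host"}         # headers whose absence is itself a finding

# Per-header validation patterns (constructed). A header not listed here, whether
# IANA-registered or not, is rejected by name; custom headers the application
# defines (the hypothetical X-App-Trace-Id) are allowlisted the same way.
HEADER_RULES = {
    "host": re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$"),
    "user-agent": re.compile(r"^[\x20-\x7e]{1,512}$"),
    "accept": re.compile(r"^[A-Za-z0-9*/+.;=, -]{1,256}$"),
    "accept-language": re.compile(r"^[A-Za-z0-9*;=,. -]{1,128}$"),
    "accept-encoding": re.compile(r"^[A-Za-z0-9*;=,. -]{1,128}$"),
    "referer": re.compile(r"^https?://[\x21-\x7e]{1,2048}$"),
    "cookie": re.compile(r"^[\x21-\x7e ]{1,4096}$"),
    "content-type": re.compile(r"^[A-Za-z0-9/+.;= -]{1,128}$"),
    "content-length": re.compile(r"^\d{1,10}$"),
    "connection": re.compile(r"^(keep-alive|close)$", re.I),
    "x-app-trace-id": re.compile(r"^[0-9a-f]{32}$"),
}

# Constructed list of parameter names that must never travel in a URL (slides 10, 12).
SENSITIVE_PARAM_NAMES = {"pass", "password", "pwd", "token", "secret", "ssn"}


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, version, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers


def sensitive_query_params(url):
    """Query-string keys of url whose name is in SENSITIVE_PARAM_NAMES."""
    _, _, query = url.partition("?")
    keys = [kv.split("=", 1)[0] for kv in query.split("&")]
    return [k for k in keys if k.lower() in SENSITIVE_PARAM_NAMES]


def validate_request(raw):
    """Return a list of findings; an empty list means the request head passed every check."""
    findings = []
    method, target, _version, headers = parse_request(raw)
    if method not in ALLOWED_METHODS:
        findings.append(f"method not allowed: {method}")
    if len(headers) > MAX_HEADERS:
        findings.append(f"too many headers: {len(headers)}")
    names = {n for n, _ in headers}
    for required in sorted(REQUIRED_HEADERS - names):
        findings.append(f"missing required header: {required}")
    for name, value in headers:
        # ASVS V11.6: printable ASCII only, in both name and value
        if not all(0x20 <= ord(c) <= 0x7E for c in name + value):
            findings.append(f"non-printable character in header: {name}")
            continue
        rule = HEADER_RULES.get(name)
        if rule is None:
            findings.append(f"unexpected header: {name}")
        elif not rule.match(value):
            findings.append(f"header failed validation: {name}")
    # Slides 10 and 12: parameters in the GET URL and in Referer end up in logs and history.
    referer = dict(headers).get("referer", "")
    for label, url in (("request target", target), ("referer", referer)):
        for leaked in sensitive_query_params(url):
            findings.append(f"sensitive parameter in {label}: {leaked}")
    return findings
```

On the constructed request this reports the unlisted Keep-Alive header and the password carried in the Referer; the Host, User-Agent and Accept headers pass their patterns.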
13. TRIGGERING AN HTTP/S POST
HTML Form POST Submission
jQuery.post() http://api.jquery.com/jQuery.post/
<form action="https://acme-bank.example/payment" method="POST" id="payment-form">
  <!-- form fields go here -->
</form>
$.post(
  "https://acme-bank.example/payment",
  function () {
    $(".result").html("Payment was successful");
  }
);
15. HTTP PUT REQUEST
$.ajax(
  "https://contact-manager.example/contacts/1234",
  {
    dataType: "json",
    type: "PUT",
    data: {
      name: "John Doe",
      email: "john.doe@example.com"
    }
  }
);
An HTTP PUT request is used to replace a resource, or to create a new resource where the identifier of the resource is known.
The same security precautions that apply to an HTTP POST request should also apply to a PUT request.
Never send sensitive data in the query string of an HTTP PUT request
16. HTTP PATCH REQUEST
$.ajax(
  "https://contact-manager.example/contacts/1234",
  {
    dataType: "json",
    type: "PATCH",
    data: {
      email: "john.doe@example.com"
    }
  }
);
An HTTP PATCH request is used to apply partial modifications to a resource.
The same security precautions that apply to an HTTP POST request should also apply to an HTTP PATCH request.
Never send sensitive data in the query string of an HTTP PATCH request.
17. HTTP DELETE REQUEST
$.ajax(
  "https://contact-manager.example/contacts/1234",
  {
    dataType: "json",
    type: "DELETE"
  }
);
An HTTP DELETE request is used to delete a resource.
The same security precautions that apply to an HTTP POST request should also apply to a DELETE request.
Never send sensitive data in the query string of an HTTP DELETE request.
Not all web servers and application frameworks will allow for a message body in an HTTP DELETE. Therefore, it is sometimes impossible to send sensitive data securely in an HTTP DELETE.
18. TRANSPORTING SENSITIVE DATA
Never transmit sensitive data over HTTP/S GET
Always use SSL for everything!
In HTML forms, only submit sensitive data over HTTPS POST
When using AJAX, submit sensitive data only using POST, PUT, and PATCH
Only submit sensitive data in the HTTPS REQUEST BODY
Never submit sensitive data in the HTTP/S query string
20. HTTP RESPONSE Set-Cookie HEADER
Set-Cookie: NAME=VALUE; expires=EXPIRES; path=PATH; domain=DOMAIN; secure; httponly;
Name      The name of the cookie parameter
Value     The parameter value
Expires   The date at which to discard the cookie. If absent, the cookie will not be persistent, and will be discarded when the browser is closed. If "-1", the cookie will be discarded immediately.
Domain    The domain that the cookie applies to
Path      The path that the cookie applies to
Secure    Indicates that the cookie can only be used over secure HTTPS. USE THIS!
HttpOnly  Indicates that the cookie can only be modified and accessed from the server. For example, JavaScript within the browser application will not be able to access the cookie. USE THIS FOR SESSION IDs!
21. WHAT ARE HTTP RESPONSE HEADERS?
HTTP headers are components of the message header of HTTP Responses.
HTTP headers define different aspects of an HTTP transaction.
HTTP headers are colon-separated name-value pairs in clear-text string format, terminated by a carriage return (\r) and line feed (\n) character sequence.
http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
23. HTTP RESPONSE SECURITY HEADERS
X-Frame-Options              Set to "SAMEORIGIN" to allow framing on the same domain. Set to "DENY" to deny framing at all. Set to "ALLOWALL" if you want to allow framing for all websites.
X-XSS-Protection             Set to "1; mode=block" to use the XSS Auditor and block the page if an XSS attack is detected. Set to "0;" if you want to switch the XSS Auditor off. This is useful if the response contains scripts from request parameters.
X-Content-Security-Policy    A powerful mechanism for controlling which sites certain content types can be loaded from.
Access-Control-Allow-Origin  Used to control which sites are allowed to bypass same origin policies and send cross-origin requests.
Strict-Transport-Security    Used to control if the browser is allowed to only access a site over a secure connection.
Cache-Control                Used to control mandatory content caching rules.
26. CONTENT SECURITY POLICY
Move all inline script and style into separate files
Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use
Define a policy for the site regarding loading of content
Anti-XSS W3C standard
http://www.w3.org/TR/CSP/
CSP Support Statistics
http://caniuse.com/#feat=contentsecuritypolicy
CSP Example Usage
http://content-security-policy.com/
27. OTHER SSL FAILS
Posting passwords or other sensitive data over HTTP
Using a weak version of SSL
Using weak ciphers
Terminating SSL early in your infrastructure
Trusting the CA system
28. HTTP RESPONSE HEADER: Strict-Transport-Security
Forces your browser to always use HTTPS
Strict-transport-security: max-age=10000000; includeSubdomains
Base case:
Strict-transport-security: max-age=10000000
Do all of your subdomains support SSL?
29. DISABLING THE BROWSER CACHE
Add the following as part of your HTTP Response:
Cache-Control: no-store, no-cache, must-revalidate
Expires: -1
31. ASVS 2 HTTP REQUIREMENTS: EASY
V11.2 Verify that the application accepts only a defined set of HTTP request methods, such as GET and POST, and unused methods are explicitly blocked.
V11.3 Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8).
V11.8 Verify that HTTP headers and / or other mechanisms for older browsers have been included to protect against clickjacking attacks.
32. ASVS 2 HTTP REQUIREMENTS: INTERMEDIATE
V11.6 Verify that HTTP headers in both requests and responses contain only printable ASCII characters.
V11.9 Verify that HTTP headers added by a frontend (such as X-Real-IP), and used by the application, cannot be spoofed by the end user.
V11.10 Verify that the HTTP header X-Frame-Options is in use for sites where content should not be viewed in a 3rd-party X-Frame. A common middle ground is to send SAMEORIGIN, meaning only websites of the same origin may frame it.
V11.12 Verify that the HTTP headers do not expose detailed version information of system components.
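An added Python response-head audit (not part of the slides) that checks, in one pass, the controls from slides 20, 23, 28 and 29 together with ASVS V11.3, V11.10 and V11.12: Secure and HttpOnly on every cookie, X-Frame-Options, a CSP header, X-XSS-Protection, HSTS max-age, the cache-disabling Cache-Control directives, a charset in Content-Type, and version strings in Server or X-Powered-By. Both sample responses are constructed: the weak one shows the defaults the deck warns about, the hardened one carries the header values the slides recommend.

```python
import re

# Constructed sample: a response with the weaknesses this deck warns about.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=2KDSU72H9GSA289; path=/\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "\r\n"
)

# Constructed sample: the same response with the header values the slides recommend.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: SESSIONID=2KDSU72H9GSA289; path=/; secure; httponly\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=10000000; includeSubDomains\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Expires: -1\r\n"
    "\r\n"
)

MIN_HSTS_AGE = 10000000  # the max-age the deck uses as its base case (slide 28)


def parse_response_head(raw):
    """Return (status_line, headers); headers is a list of (lower-case name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(value):
    """Findings for one Set-Cookie value: the Secure and HttpOnly flags from slide 20."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.lower() for p in parts[1:]}
    findings = []
    if "secure" not in flags:
        findings.append(f"cookie {name} lacks Secure")
    if "httponly" not in flags:
        findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def audit_response(raw):
    """Return a list of findings; an empty list means the response head passed every check."""
    _, headers = parse_response_head(raw)
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)   # Set-Cookie may repeat
    findings = []
    # ASVS V11.3: content type must carry a character set
    if "charset=" not in by_name.get("content-type", [""])[0].lower():
        findings.append("Content-Type lacks charset")
    # ASVS V11.12: no version details in headers
    for name in ("server", "x-powered-by"):
        for value in by_name.get(name, []):
            if re.search(r"\d+\.\d+", value):
                findings.append(f"{name} exposes version: {value}")
    # Slide 20: cookie flags
    for value in by_name.get("set-cookie", []):
        findings.extend(audit_cookie(value))
    # Slide 23 / ASVS V11.10: only DENY or SAMEORIGIN count as a framing control
    xfo = by_name.get("x-frame-options", [""])[0].upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options missing or permissive: {xfo or 'absent'}")
    # Slides 23 and 26: CSP (either header name from the deck) and the XSS Auditor
    if "content-security-policy" not in by_name and "x-content-security-policy" not in by_name:
        findings.append("no Content-Security-Policy")
    xss = by_name.get("x-xss-protection", [""])[0].replace(" ", "").lower()
    if xss != "1;mode=block":
        findings.append("X-XSS-Protection not set to 1; mode=block")
    # Slide 28: HSTS present with a long enough max-age
    hsts = by_name.get("strict-transport-security", [""])[0]
    match = re.search(r"max-age=(\d+)", hsts, re.I)
    if not match or int(match.group(1)) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security missing or max-age too short")
    # Slide 29: all three directives that disable the browser cache
    directives = {d.strip().lower() for d in by_name.get("cache-control", [""])[0].split(",")}
    if not {"no-store", "no-cache", "must-revalidate"} <= directives:
        findings.append("Cache-Control does not disable caching")
    return findings
```

The weak sample yields nine findings, one for each control the slides cover; the hardened sample yields none.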
33. SUMMARY
HTTP Basics
HTTP Request Methods
HTTP Security Response Headers
Sensitive Data In Transit
Intercepting Proxy
Don’t Trust The HTTP Request!
Editor's Notes
1
The stateless nature of HTTP means that abstractions need to be used in order to create a persistence layer between the client and server. This creates complexities which are responsible for many web security issues.
WebSockets were primarily designed to provide full-duplex communication between web browser and server. The initiation of the WebSockets session is handled via HTTP, but it otherwise acts independently of HTTP. However, because it allows for communication to the browser, it opens up possible attack vectors.
Although traditional web forms primarily use GET and POST, many contemporary SPAs make extensive use of PUT/PATCH/DELETE. An SPA is a "Single Page Application". Examples of frameworks used to build SPAs would be BackboneJS, Angular, and EmberJS.
HTTP headers can be thought of as the addressing information on the outside of a postal envelope.
The Authorization header is a built-in method for the browser to send identification credentials for a user to the web server. This header should only be used over HTTPS.
The Accept header allows the browser to identify to the server which kinds of content it is expecting in the HTTP response.
The Content-Type header tells the browser what kind of content is being sent in the request.
The User-Agent identifies information about the browser to the web server.
Not all headers will be known to IANA. Some applications might need to make use of custom request headers. In this case, the application should check the custom request headers against a whitelist within the application.
For your safety, you are advised to not download kauaifun.jpg
Some of the security problems here are:
The GET URL contains sensitive parameters. These can turn up in log files and analytics tools.
The Referer URL contains sensitive parameters. These can turn up in log files and analytics tools.
The JSESSIONID is being sent over an insecure (non HTTPS) connection. This could allow for a session-hijacking attack.
RFC 2616 #9.1.1: "the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval"
Nullipotent means "No Power".
https://en.wiktionary.org/wiki/nullipotent: Describes "nullipotent" as "an action which has no side effect. Queries are typically nullipotent: they return useful data, but do not change the data structure queried."
Bookmarks: Bookmarks are not stored securely, leaving URLs open to a potential attacker.
Browser History: Browser history is not stored securely, leaving URLs open to a potential attacker.
Proxy Server Logs: Proxies can potentially be operated by persons with malicious intentions. Even trustworthy proxies are susceptible to intrusions, which could reveal proxy logs to an attacker.
Web Server Logs: In the event that a web server is compromised, an attacker could have access to web server logs which could reveal sensitive information in URLs.
Referer: The HTTP 1.1 RFC explicitly states: "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol."
RFC 2616, section 15.1.3 recommends that sensitive data should not be sent in a form submission which has method="GET". But, it is a good idea to take this a step further, and simply never use method="GET" at all as a general good practice.
RFC 2616 #9.6: "The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity SHOULD be considered as a modified version of the one residing on the origin server. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI."
HTTP PUT is useful when designing RESTful web applications.
RFC 5789 #2: "The PATCH method requests that a set of changes described in the request entity be applied to the resource identified by the Request-URI. The set of changes is represented in a format called a "patch document" identified by a media type. If the Request-URI does not point to an existing resource, the server MAY create a new resource, depending on the patch document type."
HTTP PATCH is useful when designing RESTful web applications, although opinions on how it should be properly implemented are varied.
RFC 2616 #9.7: "The DELETE method requests that the origin server delete the resource identified by the Request-URI. This method MAY be overridden by human intervention (or other means) on the origin server. The client cannot be guaranteed that the operation has been carried out, even if the status code returned from the origin server indicates that the action has been completed successfully. However, the server SHOULD NOT indicate success unless, at the time the response is given, it intends to delete the resource or move it to an inaccessible location."
HTTP DELETE is useful when designing RESTful web applications.
The body is HTML5 markup: http://www.w3.org/TR/html5/
JM: Save resources since nothing is framed
BC: Use "DENY" whenever possible
BC: Surprisingly, it seems difficult to find information on the actual algorithms the XSS protection uses
BC: Talk about when/how to use CSP vs when/how to use CORS?
BC: This is a very interesting topic. Perhaps add visual examples to slide?
BC: Heartbleed as example of insecure SSL version
BC: Run site through SSL checker https://www.ssllabs.com/ssltest/