Basic Web Security Model
Contents
• Browser Content
• Document Object Model
• Same Origin Policy
World Wide Web (WWW)
• The latest revolution in the Internet scenario
• Allows multimedia documents to be shared between machines: text, image, video, audio
• Resembles a cobweb due to the interlinking of documents, which is complex and unstructured
HTTP
• Hypertext Transfer Protocol: the protocol clients use to interact with servers
• HTTP is stateless, which means that every request is treated discretely and the server does not maintain a logical connection between requests; any session state (for example, that a user is logged in) must be carried by the client in every request, typically as a cookie or a token header, which is why those values are what an attacker tries to steal or forge
• Connection steps:
• Client opens a socket connection to the HTTP server
• Client sends a request to the server
• Server sends back a response message
• Server closes the connection (HTTP/1.0 behaviour; HTTP/1.1 keeps the connection open by default for further requests, but each request is still handled independently)
HTTP Request Methods
• GET:
• Used if a link is clicked or an address is typed in the browser
• No body in the request; any parameters travel in the URL query string, which ends up in browser history, server logs and Referer headers, so GET should never carry secrets or change server state
• POST:
• Used when the submit button is clicked on a form
• Form information is contained in the body of the request
• HEAD:
• Requests that only header fields (no body) be returned in the response
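The three request shapes above and the stateless exchange they take part in, as an added example that is not part of the original slides: a builder for raw HTTP/1.1 request messages and a parser for responses, run entirely in memory on a response constructed for the purpose (no server is contacted). The host, paths and the session cookie value are made up for illustration.

```javascript
const CRLF = "\r\n";

// Build the text of an HTTP/1.1 request for GET, POST or HEAD.
// opts.form:   object of form fields, sent as the body of a POST.
// opts.cookie: session cookie the client must repeat on every request, because the
//              server keeps no memory of earlier requests (HTTP is stateless).
function buildRequest(method, host, path, opts = {}) {
  const lines = [`${method} ${path} HTTP/1.1`, `Host: ${host}`];
  if (opts.cookie) lines.push(`Cookie: ${opts.cookie}`);
  let body = "";
  if (method === "POST" && opts.form) {
    body = new URLSearchParams(opts.form).toString();   // application/x-www-form-urlencoded
    lines.push("Content-Type: application/x-www-form-urlencoded");
    lines.push(`Content-Length: ${Buffer.byteLength(body)}`);
  }
  // GET and HEAD carry no body; their parameters, if any, are in the query string of path.
  return lines.join(CRLF) + CRLF + CRLF + body;
}

// Parse a raw HTTP/1.x response into { status, headers, body }.
// method is the request method the response answers: a HEAD response carries the
// headers the GET response would have, but never a body.
function parseResponse(raw, method = "GET") {
  const sep = raw.indexOf(CRLF + CRLF);
  if (sep < 0) throw new Error("response has no end-of-headers marker");
  const headLines = raw.slice(0, sep).split(CRLF);
  const m = /^HTTP\/1\.[01] (\d{3})(?: |$)/.exec(headLines[0]);
  if (!m) throw new Error(`bad status line: ${headLines[0]}`);
  const headers = {};
  for (const line of headLines.slice(1)) {
    const i = line.indexOf(":");
    if (i < 1) throw new Error(`bad header line: ${line}`);
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  let body = method === "HEAD" ? "" : raw.slice(sep + 4);
  // Content-Length bounds the body. Bytes beyond it belong to the next response on a
  // persistent connection; parsers that ignore the length are how request smuggling
  // and response splitting get their foothold.
  if (method !== "HEAD" && "content-length" in headers) {
    body = body.slice(0, Number(headers["content-length"]));
  }
  return { status: Number(m[1]), headers, body };
}

// Constructed response (not captured from a real server): the server hands the client a
// session cookie, and the client must send it back with every later request. The bytes
// after the 5-byte body stand in for the start of the next message on the connection.
const SAMPLE_RESPONSE =
  "HTTP/1.1 200 OK" + CRLF +
  "Content-Type: text/html" + CRLF +
  "Set-Cookie: session=abc123; HttpOnly; Secure" + CRLF +
  "Content-Length: 5" + CRLF + CRLF +
  "hello" + "HTTP/1.1 404 Not Found";

// Extract the name=value pair from a Set-Cookie header (attributes such as HttpOnly dropped).
function cookieFromResponse(res) {
  const sc = res.headers["set-cookie"];
  return sc ? sc.split(";")[0].trim() : null;
}
```

A follow-up request built with `buildRequest("GET", host, "/account", { cookie: cookieFromResponse(res) })` is the only thing that ties the second request to the first; drop the Cookie header and the server sees an anonymous request.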
Web Browsers
• A web browser (commonly referred to as a browser) is a software
application for accessing information on the World Wide Web
• Each individual web page, image, and video is identified by a distinct
URL, enabling browsers to retrieve and display them on the user's
device
• The information is received in the form of HTML (HyperText Markup Language)
• The browser parses the HTML and renders it with the presentation the markup and its style sheets prescribe
Web Browsers
• Primary Tasks
• Convert web addresses (URL’s) to HTTP requests
• Communicate with web servers via HTTP
• Render (appropriately display) documents returned by a server
• Additional Functionality
• Execution of scripts (e.g., drop-down menus)
• Event handling (e.g., mouse clicks)
• GUI for controls (e.g., buttons)
• Secure communication with servers
• Display of non-HTML documents (e.g., PDF) via plug-ins
Document Object Model (DOM)
• The Document Object Model (DOM) is an API that allows programs
to interact with HTML (or XML) documents
• In typical browsers, the JavaScript version of the API is provided via
the document host object.
• W3C recommendations defined the standard DOM (Levels 1 to 3); it is now maintained as the WHATWG DOM Living Standard
• Originally, the Document Object Model (DOM) and Javascript were
tightly bound
• Each major browser line (IE and Netscape) had their own overlapping
DOM implementation
• Now the DOM is a separate standard and can be manipulated from other languages (e.g., Java, server-side JavaScript, Python)
DOM Structure
• Objects are in a hierarchy
• The window is the parent for a given web page
• Document is the child with the objects that are most
commonly manipulated
window
  * location
  * frames
  * history
  * navigator
  * event
  * screen
  * document
    o links
    o anchors
    o images
    o filters
    o forms
    o applets
    o embeds
    o plug-ins
    o frames
    o scripts
    o all
    o selection
    o stylesheets
    o body
• Several of these collections (filters, all, selection, applets, plug-ins) are legacy IE/Netscape-era objects rather than part of the standard DOM; code that relies on them is browser-specific
DOM: Referencing Objects
• Objects can be referenced
• by their id or name (this is the easiest way, but you need to make sure the id or name is unique in the document; note that elements with an id or name are also exposed as named properties of window and document, so untrusted markup that can set those attributes can shadow script variables, a technique known as DOM clobbering)
• by their numerical position in the hierarchy, by walking the collection that contains them (e.g., document.forms[0])
• by their relation to parent, child, or sibling (parentNode, previousSibling, nextSibling, firstChild, lastChild or the childNodes list)
DOM: Referencing Objects
• The div is an element with an id of mydiv
• It contains a text node, which can be referenced by childNodes[0] (childNodes being the list of all children of a node)
• So the text in the div is not a value of the div, but rather the value of the first (and only) childNode of the div
• This distinction is why assigning to textContent is safe for untrusted strings (it only creates a text node), while assigning to innerHTML is not (the string is parsed as markup, so attacker-controlled content can inject elements whose event-handler attributes execute script)
<div id="mydiv">
An Example Division
</div>
DOM History
• Very simple DOM was part of Netscape 2.0
• Starting with Netscape 4.0 and IE 4.0, browser DOM APIs diverged significantly
• W3C responded quickly with DOM Level 1 (Oct 1998) and
subsequently DOM Level 2
Intrinsic Event Handling
• An event is an occurrence of something potentially interesting to a script:
• Ex: mouseover and mouseout events
• An HTML intrinsic event attribute is used to specify a script to be called when an event occurs
• Ex: onmouseover
• Name of attribute is on followed by the event name
• Intrinsic event attributes are inline script: a Content-Security-Policy whose script-src lacks 'unsafe-inline' blocks them, so new code should register handlers with addEventListener() instead
DOM Example
• The rollover effect: the image changes when the cursor moves over it and changes back when the cursor leaves (figure not reproduced)
• The JavaScript code is imported into the page, and the default language for scripts is specified as an attribute value
• The onmouseover and onmouseout attributes of the image call a JavaScript show() function; notice that the id of the image is the first argument to show()
• document.getElementById(eltId) is a DOM method returning an object: an instance of Element (a DOM-defined host object) representing the HTML element with the given id
• Some properties of the Element instance correspond to attributes of the HTML element
• setAttribute() is a method of Element instances for setting the value of an attribute
• Effect: the src attribute of the HTML element with the specified eltId is changed to the specified URL
• Image src changed to CFP22.png when the mouse is over the image, CFP2.png when it leaves
Document Tree
• HTML document elements form a tree structure
• DOM allows scripts to access and modify the document tree
Document Tree
• There are many types of nodes in the DOM document tree,
representing elements, text, comments, the document type
declaration, etc.
• Every object in the DOM document tree inherits the properties and methods defined by the Node host object
Document Tree: Node
• Example: an HTML document (figure not reproduced) and a function we will write, TreeOutline(), that uses Node methods and properties to produce a string representing the Element tree
• Example: “walking” the tree of an HTML document
• The reference to the html element is contained in the documentElement property of the document object
• Use Node-defined methods to recursively create an outline of the nodeName’s, visiting only nodes whose nodeType contains the value representing Element (1)
• String produced by TreeOutline(): one line per element of the document, indented according to its depth in the tree (figure not reproduced)
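The referencing and tree-walking described in the two sections above (getElementById, childNodes, parentNode and the sibling links, and the recursive TreeOutline()), as an added example that is not the slides' own code: because this runs outside a browser, it carries a minimal in-memory model of the Node interface (the DomNode, ElementNode and TextNode classes are this example's own names) and a constructed document equivalent to the mydiv snippet above wrapped in html, head and body. In a real page you would call treeOutline(document.documentElement) and use document.getElementById() directly.

```javascript
const ELEMENT_NODE = 1, TEXT_NODE = 3;   // the nodeType values the DOM defines

// Minimal model of the DOM Node interface: type, name, parent and children links.
class DomNode {
  constructor(nodeType, nodeName) {
    this.nodeType = nodeType;
    this.nodeName = nodeName;     // tag name for elements, "#text" for text nodes
    this.parentNode = null;
    this.childNodes = [];         // a real DOM gives a live NodeList, not an Array
  }
  get firstChild() { return this.childNodes[0] || null; }
  get lastChild() { return this.childNodes[this.childNodes.length - 1] || null; }
  get nextSibling() {
    if (!this.parentNode) return null;
    const sibs = this.parentNode.childNodes;
    return sibs[sibs.indexOf(this) + 1] || null;
  }
  get previousSibling() {
    if (!this.parentNode) return null;
    const sibs = this.parentNode.childNodes;
    return sibs[sibs.indexOf(this) - 1] || null;
  }
  appendChild(child) { child.parentNode = this; this.childNodes.push(child); return child; }
}

class ElementNode extends DomNode {
  constructor(tagName, attrs = {}) {
    super(ELEMENT_NODE, tagName.toUpperCase());   // HTML element nodeNames are upper-case
    this.attributes = { ...attrs };
  }
  getAttribute(name) { return name in this.attributes ? this.attributes[name] : null; }
  setAttribute(name, value) { this.attributes[name] = String(value); }
  // textContent concatenates the text of the subtree; it never parses markup.
  get textContent() { return this.childNodes.map(c => c.textContent).join(""); }
}

class TextNode extends DomNode {
  constructor(data) { super(TEXT_NODE, "#text"); this.nodeValue = data; }
  get textContent() { return this.nodeValue; }
}

// Equivalent of document.getElementById: depth-first search for a matching id attribute.
function getElementById(root, id) {
  if (root.nodeType === ELEMENT_NODE && root.getAttribute("id") === id) return root;
  for (const child of root.childNodes) {
    const hit = getElementById(child, id);
    if (hit) return hit;
  }
  return null;
}

// TreeOutline from the slides: one line per element, indented by depth. Text and other
// non-element nodes are skipped, so the string shows only the element tree.
function treeOutline(node, depth = 0) {
  if (node.nodeType !== ELEMENT_NODE) return "";
  let out = "  ".repeat(depth) + node.nodeName + "\n";
  for (const child of node.childNodes) out += treeOutline(child, depth + 1);
  return out;
}

// Constructed document, equivalent to:
// <html><head><title>Example</title></head>
// <body><div id="mydiv">An Example Division</div></body></html>
function buildSampleDocument() {
  const html = new ElementNode("html");
  const head = html.appendChild(new ElementNode("head"));
  head.appendChild(new ElementNode("title")).appendChild(new TextNode("Example"));
  const body = html.appendChild(new ElementNode("body"));
  const div = body.appendChild(new ElementNode("div", { id: "mydiv" }));
  div.appendChild(new TextNode("An Example Division"));
  return html;
}
```

Note that the div's text lives in `childNodes[0]`, a node of type 3, exactly as the slide says; the element itself has no text value of its own.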
DOM Event Handling
• Event instance is created for each event
• Event instance properties:
• type: name of event (click, mouseover, etc.)
• target: Node corresponding to document element that generated the event
(e.g., button element for click, img for mouseover). This is the event target.
• JavaScript event listener: function that is called with Event instance
when a certain event occurs
• An event listener is associated with a target element by calling
addEventListener() on the element
DOM Event Handling
• The registration call has three parts: the event target (the element addEventListener() is called on), the event type (a string such as "click"), and the event handler (a function, defined elsewhere in the script, that is called with the Event instance when the event occurs)
• The third argument to addEventListener() is normally false (more later)
DOM Event Handling: Mouse Events
• DOM2 mouse events
• click
• mousedown
• mouseup
• mousemove
• mouseover
• mouseout
• Event instances have additional properties for mouse events (a MouseEvent), such as the pointer coordinates and which button was pressed (table not reproduced)
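The listener mechanics from the event-handling slides above, as an added example that is not part of the original deck. It runs on the EventTarget and Event classes built into Node.js, which implement the same interfaces a browser element does, so no browser is needed; the `button` object stands in for a real element obtained with document.getElementById(). It also shows two things the slides only imply: listeners for one type run in registration order, and the Event's isTrusted flag is false for events synthesised by script, which is how a page can tell a scripted click from a real one.

```javascript
// Register a handler for `type` on `target`; every call appends a record to `log`.
// Returns a function that detaches the handler again.
function attachListener(target, type, label, log) {
  // The event handler: called with the Event instance each time the event is dispatched.
  function handler(e) {
    log.push({
      label,
      type: e.type,                  // name of the event ("click", "mouseover", ...)
      onTarget: e.target === target, // the element the event was dispatched on
      trusted: e.isTrusted,          // false for events created by script, true for real input
    });
  }
  // addEventListener(type, listener, useCapture): the third argument is normally false.
  target.addEventListener(type, handler, false);
  // Registering the same function a second time is ignored, so the handler runs once per event.
  target.addEventListener(type, handler, false);
  // removeEventListener needs the same function reference; a handler passed as an
  // anonymous function at registration time could never be removed.
  return () => target.removeEventListener(type, handler, false);
}

// Drive the listeners with script-created events and return everything they recorded.
function simulateClicks() {
  const button = new EventTarget();   // stands in for an HTMLButtonElement
  const log = [];
  const detachFirst = attachListener(button, "click", "first", log);
  attachListener(button, "click", "second", log);

  button.dispatchEvent(new Event("click"));      // both handlers run, in registration order
  button.dispatchEvent(new Event("mouseover"));  // nobody listens for this type: no record
  detachFirst();
  button.dispatchEvent(new Event("click"));      // only "second" remains attached
  return log;
}
```

A handler that must only react to genuine user input can check `e.isTrusted` before acting; script can dispatch any event it likes, but it cannot set that flag.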
Same-Origin Policy
• The same-origin policy is an important concept in the web application
security model
• Under the policy, a web browser permits scripts contained in a first
web page to access data in a second web page, but only if both web
pages have the same origin
• An origin is defined as the combination of URI scheme, host name and port number; when no port is written, the scheme's default port counts, so http://www.example.com and http://www.example.com:80 are the same origin
• This policy prevents a malicious script on one page from obtaining
access to sensitive data on another web page through that page's
Document Object Model.
Same-Origin Policy
• All modern browsers implement some form of the same-origin policy, as it is an important security cornerstone
• The policies are not required to match an exact specification, so the boundaries differ slightly between browsers and between mechanisms
• They are extended to define roughly compatible security boundaries for other web technologies, such as:
• Microsoft Silverlight and Adobe Flash (both since discontinued)
• Adobe Acrobat
• XMLHttpRequest
• For XMLHttpRequest (and fetch) the policy restricts reading, not sending: a cross-origin request can be issued with the user's cookies attached, but the response is withheld from the script unless the server opts in with CORS headers; this is why cross-site request forgery remains possible even though cross-origin reads are blocked
Same-Origin Policy: an example
• The following are the outcomes of the URLs accessed from
http://www.example.com/dir/test.html
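The comparison a browser performs before letting script in one document reach into another's DOM, as an added example that is not the slide's own table: the origin tuple is taken from the WHATWG URL parser (available as the global URL class in browsers and Node.js), which omits a scheme's default port and ignores path, query and userinfo. The candidate URLs below are constructed for illustration against the page http://www.example.com/dir/test.html.

```javascript
const PAGE = "http://www.example.com/dir/test.html";

// Origin as the URL parser serialises it: scheme://host[:port], with the scheme's
// default port (80 for http, 443 for https) left out, so ":80" on an http URL is a no-op.
function originOf(url) {
  return new URL(url).origin;
}

// Two URLs are same-origin when their serialised origins are identical. The string
// "null" denotes an opaque origin (data:, file:, and similar), which is never equal to
// anything, not even to another URL with the same text.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  if (oa === "null" || ob === "null") return false;
  return oa === ob;
}

// Evaluate every candidate against the page and return one row per URL.
function checkAll(pageUrl, candidates) {
  return candidates.map(url => ({
    url,
    origin: originOf(url),
    allowed: sameOrigin(pageUrl, url),
  }));
}

// Constructed candidates (not the slide's table). The comments give the reason.
const CANDIDATES = [
  "http://www.example.com/dir/page.html",       // same origin: only the path differs
  "http://www.example.com/dir2/other.html",     // same origin: path is not part of the origin
  "http://www.example.com:80/dir/other.html",   // same origin: explicit default port
  "http://user:pw@www.example.com/x.html",      // same origin: userinfo is not part of the origin
  "http://www.example.com:81/dir/other.html",   // different port
  "https://www.example.com/dir/other.html",     // different scheme
  "http://en.example.com/dir/other.html",       // different host
  "http://example.com/dir/other.html",          // parent domain is still a different host
  "http://v2.www.example.com/dir/other.html",   // subdomain is a different host
  "data:text/html,<p>hi</p>",                   // opaque origin: never same-origin
];

// Human-readable report, one line per candidate.
function report(pageUrl = PAGE, candidates = CANDIDATES) {
  return checkAll(pageUrl, candidates)
    .map(r => `${r.allowed ? "allow" : "deny "}  ${r.origin.padEnd(28)}  ${r.url}`)
    .join("\n");
}
```

Two caveats the tuple alone does not capture: the legacy `document.domain` setter lets two subdomains of the same site opt into treating each other as same-origin (browsers are now disabling it), and cookies use a different, host-only scope that ignores port and, unless the cookie is marked Secure, scheme, so a cookie set by https://www.example.com is also sent to http://www.example.com:81.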

More Related Content

What's hot

Code generation in Compiler Design
Code generation in Compiler DesignCode generation in Compiler Design
Code generation in Compiler DesignKuppusamy P
 
Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4koolkampus
 
Performance analysis(Time & Space Complexity)
Performance analysis(Time & Space Complexity)Performance analysis(Time & Space Complexity)
Performance analysis(Time & Space Complexity)swapnac12
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)Haris Ahmed
 
Congestion avoidance in TCP
Congestion avoidance in TCPCongestion avoidance in TCP
Congestion avoidance in TCPselvakumar_b1985
 
Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)DUET
 
SHA 1 Algorithm.ppt
SHA 1 Algorithm.pptSHA 1 Algorithm.ppt
SHA 1 Algorithm.pptRajapriya82
 
Network management
Network managementNetwork management
Network managementMohd Arif
 
Chomsky classification of Language
Chomsky classification of LanguageChomsky classification of Language
Chomsky classification of LanguageDipankar Boruah
 
04 coms 525 tcpip - arp and rarp
04   coms 525 tcpip - arp and rarp04   coms 525 tcpip - arp and rarp
04 coms 525 tcpip - arp and rarpPalanivel Kuppusamy
 
Message and Stream Oriented Communication
Message and Stream Oriented CommunicationMessage and Stream Oriented Communication
Message and Stream Oriented CommunicationDilum Bandara
 
Tcpip services and applications
Tcpip services and applicationsTcpip services and applications
Tcpip services and applicationsOnline
 

What's hot (20)

Code generation in Compiler Design
Code generation in Compiler DesignCode generation in Compiler Design
Code generation in Compiler Design
 
Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4
 
Performance analysis(Time & Space Complexity)
Performance analysis(Time & Space Complexity)Performance analysis(Time & Space Complexity)
Performance analysis(Time & Space Complexity)
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)
 
Congestion avoidance in TCP
Congestion avoidance in TCPCongestion avoidance in TCP
Congestion avoidance in TCP
 
S/MIME
S/MIMES/MIME
S/MIME
 
Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)
 
SHA 1 Algorithm.ppt
SHA 1 Algorithm.pptSHA 1 Algorithm.ppt
SHA 1 Algorithm.ppt
 
Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail security
 
Network management
Network managementNetwork management
Network management
 
Chomsky classification of Language
Chomsky classification of LanguageChomsky classification of Language
Chomsky classification of Language
 
Code Optimization
Code OptimizationCode Optimization
Code Optimization
 
Type Checking(Compiler Design) #ShareThisIfYouLike
Type Checking(Compiler Design) #ShareThisIfYouLikeType Checking(Compiler Design) #ShareThisIfYouLike
Type Checking(Compiler Design) #ShareThisIfYouLike
 
Web application architecture
Web application architectureWeb application architecture
Web application architecture
 
04 coms 525 tcpip - arp and rarp
04   coms 525 tcpip - arp and rarp04   coms 525 tcpip - arp and rarp
04 coms 525 tcpip - arp and rarp
 
Secure Hash Algorithm
Secure Hash AlgorithmSecure Hash Algorithm
Secure Hash Algorithm
 
Message and Stream Oriented Communication
Message and Stream Oriented CommunicationMessage and Stream Oriented Communication
Message and Stream Oriented Communication
 
Tcpip services and applications
Tcpip services and applicationsTcpip services and applications
Tcpip services and applications
 
Message digest 5
Message digest 5Message digest 5
Message digest 5
 
Assemblers
AssemblersAssemblers
Assemblers
 

Similar to Basic web security model

WEB TECHNOLOGY Unit-4.pptx
WEB TECHNOLOGY Unit-4.pptxWEB TECHNOLOGY Unit-4.pptx
WEB TECHNOLOGY Unit-4.pptxkarthiksmart21
 
Learn javascript easy steps
Learn javascript easy stepsLearn javascript easy steps
Learn javascript easy stepsprince Loffar
 
INFT132 093 07 Document Object Model
INFT132 093 07 Document Object ModelINFT132 093 07 Document Object Model
INFT132 093 07 Document Object ModelMichael Rees
 
Web technologies-course 09.pptx
Web technologies-course 09.pptxWeb technologies-course 09.pptx
Web technologies-course 09.pptxStefan Oprea
 
JavaScript DOM & event
JavaScript DOM & eventJavaScript DOM & event
JavaScript DOM & eventBorey Lim
 
Easy javascript
Easy javascriptEasy javascript
Easy javascriptBui Kiet
 
Advanced guide to develop ajax applications using dojo
Advanced guide to develop ajax applications using dojoAdvanced guide to develop ajax applications using dojo
Advanced guide to develop ajax applications using dojoFu Cheng
 
Html dom & j query
Html dom & j queryHtml dom & j query
Html dom & j queryhafeez1216
 
Windows 8 DevUnleashed - Session 1
Windows 8 DevUnleashed - Session 1Windows 8 DevUnleashed - Session 1
Windows 8 DevUnleashed - Session 1drudolph11
 
A Review on LWC Events for communication.pptx
A Review on LWC Events for communication.pptxA Review on LWC Events for communication.pptx
A Review on LWC Events for communication.pptxKadharBashaJ
 
Building Rich Internet Apps with Silverlight 2
Building Rich Internet Apps with Silverlight 2Building Rich Internet Apps with Silverlight 2
Building Rich Internet Apps with Silverlight 2Microsoft Iceland
 

Similar to Basic web security model (20)

WEB TECHNOLOGY Unit-4.pptx
WEB TECHNOLOGY Unit-4.pptxWEB TECHNOLOGY Unit-4.pptx
WEB TECHNOLOGY Unit-4.pptx
 
Learn javascript easy steps
Learn javascript easy stepsLearn javascript easy steps
Learn javascript easy steps
 
INFT132 093 07 Document Object Model
INFT132 093 07 Document Object ModelINFT132 093 07 Document Object Model
INFT132 093 07 Document Object Model
 
JavaScript and BOM events
JavaScript and BOM eventsJavaScript and BOM events
JavaScript and BOM events
 
Web technologies-course 09.pptx
Web technologies-course 09.pptxWeb technologies-course 09.pptx
Web technologies-course 09.pptx
 
JavaScript DOM & event
JavaScript DOM & eventJavaScript DOM & event
JavaScript DOM & event
 
Easy javascript
Easy javascriptEasy javascript
Easy javascript
 
Part 7
Part 7Part 7
Part 7
 
Javascript libraries
Javascript librariesJavascript libraries
Javascript libraries
 
WT_TOTAL.pdf
WT_TOTAL.pdfWT_TOTAL.pdf
WT_TOTAL.pdf
 
Dhtml sohaib ch
Dhtml sohaib chDhtml sohaib ch
Dhtml sohaib ch
 
Advanced guide to develop ajax applications using dojo
Advanced guide to develop ajax applications using dojoAdvanced guide to develop ajax applications using dojo
Advanced guide to develop ajax applications using dojo
 
JavaScript and DOM
JavaScript and DOMJavaScript and DOM
JavaScript and DOM
 
Html dom & j query
Html dom & j queryHtml dom & j query
Html dom & j query
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
 
Windows 8 DevUnleashed - Session 1
Windows 8 DevUnleashed - Session 1Windows 8 DevUnleashed - Session 1
Windows 8 DevUnleashed - Session 1
 
Web Technology Part 3
Web Technology Part 3Web Technology Part 3
Web Technology Part 3
 
A Review on LWC Events for communication.pptx
A Review on LWC Events for communication.pptxA Review on LWC Events for communication.pptx
A Review on LWC Events for communication.pptx
 
DOM Structure
DOM StructureDOM Structure
DOM Structure
 
Building Rich Internet Apps with Silverlight 2
Building Rich Internet Apps with Silverlight 2Building Rich Internet Apps with Silverlight 2
Building Rich Internet Apps with Silverlight 2
 

More from G Prachi

The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architectureG Prachi
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software securityG Prachi
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilitiesG Prachi
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02G Prachi
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system securityG Prachi
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
Control hijacking
Control hijackingControl hijacking
Control hijackingG Prachi
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
Administering security
Administering securityAdministering security
Administering securityG Prachi
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networksG Prachi
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating systemG Prachi
 
Program security
Program securityProgram security
Program securityG Prachi
 
Elementary cryptography
Elementary cryptographyElementary cryptography
Elementary cryptographyG Prachi
 
Information security introduction
Information security introductionInformation security introduction
Information security introductionG Prachi
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedomG Prachi
 

More from G Prachi (20)

The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architecture
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software security
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system security
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Administering security
Administering securityAdministering security
Administering security
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
 
Program security
Program securityProgram security
Program security
 
Elementary cryptography
Elementary cryptographyElementary cryptography
Elementary cryptography
 
Information security introduction
Information security introductionInformation security introduction
Information security introduction
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedom
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

Basic web security model

  • 2. Contents • Browser Content • Document Object Model • Same Origin Policy
  • 3. World Wide Web (WWW) • Latest revolution in the Internet Scenario • Allowsmultimediadocumentstobeshared between machines–Text,Image Video,Audio • Resemblesacob-webduetoInterlinkingofdocumentswhichiscomplexand unstructured
  • 4. HTTP • Hyper Text Transfer Protocol Language used by clients to interact with servers • HTTP is Stateless which means that every request is treated discretely and the server does not maintain the logical connection between packets • Connection Steps: • Client opens socket connection to HTTP server • Client sends requests to server • Server sends back message • Server closes the connection
  • 5. HTTP Request Methods • GET: • Used if link is clicked or address typed in browser • No body in request with GET method • POST: • Used when submit button is clicked on a form • Form information contained in body of request • HEAD: • Requests that only header fields (no body) be returned in the response
6. Web Browsers
• A web browser (commonly referred to as a browser) is a software application for accessing information on the World Wide Web
• Each individual web page, image, and video is identified by a distinct URL, enabling browsers to retrieve and display them on the user's device
• The information is received in the form of HTML – HyperText Markup Language
• The browser parses HTML and displays it with the prescribed aesthetics

7. Web Browsers
• Primary Tasks
• Convert web addresses (URLs) to HTTP requests
• Communicate with web servers via HTTP
• Render (appropriately display) documents returned by a server
• Additional Functionality
• Execution of scripts (e.g., drop-down menus)
• Event handling (e.g., mouse clicks)
• GUI for controls (e.g., buttons)
• Secure communication with servers
• Display of non-HTML documents (e.g., PDF) via plug-ins

8. Document Object Model (DOM)
• The Document Object Model (DOM) is an API that allows programs to interact with HTML (or XML) documents
• In typical browsers, the JavaScript version of the API is provided via the document host object
• W3C recommendations define the standard DOM
• Originally, the Document Object Model (DOM) and JavaScript were tightly bound
• Each major browser line (IE and Netscape) had its own overlapping DOM implementation
• Now, the DOM is a separate standard, and can be manipulated by other languages (e.g., Java, server-side JavaScript, Python, etc.)

9. DOM Structure
• Objects are in a hierarchy
• The window is the parent for a given web page
• Document is the child with the objects that are most commonly manipulated
window
  * location
  * frames
  * history
  * navigator
  * event
  * screen
  * document
    o links
    o anchors
    o images
    o filters
    o forms
    o applets
    o embeds
    o plug-ins
    o frames
    o scripts
    o all
    o selection
    o stylesheets
    o body

10. DOM: Referencing Objects
• Objects can be referenced:
• by their id or name (this is the easiest way, but you need to make sure a name is unique in the hierarchy)
• by their numerical position in the hierarchy, by walking the array that contains them
• by their relation to parent, child, or sibling (parentNode, previousSibling, nextSibling, firstChild, lastChild or the childNodes array)

11. DOM: Referencing Objects
• The div is an element with an id of mydiv
• It contains a text element, which can be referenced by childNodes[0] (childNodes being an array of all children of a node)
• So the text in the div is not a value of the div, but rather the value of the first (and only) childNode of the div
<div id="mydiv">
  An Example Division
</div>

12. DOM History
• Very simple DOM was part of Netscape 2.0
• Starting with Netscape 4.0 and IE 4.0, browser DOM APIs diverged significantly
• W3C responded quickly with DOM Level 1 (Oct 1998) and subsequently DOM Level 2

13. Intrinsic Event Handling
• An event is an occurrence of something potentially interesting to a script:
• Ex: mouseover and mouseout events
• An HTML intrinsic event attribute is used to specify a script to be called when an event occurs
• Ex: onmouseover
• Name of attribute is on followed by event name
14. DOM Example
• The Rollover effect: cursor not over image; image changes when cursor moves over
15.
17. Default language for scripts specified as attribute values
18. Calls to JavaScript show() function when mouse moves over/away from image
19. Notice that id of image is first argument to show()
20.
22. Returns instance of Element (DOM-defined host object) representing HTML element with given id
23. Some properties of Element instance correspond to attributes of HTML element
24. Method of Element instances for setting value of an attribute
25. Effect: src attribute of HTML element with specified eltId is changed to specified URL
26. Image src changed to CFP22.png when mouse is over image, CFP2.png when it leaves
27. Document Tree
• HTML document elements form a tree structure
• DOM allows scripts to access and modify the document tree

28. Document Tree
• There are many types of nodes in the DOM document tree, representing elements, text, comments, the document type declaration, etc.
• Every object in the DOM document tree has properties and methods defined by the Node host object

31. Document Tree: Node
• Example HTML document
• Function we will write that will use Node methods and properties to produce string representing Element tree

32. Document Tree: Node
• String produced by TreeOutline()

33. Document Tree: Node
• Example: "walking" the tree of an HTML document
• Reference to html element is contained in documentElement property of document object
• Use Node-defined methods to recursively create an outline of nodeName's:

35. Document Tree: Node
• Contains nodeType value representing Element
36. DOM Event Handling
• Event instance is created for each event
• Event instance properties:
• type: name of event (click, mouseover, etc.)
• target: Node corresponding to document element that generated the event (e.g., button element for click, img for mouseover). This is the event target.
• JavaScript event listener: function that is called with Event instance when a certain event occurs
• An event listener is associated with a target element by calling addEventListener() on the element

44. DOM Event Handling: Mouse Events
• DOM2 mouse events
• click
• mousedown
• mouseup
• mousemove
• mouseover
• mouseout
• Event instances have additional properties for mouse events

45. DOM Event Handling: Mouse Events
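The TreeOutline() function of slides 31 to 35, the childNodes[0] lookup of slide 11 and the rollover of slides 14 to 26 redone with addEventListener() as slides 36 and 44 describe, as one added example that is not code from the deck. The functions use only the Node and Element members the slides name (nodeName, nodeType, childNodes, nodeValue, addEventListener, Event.type, Event.target, src), so in a browser you can call treeOutline(document.documentElement) and attachRollover(document.getElementById("...")) against real elements; the stand-in tree and the tiny dispatchEvent at the bottom are constructed only so the file also runs outside a browser. The image file names CFP2.png and CFP22.png are the ones from slide 26; the document layout is made up.

```javascript
// Added example, not code from the slides. Uses only Node/Element members the
// deck names, so it works on a real DOM in a browser; the stand-in objects at
// the bottom are constructed so the same code also runs in Node.
const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

// Slide 33: walk the tree recursively and outline the nodeName of every Element.
// Text and comment nodes are skipped because their nodeType is not ELEMENT_NODE.
function treeOutline(node, depth = 0) {
  if (node.nodeType !== ELEMENT_NODE) return "";
  let out = "  ".repeat(depth) + node.nodeName + "\n";
  for (let i = 0; i < node.childNodes.length; i++) {
    out += treeOutline(node.childNodes[i], depth + 1);
  }
  return out;
}

// Slide 11: the text inside <div id="mydiv"> is not a value of the div itself
// but the nodeValue of its first child, which is a text node.
function firstTextOf(element) {
  const child = element.childNodes[0];
  return child && child.nodeType === TEXT_NODE ? child.nodeValue.trim() : "";
}

// Slides 36 and 44: one listener for both mouse events; it reads the Event
// instance (type, target) instead of hard-coding an element id like show() did.
function attachRollover(img, overSrc, outSrc) {
  function onMouse(event) {
    event.target.src = event.type === "mouseover" ? overSrc : outSrc;
  }
  img.addEventListener("mouseover", onMouse);
  img.addEventListener("mouseout", onMouse);
  return onMouse;
}

// ---- Constructed stand-ins for Node (a browser supplies the real objects) ----
function makeNode(nodeType, nodeName, nodeValue, childNodes) {
  const listeners = {};
  return {
    nodeType, nodeName, nodeValue, childNodes,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatchEvent(event) { (listeners[event.type] || []).forEach((fn) => fn(event)); },
  };
}
const el = (name, ...children) => makeNode(ELEMENT_NODE, name, null, children);
const text = (value) => makeNode(TEXT_NODE, "#text", value, []);

// Constructed document: the slide 11 div plus the slide 14 rollover image.
const SAMPLE_DOC = el("HTML",
  el("HEAD", el("TITLE", text("Rollover"))),
  el("BODY",
    el("DIV", text(" An Example Division ")),
    el("IMG")));
const SAMPLE_DIV = SAMPLE_DOC.childNodes[1].childNodes[0];
const SAMPLE_IMG = SAMPLE_DOC.childNodes[1].childNodes[1];
SAMPLE_IMG.src = "CFP2.png";

// Fire the two mouse events on the stand-in image and report src after each.
function demoRollover() {
  attachRollover(SAMPLE_IMG, "CFP22.png", "CFP2.png");
  return ["mouseover", "mouseout"].map((type) => {
    SAMPLE_IMG.dispatchEvent({ type, target: SAMPLE_IMG });
    return SAMPLE_IMG.src;
  });
}

console.log(treeOutline(SAMPLE_DOC));
console.log(firstTextOf(SAMPLE_DIV)); // An Example Division
console.log(demoRollover());          // [ 'CFP22.png', 'CFP2.png' ]
```

Registering the listener from script, as here, keeps the handler out of the markup; the onmouseover attribute form of slide 13 bakes script text into the HTML, which is the distinction the second editor's note below draws between the HTML and scripting ways of assigning handlers.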
46. Same-Origin Policy
• The same-origin policy is an important concept in the web application security model
• Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin
• An origin is defined as a combination of URI scheme, host name, and port number
• This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model

47. Same-Origin Policy
• All modern browsers implement some form of the Same-Origin Policy as it is an important security cornerstone
• The same-origin policy is an important concept in the web application security model
• The policies are not required to match an exact specification
• They are extended to define roughly compatible security boundaries for other web technologies:
• Such as Microsoft Silverlight
• Adobe Flash
• Adobe Acrobat
• XMLHttpRequest

48. Same-Origin Policy: an example
• The following are the outcomes of the URLs accessed from http://www.example.com/dir/test.html
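The comparison slide 46 defines, scheme plus host name plus port, as an added example that is not the deck's code (slide 48's outcome table is an image that did not survive extraction, so the target URLs below are constructed, not the slide's). It resolves each target against the document URL http://www.example.com/dir/test.html the way a browser resolves an href, then compares origins. The DEFAULT_PORTS table is an assumption of this example: an explicit :80 on an http URL names the same origin as no port at all.

```javascript
// Added example, not code from the slides: same-origin comparison by
// scheme, host name and port number, as slide 46 defines an origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" }; // assumed defaults

// Origin of a URL; a relative URL is resolved against base, as a browser
// resolves a link on the page. Path, query and userinfo are ignored on purpose.
function originOf(urlString, base) {
  const u = new URL(urlString, base);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(documentUrl, targetUrl) {
  return originOf(documentUrl) === originOf(targetUrl, documentUrl);
}

const DOCUMENT_URL = "http://www.example.com/dir/test.html";

// Constructed sample targets; the slide's own table is not on the page.
const SAMPLE_TARGETS = [
  "http://www.example.com/dir/page.html",           // same origin: path differs only
  "http://www.example.com/dir2/other.html",         // same origin: path differs only
  "other.html",                                     // same origin: relative href under /dir/
  "http://user:pw@www.example.com/dir2/other.html", // same origin: userinfo is not part of origin
  "http://www.example.com:80/dir/other.html",       // same origin: 80 is the http default
  "http://www.example.com:81/dir/other.html",       // different port
  "https://www.example.com/dir/other.html",         // different scheme
  "http://en.example.com/dir/other.html",           // different host
  "http://example.com/dir/other.html",              // different host
];

// Decide, for each target, whether script in the document may read its DOM.
function classify(documentUrl, targets) {
  return targets.map((target) => ({ target, sameOrigin: sameOrigin(documentUrl, target) }));
}

for (const row of classify(DOCUMENT_URL, SAMPLE_TARGETS)) {
  console.log(row.sameOrigin ? "same origin    " : "cross origin   ", row.target);
}
```

The two cases people most often get wrong are the last two of the "same origin" group: credentials in the URL and an explicit default port change nothing, while a subdomain or a scheme change makes the page cross-origin even though it is served by the same organisation.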

Editor's Notes

  1. The Document Object Model (DOM) is a programming API for HTML and XML documents. It defines the logical structure of documents and the way a document is accessed and manipulated. In the DOM specification, the term "document" is used in the broad sense - increasingly, XML is being used as a way of representing many different kinds of information that may be stored in diverse systems, and much of this would traditionally be seen as data rather than as documents. Nevertheless, XML presents this data as documents, and the DOM may be used to manage this data. With the Document Object Model, programmers can create and build documents, navigate their structure, and add, modify, or delete elements and content. Anything found in an HTML or XML document can be accessed, changed, deleted, or added using the Document Object Model, with a few exceptions - in particular, the DOM interfaces for the internal subset and external subset have not yet been specified. As a W3C specification, one important objective for the Document Object Model is to provide a standard programming interface that can be used in a wide variety of environments and applications. The Document Object Model can be used with any programming language. In order to provide precise, language-independent specification of the Document Object Model interfaces, we have chosen to define the specifications in OMG IDL, as defined in the CORBA 2.2 specification. 
  2. Event handling has been part of JavaScript since the language's inception. Events refer to specific, user-initiated actions within the webpage, such as the moving of your mouse over a link, the clicking on a link, or submission of a form. Thanks to event handling, our scripts are more interactive and are able to perform certain actions depending on the user's. The DOM of modern web browsers such as IE5+, NS6+, and Firefox provides expanded methods and flexibility (relative to older browsers) for capturing events.

  The 2 traditional ways of assigning event handlers: there are 2 common and conventional ways of setting up an event handler, via HTML or via scripting. In both cases, a function or code is attached at the end, which is executed when the handler detects the specified event.

  1) Via HTML, using attributes. We can define an event handler directly inside the relevant HTML tag, by embedding it as an attribute. A piece of JavaScript is also included to tell the browser to perform something when the event occurs. For example,

  <a href="http://freewarejava.com" onMouseover="window.status='Click here for Java applets';return true" onMouseout="window.status=''">Freewarejava.com</a>

  2) Via scripting. We can also assign and set up event handlers to elements using scripting, inside your script. This allows for the event handlers to be dynamically set up, without having to mess around with the HTML code on the page. When setting up event handlers for an element directly inside your script, the code to execute for the events must be defined inside a function.

  <a ID="test" href="http://freewarejava.com">Freewarejava.com</a>
  <script type="text/javascript">
  function changestatus(){
    window.status="Click here for Java applets"
    return true
  }
  function changebackstatus(){
    window.status=''
  }
  document.getElementById("test").onmouseover=changestatus
  document.getElementById("test").onmouseout=changebackstatus
  </script>