CNIT 129S: Securing Web Applications
Ch 3: Web Application Technologies
Updated 2-1-22
HTTP
Hypertext Transfer Protocol (HTTP)
• Connectionless protocol
• Client sends an HTTP request to a Web server
• Gets an HTTP response
• No session formed, nothing remembered--no "state"
HTTP Requests
• Verb: GET (also called "method")
• URL: /css?family=Roboto:400,700
• Portion after ? is the query string containing parameters
• Version: HTTP/1.1
HTTP Requests
• Referer: URL the request originated from
• User-Agent: browser being used
• Host: Hostname of the server
• Essential when multiple hosts run on the same IP
• Required in HTTP/1.1
HTTP Requests
• Cookie: additional parameters the server has issued to the client
HTTP Response
• First line
• HTTP version
• Status code (200 in this case)
• Textual "reason phrase" describing the response
• Ignored by browser
HTTP Response
• Server: banner of server software
• Not always accurate
• Set-Cookie used to set cookie values
HTTP Response
• Pragma: tells browser not to store response in its cache
• Expires: set to a date in the past to ensure that the content is freshly loaded
HTTP Response
• Message Body after header contains data of type specified in Content-Type header
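A minimal parser for the request and response pieces named on the slides above (verb, URL and query string, version, headers, cookies, status line), added here as an example and not part of the original deck. The two messages and the hostnames in them are constructed samples.

```python
"""Parse raw HTTP/1.1 request and response messages into their parts."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request, of the kind a browser sends for a web font
SAMPLE_REQUEST = (
    "GET /css?family=Roboto:400,700 HTTP/1.1\r\n"
    "Host: fonts.example\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Referer: https://www.example/index.html\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
)

# Constructed sample response carrying the headers the slides discuss
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer/1.0\r\n"
    "Set-Cookie: tracking=xyz; Path=/\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Content-Type: text/css\r\n"
    "\r\n"
    "body { font-family: Roboto; }"
)


def _split_message(raw):
    """Return (start line, {lowercased header name: value}, body).

    A repeated header (e.g. several Set-Cookie lines) keeps the last value;
    a fuller parser would collect a list."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw):
    """Break a request into verb, path, query parameters, version, headers, cookies."""
    start, headers, body = _split_message(raw)
    method, target, version = start.split(" ", 2)
    url = urlsplit(target)
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return {
        "method": method,
        "path": url.path,
        "query": dict(parse_qsl(url.query)),   # the portion after '?'
        "version": version,
        "headers": headers,
        "cookies": cookies,
        "body": body,
    }


def parse_response(raw):
    """Break a response into version, numeric status, reason phrase, headers, body."""
    start, headers, body = _split_message(raw)
    pieces = start.split(" ", 2)
    version, code = pieces[0], int(pieces[1])
    reason = pieces[2] if len(pieces) > 2 else ""   # reason phrase is optional
    return {"version": version, "status": code, "reason": reason,
            "headers": headers, "body": body}


def request_problems(req):
    """Checks a server should make before trusting a request: HTTP/1.1
    requires Host, and the query string is a poor place for secrets."""
    problems = []
    if req["version"] == "HTTP/1.1" and "host" not in req["headers"]:
        problems.append("Host header missing (required in HTTP/1.1)")
    for name in req["query"]:
        if name.lower() in ("password", "token", "session", "sessionid"):
            problems.append(f"sensitive-looking parameter '{name}' in query string")
    return problems
```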
HTTP Methods: GET
• GET retrieves resources
• Can send parameters in the URL query string
• Users can bookmark the whole URL
• Whole URL may appear in server logs and in Referer headers
• Also on the browser's screen
• Don't put sensitive information in the query string
HTTP Methods: POST
• POST performs actions
• Request parameters can be in URL query string and in the body of the message
• Parameters in body aren't saved in bookmarks or most server logs
• A better place for sensitive data
HTTP Methods: POST
• POST requests perform actions, like buying something
• Clicking the browser's Back button displays a box like this
Other HTTP Methods
• HEAD returns only the header, not the body
• Can be used to check if a resource is available before GETing it
• OPTIONS shows allowed methods
• PUT uploads to server (usually disabled)
URL (Uniform Resource Locator)
• If protocol is absent, it defaults to HTTP
• If port is absent, it uses the default port for the protocol
• 80 for HTTP, 443 for HTTPS, etc.
REST (Representational State Transfer)
• RESTful URLs put parameters in the URL, not the query string
• Becomes
A
HTTP Headers
Cookies
• Cookies are resubmitted in each request to the same domain
• Unlike other request parameters, such as the query string
Set-Cookie Header
• Optional attributes
• expires - date when the cookie stops being valid
• If absent, cookie is used only in the current browser session
• domain - specified domain for which cookie is valid
• Must be the same or a parent of the domain from which the cookie is received
• "Same-Origin Policy"
Set-Cookie Header
• Optional attributes
• path - URL path for which the cookie is valid
• secure - transmit cookie only via HTTPS
• HttpOnly - Cookie cannot be directly accessed via client-side JavaScript
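A simplified model of how a browser applies the Set-Cookie attributes listed on the two slides above, added here as an example and not part of the original deck. Hosts, paths and cookie names are constructed samples, and the default path is taken as "/" rather than computed from the request path as RFC 6265 does.

```python
"""Decide whether a stored cookie is attached to a request, and who can read it."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def domain_matches(host, domain):
    """host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header, issuing_host):
    """Parse one Set-Cookie value received from issuing_host.

    Returns None when the Domain attribute is neither the issuing host nor a
    parent of it, which is the case a browser rejects."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    issuing_host = issuing_host.lower()
    cookie = {"name": name, "value": value, "domain": issuing_host,
              "host_only": True, "path": "/", "expires": None,
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        val = val.strip()
        if key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)
        elif key == "domain":
            domain = val.lstrip(".").lower()
            if not domain_matches(issuing_host, domain):
                return None                      # not same or parent: rejected
            cookie["domain"] = domain
            cookie["host_only"] = False
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def path_matches(request_path, cookie_path):
    """cookie_path is request_path itself or a directory prefix of it."""
    return (request_path == cookie_path
            or request_path.startswith(cookie_path.rstrip("/") + "/"))


def would_send(cookie, scheme, host, path, now=None):
    """Would a browser attach this cookie to a request for scheme://host/path?"""
    now = now or datetime.now(timezone.utc)
    host = host.lower()
    if cookie["expires"] is not None and cookie["expires"] <= now:
        return False                                 # expired
    if cookie["secure"] and scheme != "https":
        return False                                 # Secure: HTTPS only
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False                             # no Domain: issuing host only
    elif not domain_matches(host, cookie["domain"]):
        return False
    return path_matches(path, cookie["path"])


def script_can_read(cookie):
    """HttpOnly keeps the cookie out of document.cookie."""
    return not cookie["httponly"]
```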
Status Codes Groups
Important Status Codes
• 200 OK - request succeeded, response body contains result
• 301 Moved Permanently - redirects the browser, client should use new URL in the future
• 302 Found - redirects browser temporarily. Client should revert to original URL in subsequent requests
Important Status Codes
• 304 Not Modified - browser should use cached copy of resource
• 400 Bad Request - invalid HTTP request
• 401 Unauthorized - Server requires HTTP authentication.
• WWW-Authenticate header specifies the type(s) of authentication supported
Important Status Codes
• 403 Forbidden - no one is allowed to access resource, regardless of authentication
• 404 Not Found - requested resource does not exist
• 500 Internal Server Error - unhandled exception in an app, such as a PHP error
• Next page: Link Ch 3l
HTTPS
• HTTP over SSL (Secure Sockets Layer)
• Actually now TLS (Transport Layer Security)
• All versions of SSL are deprecated
• Protects data with encryption
• Protects data in motion, but not at rest or in use
HTTP Proxies
• Browser sends requests to proxy server
• Proxy fetches resource and sends it to browser
• Proxies may provide caching, authentication, and access control
HTTPS and Man-in-the-Middle (MITM) Attacks
• HTTPS connections use public-key cryptography and end-to-end encryption
• Only the endpoints can decrypt traffic
• Companies wishing to restrict HTTPS traffic have two choices
• Perform complete MITM with fake certificates, or real root certificates from trusted CA's
• Allow encrypted traffic to trusted domains without being able to inspect it
HTTPS and Proxies
• Browser sends an HTTP request to the proxy using the CONNECT method and destination hostname and port number
• If proxy allows the request, it returns 200 status and keeps the TCP connection open
• Thereafter acts as a pure TCP-level relay to the destination web server
HTTP Authentication
• Basic: sends username and password in Base64-encoding
• NTLM: Uses Windows NTLM protocol (MD4 hashing)
• Digest: Challenge-response using MD5 hashing
• These are generally used in intranets, not on the Internet
• All are very weak cryptographically, and should be protected with HTTPS
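Basic authentication worked through end to end, added here as an example and not part of the original deck: the 401 challenge is parsed, the Authorization header a client answers with is built, the cleartext is recovered from that header (Base64 is reversible encoding, not encryption), and the server-side rule the last bullet implies is applied, namely refusing Basic credentials unless the request arrived over HTTPS. Usernames, passwords and the realm are constructed samples.

```python
"""HTTP Basic authentication: build, decode and check the header."""
import base64
import binascii
import hmac


def parse_challenge(www_authenticate):
    """'Basic realm="Intranet"' -> ("Basic", {"realm": "Intranet"})."""
    scheme, _, rest = www_authenticate.strip().partition(" ")
    params = {}
    for item in rest.split(","):
        key, _, val = item.strip().partition("=")
        if key:
            params[key.lower()] = val.strip().strip('"')
    return scheme, params


def basic_authorization(username, password):
    """Build the header value: 'Basic ' + base64('user:pass')."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(authorization):
    """Anyone who can read the header can do this; nothing is hidden."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def accept_basic(request_scheme, authorization, passwords):
    """Server-side check. `passwords` maps username -> expected password
    (a constructed stand-in; a real server compares against a password hash).
    Returns (accepted, reason)."""
    if request_scheme != "https":
        return False, "Basic credentials refused over plain HTTP"
    try:
        user, password = decode_basic(authorization)
    except ValueError as exc:
        return False, str(exc)
    expected = passwords.get(user)
    if expected is None or not hmac.compare_digest(password.encode("utf-8"),
                                                   expected.encode("utf-8")):
        return False, "bad username or password"
    return True, f"authenticated as {user}"
```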
B
Web Functionality
Server-Side Functionality
• Static content - HTML pages and images that are the same for all users
• Dynamic content - response created on the fly, can be customized for each user
• Created by scripts on the server
• Customized based on parameters in the request
HTTP Parameters
• May be sent in these ways:
Other Inputs
• Server-side application may use any part of the HTTP request as an input
• Such as User-Agent
• Often used to display smartphone-friendly versions of pages
Web Application Technologies
The Java Platform
• Standard for large-scale enterprise applications
• Lends itself to multitiered and load-balanced architectures
• Well-suited to modular development and code reuse
• Runs on Windows, Linux, and Solaris
Java Platform Terms
• Enterprise Java Bean (EJB)
• Heavyweight software component to encapsulate business logic, such as transactional integrity
• Plain Old Java Object (POJO)
• User-defined, lightweight object, distinct from a special object such as an EJB
• Java Servlet
• Object on an application server that receives HTTP requests from client and returns HTTP responses
Java Platform Terms
• Java web container
• Platform or engine that provides a runtime environment for Java-based web applications
• Ex: Apache Tomcat, BEA WebLogic, JBoss
Common Components
• Third-party or open-source components that are often used alongside custom-built code
ASP.NET
• Microsoft's web application framework
• Competitor to Java platform
• Uses .NET Framework, which provides a virtual machine (the Common Language Runtime) and a set of powerful APIs (Application Program Interfaces)
• Applications can be written in any .NET language, such as C# or VB.NET
Visual Studio
• Powerful development environment for ASP.NET applications
• Easy for developers to make a web application, even with limited programming skills
• ASP.NET helps protect against some common vulnerabilities, such as cross-site scripting, without requiring any effort from the developer
PHP
• Originally "Personal Home Page", now "PHP Hypertext Processor"
• Often used on LAMP servers
• Linux, Apache, MySQL, and PHP
• Free and easy to use, but many security problems
• Both in PHP itself and in custom code using it
Common PHP Applications
Ruby on Rails
• Allows rapid development of applications
• Can autogenerate much of the code if developer follows the Rails coding style and naming conventions
• Has vulnerabilities like PHP
SQL (Structured Query Language)
• Used to access data in relational databases, such as Oracle, MS-SQL, and MySQL
• Data stored in tables, each containing rows and columns
• SQL queries are used to read, add, update, or delete data
• SQL injection vulnerabilities are very severe
XML (eXtensible Markup Language)
• A specification to encode data in machine-readable form
• Markup uses tags
Web Services and SOAP (Simple Object Access Protocol)
• SOAP uses HTTP and XML to exchange data
• Link Ch 3b
SOAP
• If user-supplied data is incorporated into SOAP requests, it can have code injection vulnerabilities
• Server usually publishes available services and parameters using Web Services Description Language (WSDL)
• soapUI and other tools can generate requests based on WSDL file
C
Client-Side Functionality (in browser)
HTML
Hypertext Markup Language
• HTML used for formatting "markup"
• XHTML is based on XML and is stricter than old versions of HTML
Hyperlinks
• Clickable text that goes to URLs
• Clicking this link:
• Makes this request
HTML Forms
HTTP Request
multipart/form-data
• Browser generates random boundary text
• Link Ch 3c
HTTP Request
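Building and parsing a multipart/form-data body around a random boundary, as the slide above describes browsers doing; this is an added example and not code from the original deck. Field names, the file bytes and the boundary prefix are constructed, and the random part comes from the `secrets` module.

```python
"""Encode form fields and a file upload as multipart/form-data, then parse it back."""
import secrets


def make_boundary():
    """Random boundary: unguessable and unlikely to occur inside any field."""
    return "----ConstructedFormBoundary" + secrets.token_hex(16)


def encode_multipart(fields, files, boundary=None):
    """fields: {name: str}; files: {name: (filename, content_type, bytes)}.

    Returns (Content-Type header value, body bytes). A body whose boundary also
    occurs inside a part is ambiguous, so that case is refused."""
    boundary = boundary or make_boundary()
    marker = boundary.encode("ascii")
    lines = []
    for name, value in fields.items():
        lines += [b"--" + marker,
                  f'Content-Disposition: form-data; name="{name}"'.encode("utf-8"),
                  b"",
                  value.encode("utf-8")]
    for name, (filename, ctype, data) in files.items():
        lines += [b"--" + marker,
                  (f'Content-Disposition: form-data; name="{name}"; '
                   f'filename="{filename}"').encode("utf-8"),
                  f"Content-Type: {ctype}".encode("ascii"),
                  b"",
                  data]
    lines.append(b"--" + marker + b"--")          # closing delimiter
    body = b"\r\n".join(lines) + b"\r\n"
    if body.count(marker) != len(fields) + len(files) + 1:
        raise ValueError("boundary text occurs inside a part; choose another")
    return f"multipart/form-data; boundary={boundary}", body


def decode_multipart(content_type, body):
    """Split on the boundary; return {name: (filename or None, data bytes)}."""
    boundary = content_type.split("boundary=", 1)[1].strip().encode("ascii")
    parts = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break                                    # reached the closing delimiter
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]                         # CRLF that precedes the next boundary
        name = filename = None
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                for item in line.decode("latin-1").split(";")[1:]:
                    key, _, val = item.strip().partition("=")
                    if key == "name":
                        name = val.strip('"')
                    elif key == "filename":
                        filename = val.strip('"')
        parts[name] = (filename, data)
    return parts
```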
CSS
Cascading Style Sheets
• Specifies format of document elements
• Separates content from presentation
• Has vulnerabilities, and can be used for attacks
Javascript
• Scripts that run in the client's browser
• Used to validate user-entered data before submitting it to the server
• Dynamically modify UI in response to user action, such as in drop-down menus
• Using Document Object Model (DOM) to control the browser's behavior
VBScript
• Microsoft's alternative to JavaScript
• Only supported in Internet Explorer (now obsolete)
• Edge does not support VBScript
• Links Ch 3d, 3e
Document Object Model
DOM
• Link Ch 3g
Using the DOM
Ajax
Asynchronous JavaScript and XML
• Client-side scripts can fetch data without reloading the entire page
• Allows you to drag Google Maps around
Ajax Example
• Google Maps API
• Links Ch 3h, 3i
JSON
JavaScript Object Notation
• Client-side JavaScript uses the XMLHttpRequest API to request data from a server
• Data is returned in JSON format:
Updating Data with JSON
Same-Origin Policy
• Prevents content from different origins interfering with each other in a browser
• Content from one website can only read and modify data from the same website
• Ex: scripts on Facebook can't read or write to data on your online banking page
• When this process fails, you get Cross-Site Scripting, Cross-Site Request Forgery, and other attacks
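The origin comparison behind the slide above, added here as an example and not part of the original deck: an origin is the (scheme, host, port) triple with default ports filled in, and two URLs are same-origin only when all three match. The hostnames are constructed, with a social-network and a bank host standing in for the slide's Facebook and online-banking illustration; the last function shows the server-side use of the same comparison against a request's Origin header.

```python
"""Same-origin comparison, as browsers apply it."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url_a, url_b):
    """True only if scheme, host and port all match; the path plays no part."""
    return origin_of(url_a) == origin_of(url_b)


def page_can_access(page_url, target_url):
    """May script running in the page at page_url read or modify the
    document at target_url? Only when the two share an origin."""
    return same_origin(page_url, target_url)


def request_is_cross_origin(origin_header, server_url):
    """Server-side use of the same rule: a state-changing request whose
    Origin header is absent or names another origin should be refused,
    which is a basic Cross-Site Request Forgery defence."""
    if not origin_header:
        return True                      # cannot verify, treat as cross-origin
    return not same_origin(origin_header, server_url)
```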
Same-Origin Policy
HTML5
Web 2.0
Browser Extensions
• Many security problems
• More and more restricted in modern browsers
State and Sessions
• Stateful data required to supplement stateless HTTP
• This data is held in a server-side structure called a session
• The session contains data such as items added to a shopping cart
• Some state data is stored on the client, often HTTP cookies or hidden form fields
Encoding Schemes
URL Encoding
• URLs may contain only printable ASCII characters
• 0x20 to 0x7e, inclusive
• To transfer other characters, or problematic ASCII characters, over HTTP, they must be URL-encoded
Unicode Encoding
• Supports all the world's writing systems
• 16 bits per character, starting with %u
UTF-8 Encoding
• Variable length
• Uses % character before each byte
• Unicode and UTF-8 are often used to bypass filters in attacks
HTML Encoding
• HTML-encoding user data before sending it to another user is used to prevent Cross-Site Scripting attacks
Base64 Encoding
• Represents binary data using 64 ASCII characters
• Six bits at a time
• Used to encode email attachments so they can be sent via SMTP
• Uses this character set
Hex Encoding
• Hexadecimal numbers corresponding to each ASCII character
• ABC encodes to 414243
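The encoding schemes from the slides above implemented in one place, added here as an example and not part of the original deck. Base64 is written out by hand to show the six-bits-at-a-time grouping, URL decoding also understands the %uXXXX form the Unicode slide mentions, and the last three functions show why a filter must decode to canonical form before inspecting and why HTML-encoding on output is the defence that holds. All inputs are constructed samples.

```python
"""URL, %u, UTF-8, HTML, Base64 and hex encoding, with a decode-before-inspect check."""
import html
import re

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~")
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_PCT_U = re.compile(r"%u([0-9A-Fa-f]{4})")    # 16-bit Unicode form
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")       # one byte per %xx


def url_encode(text):
    """Keep the unreserved printable-ASCII set; encode every other byte as %xx
    (non-ASCII characters first become their UTF-8 bytes)."""
    return "".join(chr(b) if chr(b) in UNRESERVED else f"%{b:02X}"
                   for b in text.encode("utf-8"))


def url_decode(text):
    """Undo %xx (assembled as UTF-8 bytes) and %uXXXX."""
    buf = bytearray()
    i = 0
    while i < len(text):
        m = _PCT_U.match(text, i)
        if m:
            buf += chr(int(m.group(1), 16)).encode("utf-8", "surrogatepass")
            i = m.end()
            continue
        m = _PCT.match(text, i)
        if m:
            buf.append(int(m.group(1), 16))
            i = m.end()
            continue
        buf += text[i].encode("utf-8")
        i += 1
    return buf.decode("utf-8", errors="replace")


def html_encode(text):
    """Encode & < > " ' so user data renders as text, not markup."""
    return html.escape(text, quote=True)


def base64_encode(data):
    """Three bytes -> four 6-bit groups; '=' pads a short final group."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [B64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        pad = 3 - len(chunk)
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def hex_encode(text):
    """Two hex digits per ASCII byte: 'ABC' -> '414243'."""
    return text.encode("ascii").hex().upper()


def naive_blocks(raw_param):
    """Inspects the parameter as received; encoded forms slip past it."""
    return "<script" in raw_param.lower()


def canonical_blocks(raw_param):
    """Decodes to the canonical form first, then inspects."""
    return "<script" in url_decode(raw_param).lower()


def render_safely(raw_param):
    """Decode on input, HTML-encode on output: the pattern that prevents XSS
    whatever the input looked like on the wire."""
    return html_encode(url_decode(raw_param))
```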
Remoting and Serialization Frameworks
• Allows client-side code to use server-side APIs as if they were local
D

Temple of Asclepius in Thrace. Excavation results
 
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
Geography as a Discipline Chapter 1 __ Class 11 Geography NCERT _ Class Notes...
 
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.pptLevel 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
 
How to Manage Reception Report in Odoo 17
How to Manage Reception Report in Odoo 17How to Manage Reception Report in Odoo 17
How to Manage Reception Report in Odoo 17
 
Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)Oliver Asks for More by Charles Dickens (9)
Oliver Asks for More by Charles Dickens (9)
 
Electric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger HuntElectric Fetus - Record Store Scavenger Hunt
Electric Fetus - Record Store Scavenger Hunt
 
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptxNEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
 
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptxBIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
 
SWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptxSWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptx
 
The basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptxThe basics of sentences session 7pptx.pptx
The basics of sentences session 7pptx.pptx
 
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem studentsRHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
RHEOLOGY Physical pharmaceutics-II notes for B.pharm 4th sem students
 
CIS 4200-02 Group 1 Final Project Report (1).pdf
CIS 4200-02 Group 1 Final Project Report (1).pdfCIS 4200-02 Group 1 Final Project Report (1).pdf
CIS 4200-02 Group 1 Final Project Report (1).pdf
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants  When and How To Record ProperlyAccounting for Restricted Grants  When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
 

Ch 3: Web Application Technologies

  • 1. CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies Updated 2-1-22
  • 3. Hypertext Transfer Protocol (HTTP) • Connectionless protocol • Client sends an HTTP request to a Web server • Gets an HTTP response • No session formed, nothing remembered--no "state"
  • 4. HTTP Requests • Verb: GET (also called "method") • URL: /css?family=Roboto:400,700 • Portion after ? is the query string containing parameters • Version: HTTP/1.1
  • 5. HTTP Requests • Referer: URL the request originated from • User-Agent: browser being used • Host: Hostname of the server • Essential when multiple hosts run on the same IP • Required in HTTP/1.1
  • 6. HTTP Requests • Cookie: additional parameters the server has issued to the client
  • 7. HTTP Response • First line • HTTP version • Status code (200 in this case) • Textual "reason phrase" describing the response • Ignored by browser
  • 8. HTTP Response • Server: banner of server software • Not always accurate • Set-Cookie used to set cookie values
  • 9. HTTP Response • Pragma: tells browser not to store response in its cache • Expires: set to a date in the past to ensure that the content is freshly loaded
  • 10. HTTP Response • Message Body after header contains data of type specified in Content-Type header
  • 11. HTTP Methods: GET • GET retrieves resources • Can send parameters in the URL query string • Users can bookmark the whole URL • Whole URL may appear in server logs and in Referer headers • Also on the browser's screen • Don't put sensitive information in the query string
  • 12. HTTP Methods: POST • POST performs actions • Request parameters can be in URL query string and in the body of the message • Parameters in body aren't saved in bookmarks or most server logs • A better place for sensitive data
  • 13. HTTP Methods: POST • POST requests perform actions, like buying something • Clicking the browser's Back button displays a box like this
  • 14. Other HTTP Methods • HEAD returns only the header, not the body • Can be used to check if a resource is available before GETing it • OPTIONS shows allowed methods • PUT uploads to server (usually disabled)
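The request and response structure described in slides 3 through 14, taken apart in code. This is an added example for this page, not code from the CNIT 129S slides or the textbook; the request and response bytes, hostnames, cookie value and server banner are constructed for the demo, and the list of "sensitive" parameter names is an assumption. The last function implements the slide-11 rule as a check: which query-string parameters would end up in server logs, bookmarks and Referer headers.

```python
"""Pull apart a raw HTTP request and response as the slides describe them."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample request; CRLF line endings as on the wire.
RAW_REQUEST = (
    "GET /css?family=Roboto:400,700&token=abc HTTP/1.1\r\n"
    "Host: fonts.example.test\r\n"
    "Referer: https://shop.example.test/cart?item=42\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
)

# Constructed sample response carrying the headers the slides call out.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache (constructed banner)\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Content-Type: text/css; charset=utf-8\r\n"
    "\r\n"
    "body { color: black }"
)

# Assumed list of parameter names that should never travel in a query string.
SENSITIVE_PARAMS = ("password", "token", "session", "ssn")


def _split_message(raw):
    """Split an HTTP message into (start line, [(name, value), ...], body).

    Headers are kept as an ordered list so repeated headers such as
    Set-Cookie are not collapsed. The blank line ends the header block.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def parse_request(raw):
    """Return verb, path, query parameters, version, headers, cookies and body."""
    start, headers, body = _split_message(raw)
    verb, target, version = start.split(" ", 2)
    url = urlsplit(target)  # path, and the part after "?" is the query string
    hdrs = dict(headers)
    # The Cookie request header carries "name=value" pairs separated by "; ".
    cookies = {}
    for pair in hdrs.get("Cookie", "").split(";"):
        if "=" in pair:
            name, value = pair.strip().split("=", 1)
            cookies[name] = value
    return {
        "verb": verb,
        "path": url.path,
        "query": parse_qs(url.query),
        "version": version,
        "headers": hdrs,
        "cookies": cookies,
        "body": body,
    }


def parse_response(raw):
    """Return version, numeric status code, reason phrase, headers and body."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)
    reason = parts[2] if len(parts) > 2 else ""  # the reason phrase is optional
    return {"version": parts[0], "status": int(parts[1]), "reason": reason,
            "headers": headers, "body": body}


def sensitive_query_params(request, sensitive=SENSITIVE_PARAMS):
    """Query-string parameters that would appear in logs, bookmarks and Referer headers."""
    return [name for name in request["query"] if name.lower() in sensitive]


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["verb"], req["path"], req["query"], req["cookies"])
    print("sensitive data in query string:", sensitive_query_params(req))
    resp = parse_response(RAW_RESPONSE)
    print(resp["status"], resp["reason"], resp["headers"][:2])
```

Headers are kept as a list in `parse_response` because Set-Cookie may legitimately appear several times; `dict(headers)` in `parse_request` is fine only because browsers send each request header once.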
  • 15. URL (Uniform Resource Locator) • If protocol is absent, it defaults to HTTP • If port is absent, it uses the default port for the protocol • 80 for HTTP, 443 for HTTPS, etc.
  • 16. REST (Representational State Transfer) • RESTful URLs put parameters in the URL, not the query string • Becomes
  • 17. A
  • 22. Cookies • Cookies are resubmitted in each request to the same domain • Unlike other request parameters, such as the query string
  • 23. Set-Cookie Header • Optional attributes • expires - date when the cookie stops being valid • If absent, cookie is used only in the current browser session • domain - specified domain for which cookie is valid • Must be the same or a parent of the domain from which the cookie is received • "Same-Origin Policy"
  • 24. Set-Cookie Header • Optional attributes • path - URL path for which the cookie is valid • secure - transmit cookie only via HTTPS • HttpOnly - Cookie cannot be directly accessed via client-side JavaScript
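A check for the Set-Cookie attributes listed on slides 23 and 24, written as an added example for this page (not code from the slides or the textbook). It uses Python's standard `http.cookies` parser; the cookie strings and hostnames are constructed, and the "finding" wording is mine.

```python
"""Audit Set-Cookie header values for expires, domain, secure and HttpOnly."""
from http.cookies import SimpleCookie


def domain_matches(cookie_domain, request_host):
    """True when cookie_domain is the request host or a parent domain of it.

    A leading dot is ignored, as browsers do, so ".example.test" and
    "example.test" are treated alike.
    """
    d = cookie_domain.lower().lstrip(".")
    h = request_host.lower()
    return h == d or h.endswith("." + d)


def audit_set_cookie(header_value, request_host, served_over_https=True):
    """Return a list of findings for one Set-Cookie header value.

    An empty list means the secure and HttpOnly attributes are present and
    the Domain attribute (if any) is one the browser would accept.
    """
    jar = SimpleCookie()
    jar.load(header_value)  # parses "name=value; Attr=...; Flag" into Morsels
    findings = []
    for name, morsel in jar.items():
        # secure: the browser only sends the cookie over HTTPS.
        if served_over_https and not morsel["secure"]:
            findings.append(f"{name}: no Secure attribute, may be sent over plain HTTP")
        # HttpOnly: client-side JavaScript cannot read the cookie.
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly attribute, readable by client-side JavaScript")
        # domain: must be the issuing host or a parent of it, else the browser rejects it.
        if morsel["domain"] and not domain_matches(morsel["domain"], request_host):
            findings.append(
                f"{name}: Domain={morsel['domain']} is not {request_host} or a parent of it"
            )
    return findings


def is_session_cookie(header_value):
    """True when neither expires nor Max-Age is set: kept only for the browser session."""
    jar = SimpleCookie()
    jar.load(header_value)
    return all(not m["expires"] and not m["max-age"] for m in jar.values())


# Constructed samples.
GOOD = "session=abc123; Path=/; Secure; HttpOnly"
WEAK = "session=abc123; Domain=.example.test; Path=/"
BAD_DOMAIN = "tracker=1; Domain=other.test; Secure; HttpOnly"
PERSISTENT = "theme=dark; Max-Age=2592000; Secure; HttpOnly"

if __name__ == "__main__":
    for value in (GOOD, WEAK, BAD_DOMAIN, PERSISTENT):
        print(value)
        for finding in audit_set_cookie(value, "shop.example.test"):
            print("  -", finding)
        print("  session cookie:", is_session_cookie(value))
```

Run it against the Set-Cookie lines of a real response (one call per header line) to see which cookies a proxy or log review should flag; a session identifier without HttpOnly and Secure is the case worth fixing first.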
  • 26. Important Status Codes • 200 OK - request succeeded, response body contains result • 301 Moved Permanently - redirects the browser, client should use new URL in the future • 302 Found - redirects browser temporarily. Client should revert to original URL in subsequent requests
  • 27. Important Status Codes • 304 Not Modified - browser should use cached copy of resource • 400 Bad Request - invalid HTTP request • 401 Unauthorized - Server requires HTTP authentication. • WWW-Authenticate header specifies the type(s) of authentication supported
  • 28. Important Status Codes • 403 Forbidden - no one is allowed to access resource, regardless of authentication • 404 Not Found - requested resource does not exist • 500 Internal Server Error - unhandled exception in an app, such as a PHP error • Next page: Link Ch 3l
  • 30. HTTPS • HTTP over SSL (Secure Sockets Layer) • Actually now TLS (Transport Layer Security) • All versions of SSL are deprecated • Protects data with encryption • Protects data in motion, but not at rest or in use
  • 31. HTTP Proxies • Browser sends requests to proxy server • Proxy fetches resource and sends it to browser • Proxies may provide caching, authentication, and access control
  • 32. HTTPS and Man-in-the-Middle (MITM) Attacks • HTTPS connections use public-key cryptography and end-to-end encryption • Only the endpoints can decrypt traffic • Companies wishing to restrict HTTPS traffic have two choices • Perform complete MITM with fake certificates, or real root certificates from trusted CAs • Allow encrypted traffic to trusted domains without being able to inspect it
  • 33. HTTPS and Proxies • Browser sends an HTTP request to the proxy using the CONNECT method and destination hostname and port number • If proxy allows the request, it returns 200 status and keeps the TCP connection open • Thereafter acts as a pure TCP-level relay to the destination web server
  • 34. HTTP Authentication • Basic: sends username and password in Base64-encoding • NTLM: Uses Windows NTLM protocol (MD4 hashing) • Digest: Challenge-response using MD5 hashing • These are generally used in intranets, not on the Internet • All are very weak cryptographically, and should be protected with HTTPS
  • 35. B
  • 37. Server-Side Functionality • Static content - HTML pages and images that are the same for all users • Dynamic content - response created on the fly, can be customized for each user • Created by scripts on the server • Customized based on parameters in the request
  • 38. HTTP Parameters • May be sent in these ways:
  • 39. Other Inputs • Server-side application may use any part of the HTTP request as an input • Such as User-Agent • Often used to display smartphone-friendly versions of pages
  • 41. The Java Platform • Standard for large-scale enterprise applications • Lends itself to multitiered and load-balanced architectures • Well-suited to modular development and code reuse • Runs on Windows, Linux, and Solaris
  • 42. Java Platform Terms • Enterprise Java Bean (EJB) • Heavyweight software component to encapsulate business logic, such as transactional integrity • Plain Old Java Object (POJO) • User-defined, lightweight object, distinct from a special object such as an EJB • Java Servlet • Object on an application server that receives HTTP requests from client and returns HTTP responses
  • 43. Java Platform Terms • Java web container • Platform or engine that provides a runtime environment for Java-based web applications • Ex: Apache Tomcat, BEA WebLogic, JBoss
  • 44. Common Components • Third-party or open-source components that are often used alongside custom-built code
  • 45. ASP.NET • Microsoft's web application framework • Competitor to Java platform • Uses .NET Framework, which provides a virtual machine (the Common Language Runtime) and a set of powerful APIs (Application Program Interfaces) • Applications can be written in any .NET language, such as C# or VB.NET
  • 46. Visual Studio • Powerful development environment for ASP.NET applications • Easy for developers to make a web application, even with limited programming skills • ASP.NET helps protect against some common vulnerabilities, such as cross-site scripting, without requiring any effort from the developer
  • 47. PHP • Originally "Personal Home Page", now "PHP Hypertext Processor" • Often used on LAMP servers • Linux, Apache, MySQL, and PHP • Free and easy to use, but many security problems • Both in PHP itself and in custom code using it
  • 49. Ruby on Rails • Allows rapid development of applications • Can autogenerate much of the code if developer follows the Rails coding style and naming conventions • Has vulnerabilities like PHP
  • 50. SQL (Structured Query Language) • Used to access data in relational databases, such as Oracle, MS-SQL, and MySQL • Data stored in tables, each containing rows and columns • SQL queries are used to read, add, update, or delete data • SQL injection vulnerabilities are very severe
  • 51. XML (eXtensible Markup Language) • A specification to encode data in machine-readable form • Markup uses tags
  • 52. Web Services and SOAP (Simple Object Access Protocol) • SOAP uses HTTP and XML to exchange data
  • 54. SOAP • If user-supplied data is incorporated into SOAP requests, it can have code injection vulnerabilities • Server usually publishes available services and parameters using Web Services Description Language (WSDL) • soapUI and other tools can generate requests based on WSDL file
  • 55. C
  • 57. HTML Hypertext Markup Language • HTML used for formatting "markup" • XHTML is based on XML and is stricter than old versions of HTML
  • 58. Hyperlinks • Clickable text that go to URLs • Clicking this link: • Makes this request
  • 61. multipart/form-data • Browser generates random boundary text • Link Ch 3c
  • 63. CSS Cascading Style Sheets • Specifies format of document elements • Separates content from presentation • Has vulnerabilities, and can be used for attacks
  • 64. Javascript • Scripts that run in the client's browser • Used to validate user-entered data before submitting it to the server • Dynamically modify UI in response to user action, such as in drop-down menus • Using Document Object Model (DOM) to control the browser's behavior
  • 65. VBScript • Microsoft's alternative to JavaScript • Only supported in Internet Explorer (now obsolete) • Edge does not support VBScript • Links Ch 3d, 3e
  • 67. Using the DOM • Link Ch 3g
  • 68. Ajax Asynchronous JavaScript and XML • Client-side scripts can fetch data without reloading the entire page • Allow you to drag Google Maps around
  • 69. Ajax Example • Google Maps API • Links Ch 3h, 3i
  • 70. JSON JavaScript Object Notation • Client-side JavaScript uses the XMLHttpRequest API to request data from a server • Data is returned in JSON format:
  • 72. Same-Origin Policy • Prevents content from different origins interfering with each other in a browser • Content from one website can only read and modify data from the same website • Ex: scripts on Facebook can't read or write to data on your online banking page • When this process fails, you get Cross-Site Scripting, Cross-Site Request Forgery, and other attacks
  • 74. HTML5
  • 76. Browser Extensions • Many security problems • More and more restricted in modern browsers
  • 77. State and Sessions • Stateful data required to supplement stateless HTTP • This data is held in a server-side structure called a session • The session contains data such as items added to a shopping cart • Some state data is stored on the client, often HTTP cookies or hidden form fields
  • 79. URL Encoding • URLs may contain only printable ASCII characters • 0x20 to 0x7e, inclusive • To transfer other characters, or problematic ASCII characters, over HTTP, they must be URL-encoded
  • 81. Unicode Encoding • Supports all the world's writing systems • 16 bits per character, starting with %u
  • 82. UTF-8 Encoding • Variable length • Uses % character before each byte • Unicode and UTF-8 are often used to bypass filters in attacks
  • 84. HTML-encoding user data before sending it to another user is used to prevent Cross-Site Scripting attacks
  • 85. Base64 Encoding • Represents binary data using 64 ASCII characters • Six bits at a time • Used to encode email attachments so they can be sent via SMTP • Uses this character set
  • 86. Hex Encoding • Hexadecimal numbers corresponding to each ASCII character • ABC encodes to 414243
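The encoding schemes of slides 79 through 86 side by side, in one added example for this page (not code from the slides or the textbook). It also covers two points the slides make elsewhere: Base64 is what HTTP Basic authentication uses (slide 34), so a Basic header is readable by anyone who sees it, and %u/UTF-8 forms defeat a filter that inspects input before decoding it (slide 82), so the check has to run on the canonical, decoded form. Sample strings are constructed; the `%uXXXX` helper assumes characters in the 16-bit Basic Multilingual Plane, as the slide does.

```python
"""URL, %uXXXX, UTF-8, HTML, Base64 and hex encoding, plus decode-then-check."""
import base64
import html
import re
from urllib.parse import quote, unquote


def url_encode(text):
    """Percent-encode everything outside the unreserved set (safe="" so / ? & = are encoded too)."""
    return quote(text, safe="")


def utf8_percent_encode(text):
    """UTF-8 form: %XX for each byte of the UTF-8 encoding (variable length)."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


def unicode_u_encode(text):
    """%uXXXX form: 16 bits per character (Basic Multilingual Plane only, by assumption)."""
    return "".join("%%u%04X" % ord(c) for c in text)


def decode_percent_forms(text):
    """Decode %uXXXX and then %XX, the way a lenient server-side decoder would."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def looks_like_markup(text):
    """Canonicalize first, then check; a check on the raw string misses encoded forms."""
    return "<" in decode_percent_forms(text)


def html_encode(text):
    """HTML-encode user data so the browser shows it as text, never as markup."""
    return html.escape(text, quote=True)


def render_greeting(user_name):
    """Build a page fragment with the user-supplied name HTML-encoded (slide 84)."""
    return "<p>Hello, %s</p>" % html_encode(user_name)


def base64_encode(data):
    """Six bits of input per output character, from a 64-character alphabet."""
    return base64.b64encode(data).decode("ascii")


def decode_basic_auth(header_value):
    """Recover (user, password) from an Authorization: Basic value.

    Base64 is an encoding, not encryption: anyone who sees the header sees
    the credentials, which is why slide 34 says to protect it with HTTPS.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def hex_encode(data):
    """Two hex digits per byte: b'ABC' -> '414243'."""
    return data.hex().upper()


if __name__ == "__main__":
    sample = "caf\u00e9 & <b>"
    print("URL:    ", url_encode(sample))
    print("UTF-8:  ", utf8_percent_encode(sample))
    print("%u:     ", unicode_u_encode(sample))
    print("HTML:   ", html_encode(sample))
    print("Base64: ", base64_encode(sample.encode("utf-8")))
    print("Hex:    ", hex_encode(sample.encode("utf-8")))
    print("Basic header decodes to:", decode_basic_auth("Basic " + base64_encode(b"user:pass")))
```

The `looks_like_markup` helper is the defensive side of slide 82: validation that runs before decoding, or that decodes only one of the two percent forms, can be satisfied by the other form, so decode to the canonical string first and apply HTML encoding on output regardless of what validation decided.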
  • 87. Remoting and Serialization Frameworks • Allows client-side code to use server-side APIs as if they were local
  • 88. D