Fundamental Concepts
OWASP Hyderabad, Oct 10th, 2009
Marc-André Laverdière
Agenda
● Network Basics
● IP, TCP, UDP, DNS
● Internet Architecture
● Static Web architecture
● HTTP features
● REST-based architecture
(P.S. All images courtesy of Wikipedia)
Network Basics
● OSI 7 Layer Model
Network Topologies
● Point to point: using a switch or dedicated wiring
● Bus: common wire, like in cable internet
● Star: central hub
● Ring: token ring
● Mesh: redundancies
● Tree: hierarchical
Network Terms
● Client: computer that requests a service
● Server: computer that fulfills the request
● Gateway: point of contact to another network
● Proxy: intermediary for making requests to servers. Often caches resources
● Router: forwards information
● Hub: connects many network segments
● Switch: more efficient hub
● Link: connection between two points
IP
● IP: Internet Protocol
● Used to send packets between point A and point B
● No delivery guarantee
● Two current versions: IPv4 and IPv6
IPv4 vs IPv6
● IPv6 adds many features to IPv4:
– Greater address space
– Supports autoconfiguration
– Multicast
– Mandatory IPSec (encryption, authentication, tunnelling)
– Removed rare fields, redundant checksum
– Larger max packet size (4GB)
– Support for mobile devices
NAT
● Network Address Translation, used with IP masquerading
● Used to make one IP address the front-end for many, e.g. a wireless hub+router
● Gateway rewrites the packets so that they look like they all originate from the gateway
● Breaks some applications, like SIP and some peer-to-peer clients
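To make the two NAT bullets concrete (the gateway rewriting source addresses, and why peer-to-peer clients break), here is a toy port-translating NAT in Python. It is an added illustration, not material from the talk: the addresses are constructed sample values from documentation ranges, packets are plain dicts, and `NatGateway`, `outbound` and `inbound` are names chosen for this example.

```python
"""Toy port-translating NAT (NAPT) gateway.

Added illustration, not material from the talk. Addresses and ports are
constructed sample values from documentation ranges (RFC 5737), and packets
are plain dicts with src/sport/dst/dport fields.
"""
from itertools import count

PUBLIC_IP = "203.0.113.5"   # constructed: the gateway's single public address


class NatGateway:
    """Rewrites outbound packets so they appear to come from the gateway,
    and maps replies back to the internal host that started the flow."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        # (private_ip, private_port, dst_ip, dst_port) -> public port used for this flow
        self.table = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.reverse = {}

    def outbound(self, pkt):
        """Internal host -> Internet: allocate (or reuse) a mapping and rewrite the source."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.table:
            public_port = next(self._next_port)
            self.table[key] = public_port
            self.reverse[(public_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.table[key]}

    def inbound(self, pkt):
        """Internet -> internal host: only packets matching an existing mapping get through.
        Returns the rewritten packet, or None when the gateway drops it."""
        target = self.reverse.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if target is None:
            return None   # unsolicited: no inside host ever opened this flow
        private_ip, private_port = target
        return {**pkt, "dst": private_ip, "dport": private_port}


def demo():
    """Two LAN hosts behind one public address, plus an unsolicited inbound packet."""
    gw = NatGateway(PUBLIC_IP)
    a = gw.outbound({"src": "192.168.1.10", "sport": 5000, "dst": "198.51.100.7", "dport": 80})
    b = gw.outbound({"src": "192.168.1.11", "sport": 5000, "dst": "198.51.100.7", "dport": 80})
    reply_to_b = gw.inbound({"src": "198.51.100.7", "sport": 80, "dst": PUBLIC_IP, "dport": b["sport"]})
    # A peer that was never contacted from inside tries to reach an internal host directly:
    # this is the case that breaks inbound-connection protocols such as SIP or peer-to-peer.
    unsolicited = gw.inbound({"src": "198.51.100.9", "sport": 6881, "dst": PUBLIC_IP, "dport": 40002})
    return a, b, reply_to_b, unsolicited


if __name__ == "__main__":
    for label, pkt in zip(("A out", "B out", "reply to B", "unsolicited"), demo()):
        print(f"{label:12} {pkt}")
```

Both LAN hosts leave with the same public source address and are told apart only by the port the gateway assigned; the unsolicited packet has no table entry, so the gateway has nowhere to deliver it, which is exactly what the inbound-connection applications mentioned above run into.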
TCP
● Transmission Control Protocol
● Allows reliable transmissions
● Error detection
● Flow/congestion control
● Adds the concept of ports
● Connection-based
UDP
● User Datagram Protocol
● Ports
● Fast
● No integrity checking/resending
DNS
● Domain Name System
● Mainly UDP
● Some TCP
● 13 root server clusters
Internet Architecture
● Interconnected computer networks
● TCP/IP
● DNS
● Lots of hardware
● Supports many things
– WWW
– Usenet
– IRC
Static Web Architecture
● WWW: portion of the Internet for retrieval of hyperdocuments
● Multiple clients, multiple servers
● All resources are static
● Documents can include or refer to other resources
● Resources are organized under websites
● DNS, HTTP, HTML
HTTP
● HyperText Transfer Protocol
● Text-based
● Binary content must be encoded (often Base64)
● One connection per request (HTTP 1.0) or one connection for many (HTTP 1.1)
● Stateless
● Verbs:
– HEAD: get metadata
– GET: get a resource
– POST: submit data to a resource
– PUT: upload a resource
– DELETE: delete a resource
– TRACE: echo back the request
– OPTIONS: list supported methods
– CONNECT: create a tunnel
HTTP Request
● User-Agent: Opera/9.64 (X11; Linux i686; U; en) Presto/2.1.1
● Host: www.wired.com
● Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
● Accept-Language: en-IN,en;q=0.9
● Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
● Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
● Cookie: [cut]
● Cookie2: $Version=1
● Proxy-Connection: Keep-Alive
HTTP Response Header
● HTTP/1.1 200 OK
● Date: Mon, 23 May 2005 22:38:34 GMT
● Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
● Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
● Etag: "3f80f-1b6-3e1cb03b"
● Accept-Ranges: bytes
● Content-Length: 438
● Connection: close
● Content-Type: text/html; charset=UTF-8
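The HTTP slides above say the protocol is text-based and show a request and a response header by header. The following Python parser, added here as an example and not part of the talk, reads messages of that shape: the request line, case-insensitive header names, the q-values in `Accept`, and a `Content-Length` body. The sample request and response are constructed from the header names on the slides rather than captured traffic, and the function names (`parse_message`, `parse_request`, `parse_response`, `parse_accept`) are this example's own. It also refuses two shapes a careful server must reject: a missing `Host` on HTTP/1.1 and two `Content-Length` headers that disagree.

```python
"""Parser for text-based HTTP/1.x request and response messages.

Added example, not code from the talk. The messages below are constructed
from the header names the slides show, not captured traffic. Header names
are treated case-insensitively, and a few malformed shapes are refused.
"""

SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Opera/9.64 (X11; Linux i686; U; en) Presto/2.1.1\r\n"
    "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, */*;q=0.1\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 28\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><body>hi</body></html>"
)


def parse_message(raw):
    """Split a message into (start line, headers dict, body); raise on malformed input."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: headers not terminated by a blank line")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        # reject a missing colon, an empty name, or whitespace around the name
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.lower(), value.strip()
        if key in headers:
            if key == "content-length" and headers[key] != value:
                raise ValueError("conflicting Content-Length headers")
            value = headers[key] + ", " + value      # fold repeated headers
        headers[key] = value
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValueError("Content-Length is not a non-negative integer")
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError("body shorter than Content-Length")
        body = body[:length]     # anything beyond belongs to the next message on the connection
    return start_line, headers, body


def parse_request(raw):
    start, headers, body = parse_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start!r}")
    method, target, version = parts
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requests must carry a Host header")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_response(raw):
    start, headers, body = parse_message(raw)
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {start!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return {"version": parts[0], "status": int(parts[1]), "reason": reason,
            "headers": headers, "body": body}


def parse_accept(value):
    """Order the media types of an Accept header by q-value, highest first."""
    ranked = []
    for position, part in enumerate(value.split(",")):
        media, *params = [p.strip() for p in part.split(";")]
        q = 1.0                      # a type without q= has the default weight 1
        for param in params:
            if param.startswith("q="):
                q = float(param[2:])
        ranked.append((media, q, position))
    ranked.sort(key=lambda t: (-t[1], t[2]))   # equal q keeps the header's own order
    return [(media, q) for media, q, _ in ranked]


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], "->", parse_accept(req["headers"]["accept"]))
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp["status"], resp["reason"], repr(resp["body"]))
```

Because the format is plain text, the parser is short, but the two rejections matter: the `Content-Length` check stops a message from being read as two different lengths by two different parsers, which is the root of request-smuggling problems between proxies and origin servers.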
Cookies
● Cookies are values determined by the server that are stored by the client
● The client automatically sends the cookie value on every request to the server
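The two cookie bullets describe a client-side store that the server fills and the client replays. This small Python cookie jar, added here as an example and not part of the talk, does just that: it parses `Set-Cookie` headers, keeps the values per host, builds the `Cookie` header for the next request to that host, and honours `Max-Age=0` so the server can expire a value. The host names, cookie names and values are constructed, and `CookieJar` is a name chosen for this example.

```python
"""Toy client-side cookie jar.

Added illustration, not from the talk: it stores the values a server sets via
Set-Cookie and replays them, scoped to the host that set them. Host names and
cookie values are constructed.
"""
from typing import Dict, List, Optional


class CookieJar:
    def __init__(self):
        self._store: Dict[str, Dict[str, str]] = {}   # host -> {name: value}

    def receive(self, host: str, set_cookie_headers: List[str]) -> None:
        """Process the Set-Cookie headers of a response from `host`."""
        for header in set_cookie_headers:
            pair, *raw_attrs = [p.strip() for p in header.split(";")]
            name, _, value = pair.partition("=")
            attrs = {a.partition("=")[0].lower(): a.partition("=")[2] for a in raw_attrs}
            jar = self._store.setdefault(host, {})
            if attrs.get("max-age") == "0":
                jar.pop(name, None)       # server told the client to forget it
            else:
                jar[name] = value

    def cookie_header(self, host: str) -> Optional[str]:
        """Build the Cookie header the client attaches to its next request to `host`."""
        jar = self._store.get(host)
        if not jar:
            return None
        return "; ".join(f"{n}={v}" for n, v in jar.items())


def demo():
    jar = CookieJar()
    # A login response sets two cookies; the client has to store them itself
    jar.receive("app.example", ["session=abc123; Path=/; HttpOnly", "theme=dark"])
    first = jar.cookie_header("app.example")
    other = jar.cookie_header("other.example")             # different host: nothing is sent
    jar.receive("app.example", ["session=; Max-Age=0"])   # logout: server expires the session cookie
    after_logout = jar.cookie_header("app.example")
    return first, other, after_logout


if __name__ == "__main__":
    print(demo())
```

The server never sees the jar; all it can do is hand down values and ask for them back, which is why a stateless protocol can still carry a session: the state rides along in the client's cookie header on every request.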
REST-Based Architecture
● Problem: what I described is static. We need to execute code to have Web Applications
● Principles:
– Everything goes through the resources. Resources are different from the representation given to the clients
– Resources can be manipulated through the representation
– Each message is self-descriptive
– Hypermedia contains the application state
Essentially
● Applications react to queries from the clients only. Nothing happens without a query.
● Resource access is free to trigger any processing
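The REST principles and the two "Essentially" bullets are easiest to see in a small dispatcher. The Python below is an added illustration, not code from the talk: an in-memory note store is the resource, `GET` returns it as JSON or HTML depending on `Accept` (one resource, several representations), `POST` and `PUT` change it only through a validated representation, every reply carries the headers that describe it (`Content-Type`, `Location`, `Allow`), and the HTML representation links to the next transitions. The URIs, field names, sample note and function names (`handle`, `represent`, `validate`) are all constructed for this example.

```python
"""Tiny REST-style dispatcher: one resource, several representations.

Added illustration, not code from the talk. The resource is an in-memory note
store; the URIs, field names and sample note are constructed.
"""
import html
import itertools
import json

NOTES = {"1": {"title": "Buy milk", "done": False}}   # server-side state: the resource itself
_ids = itertools.count(2)


def represent(note_id, note, accept):
    """Same resource, different representation chosen from the client's Accept."""
    links = {"self": f"/notes/{note_id}", "collection": "/notes"}
    if "application/json" in accept:
        return "application/json", json.dumps({**note, "_links": links})
    # HTML representation: the links in the document are the state transitions offered
    body = (f"<h1>{html.escape(note['title'])}</h1>"
            f"<a href=\"{links['collection']}\">all notes</a>")
    return "text/html", body


def validate(body):
    """Clients change the resource by sending a representation; accept only a valid one."""
    data = json.loads(body or "{}")
    if (set(data) != {"title", "done"} or not isinstance(data["title"], str)
            or not isinstance(data["done"], bool)):
        raise ValueError("representation does not match the note schema")
    return {"title": data["title"], "done": data["done"]}


def handle(method, path, headers=None, body=None):
    """Entry point: nothing changes on the server until a client sends a request."""
    try:
        return _route(method, path, headers or {}, body)
    except ValueError as exc:          # bad JSON or wrong schema -> the client's mistake
        return 400, {"Content-Type": "text/plain"}, str(exc)


def _route(method, path, headers, body):
    accept = headers.get("Accept", "text/html")
    parts = path.strip("/").split("/")
    if parts[0] != "notes" or len(parts) > 2:
        return 404, {"Content-Type": "text/plain"}, "not found"
    if len(parts) == 1:                                   # the collection resource
        if method == "GET":
            return 200, {"Content-Type": "application/json"}, json.dumps([f"/notes/{i}" for i in NOTES])
        if method == "POST":
            new_id = str(next(_ids))
            NOTES[new_id] = validate(body)
            return 201, {"Location": f"/notes/{new_id}"}, ""   # self-descriptive: where it now lives
        return 405, {"Allow": "GET, POST"}, ""
    note_id = parts[1]                                    # an individual note resource
    if method == "GET":
        if note_id not in NOTES:
            return 404, {"Content-Type": "text/plain"}, "not found"
        ctype, out = represent(note_id, NOTES[note_id], accept)
        return 200, {"Content-Type": ctype}, out
    if method == "PUT":
        NOTES[note_id] = validate(body)
        return 200, {"Content-Type": "application/json"}, json.dumps(NOTES[note_id])
    if method == "DELETE":
        NOTES.pop(note_id, None)
        return 204, {}, ""
    return 405, {"Allow": "GET, PUT, DELETE"}, ""


if __name__ == "__main__":
    print(handle("GET", "/notes/1", {"Accept": "application/json"}))
    print(handle("GET", "/notes/1", {"Accept": "text/html"}))
    print(handle("POST", "/notes", body='{"title": "<b>x</b>", "done": true}'))
```

Note that `validate` is where "resource access is free to trigger any processing" meets the client's data: the stored note is rebuilt from the fields the schema allows, and the HTML representation escapes the title before it is placed in markup, so a representation supplied by one client cannot inject into the document served to another.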