The Basics Hypertext Transfer Protocol And More.

Web Application Security 101 - 02 The Basics


DESCRIPTION

In part 2 of Web Application Security 101 we cover the basics of HTTP, HTML, XML, JSON, JavaScript, CSS and more in order to get you up to speed with the technology. This knowledge will be used during the rest of the course to explore the various security aspects affecting web applications today.


Page 1: Web Application Security 101 - 02 The Basics

The Basics

Hypertext Transfer Protocol And More.

Page 2

History Of HTTP

Specified in the early 90s.

Very simple text-based protocol.

Designed for transferring text-based documents.

Page 3

How It Is Built

A request and a response.

Request/response line, headers and a body.

Lines delimited by the CRLF characters (0x0d, 0x0a)

Page 4

Typical HTTP Request

GET /path/to/something HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 ...
Accept: text/html,application/xhtml+xml,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://i/came/from/here

Page 5

Typical HTTP Response

HTTP/1.1 200 OK
Date: Wed, 23 Nov 2013 10:10:10 GMT
Server: Some Server
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1337
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8

body

Page 6

Browser → Server

Specify the method: GET, POST, HEAD, OPTIONS, etc.

Specify the location: a URL/URI (Uniform Resource Locator/Identifier).

Tell the server more about how you want the data: headers.

Provide optional body.

Page 7

Browser ← Server

The server responds with a status code: 2xx (ok), 3xx, 4xx, 5xx (not ok).

It is followed by extra information: headers.

There is also an optional body.

Page 8

HTTP Request Deconstructed

METHOD location VERSION
Header1: Value1
Header2: Value2

body

Page 9

HTTP Response Deconstructed

VERSION code MESSAGE
Header1: Value1
Header2: Value2

body

Page 10

In Summary

Plain text format made of lines.

Lines are segmented by the CRLF characters.

Each part is made of an initial line, headers and a body.

Guarantees simple implementation across different technologies.

Page 11

Some Observations

No authentication!

No encryption!

No sessions!

No streaming!

Page 12

HTTP Develops

The spec is extended with HTTP/1.0 and later HTTP/1.1.

Streaming, Authentication, Sessions, Virtual Hosts and more.

Page 13

HTTP Authentication

There are several kinds: basic, digest, ntlm.

Basic auth is based around base64 encoding.

Digest is based around challenge/response.

NTLM is a proprietary protocol developed by Microsoft.

Page 14

HTTP Encryption

A layer underneath HTTP called SSL.

SSL stands for Secure Sockets Layer.

It works as a wrapper around sockets.

Page 15

HTTP Sessions

The HTTP protocol is completely stateless.

Sessions enable state typically stored as cookies.

Cookies are a simple storage provided by the browser.

Cookies are restricted by the SOP (Same Origin Policy).

Cookies also have various security flags: httpOnly and secure.
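An added example, not code from the slides, of checking the two flags just named: a small audit that reports, for every Set-Cookie header in a response, which of Secure and HttpOnly it lacks. The response it inspects is constructed for the example.

```python
# Added example (not from the slides): audit Set-Cookie headers for the flags
# named on page 15 (Secure, HttpOnly).  The response below is constructed.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "Set-Cookie: track=1; Secure\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n\r\n"
    "<html><head></head><body></body></html>"
)

REQUIRED_FLAGS = {"secure", "httponly"}

def cookie_flags(set_cookie: str) -> tuple:
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; bare flags like HttpOnly carry no value.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit_cookies(raw_response: str) -> dict:
    """Map every cookie the response sets to the security flags it lacks."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        hname, _, value = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        name, attrs = cookie_flags(value.strip())
        findings[name] = sorted(REQUIRED_FLAGS - attrs)
    return findings
```

A cookie that carries a session identifier and comes back with a non-empty list is the finding worth acting on first.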

Page 16

Enough?

There is so much more to learn.

Page 17

Virtual Hosts

Initially one HTTP server per box.

This was very wasteful in the pre-virtualization era.

The Host header was introduced to enable multiple sites per box.

Page 18

Transport Mechanisms

Content-Length: <size> - the body has a length.

Transfer-Encoding: chunked - the body is made of chunks.
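A parser for the message layout of pages 8 to 10 and the two body framings on this page, added here as an example; it is not code from the slides. The sample messages are constructed: the page 21 POST with an assumed Host value, and a chunked variant of the same body.

```python
# Added example (not from the slides): minimal HTTP/1.1 message parser (pages 8-10, 18).
CRLF = b"\r\n"
# Constructed samples: the POST from page 21 and a chunked variant of it.
SAMPLE_POST = (b"POST /path/delete.php HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 14\r\n\r\nusername=guest")
SAMPLE_CHUNKED = (b"POST /path/delete.php HTTP/1.1\r\nHost: example.test\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n"
                  b"9\r\nusername=\r\n5;ext=1\r\nguest\r\n0\r\n\r\n")

def parse_message(raw: bytes):
    """Split one HTTP message into (start line, headers, body)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        # Header names are case-insensitive; values are trimmed of whitespace.
        headers[name.decode("ascii").strip().lower()] = value.decode("latin-1").strip()
    return lines[0].decode("ascii"), headers, read_body(headers, rest)

def read_body(headers: dict, rest: bytes) -> bytes:
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    has_length = "content-length" in headers
    if chunked and has_length:
        # Two framing rules for one body is ambiguous; RFC 7230 says to reject it.
        raise ValueError("both Content-Length and Transfer-Encoding present")
    if chunked:
        return decode_chunked(rest)
    if has_length:
        n = int(headers["content-length"])
        return rest[:n]
    return b""  # no framing header means no body

def decode_chunked(data: bytes) -> bytes:
    """Chunks are: hex size[;extensions] line, data, CRLF; a zero size ends the body."""
    out, pos = bytearray(), 0
    while True:
        line_end = data.index(CRLF, pos)
        size = int(data[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk's trailing CRLF
```

Both samples decode to the same body; a message carrying both framing headers is refused rather than guessed at, which is the behaviour a server or proxy should have.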

Page 19

Transport Encodings

application/x-www-form-urlencoded is used for sending forms.

multipart/form-data is used for submitting files.

application/json is used for uploading/downloading json.

application/xml is used for uploading/downloading xml.

Page 20

Data Encodings

URL encoding: % followed by the hex representation of a character.

Entity encoding also known as XML encoding: &<entity>;.

Base64 encoding: everything is represented by 64 ASCII characters.
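The three encodings above worked through in Python, together with the Basic scheme from page 13 and the form body format from page 19; this is an added example, not code from the slides. The sample form body and the credentials it decodes are constructed.

```python
# Added example (not from the slides): the encodings of pages 13, 19 and 20
# applied to a form body like the one on page 21 (sample values are constructed).
import base64
import html
import string

SAMPLE_BODY = "username=guest&note=%3Cb%3Ehi%26bye%3C%2Fb%3E+%25+100"

def percent_decode(text: str) -> str:
    """Decode %XX escapes byte-wise, then '+' as space (form-urlencoded rule)."""
    out, i = bytearray(), 0
    while i < len(text):
        pair = text[i + 1:i + 3]
        if text[i] == "%" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))  # one escaped byte; decoded as UTF-8 below
            i += 3
        else:
            out += b" " if text[i] == "+" else text[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")

def parse_form(body: str) -> dict:
    """Split application/x-www-form-urlencoded into decoded name/value pairs."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[percent_decode(key)] = percent_decode(value)
    return fields

def entity_encode(value: str) -> str:
    """Entity-encode (&<entity>;) the characters HTML treats as markup."""
    return html.escape(value, quote=True)

def basic_credentials(authorization: str) -> tuple:
    """Decode an Authorization: Basic value; base64 is encoding, not secrecy."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password
```

The note field shows why the decode and encode steps are paired: a value that arrives URL-encoded is plain markup once decoded, and must be entity-encoded again before it is written into HTML.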

Page 21

GET vs. POST

Here is a GET request where parameters are in the URL:

GET /path/delete.php?username=guest HTTP/1.1

Here is a POST request where parameters are in the body:

POST /path/delete.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

username=guest

Sometimes GET and POST are substitutable.

Page 22

REST

Architectural style of programming predominantly for APIs.

DELETE /username/guest HTTP/1.1

Page 23

HTML

Hyper Text Markup Language

<html><head></head><body></body></html>

Page 24

XML

Extensible Markup Language

<doc><element></element></doc>

Page 25

JSON

JavaScript Object Notation

{"key": "value"}

Page 26

Lab

We will learn how to apply all of this.