HTTP Security. CSC 482/582: Computer Security Slide #1
Slide 2: Topics
1. How HTTP works
2. HTTP methods, headers, and responses
3. URIs, URLs, and URNs
4. Statelessness
5. Cookies
6. More HTTP methods and headers
7. Proxying and Caching
8. HTTP Vulnerabilities
Slide 3: HTTP: HyperText Transfer Protocol
[Figure: Web Client sends a Request for Resource to the Web Server; the Web Server returns a Response]
Slide 4: Pages Require Many Requests
[Figure]
Slide 5: HTTP GET Request
Request line (Method, URL, Protocol Version):
  GET HTTP/1.1
Headers:
  Host:
  User-Agent: Mozilla/5.0 (Windows NT 6.2) Gecko/ Firefox/35.0
  Accept: text/html, image/png, */*
  Accept-Language: en-us,en;q=0.5
  Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4
Blank line
No data for GET method
Slide 6: HTTP POST Request
Request line (Method, URL, Protocol Version):
  POST HTTP/1.1
Headers:
  Host:
  User-Agent: Mozilla/5.0 (Windows NT 6.2) Gecko/ Firefox/35.0
  Accept: text/html, image/png, */*
  Accept-Language: en-us,en;q=0.5
Blank line
POST data:
  name=jane+doe&sex=female&color=green&over6feet=true&over200pounds=false&athleticability=na
Slide 7: HTTP Response
Status line (Protocol Version, HTTP Response Code):
  HTTP/ OK
Headers:
  Cache-Control: private
  Content-Type: text/html
  Server: GWS/2.1
  Date: Fri, 13 Oct :16:30 GMT
Blank line
Web page data:
  <HTML>... (page data)... </HTML>
Slide 8: Common HTTP Methods
GET: Retrieve resource located at specified URI.
HEAD: Retrieve metadata about resource located at specified URI. Useful for caches to determine if they need to retrieve an updated resource.
PUT: Create or replace resource located at specified URI with resource provided by client.
DELETE: Delete resource located at specified URI.
OPTIONS: Return list of HTTP methods that can be used with specified URI.
POST: Create a new resource under the specified URI, e.g. adding a new message in a web forum, adding a comment to a blog post, annotating a photo, etc. In summary, POST is a way for a client to create a new resource without knowing its URI; the client just knows the URI of a parent or factory resource.
Slide 9: Idempotence and Safety
An operation is safe if making the request will not change any state on the server. GET, HEAD, and OPTIONS are safe.
An operation is idempotent if making one request has the same effect as making a series of identical requests. PUT and DELETE are idempotent.
POST is neither safe nor idempotent.
It is possible for servers to misuse requests like GET. Example: GET
If misused, testing tools, spiders, and caches can destroy data.
Slide 10: Common HTTP Response Codes
200 OK: Resource is available in the body of the response. No errors.
301 MOVED PERMANENTLY: Client triggered an action that caused the URI to change, or attempted to access the old URI.
400 BAD REQUEST: Client sent a request with an error. If there is a response body, it contains an error message.
404 NOT FOUND: No resource is available at the specified URI.
409 CONFLICT: Client requested an action that would put resources in an inconsistent state.
410 GONE: Resource is no longer available at the specified URI.
500 INTERNAL SERVER ERROR: Server error. If there is a response body, it contains an error message.
Slide 11: Common Request Headers
Accept: Content-types (Internet media types) acceptable for the response.
Authorization: Authentication credentials for HTTP authorization.
Cookie: Sends state previously set by the server back to the server.
Content-Length: Length of data in body (important for POST requests).
Host: Name of server (and port if not default). Mandatory in HTTP/1.1.
If-Modified-Since: Server should only return a response if the data was modified since the date specified in this header.
Referer: URL of the web page from which a link was followed to produce this request. Some URLs contain sensitive information, so some sites use intermediate services to anonymize this header.
User-Agent: String that identifies the browser, typically containing a product name and version (Firefox/36.0), layout engine name and version (Gecko/2010), operating system (Linux x86_64), and compatibility token (Mozilla/5.0).
Slide 12: Common Response Headers
Content-Length: Specifies length of response body sent to browser, except in the case of chunked data, where chunk lengths are sent in the body.
Content-Type: Internet media type of data being sent to browser.
Location: Used in redirection responses.
Server: Server identification string, e.g. Apache/
Set-Cookie: Creation or overwriting of an HTTP cookie.
Transfer-Encoding: Specifies encoding (compression type or chunked) for page data sent to browser.
WWW-Authenticate: Specifies type of HTTP authentication that should be used.
Slide 13: HTTP Header Parsing
Handling of duplicate headers
  ~50% of browsers/servers will use the first header.
  ~50% of browsers/servers will use the last header.
Mixing of protocol versions
  Difficult to predict the effect of mixing 1.0 and 1.1 headers, especially when headers have the same purpose. Ex: Expires (1.0) and Cache-Control (1.1) headers.
Semicolon-delimited header values
  Quoted string format values not handled well by IE.
  Content-Disposition: attach; filename= evil.exe;.txt
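The request layouts on slides 5 and 6 and the duplicate-header problem on this slide, worked as an added Python example that is not code from the slides: a small HTTP/1.1 request parser that splits the request line, header block and Content-Length-delimited body, keeps every occurrence of a header, and makes the first/last/reject choice an explicit policy rather than an accident of the library. The sample requests are constructed (modelled on the slides), and www.example.com, /search and /survey are placeholders.

```python
"""Minimal HTTP/1.1 request parser with an explicit duplicate-header policy."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs

CRLF = b"\r\n"


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    # lower-cased header name -> every value seen, in wire order
    headers: Dict[str, List[str]] = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str, policy: str = "reject") -> Optional[str]:
        """Return one value for a header.

        policy="first" and policy="last" reproduce the two behaviours the
        slide attributes to roughly half of browsers and servers each; the
        default "reject" treats an ambiguous header as an error, which is
        what you want for Host, Content-Length and similar.
        """
        values = self.headers.get(name.lower())
        if not values:
            return None
        if len(values) > 1:
            if policy == "first":
                return values[0]
            if policy == "last":
                return values[-1]
            raise ValueError(f"duplicate header {name!r}: {values}")
        return values[0]

    def form_fields(self) -> Dict[str, List[str]]:
        """Decode an application/x-www-form-urlencoded body (the POST slide)."""
        return parse_qs(self.body.decode("ascii"), keep_blank_values=True)


def parse_request(raw: bytes) -> HttpRequest:
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line terminating the header block")
    lines = head.split(CRLF)
    fields = lines[0].decode("ascii").split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    req = HttpRequest(*fields)
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        # No empty names and no whitespace before the colon (RFC 7230 3.2.4).
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        req.headers.setdefault(name.lower(), []).append(value.strip())
    if req.version == "HTTP/1.1" and "host" not in req.headers:
        raise ValueError("HTTP/1.1 request without Host header")
    # "reject" policy: two Content-Length values make the body boundary ambiguous.
    length = req.header("Content-Length")
    if length is not None:
        n = int(length)
        if len(rest) < n:
            raise ValueError("body shorter than Content-Length")
        req.body = rest[:n]
    return req


# Constructed sample messages modelled on the GET and POST slides.
GET_REQUEST = (
    b"GET /search?q=http HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.2) Gecko Firefox/35.0\r\n"
    b"Accept: text/html, image/png, */*\r\n"
    b"Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4\r\n"
    b"\r\n"
)
POST_BODY = b"name=jane+doe&sex=female&color=green&over6feet=true"
POST_REQUEST = (
    b"POST /survey HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(POST_BODY)).encode() + b"\r\n"
    b"\r\n" + POST_BODY
)
# Two Content-Length headers: the kind of ambiguity the slide describes.
DUPLICATE_LENGTH_REQUEST = (
    b"POST /survey HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Length: 4\r\nContent-Length: 10\r\n\r\nabcdefghij"
)

if __name__ == "__main__":
    get = parse_request(GET_REQUEST)
    print(get.method, get.target, get.header("Host"))
    print(parse_request(POST_REQUEST).form_fields())
    try:
        parse_request(DUPLICATE_LENGTH_REQUEST)
    except ValueError as exc:
        print("rejected:", exc)
```

The parser stores header values as lists on purpose: a server that silently picks one copy of Content-Length or Host makes a different choice from the proxy in front of it, and that disagreement is exactly what the slide's 50/50 split warns about.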
Slide 14: Internet Media Types
Standards
  Original MIME (Multipurpose Internet Mail Extensions)
  IANA maintains official registry of types at
Format
  Type/Subtype; Optional Parameters
  Example: text/html; charset=utf-8
Handling in HTTP
  Requested in Accept: header.
  Specified by server in Content-Type: header.
  Browser may view directly, use a plug-in, or start an external program.
Slide 15: HTTP Standards
Historical Standards
  HTTP 0.9 (1991): 1st documented version.
  HTTP 1.0 (1996): defined in RFC
  HTTP 1.1 (1999): defined in RFC
Current Standard (well specified HTTP/1.1, 2014)
  RFC 7230: Message Syntax and Routing
  RFC 7231: Semantics and Content
  RFC 7232: Conditional Requests
  RFC 7233: Range Requests
  RFC 7234: Caching
  RFC 7235: Authentication
Slide 16: HTTP/2
Focused on performance; no semantics changes.
  Based on Google's SPDY protocol.
  Single TCP connection for each client/server pair. Allows multiple requests and responses to be sent simultaneously over the same connection.
  HPACK header compression.
  Server can push additional documents (images, stylesheets, scripts, iframes).
Status
  IETF finished; expected to publish RFC in 1Q2015.
  Firefox 36 and Chrome 40 will support draft HTTP/2.
Slide 17: Uniform Resource Identifiers (URIs)
A URI is a string of characters that identifies a web resource. URIs come in two types.
Uniform Resource Names (URNs)
  Identify a resource by name within a specific namespace. Ex: urn:isbn:
Uniform Resource Locators (URLs)
  Identify a resource via a representation of its primary access mechanism, e.g. a network address. Ex:
Slide 18: URL Format
Proto is the network protocol, e.g. http, ftp, mailto, etc.
User and pw are optional authentication credentials.
Host is the DNS name or IP address of the server.
Port is the TCP port number; defaults to 80 for http.
Path is the name of the resource on the server, which may or may not represent a filesystem path.
Qstr is a query string, typically used by GET requests to send parameters to an application.
Frag is a fragment identifier used by the client to identify a location within a web page. It is not sent to the server. Some client apps use fragments for navigation, so their contents may be security sensitive.
Slide 19: URL Encoding
Query string is a set of key=value pairs separated by &. Ex: ?q=cloud&lang=en
Whitespace marks the end of a URL.
Special characters must be URL-encoded.
  %HH represents the character with hex value HH, e.g. %20 = space.
  Special characters include whitespace / # &
  Any character may be encoded, including in the proto, path, etc.
URL encoding is also used in the body of POST requests.
Slide 20: HTTP is a stateless protocol
A stateful protocol allows requests to move the server into a different state, in which a request may produce a different result.
  Example protocols: FTP, SMTP, TCP
  The FTP command get rest.txt will return a different file when cwd is /public rather than /private.
A stateless protocol treats each request as an independent transaction that is unrelated to any previous request, so that communication consists of independent pairs of requests and responses.
  Examples: HTTP, IP
Slide 21: Stateless and Stateful Architectures
[Figure]
Slide 22: Handling Statelessness
Store state information directly in the address (URI)
  To access the second page in a Google search for http: q=http&safe=off&start=10
  Works best for web services.
Store state indirectly in an HTTP header (cookies)
  Most common type of state storage.
Some plug-ins can store state. Flash cookies are the most common type.
HTML 5 provides browser storage features.
Slide 23: Cookies
Maintain state via HTTP headers
  State specified is a set of name=value pairs.
  Set-Cookie header sent from server.
  Cookie header sent from browser.
  No RFC specification used until RFC 6265 in
Examples
  Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb :59:00 GMT
  Cookie: foo=bar
Encoding
  Encode cookies with base64 to avoid metacharacter interpretation (colons, commas, slashes, quotes, etc.)
Slide 24: Cookie Fields
Expires: if specified, cookie may be saved to disk and persist across sessions. If not, then cookie persists for the duration of the browser session.
Max-age: similar to Expires, but not supported by IE.
Domain: scoping mechanism to allow cookie to be scoped to a domain broader than the host that sent the Set-Cookie header.
Path: scopes cookie to a specified path prefix.
Secure: prevents cookie from being sent over non-encrypted connections.
HttpOnly: removes ability to read cookie via the document.cookie API in JavaScript, to protect against XSS.
Slide 25: Cookie Security Policy
Domain parameter limits which servers are sent the cookie, in complex ways (see table).
Path parameter limits which paths are sent cookies, but JavaScript from any path can read cookies.
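The cookie fields of slide 24 and the domain/path scoping rules of this slide, as an added Python example (not code from the slides): it parses a Set-Cookie header the way a browser receiving it from a given host would, refuses a Domain attribute that does not cover the setting host, and then decides whether a stored cookie is attached to a later request using RFC 6265-style domain matching, path matching and the Secure flag. The host names (example.com and its subdomains, evil.net) and the cookie values are constructed placeholders; the header is modelled on the slide's foo=bar example.

```python
"""Set-Cookie parsing and the send/don't-send decision for a stored cookie."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None  # None: host-only cookie (no Domain attribute)
    path: str = "/"
    secure: bool = False
    http_only: bool = False
    max_age: Optional[int] = None
    expires: Optional[str] = None


def default_path(request_path: str) -> str:
    """RFC 6265 default-path: the request path up to, not including, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def domain_matches(host: str, domain: str) -> bool:
    """host equals domain, or is a subdomain of it (never for IP addresses)."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and not host.replace(".", "").isdigit()


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: equal, or a prefix that ends at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header: str, request_host: str, request_path: str = "/") -> Cookie:
    """Parse one Set-Cookie value as a browser talking to request_host would."""
    parts = [p.strip() for p in header.split(";")]
    name, eq, value = parts[0].partition("=")
    if not eq or not name:
        raise ValueError(f"cookie pair missing name or '=': {parts[0]!r}")
    cookie = Cookie(name=name, value=value, path=default_path(request_path))
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            dom = val.strip().lstrip(".").lower()
            # A server may widen scope only to a domain it itself belongs to.
            if not domain_matches(request_host, dom):
                raise ValueError(f"Domain={dom!r} does not cover {request_host!r}; cookie ignored")
            cookie.domain = dom
        elif key == "path":
            cookie.path = val if val.startswith("/") else default_path(request_path)
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "max-age":
            cookie.max_age = int(val)
        elif key == "expires":
            cookie.expires = val
    return cookie


def should_send(cookie: Cookie, url: str, origin_host: str) -> bool:
    """Would a browser attach `cookie` (set by origin_host) to a request for url?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie.domain is None:
        if host != origin_host.lower():  # host-only: exact host match required
            return False
    elif not domain_matches(host, cookie.domain):
        return False
    if not path_matches(parts.path or "/", cookie.path):
        return False
    if cookie.secure and parts.scheme != "https":
        return False
    return True


if __name__ == "__main__":
    # Constructed header modelled on the slide's example, set by www.example.com.
    c = parse_set_cookie("foo=bar; Domain=example.com; Path=/; Secure; HttpOnly",
                         request_host="www.example.com")
    print(should_send(c, "https://shop.example.com/cart", "www.example.com"))
    print(should_send(c, "http://shop.example.com/cart", "www.example.com"))
    print(should_send(c, "https://example.com.evil.net/", "www.example.com"))
```

The Path check only governs which requests carry the cookie; as the slide says, it is not an isolation boundary against script, which is why HttpOnly is tracked separately here.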
Slide 26: More HTTP Methods
COPY: Copies file to path in Destination header. Part of WebDAV specification.
MOVE: Moves file to path in Destination header. Part of WebDAV specification.
SEARCH: Searches directory path for resources.
PROPFIND: Retrieves information about resources, such as author, size, content-type.
CONNECT: Make non-HTTP connections via HTTP proxies.
TRACE: Returns the exact request received by the server in the response body. Can be used to bypass HttpOnly cookie protection against XSS attacks.
Slide 27: HTTP TRACE Example
  $ telnet localhost 80
  Trying...
  Connected to
  Escape character is '^]'.
  TRACE / HTTP/1.1
  Host: foo
  x-myheader: spam

  HTTP/ OK
  Date: Mon, 04 Mar :34:45 GMT
  Server: Apache/ (Unix)
  Connection: close
  Content-Type: message/http

  TRACE / HTTP/1.0
  x-myheader: spam
  Host: foo
  Connection closed.
Slide 28: HTTP Proxies
Browser configured to proxy GET request:
  GET HTTP/1.1
  User-Agent: mybrowser/2.0
  Host:
URL and Host specifications perform the same task but evolved separately.
Proxy must be careful to avoid being tricked into caching a page from one site as a page from another site:
  GET HTTP/1.1
  Host:
Slide 29: HTTP Caching
HTTP/1.1 cache behavior
  GETs with 200, 301, &c responses may be cached.
  The cached copy may be returned to any future request for that URL even if headers differ, including cookies.
  Cache may revalidate content (with If-Modified-Since header) before reuse, but is not required to do so.
Cache-Control header
  Public: document is cacheable publicly.
  Private: proxies are not permitted to cache.
  No-cache: cache but don't reuse; only FF supports.
  No-store: do not cache this document at all.
  Pragma: no-cache from HTTP/1.0 still in use.
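The cache rules on this slide, as an added Python example that is not code from the slides: a Cache-Control parser and a decision function for a shared (proxy) cache that applies no-store, private, public, no-cache and the HTTP/1.0 Pragma: no-cache request header, plus the RFC 7234 rule that responses to requests carrying Authorization stay out of shared caches unless the origin explicitly allows it. The list of statuses cacheable by default is RFC 7231's; the refusal to share a response carrying Set-Cookie is a local conservative policy (labelled as such in the code), not an RFC requirement. The sample exchanges are constructed.

```python
"""Shared-cache storage decision from method, status and Cache-Control."""
from dataclasses import dataclass
from typing import Dict, Optional

# Statuses a cache may store without explicit freshness information (RFC 7231 6.1).
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


@dataclass
class Decision:
    may_store: bool
    must_revalidate: bool  # stored, but never reused without asking the origin
    reason: str


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'private, max-age=600' -> {'private': None, 'max-age': '600'}."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_decision(method: str, request_headers: Dict[str, str],
                          status: int, response_headers: Dict[str, str]) -> Decision:
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = set(parse_cache_control(resp.get("cache-control", "")))
    # HTTP/1.0 clients still send Pragma: no-cache instead of Cache-Control.
    req_cc = set(parse_cache_control(req.get("cache-control", req.get("pragma", ""))))

    if method != "GET":
        return Decision(False, False, "this proxy caches GET responses only")
    if "no-store" in cc:
        return Decision(False, False, "Cache-Control: no-store")
    if "private" in cc:
        return Decision(False, False, "Cache-Control: private: shared caches may not store")
    if resp.get("vary", "").strip() == "*":
        return Decision(False, False, "Vary: * makes every request distinct")
    # RFC 7234 3.2: a response to a request with Authorization stays out of a
    # shared cache unless the origin explicitly permits storage.
    if "authorization" in req and not cc & {"public", "must-revalidate", "s-maxage"}:
        return Decision(False, False, "authenticated response without explicit permission")
    # Local conservative policy, not an RFC rule: a response that sets a
    # cookie is probably personalised and should not be handed to other users.
    if "set-cookie" in resp and "public" not in cc:
        return Decision(False, False, "response sets a cookie and is not marked public")
    explicit = bool(cc & {"public", "max-age", "s-maxage"}) or "expires" in resp
    if status not in CACHEABLE_BY_DEFAULT and not explicit:
        return Decision(False, False, f"status {status} is not cacheable by default")
    if "no-cache" in cc or "no-cache" in req_cc:
        return Decision(True, True, "no-cache: store, but revalidate before every reuse")
    return Decision(True, False, "cacheable")


if __name__ == "__main__":
    # Constructed exchanges, one per directive on the slide.
    print(shared_cache_decision("GET", {}, 200, {"Cache-Control": "public, max-age=600"}))
    print(shared_cache_decision("GET", {}, 200, {"Cache-Control": "private"}))
    print(shared_cache_decision("GET", {}, 200, {"Cache-Control": "no-cache"}))
    print(shared_cache_decision("GET", {}, 200, {"Cache-Control": "no-store"}))
    print(shared_cache_decision("GET", {"Pragma": "no-cache"}, 200, {}))
    print(shared_cache_decision("GET", {"Authorization": "Basic <constructed>"}, 200, {}))
```

The Set-Cookie rule addresses the slide's warning that a cached copy may be served to later requests even when their headers (cookies included) differ: a shared cache that stores a personalised response without the origin's explicit consent will serve one user's page to the next.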
Slide 30: HTTP Headers
HTTP headers can be vulnerable to injection attacks, including
  SQL Injection
  Cross-Site Scripting (XSS)
Most commonly vulnerable headers
  Referer
  User-Agent
Example (vulnerable: the User-Agent value is concatenated into the SQL statement):
  String userAgent = request.getHeader("user-agent");
  String sQuery = "DELETE FROM UP_USER_UA_MAP WHERE USER_ID=" + userId + " AND USER_AGENT=" + userAgent + ...;
  stmt.executeUpdate(sQuery);
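The slide's DELETE rebuilt in Python against an in-memory SQLite table, as an added example (not the slide's Java): the first function pastes the User-Agent value into the SQL text as the slide's code does, the second binds it as a parameter. An ordinary User-Agent containing an apostrophe is enough to make the concatenated statement fail, while the parameterised one deletes exactly the intended row. The table and column names come from the slide's query; the stored User-Agent strings are constructed.

```python
"""Header values are untrusted input: the slide's User-Agent DELETE, both ways."""
import sqlite3
from typing import Dict, List, Tuple

# Constructed data for the table named in the slide's query.
SCHEMA = """
CREATE TABLE UP_USER_UA_MAP (USER_ID INTEGER, USER_AGENT TEXT);
INSERT INTO UP_USER_UA_MAP VALUES (1, 'Mozilla/5.0 (Windows NT 6.2) Gecko Firefox/35.0');
INSERT INTO UP_USER_UA_MAP VALUES (1, 'Mozilla/5.0 (Bob''s Phone) Mobile/1.0');
INSERT INTO UP_USER_UA_MAP VALUES (2, 'Mozilla/5.0 (Windows NT 6.2) Gecko Firefox/35.0');
"""


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def delete_concatenated(conn: sqlite3.Connection, user_id: int, user_agent: str) -> int:
    """The slide's pattern: the header value becomes part of the SQL text."""
    squery = ("DELETE FROM UP_USER_UA_MAP WHERE USER_ID=" + str(user_id)
              + " AND USER_AGENT='" + user_agent + "'")
    cur = conn.execute(squery)
    conn.commit()
    return cur.rowcount


def delete_parameterized(conn: sqlite3.Connection, user_id: int, user_agent: str) -> int:
    """Hardened form: the header value travels as a bound parameter, so the
    database treats it as data no matter which characters it contains."""
    cur = conn.execute(
        "DELETE FROM UP_USER_UA_MAP WHERE USER_ID=? AND USER_AGENT=?",
        (user_id, user_agent))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> List[Tuple[int, str]]:
    return conn.execute(
        "SELECT USER_ID, USER_AGENT FROM UP_USER_UA_MAP ORDER BY USER_ID, USER_AGENT"
    ).fetchall()


def demo(user_agent: str) -> Dict[str, object]:
    """Run both versions for user 1 against identical data and report the outcome."""
    result: Dict[str, object] = {}
    conn = fresh_db()
    try:
        result["concat_deleted"] = delete_concatenated(conn, 1, user_agent)
    except sqlite3.Error as exc:
        result["concat_deleted"] = f"error: {type(exc).__name__}"
    result["concat_rows_left"] = len(remaining(conn))
    conn = fresh_db()
    result["param_deleted"] = delete_parameterized(conn, 1, user_agent)
    result["param_rows_left"] = len(remaining(conn))
    return result


if __name__ == "__main__":
    print(demo("Mozilla/5.0 (Windows NT 6.2) Gecko Firefox/35.0"))
    print(demo("Mozilla/5.0 (Bob's Phone) Mobile/1.0"))
```

A syntax error is the benign outcome here; the same concatenation accepts any SQL an attacker cares to put in the header, which is the point of the slide. The fix is the parameterised form (a PreparedStatement in the slide's Java), not escaping the header value by hand.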
Slide 31: HTTP Header Injection
Add new header + body content to HTTP response.
Client sends input containing end-of-line (EOL).
HTTP EOL is CR/LF (\r\n, %0d%0a URL-encoded).
Example code (vulnerable: the author parameter is placed in a Set-Cookie header unchecked):
  String author = request.getParameter(AUTHOR_PARAM);
  ...
  Cookie cookie = new Cookie("author", author);
  cookie.setMaxAge(cookieExpiration);
  response.addCookie(cookie);
Slide 32: HTTP Response Splitting
Malicious input submitted via AUTHOR_PARAM form input:
  A Hacker\r\nHTTP/ OK\r\nContent-Type: text/html\r\n <html>hacker Content</html>
Resulting HTTP responses:
  HTTP/ OK
  Set-Cookie: author=A Hacker

  HTTP/ OK
  Content-Type: text/html

  <html>hacker Content</html>
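The header-injection code of slide 31 and the split response on this slide, as an added Python example that is not code from the slides: a response builder that interpolates the author parameter into Set-Cookie as the slide's servlet does, a hardened builder whose header values must consist of the printable ASCII and tab that RFC 7230 permits in a field value (so CR and LF are rejected, the behaviour of current servlet containers), and a counter for how many status lines a downstream parser would see. The payload is the slide's own, URL-encoded in the %0d%0a form slide 31 mentions; "HTTP/1.1 200 OK" stands in for the version and code lost in the transcription, and the body text is constructed.

```python
"""HTTP response building with and without header-value validation."""
import re
from urllib.parse import unquote

CRLF = "\r\n"
# RFC 7230 field-value content: horizontal tab and visible ASCII (0x20-0x7e).
# Anything else, CR and LF above all, is rejected rather than stripped.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e]*")
_STATUS_LINE = re.compile(r"^HTTP/\d\.\d \d{3} .*$", re.MULTILINE)


def validate_header_value(value: str) -> str:
    if not _FIELD_VALUE.fullmatch(value):
        bad = sorted({c for c in value if not _FIELD_VALUE.fullmatch(c)})
        raise ValueError(f"illegal characters in header value: {bad!r}")
    return value


def build_response_unsafe(author: str, body: str) -> str:
    """Mirrors the slide's servlet: the parameter goes into Set-Cookie as-is."""
    return (f"HTTP/1.1 200 OK{CRLF}"
            f"Set-Cookie: author={author}{CRLF}"
            f"Content-Type: text/html{CRLF}"
            f"Content-Length: {len(body.encode())}{CRLF}"
            f"{CRLF}{body}")


def build_response_safe(author: str, body: str) -> str:
    """Same response, but the cookie value must pass validate_header_value."""
    cookie = validate_header_value(f"author={author}")
    return (f"HTTP/1.1 200 OK{CRLF}"
            f"Set-Cookie: {cookie}{CRLF}"
            f"Content-Type: text/html{CRLF}"
            f"Content-Length: {len(body.encode())}{CRLF}"
            f"{CRLF}{body}")


def count_responses(wire: str) -> int:
    """Status lines a downstream parser (browser or proxy) would find in the
    bytes: one is a normal response, two means the response has been split."""
    return len(_STATUS_LINE.findall(wire))


# The slide's AUTHOR_PARAM payload as it would arrive URL-encoded.
SLIDE_PAYLOAD = unquote(
    "A%20Hacker%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html"
    "%0d%0a%0d%0a%3Chtml%3Ehacker%20Content%3C/html%3E")

if __name__ == "__main__":
    page = "<html>legitimate page</html>"  # constructed body
    print(count_responses(build_response_unsafe("Jane Doe", page)))   # 1
    print(count_responses(build_response_unsafe(SLIDE_PAYLOAD, page)))  # 2
    try:
        build_response_safe(SLIDE_PAYLOAD, page)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting rather than stripping the control characters matters: a filter that removes CR/LF and forwards the rest still lets the remainder of the payload reach the cookie, and it hides from the application (and its logs) that an injection attempt occurred.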
Slide 33: Response Splitting Impact
Attacker controls page contents
  Page defacement.
  Can redirect to attacker-controlled site.
Script executes in context of legitimate site
  JavaScript sent by attacker as part of the second response has access to cookies and other data of the legitimate site.
Slide 34: Cache Poisoning Attack
1. Select a page to poison in the proxy cache. Replace /admin with phishing trojan.
2. Locate header injection vulnerability. Inject second response body with trojan.
3. Connect to proxy and send requests.
   1. First request is the header injection described above.
   2. Second request is for the page that's being poisoned.
4. Proxy talks to app, gets response.
5. Proxy interprets 2nd response body as response to attacker's 2nd pipelined request. Updates cache with trojan version.
Slide 35: Key Points
1. Requests
   1. Idempotence
   2. Safety
2. Stateless architecture
3. Cookies
4. HTTP response splitting
5. Cache poisoning
Slide 36: References
1. David Gourley et al., HTTP: The Definitive Guide, O'Reilly.
2. Krishnamurthy et al., Key Differences Between HTTP/1.0 and HTTP/1.1.
3. Mark Nottingham, RFC 2616 is Dead.
4. Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook, 2nd Edition, Wiley.
5. HTTP/2 Home Page.
6. Sanctum, HTTP Response Splitting Whitepaper, tpresponse.pdf.
7. Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press.
More information1.1 A Brief Intro to the Internet
1.1 A Brief Intro to the Internet - Origins - ARPAnet - late 1960s and early 1970s - Network reliability - For ARPA-funded research organizations - BITnet, CSnet - late 1970s & early 1980s - email and
More informationDetects Potential Problems. Customizable Data Columns. Support for International Characters
Home Buy Download Support Company Blog Features Home Features HttpWatch Home Overview Features Compare Editions New in Version 9.x Awards and Reviews Download Pricing Our Customers Who is using it? What
More informationReview of Previous Lecture
Review of Previous Lecture Network access and physical media Internet structure and ISPs Delay & loss in packet-switched networks Protocol layers, service models Some slides are in courtesy of J. Kurose
More informationLecture 6 Application Layer. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it
Lecture 6 Application Layer Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it Application-layer protocols Application: communicating, distributed processes running in network hosts
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationLab 5: Web Attacks using Burp Suite
Lab 5: Web Attacks using Burp Suite Aim The aim of this lab is to provide a foundation in performing security testing of web applications using Burp Suite and its various tools. Burp Suite and its tools
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 client-side scripts and security while client-side scripts do much to improve the appearance of pages,
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationCS 5450 HTTP. Vitaly Shmatikov
CS 5450 HTTP Vitaly Shmatikov Browser and Network Browser OS Hardware request reply website Network slide 2 HTML A web page includes Base HTML file Referenced objects (e.g., images) HTML: Hypertext Markup
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationApplications & Application-Layer Protocols: The Web & HTTP
CS 312 Internet Concepts Applications & Application-Layer Protocols: The Web & HTTP Dr. Michele Weigle Department of Computer Science Old Dominion University mweigle@cs.odu.edu http://www.cs.odu.edu/~mweigle/cs312-f11/
More informationWorld Wide Web. Before WWW
FEUP, João Neves World Wide Web Joao.Neves@fe.up.pt CAcer t WoT User Digitally signed by CAcert WoT User DN: cn=cacert WoT User, email=joao.neves@i nescporto.pt, email=b2d718a54c3 83ce1a9d48aa87e2ef 687ee8769f0
More information1.1 A Brief Intro to the Internet
1.1 A Brief Intro to the Internet - Origins - ARPAnet - late 1960s and early 1970s - Network reliability - For ARPA-funded research organizations - BITnet, CSnet - late 1970s & early 1980s - email and
More informationHyperText Transfer Protocol
Outline Introduce Socket Programming Domain Name Service (DNS) Standard Application-level Protocols email (SMTP) HTTP HyperText Transfer Protocol Defintitions A web page consists of a base HTML-file which
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationAssignment, part 2. Statement and concepts INFO-0010
Assignment, part 2 Statement and concepts INFO-0010 Outline Statement Implementation of concepts Objective Mastermind game using HTTP GET and HTTP POST methods The platform Architecture Root page ("/")
More informationAnnouncements. The World Wide Web. Retrieving From the Server. Goals of Today s Lecture. The World Wide Web. POP3 Protocol
Announcements The World Wide Web Project #2 out Checkpoint due Weds Oct 18 Full project due Thurs Oct 26 EE 122: Intro to Communication Networks Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip
More information8/8/17. HTTP Overview. It s all about the network. If you want to really do Web programming right you will need to know the ins and outs of HTTP
HTTP Overview It s all about the network If you want to really do Web programming right you will need to know the ins and outs of HTTP If the network has problems you/users have problems much more than
More informationThe World Wide Web. EE 122: Intro to Communication Networks. Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim
The World Wide Web EE 122: Intro to Communication Networks Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim http://inst.eecs.berkeley.edu/~ee122/ Materials with thanks
More informationSession 9. Deployment Descriptor Http. Reading and Reference. en.wikipedia.org/wiki/http. en.wikipedia.org/wiki/list_of_http_headers
Session 9 Deployment Descriptor Http 1 Reading Reading and Reference en.wikipedia.org/wiki/http Reference http headers en.wikipedia.org/wiki/list_of_http_headers http status codes en.wikipedia.org/wiki/http_status_codes
More informationOutline Computer Networking. HTTP Basics (Review) How to Mark End of Message? (Review)
Outline 15-441 Computer Networking Lecture 25 The Web HTTP review and details (more in notes) Persistent HTTP review HTTP caching Content distribution networks Lecture 19: 2006-11-02 2 HTTP Basics (Review)
More informationScalable applications with HTTP
Scalable applications with HTTP Patrice Neff, co-founder Memonic patrice@memonic.com twitter.com/pneff 20100407 memonic Memonic Founded in 2009 Your personal digital notebook Easy web research Try it out
More informationAbout the Tutorial. Audience. Prerequisites. Copyright & Disclaimer
About the Tutorial The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. This is the foundation for data communication
More informationCSP 1.3: An HTTP-Based Protocol for Parameterized, Aggregated Content
CSP 1.3: An HTTP-Based Protocol for Parameterized, Aggregated Content This document was modified: 9/26/2005 1. Introduction...3 1.1. Motivation and Design Goals...3 1.2. Glossary of Terms...3 2. Protocol
More informationApplication Layer. Applications and application-layer protocols. Goals:
Application Layer Goals: Conceptual aspects of network application protocols Client paradigm Service models Learn about protocols by examining popular application-level protocols HTTP DNS 1 Applications
More informationCSE 333 Lecture HTTP
CSE 333 Lecture 19 -- HTTP Hal Perkins Department of Computer Science & Engineering University of Washington Administrivia Server-side programming exercise due Wed. morning HW4 due a week later - How s
More informationCSP 1.4: An HTTP-Based Protocol for Parameterized, Aggregated Content
CSP 1.4: An HTTP-Based Protocol for Parameterized, Aggregated Content This document was modified: 6/25/2007 1. Introduction... 3 1.1. Motivation and Design Goals... 3 1.2. Glossary of Terms... 3 2. Protocol
More informations642 web security computer security adam everspaugh
s642 computer security web security adam everspaugh ace@cs.wisc.edu review memory protections / data execution prevention / address space layout randomization / stack protector Sandboxing / Limit damage
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationNetworking. Layered Model. DoD Model. Application Layer. ISO/OSI Model
Networking Networking is concerned with the physical topology of two or more communicating entities and the logical topology of data transmission. Layered Model Systems communicate over a shared communication
More informationChapter 27 WWW and HTTP Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 27 WWW and HTTP 27.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 27-1 ARCHITECTURE The WWW today is a distributed client/server service, in which
More information