HTTP Protocol and Server-Side Basics

Similar documents
Parameterization in OpenSTA for load testing. Parameterization in OpenSTA Author: Ranjit Shewale

World Wide Web, etc.

Web Search An Application of Information Retrieval Theory

Applications & Application-Layer Protocols: The Web & HTTP

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

The HTTP protocol. Fulvio Corno, Dario Bonino. 08/10/09 http 1

Produced by. Mobile Application Development. Higher Diploma in Science in Computer Science. Eamonn de Leastar

Internet Architecture. Web Programming - 2 (Ref: Chapter 2) IP Software. IP Addressing. TCP/IP Basics. Client Server Basics. URL and MIME Types HTTP

HTTP Request Handling

How to work with HTTP requests and responses

Outline of Lecture 3 Protocols

WEB TECHNOLOGIES CHAPTER 1

COSC 2206 Internet Tools. The HTTP Protocol

Lecture 7b: HTTP. Feb. 24, Internet and Intranet Protocols and Applications

OSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)

Lecture 3. HTTP v1.0 application layer protocol. into details. HTTP 1.0: RFC 1945, T. Berners-Lee HTTP 1.1: RFC 2068, 2616

s642 web security computer security adam everspaugh

Unraveling the Mysteries of J2EE Web Application Communications

DOWNLOADING WEB PAGES

The TCPProxy. Table of contents

How browsers talk to servers. What does this do?

Notes beforehand... For more details: See the (online) presentation program.

Kerberos and Single Sign On with HTTP

CSCI-1680 WWW Rodrigo Fonseca

Introduction to Ethical Hacking

CORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks

Giving credit where credit is due

CSCI-1680 WWW Rodrigo Fonseca

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Web, HTTP and Web Caching

CS 5450 HTTP. Vitaly Shmatikov

The HTTP Protocol HTTP

Jeff Offutt SWE 642 Software Engineering for the World Wide Web

CS 43: Computer Networks. Layering & HTTP September 7, 2018

HTTP Review. Carey Williamson Department of Computer Science University of Calgary

Server-Side Web Programming: Python (Part 1) Copyright 2017 by Robert M. Dondero, Ph.D. Princeton University

WWW: the http protocol

Configure ACE with Source NAT and Client IP Header Insert

Web History. Systemprogrammering 2006 Föreläsning 9 Web Services. Internet Hosts. Web History (cont) 1945: 1989: Topics 1990:

Global Servers. The new masters

HTTP, circa HTTP protocol. GET /foo/bar.html HTTP/1.1. Sviluppo App Web 2015/ Intro 3/3/2016. Marco Tarini, Uninsubria 1

CMSC 332 Computer Networking Web and FTP

Analysis of the effects of removing redundant header information in persistent HTTP connections

HashCookies A Simple Recipe

Application Level Protocols

How the Internet Works

Web Application Security GVSAGE Theater

Networking. INFO/CSE 100, Spring 2006 Fluency in Information Technology.

LAMP, WEB ARCHITECTURE, AND HTTP

Outline Computer Networking. HTTP Basics (Review) How to Mark End of Message? (Review)

COMPUTER NETWORKS AND COMMUNICATION PROTOCOLS. Web Access: HTTP Mehmet KORKMAZ

REST. Lecture BigData Analytics. Julian M. Kunkel. University of Hamburg / German Climate Computing Center (DKRZ)

How to Configure Authentication and Access Control (AAA)

CS631 - Advanced Programming in the UNIX Environment

Web Security, Part 2

HTTP Reading: Section and COS 461: Computer Networks Spring 2013

Web Programming 4) PHP and the Web

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

CS144 Notes: Web Standards

About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer

World-Wide Web Protocols CS 571 Fall Kenneth L. Calvert All rights reserved

Computer Networks. Wenzhong Li. Nanjing University

Apica ZebraTester. Advanced Load Testing Tool and Cloud Platform

Building a Web-based Health Promotion Database

Web Programming 3. Object Oriented Interface to CGI.pm. Generating Images. Using Headers. Using Cookies. Hidden fields.

Web Engineering. Basic Technologies: Protocols and Web Servers. Husni

Assignment, part 2. Statement and concepts INFO-0010

Policies to Resolve Archived HTTP Redirection

C22: Browser & Web Server Communication

INTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary

CGI / HTTP(s) GET NETIO M2M API protocols docs

Application Layer Introduction; HTTP; FTP

CS193i Handout #18. HTTP Part 5

INF5750. RESTful Web Services

3. WWW and HTTP. Fig.3.1 Architecture of WWW

Chapter 27 WWW and HTTP Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

The Architecture of the World Wide Web

Applications & Application-Layer Protocols: The Web & HTTP

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

Deployment Guide AX Series with Oracle E-Business Suite 12

Web. Computer Organization 4/16/2015. CSC252 - Spring Web and HTTP. URLs. Kai Shen

urllib2 extensible library for opening URLs

Threat Landscape 2017

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

Networking and Internet

Module 3 Web Component

::/Topics/Configur...

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Scan Report Executive Summary

HyperText Transfer Protocol

Proxying. Why and How. Alon Altman. Haifa Linux Club. Proxying p.1/24

Scan Time Start time : Fri May 14 19:16: End time : Fri May 14 19:18:

Web Security: Vulnerabilities & Attacks

COMPUTER NETWORK. Homework #1. Due Date: March 29, 2017 in class

WWW, REST, and Web Services

Black Box DCX3000 / DCX1000 Using the API

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Running Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.

Network Applications and the Web

HTTP Server Application

Transcription:

HTTP Protocol and Server-Side Basics Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming HTTP Protocol and Server-Side Basics Slide 1/26

Outline The HTTP protocol Environment Variables Session Management Cookies Web Programming HTTP Protocol and Server-Side Basics Slide 2/26

Manual interaction with the HTTP protocol Manual interaction with a webserver is possible by typing telnet www.somename.ac.uk 80 then typing GET / HTTP/1.0 and then pressing enter twice. Web Programming HTTP Protocol and Server-Side Basics Slide 3/26

Format of the first line of an HTTP request: METHOD space Request-URI space HTTP-Version \n\n Methods are GET, HEAD, OPTIONS, POST, DELETE, etc. The Request-URI is usually the path and name of the document (eg. / or /somedir/index.html ). The HTTP-Version is currently either 1.0 or 1.1. Web Programming HTTP Protocol and Server-Side Basics Slide 4/26

A typical HTTP request with GET The HTTP request is normally generated by the user s browser. A typical request with GET is GET /cgi-bin/somefile.cgi HTTP/1.0 CONNECTION: Keep-Alive USER-AGENT: Mozilla/4.0 (compatible; MSIE 5.22) PRAGMA: no-cache HOST: www.somename.ac.uk ACCEPT: image/gif, image/x-xbitmap, image/jpeg, */* QUERY STRING: name=mary&comments=hello Web Programming HTTP Protocol and Server-Side Basics Slide 5/26

A typical HTTP request with POST POST /cgi-bin/somefile.cgi HTTP/1.0 REFERER: http://www.somename.ac.uk/cgi-bin/someform.html CONNECTION: Keep-Alive USER-AGENT: Mozilla/4.0 (compatible; MSIE 5.22) HOST: www.somename.ac.uk ACCEPT: image/gif, image/x-xbitmap, image/jpeg, */* CONTENT-TYPE: application/x-www-form-urlencoded CONTENT-LENGTH: 42 name=mary&comments=hello Web Programming HTTP Protocol and Server-Side Basics Slide 6/26

A typical answer from a webserver HTTP/1.1 200 OK Date: Thu, 18 Nov 2004 15:41:04 GMT Server: Apache/2.0.40 (Red Hat Linux) Accept-Ranges: bytes X-Powered-By: Open SoCks 1.2.0000 Last modified: Thu, 18 Nov 2004 15:41:04 GMT Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional// "http://www.w3.org/tr/html4/loose.dtd"> <html>... Web Programming HTTP Protocol and Server-Side Basics Slide 7/26

Different possible first lines HTTP/1.1 200 OK HTTP/1.1 404 Not Found HTTP/1.1 302 Found HTTP/1.0 500 internal error (302 indicates a redirection): Web Programming HTTP Protocol and Server-Side Basics Slide 8/26

Low-level interaction with the HTTP protocol Normally users need not interact with the HTTP protocol on a low level because browsers do all the work. But there are reasons why programmers may need more low level access to the web: Testing of websites from the command-line. For example, if a whole website is to be checked for dead links this can be conveniently done from the command-line. Testing of the security of one s own website (especially for scripts) by trying to break in. Web crawlers, spiders, robots: programs that navigate the web and collect information, for example, for creating search engines. Web Programming HTTP Protocol and Server-Side Basics Slide 9/26

What tools to use Most modern programming languages contain libraries that allow for direct interaction with the HTTP protocol (such as libwww or socket libraries). There are plugins for browsers (such as Firefox) which support viewing and editing of HTML headers. Web Programming HTTP Protocol and Server-Side Basics Slide 10/26

Environment Variables Environment variables are a means for server-side web languages to exchange information between the server and the client. They control the information which is disclosed by either server or client or which refers to a specific HTTP request. Not all environment variables are always available. Web Programming HTTP Protocol and Server-Side Basics Slide 11/26

Client-Side Information Environment variables which contain client-side information: HTTP USER AGENT HTTP ACCEPT REMOTE ADDR type and version of the client s browser client accepted MIME types IP address of the client Web Programming HTTP Protocol and Server-Side Basics Slide 12/26

Sever-Side Information Environment variables which contain server-side information: SERVER SOFTWARE SERVER NAME SERVER PROTOCOL software used for webserver (e.g. Apache) name of server protocol used by server (e.g. HTTP/1.1) Web Programming HTTP Protocol and Server-Side Basics Slide 13/26

Request-Specific Information Environment variables which contain information about a specific HTTP request: SCRIPT NAME REQUEST METHOD QUERY STRING CONTENT LENGTH HTTP COOKIE REMOTE USER HTTP REFERER the URL of the script usually either GET or POST form parameters as part of URL (only for GET) (only for POST) content of a cookie username - if authentication is used URL of previous page Web Programming HTTP Protocol and Server-Side Basics Slide 14/26

Can environment variables be trusted? Web Programming HTTP Protocol and Server-Side Basics Slide 15/26

Can environment variables be trusted? The value of environment variables cannot be trusted. For example: clients can lie about which type of browser they use. HTTP REFERER should never be used for security because it can be modified by a client. For highly secure applications, the content of cookies should be encrypted because otherwise it can be modified by a client. Web Programming HTTP Protocol and Server-Side Basics Slide 15/26

Why can environment variables not be trusted? Web Programming HTTP Protocol and Server-Side Basics Slide 16/26

Why can environment variables not be trusted? Because they are usually transmitted as plain text via the HTTP protocol. A client can use a scripting language or browser plugin to read and modify environment variables. Web Programming HTTP Protocol and Server-Side Basics Slide 16/26

A challenge for server-side web languages Session management poses a challenge for server-side web languages because, in contrast to stand-alone applications, server-side applications transfer data between servers and clients. A server-side application does not have full control over the data at the client s computer. A client can delete, modify or add to any data. Therefore client data cannot be trusted. Web Programming HTTP Protocol and Server-Side Basics Slide 17/26

A webform and response without sessions Server security check page 1 webform user data page 2 response Client user data browser response Web Programming HTTP Protocol and Server-Side Basics Slide 18/26

Using session IDs Sessions are created to minimise the risk of data corruption. All user data is stored on the server and associated with a session ID. Data retrieval is based on the session ID. A security check must be performed on any data, which a user enters, before the data is stored on the server. It is not necessary to perform security checks on data that is retrieved from the server. This is in contrast to CGI applications without sessions: in that case a security check must be performed on user data every time the data is used! Web Programming HTTP Protocol and Server-Side Basics Slide 19/26

Webform, confirmation and response Server database user data security check user data page 1 webform user data page 2 page 3 confirm final page ok? thank you Web Programming HTTP Protocol and Server-Side Basics Slide 20/26

Session IDs Session IDs are passed from page to page either by using hidden HTML form text or by using the query string or by using cookies (on the client computer). The session IDs should be generated by the server and should be long and complicated enough to deter users from manual tampering with the IDs. Web Programming HTTP Protocol and Server-Side Basics Slide 21/26

user data Server database security check sid user data sid user data page 1 webform user data page 2 page 3 confirm final page ok? thank you user data sid user data sid Client browser cookie Web Programming HTTP Protocol and Server-Side Basics Slide 22/26

Storing user data The user data, which is associated with a session ID can be stored on the server in a file in a database. This approach reduces the number of security checks that must be performed on user data. Web Programming HTTP Protocol and Server-Side Basics Slide 23/26

Storing user data The user data, which is associated with a session ID can be stored on the server in a file in a database. This approach reduces the number of security checks that must be performed on user data. Further measures can be taken for applications which require high security: the session can be password protected; the cookie data can be encrypted; the whole session can be encrypted using SSL. Web Programming HTTP Protocol and Server-Side Basics Slide 23/26

Cookies Cookies are transmitted between client and server via the HTTP COOKIE environment variable. This means that any cookie data needs to be written before the HTML header is sent. Web Programming HTTP Protocol and Server-Side Basics Slide 24/26

Cookies Cookies are transmitted between client and server via the HTTP COOKIE environment variable. This means that any cookie data needs to be written before the HTML header is sent. Cookie data can be read at any time. Web Programming HTTP Protocol and Server-Side Basics Slide 24/26

Workflow for cookies First: read any existing cookie. Second: compile cookie data and send it. Third: Print the HTML header. Web Programming HTTP Protocol and Server-Side Basics Slide 25/26

Workflow for cookies First: read any existing cookie. Second: compile cookie data and send it. Third: Print the HTML header. Note: it is counterintuitive to first read the cookie and then write it! Web Programming HTTP Protocol and Server-Side Basics Slide 25/26

Example: creating a counter with a cookie Read the cookie data. Web Programming HTTP Protocol and Server-Side Basics Slide 26/26

Example: creating a counter with a cookie Read the cookie data. If no prior cookie is received, set counter = 0. Web Programming HTTP Protocol and Server-Side Basics Slide 26/26

Example: creating a counter with a cookie Read the cookie data. If no prior cookie is received, set counter = 0. Read counter value and increase by 1. Web Programming HTTP Protocol and Server-Side Basics Slide 26/26

Example: creating a counter with a cookie Read the cookie data. If no prior cookie is received, set counter = 0. Read counter value and increase by 1. Write the cookie. Print the HTML header. Web Programming HTTP Protocol and Server-Side Basics Slide 26/26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback