REST. Web-based APIs

Similar documents
Working with Database. Client-server sides AJAX JSON Data formats Working with JSON data Request Response Bytes Database

Data Formats and APIs

JSON is a light-weight alternative to XML for data-interchange JSON = JavaScript Object Notation

JSON as an XML Alternative. JSON is a light-weight alternative to XML for datainterchange

AJAX ASYNCHRONOUS JAVASCRIPT AND XML. Laura Farinetti - DAUIN

The Web: Concepts and Technology

CSC 337. JavaScript Object Notation (JSON) Rick Mercer

ASP.NET AJAX adds Asynchronous JavaScript and XML. ASP.NET AJAX was up until the fall of 2006 was known by the code-known of Atlas.


AJAX. Lab. de Bases de Dados e Aplicações Web MIEIC, FEUP 2010/11. Sérgio Nunes

Introduction to JSON. Roger Lacroix MQ Technical Conference v

CSC Web Technologies, Spring Web Data Exchange Formats

Queens Library API Requirements Document For e-content Partners

This tutorial will help you understand JSON and its use within various programming languages such as PHP, PERL, Python, Ruby, Java, etc.

[Rosa Say on flickr] Module 12 Tree-Structured data CS 106 Winter 2018

Assignment: Seminole Movie Connection

/ Introduction to XML

Kyle Rainville Littleton Coin Company

Introduction to Web Services

A synchronous J avascript A nd X ml

Module 12 Tree-Structured data

Grading for Assignment #1

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

JavaScript I Language Basics

Assigns a number to 110,000 letters/glyphs U+0041 is an A U+0062 is an a. U+00A9 is a copyright symbol U+0F03 is an

10.1 Overview of Ajax

So, if you receive data from a server, in JSON format, you can use it like any other JavaScript object.

Copyright Descriptor Systems, Course materials may not be reproduced in whole or in part without prior written consent of Joel Barnum

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Data formats. { "firstname": "John", "lastname" : "Smith", "age" : 25, "address" : { "streetaddress": "21 2nd Street",

XML JavaScript Object Notation JSON Cookies Miscellaneous What Javascript can t do. OOP Concepts of JS

INTRODUCTION TO DATA SCIENCE

TNM STAGING AS AN HTTP SERVICE

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

International Journal of Advance Engineering and Research Development. Refining Data Exchange Methodologies using JavaScript Object Notation

Alpha College of Engineering and Technology. Question Bank

Web client programming

CRM Service Wrapper User Guide

AJAX: Rich Internet Applications

Web Scraping XML/JSON. Ben McCamish

Data Formats. Course NDBI040: Big Data Management and NoSQL Databases. Lecture 06: Martin Svoboda

User Interaction: jquery

REST over HTTP. Ambient intelligence. Fulvio Corno. Politecnico di Torino, 2015/2016

What the Bayeux? Filip Hanik. SpringSource Inc Keystone, Colorado, Slide 1

Session 18. jquery - Ajax. Reference. Tutorials. jquery Methods. Session 18 jquery and Ajax 10/31/ Robert Kelly,

Homework 8: Ajax, JSON and Responsive Design Travel and Entertainment Search (Bootstrap/Angular/AJAX/JSON/jQuery /Cloud Exercise)

CS Final Exam Review Suggestions - Spring 2018

Alternative Data Models Toward NoSQL

COMP9321 Web Application Engineering

Introduction to Database Systems CSE 414

Some Facts Web 2.0/Ajax Security

Web 2.0 Attacks Explained

REST in Peace Mastering the JSDO with a Dynamic ABL backend. Mike Fechner, Consultingwerk Ltd.

Lecture 8 (7.5?): Javascript

10/18/2017. Announcements. NoSQL Motivation. NoSQL. Serverless Architecture. What is the Problem? Database Systems CSE 414

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Delivery Options: Attend face-to-face in the classroom or remote-live attendance.

Part of this connection identifies how the response can / should be provided to the client code via the use of a callback routine.

Flat triples approach to RDF graphs in JSON


INFO/CS 4302 Web Informa6on Systems

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Delivery Options: Attend face-to-face in the classroom or via remote-live attendance.

Quick housekeeping Last Two Homeworks Extra Credit for demoing project prototypes Reminder about Project Deadlines/specifics Class on April 12th Resul

Technical SEO in 2018

Client Side JavaScript and AJAX

5/1/17. Announcements. NoSQL Motivation. NoSQL. Serverless Architecture. What is the Problem? Database Systems CSE 414

CSI 3140 WWW Structures, Techniques and Standards. Representing Web Data: XML

Rico AjaxEngine Tutorial

INDEX SYMBOLS See also

ETC1010: Data Modelling and Computing. Lecture 6: Reading di erent data formats

Composer Help. Web Request Common Block

16. Objects & JSON. Dr. Dave Parker. Informa;on and the Web, 2014/15

Networking & The Web. HCID 520 User Interface Software & Technology

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Contents. Demos folder: Demos\14-Ajax. 1. Overview of Ajax. 2. Using Ajax directly. 3. jquery and Ajax. 4. Consuming RESTful services

CSE 115. Introduction to Computer Science I

XMLHttpRequest. CS144: Web Applications

Advanced Aspects and New Trends in XML (and Related) Technologies

AJAX: Introduction CISC 282 November 27, 2018

Networking & The Web. HCID 520 User Interface Software & Technology

Layered approach. Data

Web Application Security. Philippe Bogaerts

5/2/16. Announcements. NoSQL Motivation. The New Hipster: NoSQL. Serverless. What is the Problem? Database Systems CSE 414

data analysis - basic steps Arend Hintze

AJAX with APEX. For More Information:

RKN 2015 Application Layer Short Summary

Database Systems CSE 414

Announcements. Two Classes of Database Applications. Class Overview. NoSQL Motivation. RDBMS Review: Serverless

Create-A-Page Design Documentation

TIME SCHEDULE MODULE TOPICS PERIODS. HTML Document Object Model (DOM) and javascript Object Notation (JSON)

CS312: Programming Languages. Lecture 21: JavaScript

CSE 115. Introduction to Computer Science I

2/6/2012. Rich Internet Applications. What is Ajax? Defining AJAX. Asynchronous JavaScript and XML Term coined in 2005 by Jesse James Garrett

AJAX. Introduction. AJAX: Asynchronous JavaScript and XML

JSON Home Improvement. Christophe Pettus PostgreSQL Experts, Inc. SCALE 14x, January 2016

Data Collections. Welcome to the Fourth Dimension (and beyond) Martin Phillips Ladybridge Systems Ltd. International Spectrum Conference, 2014

JavaScript. Like PHP, JavaScript is a modern programming language that is derived from the syntax at C.

Information Security CS 526 Topic 8

AJAX: The Basics CISC 282 March 25, 2014

Transcription:

REST Web-based APIs

REST Representational State Transfer Style of web software architecture that simplifies application Not a standard, but a design pattern

REST Take all resources for web application (data, files, functions) Identify each resource and action on resource via an HTTP method and URL. Method selects action Send arguments via the HTTP request (e.g. in URL, URL parameters, or payload) Where (URL) What (Appdefined) Resources (Data, files, functions) How (HTTP method)

REST toy example http://foo.com/bar/users Server foo.com Database bar Table users URL returns table users in database bar in a particular format (XML, JSON) Common examples Twitter, Flickr, Amazon

REST and HTTP methods HTTP request methods indicate the desired action GET Requests a representation of the specified resource. Use for operations that have NO side-effects (safe operations) Works with robots and crawlers. POST Submits data to be processed (e.g., from an HTML form) to the identified resource. Data is included in the body of the request. PUT Uploads a representation of the specified resource. DELETE Deletes the specified resource.

REST and security Each API call must ensure request is authenticated and authorized Requires attention to many of the OWASP Top 10 A4: Insecure Direct Object Access A7: Missing Function Level Access Control A2: Broken Authentication and Session Management A1: Injection Now in OWASP Top 10 for 2017 draft

JSON

JSON JavaScript Object Notation De-facto web object data format Subset of JavaScript Minimal, lightweight, text-based syntax Easy to parse and generate Prevalent in most web sites Prevalent in many web APIs, often as part of a REST architecture Designed to enable stateful, real-time communication between browser and web application Often used to allow web server to directly modify elements of a page without refresh Initially AJAX (Asynchronous JavaScript and XML) where XML exchanged (e.g. homework site) Now mostly AJAJ where JSON exchanged instead

JSON objects Objects are unordered containers of key/value pairs Keys are strings Values are JSON values Wrapped in { }, separates key/value pairs : separates keys and values Parsed into local data structures as struct, record, hashtable, or dictionary

JSON Values Strings Sequence of 0 or more Unicode characters wrapped in double quotes Numbers Integer, Real, Scientific No octal or hex No NaN or Infinity (Uses null instead!) Booleans true, false null A value that isn't anything Objects Arrays

Arrays Ordered sequences of values wrapped in [], separates values JSON does not specify indexing. Array is parsed by web program language Implementation can start array indexing at 0 or 1. ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"] [ ] [0, -1, 0], [1, 0, 0], [0, 0, 1]

JSON example { } "firstname": "John", Name/Value Pairs "lastname": "Smith", "address": { "streetaddress": "21 2nd Street", "city": "New York", "state": "NY", "postalcode": 10021 }, "phonenumbers": [ "212 555-1234", String Array "646 555-4567" ] Child properties Number data type

JSON example stockfigher.io stock order { } 'account' : 'SWB1886430', 'venue' : 'ETKBEX', 'symbol' : 'EJYW', 'price' : 8100, 'qty' : 100, 'direction' : 'buy', 'ordertype' : 'limit Twitter direct message https://dev.twitter.com/rest/reference/get/direct_messages

JSON in AJAX & JavaScript JSON often exchanged in JavaScript via XMLHttpRequest Example: obtain as responsetext, then parse it responsetext is '{ "name": "Jack B. Nimble", "at large": true, "grade": "A", "format": { "type": "rect", "width": 1920, "height : 1080, "interlace": false, "framerate": 24 } }'; jsonobject = JSON.parse(responseText); document.write("the object<br>"); document.write("name: ", jsonobject.name, "<br>"); document.write("grade: ", jsonobject.grade, "<br>"); document.write("format: ", jsonobject.format, "<br>");

JSON and avoiding eval() JSON uses JavaScript syntax to specify objects in a serialized manner Can either write a parser to pull out key:value pairs from JSON string or simply evaluate JSON string via eval Parse version jsonobject = JSON.parse(responseText); Eval version jsonobject = eval('(' + responsetext + ')'); Which one is safer? What if JSON object contained rogue JavaScript code? Deserialization attacks Mixing code and data

JSON security Deserialization attacks Dependent upon trust On client, not an issue JSON data came from the same server that vended the page. eval of the data is no less secure than the original html (assuming sent over HTTPS)

JSON security What about on the server (i.e. Node.js)? Is it OK to ever use eval to generate object from client? No Can never trust the client The client cannot be trusted Server must validate everything the client tells it. Run-time evaluation of untrusted input extremely dangerous! Always use a parser on server running JavaScript (nodejs) JSON.parse(string) instead of eval.

eval is evil Avoid using it in your web applications PHP eval and deserialization issues (picoctf, natas) Python eval issues (picoctf) JavaScript eval issues (Pentestlab exercises, deserialization)

Security of JSON vs. XML JSON Data Structure No validation system No namespaces Parsing is just an eval Fast Security issues In JavaScript you can work with objects runtime evaluation of types Security: eval() means that if the source is not trusted anything could be put into it. Libraries exist to make parsing safe(r) XML Data Structure XSD Has namespaces (can use multiples) Parsing requires XML document parsing using things like XPath In JavaScript you can work with strings may require additional parsing Security: XML is text/parsing not code execution.

JSON vs Javascript Double quotes for strings No functions intended to be allowed (text, no code unless someone does an eval) No circular references (text, no references)

Questions https://sayat.me/wu4f

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback