This document provides a summary of key concepts related to web application technologies. It discusses HTTP and HTTP requests/responses, including common headers. It also covers client-side technologies like HTML, CSS, JavaScript, and how they interact with the server via HTTP. On the server-side, it discusses programming languages and frameworks like Java, ASP.NET, PHP, and common databases. It also covers concepts like cookies, sessions, and different encoding schemes used to transmit data.
3. Hypertext Transfer Protocol (HTTP)
• Connectionless protocol
• Client sends an HTTP request to a Web server
• Gets an HTTP response
• No session formed, nothing remembered--no "state"
4. HTTP Requests
• Verb: GET (also called "method")
• URL: /css?family=Roboto:400,700
• Portion after ? is the query string containing parameters
• Version: HTTP/1.1
5. HTTP Requests
• Referer: URL the request originated from
• User-Agent: browser being used
• Host: Hostname of the server
• Essential when multiple hosts run on the same IP
• Required in HTTP/1.1
7. HTTP Response
• First line
• HTTP version
• Status code (200 in this case)
• Textual "reason phrase" describing the response
• Ignored by browser
8. HTTP Response
• Server: banner of server software
• Not always accurate
• Set-Cookie used to set cookie values
9. HTTP Response
• Pragma: tells browser not to store response in its cache
• Expires: set to a date in the past to ensure that the content is freshly loaded
10. HTTP Response
• Message Body after header contains data of type specified in Content-Type header
11. HTTP Methods: GET
• GET retrieves resources
• Can send parameters in the URL query string
• Users can bookmark the whole URL
• Whole URL may appear in server logs and in Referer headers
• Also on the browser's screen
• Don't put sensitive information in the query string
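The request structure from slides 4, 5 and 11, as an added example that is not part of the original slides: it parses a raw HTTP/1.1 request into verb, path, query-string parameters, version and headers, then flags query-string parameters that look sensitive, since the whole URL ends up in bookmarks, server logs, Referer headers and on screen. The list of sensitive parameter names is an assumption for this example.

```python
# Added example (not from the original slides): parse a raw HTTP/1.1 request
# and flag sensitive-looking parameters that were sent in the URL query string.
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as sensitive: an assumption for this example.
SENSITIVE_NAMES = {"password", "passwd", "pwd", "token", "session", "ssn"}

def parse_request(raw: str) -> dict:
    """Split a raw request into request-line fields, headers and body params."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    verb, url, version = lines[0].split(" ", 2)   # e.g. GET /path?q=1 HTTP/1.1
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(url)                         # path and query after "?"
    return {
        "verb": verb,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "version": version,
        "headers": headers,
        "body": dict(parse_qsl(body, keep_blank_values=True)),
    }

def sensitive_in_query(req: dict) -> list:
    """Names of query-string parameters that should not have been in the URL."""
    return sorted(n for n in req["query"] if n.lower() in SENSITIVE_NAMES)

# Constructed sample: a login submitted with GET, which the slides advise against.
SAMPLE_GET = (
    "GET /login?user=alice&password=hunter2 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://shop.example/index.html\r\n"
    "\r\n"
)
# The same login as POST: the parameters move into the message body.
SAMPLE_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)

if __name__ == "__main__":
    for raw in (SAMPLE_GET, SAMPLE_POST):
        req = parse_request(raw)
        print(req["verb"], req["path"], "sensitive in URL:", sensitive_in_query(req))
```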
12. HTTP Methods: POST
• POST performs actions
• Request parameters can be in URL query string and in the body of the message
• Parameters in body aren't saved in bookmarks or most server logs
• A better place for sensitive data
13. HTTP Methods: POST
• POST requests perform actions, like buying something
• Clicking the browser's Back button displays a box like this
14. Other HTTP Methods
• HEAD returns only the header, not the body
• Can be used to check if a resource is available before GETing it
• OPTIONS shows allowed methods
• PUT uploads to server (usually disabled)
15. URL (Uniform Resource Locator)
• If protocol is absent, it defaults to HTTP
• If port is absent, it uses the default port for the protocol
• 80 for HTTP, 443 for HTTPS, etc.
22. Cookies
• Cookies are resubmitted in each request to the same domain
• Unlike other request parameters, such as the query string
23. Set-Cookie Header
• Optional attributes
• expires - date when the cookie stops being valid
• If absent, cookie is used only in the current browser session
• domain - specified domain for which cookie is valid
• Must be the same or a parent of the domain from which the cookie is received
• "Same-Origin Policy"
24. Set-Cookie Header
• Optional attributes
• path - URL path for which the cookie is valid
• secure - transmit cookie only via HTTPS
• HttpOnly - Cookie cannot be directly accessed via client-side JavaScript
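The Set-Cookie attributes from slides 23 and 24, as an added example that is not part of the original slides: a small audit that parses a Set-Cookie header and reports a missing secure or HttpOnly attribute, a missing expires (session cookie), and a domain attribute that is not the responding host or one of its parents. The sample headers and the host name www.shop.example are constructed for the example.

```python
# Added example (not from the original slides): parse and audit Set-Cookie
# headers against the attribute rules on slides 23 and 24.

def parse_set_cookie(header: str) -> dict:
    """Return {'name', 'value', 'attrs'}; attribute keys are lower-cased."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")   # flags like secure have no "="
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, "value": value, "attrs": attrs}

def domain_allowed(attr_domain: str, response_host: str) -> bool:
    """True if attr_domain equals response_host or is a parent domain of it."""
    attr_domain = attr_domain.lstrip(".").lower()
    response_host = response_host.lower()
    return response_host == attr_domain or response_host.endswith("." + attr_domain)

def audit_set_cookie(header: str, response_host: str) -> list:
    """Return a list of findings (empty list means nothing to report)."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by client-side JavaScript")
    if "expires" not in attrs:
        findings.append("no expires: session cookie, kept only for this browser session")
    if "domain" in attrs and not domain_allowed(attrs["domain"], response_host):
        findings.append("domain %r is not the response host or a parent of it" % attrs["domain"])
    return findings

# Constructed sample headers, as if received in a response from www.shop.example.
WEAK = "sessionid=abc123; path=/"
STRONG = ("sessionid=abc123; expires=Wed, 21 Oct 2026 07:28:00 GMT; "
          "domain=shop.example; path=/; secure; HttpOnly")
FOREIGN = "tracker=1; domain=other.example; secure; HttpOnly; expires=Wed, 21 Oct 2026 07:28:00 GMT"

if __name__ == "__main__":
    for h in (WEAK, STRONG, FOREIGN):
        print(parse_set_cookie(h)["name"], audit_set_cookie(h, "www.shop.example"))
```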
26. Important Status Codes
• 200 OK - request succeeded, response body contains result
• 301 Moved Permanently - redirects the browser, client should use new URL in the future
• 302 Found - redirects browser temporarily. Client should revert to original URL in subsequent requests
27. Important Status Codes
• 304 Not Modified - browser should use cached copy of resource
• 400 Bad Request - invalid HTTP request
• 401 Unauthorized - Server requires HTTP authentication.
• WWW-Authenticate header specifies the type(s) of authentication supported
28. Important Status Codes
• 403 Forbidden - no one is allowed to access resource, regardless of authentication
• 404 Not Found - requested resource does not exist
• 500 Internal Server Error - unhandled exception in an app, such as a PHP error
• Next page: Link Ch 3l
30. HTTPS
• HTTP over SSL (Secure Sockets Layer)
• Actually now TLS (Transport Layer Security)
• All versions of SSL are deprecated
• Protects data with encryption
• Protects data in motion, but not at rest or in use
31. HTTP Proxies
• Browser sends requests to proxy server
• Proxy fetches resource and sends it to browser
• Proxies may provide caching, authentication, and access control
32. HTTPS and Man-in-the-Middle (MITM) Attacks
• HTTPS connections use public-key cryptography and end-to-end encryption
• Only the endpoints can decrypt traffic
• Companies wishing to restrict HTTPS traffic have two choices
• Perform complete MITM with fake certificates, or real root certificates from trusted CAs
• Allow encrypted traffic to trusted domains without being able to inspect it
33. HTTPS and Proxies
• Browser sends an HTTP request to the proxy using the CONNECT method and destination hostname and port number
• If proxy allows the request, it returns 200 status and keeps the TCP connection open
• Thereafter acts as a pure TCP-level relay to the destination web server
34. HTTP Authentication
• Basic: sends username and password in Base64 encoding
• NTLM: Uses Windows NTLM protocol (MD4 hashing)
• Digest: Challenge-response using MD5 hashing
• These are generally used in intranets, not on the Internet
• All are very weak cryptographically, and should be protected with HTTPS
37. Server-Side Functionality
• Static content - HTML pages and images that are the same for all users
• Dynamic content - response created on the fly, can be customized for each user
• Created by scripts on the server
• Customized based on parameters in the request
39. Other Inputs
• Server-side application may use any part of the HTTP request as an input
• Such as User-Agent
• Often used to display smartphone-friendly versions of pages
41. The Java Platform
• Standard for large-scale enterprise applications
• Lends itself to multitiered and load-balanced architectures
• Well-suited to modular development and code reuse
• Runs on Windows, Linux, and Solaris
42. Java Platform Terms
• Enterprise Java Bean (EJB)
• Heavyweight software component to encapsulate business logic, such as transactional integrity
• Plain Old Java Object (POJO)
• User-defined, lightweight object, distinct from a special object such as an EJB
• Java Servlet
• Object on an application server that receives HTTP requests from client and returns HTTP responses
43. Java Platform Terms
• Java web container
• Platform or engine that provides a runtime environment for Java-based web applications
• Ex: Apache Tomcat, BEA WebLogic, JBoss
45. ASP.NET
• Microsoft's web application framework
• Competitor to Java platform
• Uses .NET Framework, which provides a virtual machine (the Common Language Runtime) and a set of powerful APIs (Application Program Interfaces)
• Applications can be written in any .NET language, such as C# or VB.NET
46. Visual Studio
• Powerful development environment for ASP.NET applications
• Easy for developers to make a web application, even with limited programming skills
• ASP.NET helps protect against some common vulnerabilities, such as cross-site scripting, without requiring any effort from the developer
47. PHP
• Originally "Personal Home Page", now "PHP Hypertext Processor"
• Often used on LAMP servers
• Linux, Apache, MySQL, and PHP
• Free and easy to use, but many security problems
• Both in PHP itself and in custom code using it
49. Ruby on Rails
• Allows rapid development of applications
• Can autogenerate much of the code if developer follows the Rails coding style and naming conventions
• Has vulnerabilities like PHP
50. SQL (Structured Query Language)
• Used to access data in relational databases, such as Oracle, MS-SQL, and MySQL
• Data stored in tables, each containing rows and columns
• SQL queries are used to read, add, update, or delete data
• SQL injection vulnerabilities are very severe
54. SOAP
• If user-supplied data is incorporated into SOAP requests, it can have code injection vulnerabilities
• Server usually publishes available services and parameters using Web Services Description Language (WSDL)
• soapUI and other tools can generate requests based on WSDL file
63. CSS
Cascading Style Sheets
• Specifies format of document elements
• Separates content from presentation
• Has vulnerabilities, and can be used for attacks
64. JavaScript
• Scripts that run in the client's browser
• Used to validate user-entered data before submitting it to the server
• Dynamically modify UI in response to user action, such as in drop-down menus
• Using Document Object Model (DOM) to control the browser's behavior
65. VBScript
• Microsoft's alternative to JavaScript
• Only supported in Internet Explorer (now obsolete)
• Edge does not support VBScript
• Links Ch 3d, 3e
68. Ajax
Asynchronous JavaScript and XML
• Client-side scripts can fetch data without reloading the entire page
• Allows you to drag Google Maps around
70. JSON
JavaScript Object Notation
• Client-side JavaScript uses the XMLHttpRequest API to request data from a server
• Data is returned in JSON format:
72. Same-Origin Policy
• Prevents content from different origins interfering with each other in a browser
• Content from one website can only read and modify data from the same website
• Ex: scripts on Facebook can't read or write to data on your online banking page
• When this process fails, you get Cross-Site Scripting, Cross-Site Request Forgery, and other attacks
77. State and Sessions
• Stateful data required to supplement stateless HTTP
• This data is held in a server-side structure called a session
• The session contains data such as items added to a shopping cart
• Some state data is stored on the client, often HTTP cookies or hidden form fields
79. URL Encoding
• URLs may contain only printable ASCII characters
• 0x20 to 0x7e, inclusive
• To transfer other characters, or problematic ASCII characters, over HTTP, they must be URL-encoded
84.
• HTML-encoding user data before sending it to another user is used to prevent Cross-Site Scripting attacks
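The two encodings from slides 79 and 84, as an added example that is not part of the original slides: URL encoding built from the rule that only printable ASCII 0x20 to 0x7e may appear in a URL (every other UTF-8 byte, and ASCII characters that are problematic inside a URL, becomes %XX), and HTML encoding of user data before it is shown to another user. Which printable ASCII characters count as problematic, and the sample input, are assumptions for this example.

```python
# Added example (not from the original slides): URL encoding per the 0x20-0x7e
# rule on slide 79, and HTML encoding of user data as on slide 84.
from html import escape

# Printable ASCII characters that are reserved or unsafe inside a URL value;
# which ones count as "problematic" is an assumption for this example.
PROBLEMATIC = set(' "#%&+/:;<=>?@[\\]^`{|}')

def url_encode(value: str) -> str:
    """Keep safe printable ASCII (0x20-0x7e); %XX-encode every other UTF-8 byte."""
    out = []
    for byte in value.encode("utf-8"):
        if 0x20 <= byte <= 0x7E and chr(byte) not in PROBLEMATIC:
            out.append(chr(byte))
        else:
            out.append("%%%02X" % byte)
    return "".join(out)

def url_decode(value: str) -> str:
    """Reverse url_encode: turn each %XX back into a byte, then decode as UTF-8."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "%" and i + 3 <= len(value):
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(value[i]))   # input is ASCII, so ord() fits in a byte
            i += 1
    return raw.decode("utf-8")

def html_encode(user_data: str) -> str:
    """Turn &, <, > and quotes into entities so the browser shows them as text."""
    return escape(user_data, quote=True)

def render_comment(user_data: str) -> str:
    """Fragment shown to another user: the data is HTML-encoded, never inserted raw."""
    return '<p class="comment">%s</p>' % html_encode(user_data)

# Constructed sample: a non-ASCII letter, spaces, a tag, an ampersand and quotes.
SAMPLE = 'café <b>hi</b> & "quote"'

if __name__ == "__main__":
    print(url_encode(SAMPLE))
    print(render_comment(SAMPLE))
```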
85. Base64 Encoding
• Represents binary data using 64 ASCII characters
• Six bits at a time
• Used to encode email attachments so they can be sent via SMTP
• Uses this character set
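Base64 from slide 85 and the Basic authentication scheme from slide 34, as an added example that is not part of the original slides: an encoder and decoder built from the six-bits-per-character rule and the 64-character alphabet, checked against the standard library, then applied to a constructed Authorization header to show that Basic authentication only encodes the credentials and does not encrypt them, which is why the slides say it must be protected with HTTPS. The sample credentials are constructed for the example.

```python
# Added example (not from the original slides): Base64 six bits at a time,
# then used on an HTTP Basic Authorization header to show it is reversible.
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def b64encode(data: bytes) -> str:
    """Encode bytes to Base64: three input bytes become four output characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Left-align the chunk in 24 bits so six-bit groups line up.
        bits = int.from_bytes(chunk, "big") << (8 * (3 - len(chunk)))
        for j in range(4):
            if j <= len(chunk):                  # groups that hold real input
                out.append(ALPHABET[(bits >> (18 - 6 * j)) & 0x3F])
            else:                                # unused groups become padding
                out.append("=")
    return "".join(out)

def b64decode(text: str) -> bytes:
    """Decode Base64: accumulate six bits per character, emit each full byte."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in text.rstrip("="):
        bits = (bits << 6) | ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)

def basic_auth_credentials(authorization_header: str):
    """Recover (username, password) from an 'Authorization: Basic ...' value."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = b64decode(encoded).decode("utf-8").partition(":")
    return user, password

# Constructed sample: the header a browser sends after a Basic challenge.
SAMPLE_HEADER = "Basic " + b64encode(b"alice:hunter2")

if __name__ == "__main__":
    # Cross-check the hand-written encoder against the standard library.
    assert b64encode(b"alice:hunter2") == base64.b64encode(b"alice:hunter2").decode()
    print(SAMPLE_HEADER, "->", basic_auth_credentials(SAMPLE_HEADER))
```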