
Essentials of Web Application Security V3.0

Module 2: Web Application Basics

© Copyright IBM Corporation 2014


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Objectives

After completing this module, you will be able to:

• Describe the common components of Web applications

• Think of HTML and HTTP in their most basic forms, just like a hacker would

What is a Web application?
• Web site versus Web application
 No precise definition
 Subtle distinction
• Web site
 Provides access to static documents
 No user input that affects business functionality
• Web application
 Builds on a Web site
 Takes user input that affects backend business logic
 The Web server typically interacts with other backend servers, such as an
application server or a database server

Web application components

Internet → Firewall → Web server (presentation) → Application server (business logic) → Database

 Client tier: the browser
 Middle tier: the Web server and the application server
 Data tier: the database server

Client tier

• Implemented in a Web browser


• Consists of HTML presentation
• Can also contain “semi” intelligent components (scripts)
 JavaScript
 ActiveX
 Dynamic HTML
• Handles all user-level input and output

Client tier: HTML (Hypertext Markup Language)
• A textual representation of a graphical page
• Consists of tags, attributes, and values
• There is a vast number of different tags, and each is rendered differently
• Most injection attacks involve breaking out of the current context (for example,
closing the text of a <p> element) and starting a new context (such as a <script>
element); more on code versus data in the next module
• Less common attacks create a sub-context within the current context, or inject
directly into the current context (for example, where untrusted data is placed
straight into a <script> block as code)
 The latter cannot be stopped by output encoding, because the data already sits in
the context the attacker wants; it has to be prevented by design, by never placing
untrusted data there as code

<html>
<head>
<title>My Homepage</title>
</head>
<body>
<p>Hello World</p>
</body>
</html>
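The context-breaking idea above, as an added example in Node.js (not code from the IBM course): a greeting template rendered without encoding and then with per-context encoding, plus a script-context case where HTML encoding cannot help. The template functions, the payload strings and the small tag scanner are constructed for this illustration only.

```javascript
// Added example, not from the course material. Shows HTML injection as
// "breaking out of the current context" and the encoding that prevents it.
// Runs under Node.js with no dependencies.

// Encode the characters that can change meaning in an HTML text node or in a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Text-node context: untrusted data lands between <p> and </p>.
function renderGreetingUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}
function renderGreetingSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// Attribute context: untrusted data lands inside a double-quoted attribute.
function renderLinkUnsafe(title) {
  return `<a title="${title}" href="/home">home</a>`;
}
function renderLinkSafe(title) {
  return `<a title="${escapeHtml(title)}" href="/home">home</a>`;
}

// Script context: untrusted data lands directly inside running code. HTML
// entity encoding does nothing here (entities are not decoded inside
// <script>), so the data must be emitted as a JavaScript string literal, with
// "<" escaped so that a "</script>" inside the value cannot end the block.
function renderInlineDataUnsafe(value) {
  return `<script>var greeting = ${value};</script>`;
}
function renderInlineDataSafe(value) {
  const literal = JSON.stringify(String(value)).replace(/</g, '\\u003c');
  return `<script>var greeting = ${literal};</script>`;
}

// Minimal tag/attribute scanner, good enough for this demo (not a real HTML
// parser): lists the tag names and attribute names a browser would see.
function scanMarkup(html) {
  const tags = [];
  const attrs = [];
  const tagRe = /<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    tags.push(t[1].toLowerCase());
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(t[2])) !== null) attrs.push(a[1].toLowerCase());
  }
  return { tags, attrs };
}

// Constructed payloads: the first closes the paragraph and opens a script
// element, the second closes the attribute's quote and adds an event handler,
// the third closes the script element and opens a new one.
const TEXT_PAYLOAD = '</p><script>alert(1)</script><p>';
const ATTR_PAYLOAD = '" onmouseover="alert(1)';
const SCRIPT_PAYLOAD = '</script><script>alert(1)</script>';

// Did each payload gain a new tag or attribute in the rendered output?
function demo() {
  return {
    textUnsafe: scanMarkup(renderGreetingUnsafe(TEXT_PAYLOAD)).tags.includes('script'),
    textSafe: scanMarkup(renderGreetingSafe(TEXT_PAYLOAD)).tags.includes('script'),
    attrUnsafe: scanMarkup(renderLinkUnsafe(ATTR_PAYLOAD)).attrs.includes('onmouseover'),
    attrSafe: scanMarkup(renderLinkSafe(ATTR_PAYLOAD)).attrs.includes('onmouseover'),
    scriptUnsafeTags: scanMarkup(renderInlineDataUnsafe(SCRIPT_PAYLOAD)).tags.length,
    scriptSafeTags: scanMarkup(renderInlineDataSafe(SCRIPT_PAYLOAD)).tags.length,
  };
}

console.log(demo());
```

The scanner is deliberately crude: it only counts what a browser would parse as tags and attribute names, which is exactly what changes when input breaks out of its context. Note that the attribute case still contains the text "onmouseover=" after encoding; it is harmless because it now sits inside the quoted value instead of forming a new attribute.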

Client tier: Scripting capabilities
• A script has the following capabilities:
 Implement user interactions with the Web site
 Interact seamlessly with the Web site
 Perform any action that is related to the Web site
 Launch signed and safe ActiveX controls

<html>
<body onmouseover="toggleBackColor()">
<script>
// Called on every mouse movement over the body: flips the background colour
function toggleBackColor() {
  if (document.body.bgColor=="#ff0000") {
    document.body.bgColor="#ffffff";
  } else {
    document.body.bgColor="#ff0000";
  }
}
</script>
<H1>Hello World</H1>
</body>
</html>

Client tier: Same origin policy
• A script loaded from one origin cannot get or set properties of a document
from a different origin
• An origin is defined by the combination of three values:
 Protocol (scheme: http and https are different origins)
 Host name (www.example.com and example.com are different origins)
 Port (an omitted port means the scheme's default, so http://host and
http://host:80 are the same origin, while http://host:8080 is not)
• Scripts can access other frames only from the same origin
• Scripts can issue requests to documents from a different origin, but cannot
read the corresponding responses unless the target server opts in with CORS
(Access-Control-Allow-Origin) headers
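The origin comparison described above, as an added example in Node.js (not code from the IBM course): it writes out the scheme/host/port rule with explicit default-port handling, answers the two questions the slide raises (may a script touch a frame, may it read a cross-origin response), and adds the CORS opt-in the slide predates. The host names are made up; the functions use only the built-in WHATWG URL class.

```javascript
// Added example, not from the course material. Implements the origin
// comparison a browser performs for the Same Origin Policy, plus the CORS
// exception for reading cross-origin responses. Node.js, no dependencies.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to the (scheme, host, port) triple that defines its origin.
// Path, query and fragment play no part. URL() already drops a default port,
// so it is restored here to make the comparison explicit.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (!port) throw new Error(`no default port known for scheme ${u.protocol}`);
  return { scheme: u.protocol, host: u.hostname, port };
}

// Serialise an origin the way browsers do in the Origin request header and in
// Access-Control-Allow-Origin: default ports are omitted.
function serializeOrigin(o) {
  const explicit = o.port === DEFAULT_PORTS[o.scheme] ? '' : `:${o.port}`;
  return `${o.scheme}//${o.host}${explicit}`;
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Can a script running in the page at scriptUrl get or set properties of a
// frame loaded from frameUrl? There is no opt-in for DOM access.
function canAccessFrame(scriptUrl, frameUrl) {
  return sameOrigin(scriptUrl, frameUrl);
}

// Can a script at scriptUrl read the body of a response fetched from
// targetUrl? allowOrigin is the server's Access-Control-Allow-Origin value
// (null when the server sent none). The request itself is always sent.
function canReadResponse(scriptUrl, targetUrl, allowOrigin = null, withCredentials = false) {
  if (sameOrigin(scriptUrl, targetUrl)) return true;        // SOP: same origin
  if (allowOrigin === null) return false;                    // no CORS opt-in
  if (allowOrigin === '*') return !withCredentials;          // "*" never applies to credentialed requests
  return allowOrigin === serializeOrigin(originOf(scriptUrl)); // exact origin match
}

console.log(sameOrigin('http://www.example.com/a', 'http://www.example.com:80/b'));
console.log(canReadResponse('http://app.example.com/page', 'http://api.example.com/data'));
```

The last function is the part worth remembering when testing an API: a missing response body in the browser console does not mean the request was blocked. The request reached the server and was processed; only the read was refused, which is why state-changing cross-origin requests still need CSRF protection.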

Client tier: Web 2.0
• Web 2.0
 Not a new technology
 Web 2.0 sites existed long before the term emerged
 Very hyped (a buzz word)
• What is Web 2.0 for us:
 Extensive use of JavaScript, XMLHttpRequests, and client-side logic
• Web 2.0 Security: Why does it get attention?
 Growth in usage → growth in the number of vulnerabilities
 Web 2.0 trend → more research → more attack flows
 Massive usage → bigger risk (Samy MySpace worm)

Client tier: AJAX
• AJAX = Asynchronous JavaScript And XML
• In reality, it is simply a group of technologies
• Uses the XMLHttpRequest JavaScript object:
 Allows background communication with the server
 Restricted by the Same Origin Policy
• Changes the UI look and feel:
 No page refresh
 Faster interaction with the Web site
 Single-page applications with a lot of client-side logic

Middle tier: Presentation
• Generates and presents Web pages via Web server:
 Apache
 IIS
 And so on
• Can also generate “dynamic” content based on
 Active Server Pages (ASP)
 Cold Fusion (CFM)
 Java™Server Pages (JSP) technology
 PHP (PHP: Hypertext Preprocessor)
 CGI/ Perl scripts
• Can be part of an “application server” implementation
 IBM® WebSphere® Application Server

Middle tier: Business logic
• Specific business functionality
• Can be based on one of several technologies
 Java™ EE
 Microsoft® .NET
 Others (Cold Fusion, PHP, and so on)
• Code to perform
 Required calculations
 Manage access to corporate resources
 Interfaces to data stores

Data tier
• Sometimes referred to as the “back end” tier
• Controls access to
 User and application specific data
 Corporate data
• Usually based on Relational Database Management Systems (RDBMS)
technology
 Microsoft® SQL Server
 Oracle
 IBM® DB2®
 Sybase, MySQL, and so on

Document referencing
• Uniform Resource Locator (URL)
• Example:
http://www.watchfire.com:80/products/appscan/default.aspx?articleId=4
 http:// is the protocol (others: HTTPS, FTP, Gopher, file)
 www.watchfire.com is the host name
 :80 is the port (80 is the default for HTTP, so it is usually omitted)
 /products/appscan/default.aspx is the document path
 Everything after the question mark (“?”) is called the QUERY portion of the
URL (that is, the data appended to the path)
• Note:
 URL Encoding: data sent to a Web application has to be encoded in a special
format. Because it is appended to the URL itself, it cannot contain characters that
have a meaning in the URL syntax, such as a space, newlines, ampersand (&),
equals (=), and so on. The format is %HH, where HH is the hexadecimal value of
the byte to be sent (one %HH group per byte for multi-byte characters).
• Space is %20
• Double quote is %22
• Left parenthesis is %28
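The URL breakdown and the %HH rule above, as an added example in Node.js (not code from the IBM course): a small URL splitter that names the same parts as the slide, a by-hand percent encoder and decoder, and a query-string parser. The encoder is written out rather than calling JavaScript's encodeURIComponent, which leaves "(" ")" "!" "'" "*" "~" unencoded even though the slide counts "(" among the characters that need encoding. The sample values beyond the slide's own URL are made up.

```javascript
// Added example, not from the course material. URL parts and %HH encoding.
// Runs under Node.js with no dependencies.

// Characters that never need encoding (RFC 3986 "unreserved"). Everything
// else, including each byte of a multi-byte UTF-8 character, becomes %HH.
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

function percentEncode(value) {
  return Array.from(Buffer.from(String(value), 'utf8'), (byte) => {
    const ch = String.fromCharCode(byte);
    return byte < 0x80 && UNRESERVED.test(ch)
      ? ch
      : '%' + byte.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// Decoding for the query portion: "+" means space (form encoding) and each
// run of %HH groups is turned back into bytes and decoded as UTF-8.
function percentDecode(text) {
  return text.replace(/\+/g, ' ').replace(/(?:%[0-9A-Fa-f]{2})+/g, (run) =>
    Buffer.from(run.slice(1).split('%').map((h) => parseInt(h, 16))).toString('utf8'));
}

// Build a query string from an object of parameter names and values.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => `${percentEncode(k)}=${percentEncode(v)}`)
    .join('&');
}

// Parse a query string. Values are kept as arrays because a parameter may be
// repeated, and which copy the server honours is application-specific.
function parseQuery(query) {
  const params = {};
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = percentDecode(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : percentDecode(pair.slice(eq + 1));
    (params[name] = params[name] || []).push(value);
  }
  return params;
}

// Split an absolute URL into the parts named on the slide. The port defaults
// from the scheme when it is not written out.
const URL_RE = /^([A-Za-z][A-Za-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/;
const SCHEME_PORTS = { http: '80', https: '443', ftp: '21' };

function parseUrl(url) {
  const m = URL_RE.exec(url);
  if (!m) throw new Error('not an absolute URL: ' + url);
  const protocol = m[1].toLowerCase();
  return {
    protocol,
    host: m[2].toLowerCase(),
    port: m[3] || SCHEME_PORTS[protocol] || '',
    path: m[4] || '/',
    query: m[5] || '',
    fragment: m[6] || '',
    params: parseQuery(m[5] || ''),
  };
}

console.log(parseUrl('http://www.watchfire.com:80/products/appscan/default.aspx?articleId=4'));
// An unencoded "&" or "=" in a value is parsed as URL syntax, not as data:
console.log(parseQuery('q=a&b=c'), parseQuery('q=' + percentEncode('a&b=c')));
```

The last two calls show the reason for encoding: the value "a&b=c" sent raw turns into two parameters, sent encoded it arrives intact. The array-valued parser also makes duplicate parameters visible, which is worth checking on any application that reads the "first" or "last" copy inconsistently between its firewall and its back end.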

HTML forms

GET: the form fields travel in the URL as the query string (visible in the
address bar, browser history, Referer headers, and server logs)

POST: the form fields travel in the request body (by default with
Content-Type: application/x-www-form-urlencoded)

HTTP: Hypertext Transfer Protocol
• HTTP is a communications protocol used to transfer information on
intranets and the World Wide Web
• Versions: 0.9, 1.0, 1.1
• RFCs (request for comments): 1945, 2068, 2616 (RFC 2616 has since been
replaced, first by RFCs 7230 to 7235 and then by RFCs 9110 to 9112; HTTP/2 and
HTTP/3 came later and keep the same request/response model)
• Describes the “language” used by browsers and Web servers

Client  ---- Request  --->  Server
Client  <--- Response ----  Server

HTTP request/response examples

Request: (captured request shown as a screenshot in the original slide)

Response: (captured response shown as a screenshot in the original slide)
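The GET versus POST form submissions and the request/response exchange above, as an added example in Node.js (not code from the IBM course): it builds the raw HTTP/1.1 text a browser sends for the same form under each method, then parses a raw response into status line, headers and body, classifying the status code by its first digit. The host, path and form fields are made up; the sample response is constructed but reuses the two Set-Cookie lines quoted later in this module.

```javascript
// Added example, not from the course material. Raw HTTP/1.1 request building
// and response parsing. Runs under Node.js with no dependencies.
const CRLF = '\r\n';

// application/x-www-form-urlencoded, as a browser form submission produces it
// (space becomes "+"); URLSearchParams is Node's built-in implementation.
function formEncode(fields) {
  return new URLSearchParams(fields).toString();
}

// The bytes on the wire for a form submitted with GET or POST.
function buildFormRequest(method, host, path, fields) {
  const encoded = formEncode(fields);
  if (method === 'GET') {
    // Data rides in the URL: visible in the address bar, history, Referer and logs.
    return [`GET ${path}?${encoded} HTTP/1.1`, `Host: ${host}`, '', ''].join(CRLF);
  }
  if (method === 'POST') {
    // Data rides in the body; Content-Length tells the server where it ends.
    return [
      `POST ${path} HTTP/1.1`,
      `Host: ${host}`,
      'Content-Type: application/x-www-form-urlencoded',
      `Content-Length: ${Buffer.byteLength(encoded)}`,
      '',
      encoded,
    ].join(CRLF);
  }
  throw new Error('unsupported method: ' + method);
}

const STATUS_CLASSES = ['', 'informational', 'success', 'redirection', 'client error', 'server error'];

// Parse a complete response held in a string. Header names are
// case-insensitive, so they are lower-cased; values are kept as arrays because
// a header such as Set-Cookie can legitimately appear more than once.
function parseResponse(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end < 0) throw new Error('response has no end of headers');
  const [statusLine, ...headerLines] = raw.slice(0, end).split(CRLF);
  const m = /^HTTP\/(\d\.\d) (\d{3}) ?(.*)$/.exec(statusLine);
  if (!m) throw new Error('bad status line: ' + statusLine);
  const headers = {};
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon < 0) throw new Error('bad header line: ' + line);
    const name = line.slice(0, colon).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(colon + 1).trim());
  }
  const status = Number(m[2]);
  const rest = raw.slice(end + 4);
  // Byte and character counts coincide here because the demo body is ASCII.
  const length = 'content-length' in headers ? Number(headers['content-length'][0]) : rest.length;
  return {
    version: m[1],
    status,
    reason: m[3],
    statusClass: STATUS_CLASSES[Math.floor(status / 100)] || 'unknown',
    headers,
    body: rest.slice(0, length),
  };
}

// Constructed response; the cookie lines are the ones quoted later in this module.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: Microsoft-IIS/6.0',
  'Set-Cookie: ASP.NET_SessionId=zsi0ij45xls3ccrlio523h55; path=/; HttpOnly',
  'Set-Cookie: amSessionId=10228114238; path=/',
  'Content-Type: text/html; charset=utf-8',
  'Content-Length: 18',
  '',
  '<p>Hello World</p>',
].join(CRLF);

console.log(buildFormRequest('GET', 'www.example.com', '/search', { q: 'web app', page: '2' }));
console.log(buildFormRequest('POST', 'www.example.com', '/search', { q: 'web app', page: '2' }));
console.log(parseResponse(SAMPLE_RESPONSE));
```

Two details matter when reading traffic in a proxy: the same form data is equally easy to tamper with under either method (POST only moves it out of the URL, it does not protect it), and repeated headers must be kept as a list, otherwise the second session cookie in the sample response silently disappears.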

HTTP request methods (basics)
• GET: retrieve a document
• HEAD: retrieve header information
• POST: send data to the server
• PUT, DELETE: store an entity-body at the URL, and delete the resource at a
URL (both should be disabled or strictly authorized on a Web server)
• TRACE: allows the client to see what is being received at the
other end of the request chain, and use that data for testing
or diagnostic information (it echoes the request, cookies included, so it is
normally disabled in production)
• OPTIONS: a request for information about the
communication options available on the request/response
chain identified by the Request-URI

HTTP response codes
• 1XX: Informational. The client SHOULD continue with its request.
• 2XX: Successful. The client's request was successfully received, understood,
and accepted.
• 3XX: Redirection. Further action needs to be taken by the user agent in order to
fulfill the request.
• 4XX: Client Error. The request contains bad syntax or cannot be fulfilled.
• 5XX: Server Error. The server is aware that it has erred or is incapable of
performing the request.

HTTP response codes examples (shown as a screenshot in the original slide)

Client state management
• HTTP is stateless: no continuity from one request to the next
• Maintaining state is a responsibility of the Web application
• Session: putting individual user requests in context
• Session management mechanisms
 Cookie
• A piece of data stored by the browser on behalf of the Web server
• Typically set by the server, as in this response header excerpt:

Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=zsi0ij45xls3ccrlio523h55; path=/; HttpOnly
Set-Cookie: amSessionId=10228114238; path=/
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 9605

• In this excerpt ASP.NET_SessionId is flagged HttpOnly (page scripts cannot read it)
while amSessionId is not, neither carries the Secure flag, and the Server,
X-Powered-By and X-AspNet-Version headers disclose the exact platform version
 GET / POST query parameter
 URL path, for example the ASP.NET “cookieless” session identifier embedded
in the path:
• http://www.example.com/s(lit3py55t21z5v55vlm25s55)/orderform.aspx
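The cookie mechanism above, as an added example in Node.js (not code from the IBM course): it parses the two Set-Cookie headers quoted above into a small cookie jar, applies the rules that decide which stored cookies are attached to a later request (path match, Secure flag, same host), and audits a session cookie's flags. It is simplified on purpose: the Domain attribute, Expires/Max-Age and SameSite are not modelled, and a cookie is only returned to the exact host that set it. The host name www.example.com and the extra cookie in the usage are made up.

```javascript
// Added example, not from the course material. A minimal cookie jar following
// the RFC 6265 path rules, plus a flag audit. Runs under Node.js, no dependencies.

// RFC 6265 default-path: the request path up to, but not including, its last "/".
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/') || requestPath.lastIndexOf('/') === 0) return '/';
  return requestPath.slice(0, requestPath.lastIndexOf('/'));
}

// Parse one Set-Cookie header value as received from `host` for `requestPath`.
function parseSetCookie(header, host, requestPath = '/') {
  const [pair, ...attributes] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed cookie pair: ' + pair);
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    host,
    path: defaultPath(requestPath),
    secure: false,
    httpOnly: false,
  };
  for (const attr of attributes) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// RFC 6265 path-match: equal, or a prefix at a "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// The Cookie header the browser would send for a request, or '' if none apply.
// A Secure cookie is withheld from plain-HTTP requests.
function cookieHeaderFor(jar, { scheme, host, path }) {
  return jar
    .filter((c) => c.host === host && pathMatches(c.path, path) && (!c.secure || scheme === 'https'))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// The flags a practitioner checks on any cookie carrying a session identifier.
function auditSessionCookie(cookie) {
  const findings = [];
  if (!cookie.httpOnly) findings.push('no HttpOnly: readable by page scripts');
  if (!cookie.secure) findings.push('no Secure: sent over plain HTTP');
  return findings;
}

// Constructed jar: the two Set-Cookie values from the header excerpt above, as
// if received from www.example.com in the response to GET /.
const JAR = [
  'ASP.NET_SessionId=zsi0ij45xls3ccrlio523h55; path=/; HttpOnly',
  'amSessionId=10228114238; path=/',
].map((h) => parseSetCookie(h, 'www.example.com', '/'));

console.log(cookieHeaderFor(JAR, { scheme: 'http', host: 'www.example.com', path: '/orderform.aspx' }));
for (const c of JAR) console.log(c.name, auditSessionCookie(c));
```

Both cookies from the excerpt go out on the next plain-HTTP request to the same host, and the audit reports that neither is protected from interception and that amSessionId is also exposed to any script injected into the page; that is the first thing to check after capturing a login response in a proxy.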

Useful Utilities
• Fiddler is a Web debugging proxy that logs all HTTP(S) traffic
between your computer and the Internet
• Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and
"fiddle" with incoming or outgoing data
 Download: http://www.fiddler2.com/fiddler2/version.asp
• The Firefox ‘Tamper Data’ extension is also useful for parameter tampering
Summary
In this module you learned:

• To describe the common components of Web applications


 Client tier: HTML and scripting
• Same Origin Policy is very important
 Middle tier: Web server and application server
 Data tier: Database back-end

• To think of HTML and HTTP in their most basic forms, just like a hacker
would
 HTML forms: GET versus POST requests
 HTTP request/response
 Client state management
