WSEC 320 Lecture Notes 1
WEB SECURITY
INTRODUCTION (CONT’D)
In general, a client-server architecture is an architecture that has:
A client that sends a request.
A server that responds to the client's request.
INTRODUCTION (CONT’D)
A web server is a program that runs on the server machine.
A web server processes all the requests coming from clients.
A web server accepts a request and (if possible) returns an HTTP response accompanied by an HTML page.
A web browser is a client-side application that requests resources from web servers.
INTRODUCTION (CONT’D)
A web server can host a web application or a website.
A website is just a set of related web pages located under a single domain name, e.g. must.ac.mw
A web application is a web-based program or piece of software designed to fulfil a particular purpose, e.g. saris.must.ac.mw
HTTP MESSAGES
Client
The HTTP client sends a request to the server in the form of a request method, URI, and protocol version, followed by a MIME-like message containing request modifiers, client information, and possible body content, over a TCP/IP connection.
Server
The HTTP server responds with a status line, including the message's protocol version and a success or error code, followed by a MIME-like message containing server information, entity metainformation, and possible entity-body content.
HTTP MESSAGES (CONT’D)
HTTP requests and HTTP responses use the generic message format of RFC 822 for transferring the required data.
This generic message format consists of the following four items:
A start-line
Zero or more header fields, each followed by CRLF
An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
Optionally, a message body
HTTP MESSAGES (CONT’D)
Example HTTP request message (fetch hello.html from www.mywebsite.com)
HTTP MESSAGES (CONT’D)
Example HTTP response message (from the request in the previous slide)
HTTP/1.1 200 OK
Date: Mon, 3 April 2023 12:28:53 GMT
Server: Apache/2.2.14 (Win64)
Last-Modified: Wed, 22 Feb 2023 19:15:56 GMT
Content-Length: 88
Content-Type: text/html
Connection: Closed

<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>
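As an added example that is not part of the original lecture, the following Python builds the request described two slides above and parses messages in the four-part generic format (start-line, header fields, empty line, optional body). The sample request, the sample response in the shape of the one above, and the header values in them are constructed for this example. The Content-Length check shows why a receiver should refuse a message whose declared and actual body lengths disagree: two implementations that frame the same bytes differently no longer agree on what the message is.

```python
"""Parse and build HTTP/1.1 messages in the generic four-part format:
start-line, header fields (each ending in CRLF), an empty line, optional body.
Added example for these notes; not code from the course or any library."""
from dataclasses import dataclass

CRLF = b"\r\n"


@dataclass
class HttpMessage:
    start_line: str
    headers: list          # (name, value) pairs in wire order; duplicates are kept
    body: bytes


def parse_http_message(raw: bytes) -> HttpMessage:
    """Split a raw message at the first empty line (CRLF CRLF) into head and body."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no empty line terminating the header section")
    lines = head.split(CRLF)
    start_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        text = line.decode("latin-1")
        name, colon, value = text.partition(":")
        # Whitespace between the field name and the colon is not allowed (RFC 7230);
        # accepting it would let two parsers read one header line differently.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header field: {text!r}")
        headers.append((name, value.strip()))
    return HttpMessage(start_line, headers, body)


def header_values(msg: HttpMessage, name: str) -> list:
    """All values of a header field, matched case-insensitively."""
    return [v for n, v in msg.headers if n.lower() == name.lower()]


def declared_body_length(msg: HttpMessage):
    """Content-Length the message declares, or None if absent. Several differing
    values, or a non-numeric one, are rejected: if sender and receiver could
    disagree on where the body ends, the message is unsafe to act on."""
    values = header_values(msg, "Content-Length")
    if not values:
        return None
    if len(set(values)) != 1 or not values[0].isdigit():
        raise ValueError(f"ambiguous Content-Length: {values}")
    return int(values[0])


def check_body_length(msg: HttpMessage) -> bool:
    """True when the body matches the declared Content-Length (or none is declared)."""
    n = declared_body_length(msg)
    return n is None or n == len(msg.body)


def is_well_formed(raw: bytes) -> bool:
    """True when the bytes parse under the generic format and frame their body consistently."""
    try:
        return check_body_length(parse_http_message(raw))
    except ValueError:
        return False


def build_request(method: str, path: str, host: str, extra_headers=()) -> bytes:
    """Assemble a bodiless request: request-line, Host, the caller's headers, empty line."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{n}: {v}" for n, v in extra_headers]
    return CRLF.join(l.encode("latin-1") for l in lines) + CRLF + CRLF


def build_response(status: str, headers, body: bytes) -> bytes:
    """Assemble a response: status-line, headers, empty line, body."""
    lines = [f"HTTP/1.1 {status}"] + [f"{n}: {v}" for n, v in headers]
    return CRLF.join(l.encode("latin-1") for l in lines) + CRLF + CRLF + body


# Constructed sample: the request the slide describes (fetch hello.html from www.mywebsite.com).
REQUEST = build_request("GET", "/hello.html", "www.mywebsite.com",
                        [("User-Agent", "ExampleBrowser/1.0"), ("Accept-Language", "en-us")])

# Constructed sample response in the shape of the slide's example; Content-Length is
# computed from the body rather than typed in by hand.
BODY = b"<html>\r\n<body>\r\n<h1>Hello, World!</h1>\r\n</body>\r\n</html>\r\n"
RESPONSE = build_response("200 OK", [("Server", "Apache/2.2.14 (Win64)"),
                                     ("Content-Type", "text/html"),
                                     ("Content-Length", len(BODY)),
                                     ("Connection", "close")], BODY)
# Same body with a deliberately wrong Content-Length, so the check has something to catch.
BAD_RESPONSE = build_response("200 OK", [("Content-Type", "text/html"),
                                         ("Content-Length", 999)], BODY)

if __name__ == "__main__":
    req = parse_http_message(REQUEST)
    print(req.start_line, header_values(req, "host"))
    for raw in (RESPONSE, BAD_RESPONSE):
        print(parse_http_message(raw).start_line, "framed consistently:", is_well_formed(raw))
```

The parser keeps duplicate headers rather than silently merging them, which is what lets `declared_body_length` notice two conflicting Content-Length values instead of picking one of them.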
HTTP MESSAGES (CONT’D)
HTTP headers can be grouped based on their context:
Request headers contain more information about the resource to be fetched, or about the client requesting the resource.
Response headers hold additional information about the response, like its location, or about the server providing it.
Representation headers contain information about the body of the resource, like its MIME type, or the encoding/compression applied.
Payload headers contain representation-independent information about payload data, including content length and the encoding used for transport.
HTTP MESSAGES (CONT’D)
A list of various HTTP headers can be accessed at https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
HTTP VS HTTPS
HTTPS stands for Hypertext Transfer Protocol Secure.
Although it functions similarly to HTTP, HTTPS works to protect communication between web servers and browsers when transporting data.
HTTPS secures connections with a digital security protocol that uses cryptographic keys to encrypt and validate data.
The most common way for websites to use HTTPS and have a secure domain is by obtaining a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate.
Although TLS is becoming the standard for HTTPS, most SSL certificates support both the SSL and TLS protocols.
LIMITATIONS OF HTTPS
Deployment Limitations
HTTPS only works if one uses it.
One needs to specify https:// on every URL, including URLs in documentation, email, advertisements, and everything else.
Use Strict-Transport-Security and Content-Security-
LIMITATIONS OF HTTPS (CONT’D)
Privacy Limitations
SNI / IP-Address
When one connects to a server over HTTPS, the URL they are requesting is encrypted and invisible to network observers.
However, observers can see both the IP address they
LIMITATIONS OF HTTPS (CONT’D)
Server Limitations
Server Compromise
HTTPS only aims to protect the bytes in transit.
DOM mixing
Access to https resources can be mixed with http resources.
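As an added example (not from the lecture), the following Python audits one response for two of the gaps named on these slides: a missing or short Strict-Transport-Security header (the deployment slide), and a page served over https:// whose HTML pulls sub-resources over plain http:// (DOM mixing). The headers and HTML are constructed samples. It assumes the response was fetched over HTTPS, since browsers ignore the HSTS header on plain-HTTP responses, and the one-year minimum max-age is a conventional choice, not a figure from the notes.

```python
"""Audit an HTTPS response for two deployment gaps from these slides: a missing or
short Strict-Transport-Security (HSTS) header, and HTML that mixes http:// sub-resources
into an https:// page. Added example for the notes; not code from the course."""
import re
from html.parser import HTMLParser

# Sub-resources that run or restyle the page if altered in transit
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data")}
# Sub-resources whose tampering only changes what is displayed
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}

ONE_YEAR = 31536000  # conventional minimum HSTS max-age; an assumption, not a rule from the notes


class MixedContentFinder(HTMLParser):
    """Collect (kind, tag, url) for every sub-resource reference that uses plain http://."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE:
                self.found.append(("active", tag, value))
            elif (tag, name) in PASSIVE:
                self.found.append(("passive", tag, value))


def find_mixed_content(html: str) -> list:
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.found


def hsts_max_age(headers: dict):
    """max-age from Strict-Transport-Security, or None if the header is absent or unusable."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_https_response(headers: dict, body: str, min_max_age: int = ONE_YEAR) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    age = hsts_max_age(headers)
    if age is None:
        findings.append("no usable Strict-Transport-Security header: a plain http:// link "
                        "to this site still reaches it unprotected")
    elif age < min_max_age:
        findings.append(f"Strict-Transport-Security max-age={age} is shorter than {min_max_age} seconds")
    for kind, tag, url in find_mixed_content(body):
        findings.append(f"{kind} mixed content: <{tag}> loads {url} over plain HTTP")
    return findings


# Constructed samples (not captured from any real site).
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_BODY = ('<html><head><script src="http://cdn.example/lib.js"></script></head>'
             '<body><img src="http://img.example/logo.png"></body></html>')
GOOD_HEADERS = {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=63072000; includeSubDomains"}
GOOD_BODY = ('<html><head><script src="https://cdn.example/lib.js"></script></head>'
             '<body><img src="/logo.png"></body></html>')

if __name__ == "__main__":
    for label, hdrs, html in (("weak", WEAK_HEADERS, WEAK_BODY), ("good", GOOD_HEADERS, GOOD_BODY)):
        print(label, audit_https_response(hdrs, html) or ["ok"])
```

The audit separates active from passive mixed content because a script or stylesheet fetched in the clear can change what the whole https:// page does, whereas an image fetched in the clear can only change what is shown; both are findings, but the first is the one to fix first.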
LIMITATIONS OF HTTPS (CONT’D)
Client Identity Limitations
A man-in-the-middle attack can still occur when a client application has been compromised by malware, such that tampering or data leaks are performed before encryption or after decryption.
The spyware could take the form of malware in the OS, or a malicious or buggy browser extension.
CONCLUSION
The Hypertext Transfer Protocol (HTTP) is a TCP/IP-based communication protocol used to deliver data (HTML files, image files, query results, etc.) on the World Wide Web.
HTTP is a request/response protocol based on the client/server architecture, where web browsers, robots, search engines, etc. act as HTTP clients and the web server acts as the server.
HTTP requests and HTTP responses use the generic message format of RFC 822 for transferring the required data.
Although it functions similarly to HTTP, HTTPS works to protect communication between web servers and browsers when transporting data.
END OF LECTURE 1
THANK YOU!
REFERENCES & FURTHER READING
https://www.tutorialspoint.com/http/http_quick_guide.htm
https://datatracker.ietf.org/doc/html/rfc6454#page-7