Web Science

The document outlines the history, evolution, and technological foundations of the World Wide Web, detailing its development from Tim Berners-Lee's initial proposal in 1989 to the emergence of various web versions (Web 1.0, 2.0, and 3.0). It explains the core functions of web browsers and servers, including how they process requests and deliver content, as well as the structure and syntax of HTML and XML. Additionally, it discusses different approaches to web application development, emphasizing the balance between programmatic and template-based methods.


UNIT 1

1. History of the Web

 1989: Tim Berners-Lee proposed an information management system at CERN, leading


to the creation of the World Wide Web (WWW).
 Early Internet Technologies: Predecessors included FTP, Gopher, and Netnews.
 Hypertext Concept: Inspired by Ted Nelson's Xanadu project.
 Web’s Emergence: Integrated hypertext with internet protocols, creating a virtual
library accessible via URLs.

2. Evolution of the Web

- Web Expansion: Initially used in educational and research institutions before public adoption.
- E-commerce Growth: Businesses leveraged the web for online transactions and inventory management.
- Content Monetization: Shift between free (ad-supported) and paid content models.

3. Technological Foundations

- The web is built on Internet protocols (e.g., HTTP, HTML, TCP/IP).
- Web applications evolved from simple static web pages.

4. Introduction to Web Versions

| Feature | Web 1.0 | Web 2.0 | Web 3.0 |
|---|---|---|---|
| Definition | Read-only web (Static) | Interactive web (User-generated) | Intelligent web (Decentralized) |
| User Interaction | Limited (Users only consume content) | High (Users create & share content) | AI-driven, personalized experience |
| Technology Used | HTML, CSS, Basic JavaScript | AJAX, APIs, Social Media Platforms | Blockchain, AI, Semantic Web |
| Content Control | Centralized (by web admins) | Shared (by users & platforms) | Decentralized (data is shared, not owned) |
| Example Platforms | Yahoo, Britannica Online | Facebook, YouTube, Wikipedia | Blockchain Apps, Metaverse, Smart Contracts |

5. Building Blocks of the Web

1. HTML (HyperText Markup Language) – Defines structure.
2. CSS (Cascading Style Sheets) – Controls design & layout.
3. JavaScript – Adds interactivity.
4. Web Browsers – Software for accessing the web (e.g., Chrome, Firefox).
5. Web Servers – Host websites & deliver content.
6. HTTP/HTTPS – Protocol for data transfer (HTTPS is encrypted).
7. APIs (Application Programming Interfaces) – Enable software interactions.
8. Databases – Store and retrieve website data (e.g., MySQL, MongoDB).
9. CSS Frameworks & JavaScript Libraries – Prebuilt design tools (e.g., Bootstrap, React).
10. Responsive Web Design – Ensures adaptability to various devices.
11. Version Control Systems (Git) – Tracks and manages code changes.
12. Content Management Systems (CMS) – Simplifies content creation (e.g., WordPress).

6. Uniform Resource Locator (URL)

- Definition: A URL is the unique address of a webpage.
- Syntax: protocol://hostname/filename
  - Protocol: Rules for communication (e.g., HTTP, FTP).
  - Hostname: Web server’s address.
  - Path: Location of the file/resource.
  - Query String: Optional parameters (e.g., ?id=123).
  - Anchor: Directs to a specific section within a webpage (#section).
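
As an added example (not part of these notes), the following Python function splits a URL into the components listed above using the standard library's `urllib.parse`, and rejects any scheme outside a small allowlist so that an unexpected protocol is caught before the address is used. The sample URL and the allowlist are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URL that exercises every component named in the notes.
SAMPLE_URL = "https://www.example.com:8443/docs/page.html?id=123&lang=en#section2"

# Assumed allowlist: only these protocols are acceptable for this application.
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def parse_url(url):
    """Split a URL into protocol, hostname, port, path, query and anchor.

    Returns a dict. Raises ValueError when the scheme is not on the allowlist
    (so e.g. javascript: or file: addresses are refused) or the hostname is
    missing.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported protocol: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no hostname")
    return {
        "protocol": parts.scheme.lower(),
        "hostname": parts.hostname,
        "port": parts.port,              # None when no explicit port is given
        "path": parts.path or "/",       # empty path means the site root
        "query": parse_qs(parts.query),  # ?id=123&lang=en -> {'id': ['123'], 'lang': ['en']}
        "anchor": parts.fragment,        # text after '#', never sent to the server
    }


if __name__ == "__main__":
    for key, value in parse_url(SAMPLE_URL).items():
        print(f"{key:9s} {value}")
```
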

7. How URLs Work

1. User types a URL in the browser.
2. The browser sends a request to the web server.
3. The server processes the request and retrieves the requested webpage.
4. The browser displays the webpage to the user.

Core Functions of a Web Browser

A web browser is a software application that allows users to access and interact with content on
the World Wide Web. It interprets and renders web pages using various protocols and
technologies.

1. Rendering Web Pages

- Converts HTML, CSS, and JavaScript into a visual format.
- Uses a rendering engine (e.g., Blink for Chrome, Gecko for Firefox) to display pages correctly.

2. Fetching and Loading Web Content

- Uses HTTP/HTTPS to request data from web servers.
- Downloads and displays images, videos, and other media.

3. Interpreting Web Technologies

- Supports various web technologies like HTML5, CSS3, JavaScript, and WebAssembly.
- Enables interactive elements like forms, animations, and dynamic content.

4. Managing User Input and Navigation

- Processes URLs, search queries, and keyboard/mouse inputs.
- Provides back, forward, refresh, and bookmarking functionalities.

5. Security and Privacy

- Uses HTTPS and SSL/TLS encryption for secure communication.
- Implements sandboxing, phishing protection, and ad-blocking.

6. Caching and Performance Optimization

- Stores web pages and assets for faster loading.
- Supports lazy loading, prefetching, and compression techniques.

7. Extensibility and Customization

- Allows users to install extensions and plugins for added functionality (e.g., ad blockers, password managers).
- Supports themes and developer tools for customization.

8. Multi-tab and Session Management

- Enables browsing multiple sites in separate tabs or windows.
- Restores previous sessions and tracks browsing history.

9. Synchronization Across Devices

- Syncs bookmarks, passwords, and browsing history across devices.
- Uses cloud services like Google Sync (Chrome), Firefox Sync, and iCloud (Safari).

10. Developer Tools and Debugging

- Provides Inspect Element, Console, and Network Monitoring for web development.
- Helps in debugging CSS, JavaScript, and API requests.

1. Web Browser

A web browser is software that allows users to access and interact with websites.
It acts as a bridge between the user (client) and the web server by sending requests and
displaying responses.

Examples of Web Browsers

- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Safari

Core Functions of a Web Browser

1. User Interface – Provides an interface for users to interact with websites.
2. Request Generation – Builds and sends HTTP requests to web servers.
3. Response Processing – Receives and processes responses from servers.
4. Networking – Manages internet connections and handles data transfer.
5. Content Interpretation – Processes and displays HTML, CSS, JavaScript, and images.
6. Caching – Stores website data to improve speed.
7. State Maintenance – Uses cookies to remember user preferences.
8. Authentication – Manages login credentials for secure sites.

2. Browser Sessions vs HTTP Sessions

| Feature | Browser Session | HTTP Session |
|---|---|---|
| Managed by | The browser | The web server |
| Data Storage | Stored temporarily (until browser closes) | Stored on the server (until session expires) |
| Cookie Usage | Stores HTTP session ID as a cookie | Uses session ID to track user actions |
| Expiration | Ends when the browser is closed | Ends after inactivity timeout |
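
To make the division of labour in the table concrete, here is an added Python sketch (not from the notes) of a server-side session store: the server keeps the session data and enforces an inactivity timeout, while the browser receives only a random session ID in a cookie that carries no expiry, so it is discarded when the browser closes. The 15-minute timeout and the cookie name are assumptions; the clock is injectable so the expiry can be exercised without waiting.

```python
import secrets
import time
from http.cookies import SimpleCookie

INACTIVITY_TIMEOUT = 15 * 60  # seconds; assumed value for this example


class SessionStore:
    """HTTP session state kept on the server, keyed by an unguessable ID.

    The browser never sees the data, only the ID. Data is dropped once the
    session has been idle longer than INACTIVITY_TIMEOUT.
    """

    def __init__(self, clock=time.monotonic):
        self._sessions = {}
        self._clock = clock  # injectable for testing

    def create(self, data):
        sid = secrets.token_urlsafe(32)  # 256 random bits, URL-safe text
        self._sessions[sid] = {"data": dict(data), "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the session data, or None if the ID is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > INACTIVITY_TIMEOUT:
            del self._sessions[sid]  # expired: forget the server-side state
            return None
        entry["last_seen"] = now     # activity restarts the idle timer
        return entry["data"]

    def destroy(self, sid):
        """Logout: invalidate the ID on the server, whatever the browser still holds."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Build the Set-Cookie header that hands the session ID to the browser.

    No Max-Age or Expires attribute makes this a browser-session cookie, which
    the browser discards on close. HttpOnly keeps page scripts away from the
    ID, Secure restricts it to HTTPS, and SameSite=Lax limits cross-site sends.
    """
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid  # cookie name is an assumption
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Lax"
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"user": "alice"})
    print(set_cookie_header(sid))
    print(store.get(sid))
```

The browser-side lifetime (cookie with no expiry) and the server-side lifetime (idle timeout) are independent: either one ending is enough to end the usable session, which is why logout must call `destroy` rather than only clearing the cookie.
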

3. Web Server

A web server is a software or hardware that processes requests and delivers web pages to users. It stores, processes, and serves web content using protocols like HTTP/HTTPS.

Functions of a Web Server

1. Receives Requests – Accepts HTTP requests from web browsers.
2. Processes Requests – Checks if the requested file is static (HTML, images) or dynamic (PHP, JavaScript).
3. Sends Responses – Returns requested data or an error message.
4. Manages Connections – Handles multiple users at the same time.
5. Security & Authentication – Protects data using SSL/TLS encryption and user authentication.

4. HTTP Request Processing (Step-by-Step)

1. User Requests a Webpage
   - The user types a URL or clicks a link.
   - The browser sends an HTTP request to the web server.
2. Server Receives the Request
   - The web server processes the request and checks if the requested page exists.
   - If authentication is needed, the server prompts for login.
3. Server Sends a Response
   - If the file exists, the server returns the HTML page.
   - If not, it returns an error message (e.g., 404 Not Found).
4. Browser Renders the Page
   - The browser reads the HTML, CSS, and JavaScript files.
   - It loads images, styles, and scripts to display the webpage.

Chapter 2: Web Architecture

1. Web Browser

What is a Web Browser?

- A web browser is an application that allows users to access and navigate the World Wide Web (WWW).
- Acts as an intermediary between the client (user) and the server to request and display web content.
- Functions as a compiler that renders HTML pages containing text, images, styles, and JavaScript.
- Examples: Google Chrome, Microsoft Edge, Mozilla Firefox, Safari.

History of Web Browsers

- 1990: Tim Berners-Lee created the first web browser, World Wide Web (later renamed Nexus).
- 1993: Mosaic, the first browser to support images and text together, was developed by Marc Andreessen and his team.
- 1994: Netscape Navigator, an advanced commercial browser, was released.
- 1995: Microsoft introduced Internet Explorer, pre-installed in Windows OS.
- Other modern browsers such as Mozilla Firefox, Google Chrome, and Safari emerged with enhanced features.

Key Browser Functionalities

- Requests web documents through URL inputs, hyperlinks, or form submissions.
- Processes responses received from web servers.
- Renders content such as HTML, CSS, and JavaScript within the browser window.
- Manages state using cookies and cached data.
- Handles authentication for secure sites.
- Interprets HTTP headers and status codes to manage redirects, errors, and security protocols.

2. Web Server

What is a Web Server?

- A web server is a combination of software and hardware that processes and delivers web pages to users.
- Uses HTTP and other protocols to manage requests and serve web content.
- Can handle multiple user requests simultaneously, ensuring high availability.

How a Web Server Works

1. User Request: The user enters a URL (e.g., http://mysite.com/page.html).
2. Server Processing:
   - Identifies and maps the requested URL to a file or dynamic resource.
   - Verifies authentication if required.
   - Processes static or dynamic content.
3. Response Delivery: The server sends the requested file or dynamically generated response back to the browser.
4. Rendering in Browser: The browser interprets and displays the content.

Static vs. Dynamic Content

- Static Content: Pre-existing files (HTML, CSS, images) directly served by the web server.
- Dynamic Content: Generated in real-time using programming languages such as PHP, Python, JSP, or ASP.

3. HTTP Protocol

What is HTTP?

- Hypertext Transfer Protocol (HTTP) is the foundation of web communication.
- Operates on the request-response model, where a client (browser) sends a request and the server responds with the requested content.
- Stateless protocol: Each request is independent, and the server does not retain session data unless explicitly maintained.

Structure of HTTP Messages

Request Message Structure

- Request Line: Contains method (GET, POST, PUT, etc.), requested URL, and HTTP version.
- Headers: Provide additional request details (e.g., authentication, content type, caching instructions).
- Body (Optional): Contains form data or uploaded content for methods like POST or PUT.

Response Message Structure

- Status Line: Contains HTTP version and response status code (200 OK, 404 Not Found, 500 Internal Server Error, etc.).
- Headers: Describe the content type, encoding, caching policies, etc.
- Body: Contains the actual response (HTML, JSON, etc.).

Common HTTP Methods

- GET: Retrieves a resource (e.g., requesting a webpage).
- POST: Sends data to a server (e.g., form submissions).
- PUT: Updates an existing resource.
- DELETE: Removes a specified resource.
- HEAD: Similar to GET but retrieves only response headers (without body).

Persistent vs. Non-Persistent HTTP Connections

- Non-Persistent: A separate connection is opened for each request, increasing overhead.
- Persistent: A single connection is maintained for multiple requests, improving efficiency (default in HTTP/1.1).
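
The request and response structure above, as an added Python example (not from the notes): one function splits a raw HTTP/1.1 request into its request line, headers and body, accepting only as many body bytes as Content-Length declares, and a second builds a response with a status line, headers and an optional body (a HEAD-style reply carries the headers only). The request bytes are constructed for this example.

```python
# Constructed sample request, exactly as it would arrive on the wire.
RAW_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"username=alice&password=pw1"
)

SUPPORTED_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD"}


def parse_request(raw):
    """Split an HTTP/1.x request into request line, headers and body.

    Headers are separated from the body by an empty line (CRLF CRLF). Header
    names are case-insensitive, so they are lower-cased. Only Content-Length
    bytes of body are returned; anything beyond that is not part of this request.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed request: no blank line after the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError("malformed request line") from None
    if method not in SUPPORTED_METHODS or not version.startswith("HTTP/"):
        raise ValueError(f"unsupported method or version: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(body) < length:
        raise ValueError("body shorter than Content-Length")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def build_response(status, reason, body, content_type="text/html; charset=utf-8",
                   head_only=False):
    """Serialize a response: status line, headers, blank line, body.

    head_only=True produces what a HEAD request gets: the same headers,
    including Content-Length, but no body bytes.
    """
    body_bytes = body.encode("utf-8")
    header_lines = [
        f"HTTP/1.1 {status} {reason}",
        f"Content-Type: {content_type}",
        f"Content-Length: {len(body_bytes)}",
        "Connection: keep-alive",  # persistent connection, the HTTP/1.1 default
    ]
    head = "\r\n".join(header_lines).encode("iso-8859-1") + b"\r\n\r\n"
    return head if head_only else head + body_bytes


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(req["method"], req["target"], req["headers"]["host"], req["body"])
    print(build_response(404, "Not Found", "<h1>404</h1>").decode())
```
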

Chapter 3: Approaches to Web Application Development


1. Programmatic Approaches

- Involves writing source code using scripting languages (Perl, Python, Tcl) or high-level programming languages (Java) to create dynamic web applications.
- HTML content is embedded within the code, making this approach developer-centric rather than designer-friendly.
- Challenges:
  - Difficult for designers to modify layouts without developer intervention.
  - Reduces design flexibility and slows down the creative process.
  - Maintenance becomes cumbersome as both logic and presentation are intertwined.
- Example Technologies: CGI scripts, Java Servlets

2. Template-Based Approaches

- Focus: Prioritizes the structure and layout of web pages over programming logic.
- Uses templates that consist mostly of formatting elements, with minimal embedded scripting for dynamic content.
- Key Features:
  - Allows basic logic such as conditional statements, loops, and parameter substitution for content injection.
  - Provides a designer-friendly environment with greater flexibility and independence from developers.
- Advantages:
  - Web designers can create and modify layouts without requiring deep programming knowledge.
  - Easier to maintain due to the clear separation between formatting and functionality.
- Examples:
  - Server-Side Includes (SSI)
  - Adobe ColdFusion
  - Apache Velocity

3. Debate on Template Programming

- Some argue that embedding scripting logic into templates diminishes their usability for designers, turning them into limited programming languages.
- The ideal approach maintains a balance, ensuring templates empower designers without requiring them to handle complex logic.
- A minimal set of logic constructs (such as loops and conditional statements) enables designers to work independently while still allowing some dynamic content control.

4. Hybrid Approaches

- Definition: A combination of programmatic and template-based techniques that incorporate scripting within structured web layouts.
- Provides greater flexibility than template-based approaches while maintaining a structured design format.
- Examples:
  - PHP (server-side scripting language widely used for web development)
  - Microsoft Active Server Pages (ASP)
  - Java Server Pages (JSP)
- Challenges:
  - Mixing logic with presentation violates the principle of content and logic separation.
  - Raises concerns over collaboration between designers and developers.
- Solution: Frameworks like Model-View-Controller (MVC) enforce the separation of application logic from presentation, making hybrid approaches more manageable.
- Popular MVC Frameworks: Django, Ruby on Rails, ASP.NET MVC

Chapter 4: HTML and XML


1. Introduction to HTML

- HTML (HyperText Markup Language) is the fundamental language for creating structured web content.
- Invented by Tim Berners-Lee at CERN in the late 1980s as a system for sharing and linking documents online.
- In 1992, Mosaic, the first graphical web browser, was developed at UIUC, making HTML more accessible.

2. Key Features of HTML

- Simple, open-standard language that is easy to learn and widely used.
- Compact file sizes ensure faster loading speeds and efficient web performance.
- Enables interactivity through hyperlinks, multimedia integration, and forms.
- Supported by all web browsers, allowing universal accessibility.

3. HTML Structure & Syntax

- <!DOCTYPE HTML>: Defines the HTML version to ensure consistent rendering across browsers.
- <html>: The root element enclosing all other tags.
- <head>: Contains metadata, links to stylesheets, and scripts for functionality.
- <body>: Includes all visible web page content such as text, images, videos, and interactive elements.

4. HTML Forms

- Purpose: Used to collect and process user input via interactive fields.
- <form> tag serves as a container for input elements.
- Common Input Elements:
  - <input>: Captures text, passwords, emails, numbers, and other data types.
  - <label>: Associates descriptive text with input fields for clarity.
- Important Attributes:
  - action: Specifies the URL where form data is submitted.
  - method: Defines how data is sent (GET or POST).
  - target: Determines how the response is displayed (e.g., new window, same page).
  - enctype: Specifies encoding type when submitting data (e.g., multipart/form-data).
  - autocomplete: Enables auto-filling of previous inputs.
  - novalidate: Prevents automatic form validation upon submission.

5. Introduction to XML

- XML (Extensible Markup Language) is a structured format for storing and transporting data.
- Unlike HTML, XML does not define presentation; it focuses on data storage and transfer.

6. Key Differences Between XML & HTML

- HTML is used for displaying content, whereas XML is used for carrying structured data.
- XML tags are customizable, allowing users to define their own schema, while HTML has predefined tags.
- XML provides hierarchical data organization, making it ideal for structured information exchange.

7. XML Structure & Syntax

- Prolog: Contains metadata about the XML document (e.g., XML version and encoding information).
- Root Element: The top-level container that encloses all other elements.
- Elements: Define data points within the XML document using opening and closing tags.
- Attributes: Provide additional details within elements in name-value pairs.

8. XML Document Hierarchy

- XML follows a tree structure, with a root element at the top and nested child elements below.
- Rules for XML Documents:
  - Must have a single root element.
  - Elements must have properly nested opening and closing tags.
  - Tags are case-sensitive (<Title> is different from <title>).

9. XML Parsing and DOM

- The Document Object Model (DOM) provides a structured way to access and manipulate XML content.
- Web browsers use built-in XML parsers to convert XML data into an interactive object model.
- Example: Parsing XML in JavaScript

```html
<script>
  var text = "<bookstore><book><title>Everyday Italian</title></book></bookstore>";
  var parser = new DOMParser();
  var xmlDoc = parser.parseFromString(text, "text/xml");
  console.log(xmlDoc.getElementsByTagName("title")[0].childNodes[0].nodeValue);
</script>
```

Output: Everyday Italian
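
The same bookstore document parsed with Python's standard library, as an added example that is not part of the notes: `first_title` mirrors the DOMParser snippet, `check_well_formed` applies the three document rules from section 8 to constructed malformed variants to show that the parser rejects each one, and `walk` prints the tree structure from section 8. One caveat for practitioners: the standard-library parser is not hardened against entity-expansion attacks, so for XML from untrusted sources the `defusedxml` package is the usual drop-in replacement.

```python
import xml.etree.ElementTree as ET

# The document from the JavaScript example, plus three constructed variants
# that each break one of the rules in section 8.
WELL_FORMED = "<bookstore><book><title>Everyday Italian</title></book></bookstore>"
TWO_ROOTS = "<book/><book/>"                                        # more than one root element
BAD_NESTING = "<bookstore><book><title>x</book></title></bookstore>"  # tags not properly nested
CASE_MISMATCH = "<bookstore><Title>x</title></bookstore>"          # <Title> does not close <title>


def first_title(xml_text):
    """Equivalent of getElementsByTagName('title')[0].childNodes[0].nodeValue."""
    root = ET.fromstring(xml_text)      # raises ET.ParseError on malformed input
    title = root.find(".//title")       # first descendant named exactly 'title'
    return None if title is None else title.text


def check_well_formed(xml_text):
    """Return (True, description) if the document parses, else (False, reason).

    ET.fromstring enforces the section 8 rules: exactly one root element,
    properly nested tags, and case-sensitive tag matching.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, str(exc)
    return True, f"root element <{root.tag}>"


def walk(elem, depth=0):
    """Flatten the element tree into indented 'tag' or 'tag=text' lines."""
    text = (elem.text or "").strip()
    lines = ["  " * depth + elem.tag + (f"={text}" if text else "")]
    for child in elem:
        lines.extend(walk(child, depth + 1))
    return lines


if __name__ == "__main__":
    print(first_title(WELL_FORMED))
    print("\n".join(walk(ET.fromstring(WELL_FORMED))))
    for doc in (TWO_ROOTS, BAD_NESTING, CASE_MISMATCH):
        print(check_well_formed(doc))
```
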

UNIT 5

Security Development Lifecycle (SDL)


SDL is a structured approach to integrating security throughout the software development process. It
helps in identifying and mitigating security risks early, reducing vulnerabilities, and ensuring compliance
with security standards.

5.1 Introduction to SDL

Definition:
SDL is a security assurance process that ensures security is built into the software development lifecycle
rather than being added later. It was originally developed by Microsoft to address security concerns in
software development.

Key Objectives of SDL:

1. Reduce security vulnerabilities by integrating security at every phase of development.
2. Ensure compliance with industry standards (e.g., ISO 27001, NIST, OWASP).
3. Enhance software security by following best practices like secure coding.
4. Minimize costs by detecting and fixing security flaws early.

Phases of SDL:

1. Training: Developers and project teams are trained on security principles.
2. Requirements: Security requirements are defined before development starts.
3. Design: Threat modeling is conducted to identify potential security risks.
4. Implementation: Secure coding practices and static code analysis are performed.
5. Verification: Security testing, including penetration testing and fuzz testing.
6. Release & Deployment: Security review before final deployment.
7. Maintenance & Response: Security patches and updates are released.

Security Practices in SDL:

- Threat Modeling: Identifying, analyzing, and mitigating security threats early.
- Secure Coding Standards: Using frameworks like OWASP Secure Coding Practices.
- Security Testing: Static analysis, dynamic testing, and fuzz testing.
- Incident Response Plan: Preparing for potential security breaches.

5.2 AGILE SDL

Introduction to Agile SDL:

- Traditional SDL follows a waterfall model, making it hard to adapt to Agile methodologies.
- Agile SDL integrates security into rapid development cycles, ensuring that security is a continuous and iterative process.

Key Components of Agile SDL:

1. Security User Stories:
   - Security is treated as a feature and included in product backlog items.
   - Example: "As a developer, I want to implement authentication to prevent unauthorized access."
2. Threat Modeling in Sprints:
   - Conduct quick threat modeling at the beginning of each sprint.
   - Identify security risks associated with new features.
3. Automated Security Testing:
   - Integrate security tools in CI/CD pipelines (e.g., SAST, DAST).
   - Use tools like SonarQube, OWASP ZAP, and dependency scanners.
4. Security Code Reviews:
   - Peer reviews focusing on security vulnerabilities.
   - Security champions within teams to ensure secure development.
5. DevSecOps Approach:
   - Shift security left in the development lifecycle.
   - Automate security controls and compliance checks.

Benefits of Agile SDL:

- Faster security integration without disrupting Agile workflows.
- Early detection of security flaws within iterative development.
- Automation-driven security to improve efficiency and consistency.

UNIT 6

Server-Side Web Security (6 Hours)


Server-side web security is crucial for protecting web applications from various threats that exploit
database vulnerabilities. One of the most common threats is SQL Injection (SQLi), which allows attackers
to manipulate database queries and access sensitive information.

6.1 SQL Injection Attacks

Definition:

SQL Injection (SQLi) is a web security vulnerability that allows attackers to inject malicious SQL code into
input fields to manipulate database queries. This can lead to unauthorized data access, data corruption,
or even full database control.

Types of SQL Injection:

1. Classic SQL Injection: Directly injecting malicious SQL queries into input fields.
2. Blind SQL Injection: Extracting data based on conditional responses (e.g., true/false conditions).
3. Time-Based SQL Injection: Using time delays to determine if an application is vulnerable.
4. Union-Based SQL Injection: Using the UNION SQL operator to retrieve data from other tables.

Example of SQL Injection Attack:

Vulnerable Query:

```sql
SELECT * FROM users WHERE username = 'admin' AND password = 'password';
```

Malicious Input:

```text
admin' --
```

Executed Query:

```sql
SELECT * FROM users WHERE username = 'admin' --' AND password = 'password';
```

👉 The -- makes the rest of the query a comment, bypassing authentication!

Prevention Methods:

- Use Prepared Statements (Parameterized Queries):

```python
cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (user, password))
```

- Use ORM Frameworks (e.g., SQLAlchemy, Hibernate).
- Implement Web Application Firewalls (WAF).
- Validate and Sanitize User Input.
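
An added Python demonstration (not part of the notes) of the bypass above and of the prepared-statement fix, using an in-memory SQLite database with one constructed user row: the string-built query accepts the `admin' --` input from the example because the input becomes SQL text, while the parameterized query treats the same input as a plain value and finds no such user. Passwords are stored in clear here only so the query text stays readable; section 7.2 covers hashing.

```python
import sqlite3


def make_db():
    """In-memory database with a single constructed account (not a real credential)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: whatever the user typed becomes part of the SQL.

    With username "admin' --" the query text turns into
      SELECT id FROM users WHERE username = 'admin' --' AND password = '...'
    and everything after -- is a comment, so the password is never checked.
    """
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the SQL text is fixed, the inputs are bound as data.

    The same "admin' --" input is now compared literally against the username
    column, where no such row exists.
    """
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    for fn in (login_vulnerable, login_safe):
        print(fn.__name__, "admin' --", fn(conn, "admin' --", "wrong"))
```
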

6.2 Stored Procedure Attacks

Definition:

Stored procedures are SQL scripts stored in a database that execute predefined queries. If not secured
properly, they can be exploited like SQL Injection.

How Attackers Exploit Stored Procedures:

- Injecting malicious input into parameters.
- Exploiting dynamic SQL queries inside procedures.

Example of a Vulnerable Stored Procedure:

```sql
-- MySQL syntax. In MySQL, || is the logical OR operator unless PIPES_AS_CONCAT
-- is enabled, so CONCAT() is used here to build the string the example intends.
DELIMITER //
CREATE PROCEDURE GetUser(IN userInput VARCHAR(100))
BEGIN
  SET @query = CONCAT('SELECT * FROM users WHERE username = ''', userInput, '''');
  PREPARE stmt FROM @query;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END //
DELIMITER ;
```

👉 If an attacker inputs admin' OR '1'='1, they can retrieve all users!

Prevention Methods:

- Avoid Dynamic SQL in Stored Procedures.
- Use Parameterized Queries in Stored Procedures:

```sql
DELIMITER //
CREATE PROCEDURE GetUser(IN userInput VARCHAR(100))
BEGIN
  -- userInput is compared as a value; it can never change the query text
  SELECT * FROM users WHERE username = userInput;
END //
DELIMITER ;
```

- Implement Role-Based Access Control (RBAC).

6.3 SQL Column Truncation

Definition:

SQL Column Truncation occurs when user input is truncated due to a column’s length limit, leading to
security risks such as privilege escalation or account takeover.

How It Works:

- If a database column has a character limit (e.g., VARCHAR(10)), an attacker can exploit it by registering a username that gets truncated but still matches another user’s credentials.

Example of an Attack:

1. A website allows usernames up to 10 characters (VARCHAR(10)).
2. Legitimate user: administrator → Stored as administr (truncated).
3. Attacker registers: administrX → Also stored as administr.
4. If login checks only match the first 10 characters, the attacker can bypass authentication!

Prevention Methods:

- Enforce strict input validation before storing user data.
- Use UNIQUE constraints with case-sensitive and full-length checks.
- Hash passwords securely to prevent authentication bypass.

Summary of Key Preventive Measures:

| Attack Type | Prevention Techniques |
|---|---|
| SQL Injection | Use parameterized queries, ORM frameworks, WAFs |
| Stored Procedure Attack | Avoid dynamic SQL, use parameterized stored procedures |
| SQL Column Truncation | Enforce strict input validation, implement unique constraints |
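
The truncation scenario above, emulated in Python with SQLite as an added example (not from the notes). SQLite does not enforce VARCHAR lengths, so `register_truncating` cuts the name to the 10-character column limit itself, reproducing a database running in non-strict mode; with that limit, `administrator` keeps its first 10 characters, `administra`, and the attacker-chosen name in the test is constructed to share that prefix. The hardened table adds the UNIQUE and length CHECK constraints from the prevention list, and `register_strict` validates the length before the insert, so over-long input is refused rather than silently shortened.

```python
import sqlite3

COLUMN_LIMIT = 10  # the VARCHAR(10) limit from the notes


def make_db(hardened):
    """Two schemas: the weak one has no constraints, the hardened one enforces
    uniqueness and the length limit inside the database."""
    conn = sqlite3.connect(":memory:")
    if hardened:
        conn.execute(
            "CREATE TABLE users (username TEXT NOT NULL UNIQUE "
            f"CHECK(length(username) <= {COLUMN_LIMIT}), role TEXT NOT NULL)"
        )
    else:
        conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    return conn


def register_truncating(conn, username, role):
    """Emulates a non-strict database that silently truncates to the column length.

    Returns the stored name, or None if the table's constraints rejected the row.
    """
    stored = username[:COLUMN_LIMIT]   # what the database would keep
    try:
        conn.execute("INSERT INTO users VALUES (?, ?)", (stored, role))
    except sqlite3.IntegrityError:
        return None
    return stored


def register_strict(conn, username, role):
    """Hardened path: validate the length first, then rely on UNIQUE as a second line.

    Raises ValueError both for over-long input and for a name already in use.
    """
    if len(username) > COLUMN_LIMIT:
        raise ValueError(f"username longer than {COLUMN_LIMIT} characters")
    try:
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, role))
    except sqlite3.IntegrityError:
        raise ValueError("username already taken") from None
    return username


def find_roles(conn, username):
    """Roles of every row matching the given (stored) username, in insertion order."""
    rows = conn.execute(
        "SELECT role FROM users WHERE username = ? ORDER BY rowid", (username,)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    weak = make_db(hardened=False)
    register_truncating(weak, "administrator", "admin")   # stored as 'administra'
    register_truncating(weak, "administraX", "user")      # also stored as 'administra'
    print("weak schema, rows for 'administra':", find_roles(weak, "administra"))
```
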

UNIT 7
7.1 Access Control

Access control is a security technique that regulates who or what can view or use resources in a
computing environment. It ensures that only authorized individuals can access specific data or systems.

7.1.1 Horizontal Rights Management

- Definition: Horizontal access control restricts users from accessing data that belongs to other users at the same privilege level.
- Example: In a web application, a user should only be able to access their own profile but not another user’s profile.
- Security Issues:
  - Insecure Direct Object References (IDOR): Attackers can manipulate URLs or request parameters to gain unauthorized access to other users’ data.
  - Session Hijacking: Unauthorized access due to stolen session tokens.
- Mitigation:
  - Implement role-based or attribute-based access control (RBAC/ABAC).
  - Use secure session management techniques.
  - Validate user permissions before returning requested data.

7.1.2 Vertical Rights Management

- Definition: Vertical access control restricts users from accessing functionalities beyond their assigned privilege level.
- Example: A normal user should not be able to perform administrative actions like modifying system configurations.
- Security Issues:
  - Privilege Escalation: Attackers exploit system vulnerabilities to gain higher access.
  - Misconfigured Access Control: Improperly assigned roles allow unauthorized users to execute privileged functions.
- Mitigation:
  - Implement the Principle of Least Privilege (PoLP).
  - Use multi-factor authentication (MFA) for sensitive operations.
  - Perform regular access control audits.
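
Both checks as an added Python example (not from the notes): `get_profile` enforces the horizontal rule by comparing the requested id, which arrives from the URL and is therefore untrusted, with the id of the authenticated session user (the standard IDOR fix), and the `require_role` decorator enforces the vertical rule in front of an administrative operation. The user table, role names and the decision to let administrators read any profile are constructed for the example.

```python
from functools import wraps

# Constructed user table: id -> profile. In a real application this is the
# database, and session_user_id comes from the validated session, never from
# the request.
USERS = {
    1: {"name": "alice", "role": "user", "email": "alice@example.com"},
    2: {"name": "bob", "role": "user", "email": "bob@example.com"},
    3: {"name": "carol", "role": "admin", "email": "carol@example.com"},
}


class Forbidden(Exception):
    """Raised when an access-control check fails (maps to HTTP 403)."""


def get_profile(session_user_id, requested_id):
    """Horizontal check: a user may read only their own profile.

    requested_id is taken from the URL (e.g. /profile/2), so it is attacker
    controlled. Without this comparison the endpoint is an IDOR. Admins are
    allowed through as a deliberate exception for this example.
    """
    if requested_id != session_user_id and USERS[session_user_id]["role"] != "admin":
        raise Forbidden("cannot read another user's profile")
    return USERS[requested_id]


def require_role(role):
    """Vertical check: refuse the call unless the session user holds `role`.

    The check is done server-side on every call; hiding a button in the UI is
    not a substitute.
    """
    def decorator(func):
        @wraps(func)
        def wrapper(session_user_id, *args, **kwargs):
            if USERS[session_user_id]["role"] != role:
                raise Forbidden(f"{role} role required")
            return func(session_user_id, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def set_role(session_user_id, target_id, new_role):
    """Administrative operation: only reachable after the vertical check passes."""
    USERS[target_id]["role"] = new_role
    return USERS[target_id]["role"]


if __name__ == "__main__":
    print(get_profile(1, 1)["name"])
    for call in (lambda: get_profile(1, 2), lambda: set_role(1, 2, "admin")):
        try:
            call()
        except Forbidden as exc:
            print("denied:", exc)
```
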

7.2 Authentication

Authentication is the process of verifying a user's identity before granting access to resources.

7.2.1 Loophole in Password Security

- Common Issues:
  - Weak passwords (e.g., "123456", "password") are easily guessed.
  - Reused passwords across multiple platforms increase the risk of credential stuffing attacks.
  - Brute force attacks exploit weak authentication mechanisms.
  - Phishing attacks trick users into revealing passwords.
- Mitigation Strategies:
  - Enforce password complexity rules (length, special characters, uppercase/lowercase).
  - Implement account lockout mechanisms after multiple failed login attempts.
  - Use Multi-Factor Authentication (MFA) for added security.
  - Educate users on phishing awareness.

7.2.2 Complex Password Security and Password Recovery

- Complex Password Security:
  - A strong password policy should include:
    - Minimum length of 12-16 characters.
    - Combination of uppercase, lowercase, numbers, and special characters.
    - Avoiding dictionary words and personal information.
  - Best Practices:
    - Use password managers to generate and store secure passwords.
    - Implement password hashing with strong algorithms (e.g., bcrypt, Argon2).
    - Rotate passwords periodically.
- Password Recovery Mechanisms:
  - Security Questions: Avoid using predictable questions like "What is your pet's name?"
  - Email/SMS-Based Reset:
    - Ensure email/SMS channels are secured against interception.
  - Multi-Factor Authentication (MFA):
    - Use secondary authentication methods like OTP, biometric verification.
  - Recovery Codes: Generate backup codes for account recovery.
  - Account Lockout after multiple failed recovery attempts: Prevents brute-force recovery attempts.
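
An added Python example (not part of the notes) that puts the password controls from 7.2.1 and 7.2.2 together: a policy check for length, character classes, dictionary words and personal information; salted PBKDF2-HMAC-SHA256 hashing with constant-time verification (bcrypt and Argon2 from the notes need third-party packages, so the standard-library KDF stands in for them); lockout after repeated failed logins; and single-use recovery codes that also unlock the account. The lockout threshold, iteration count and the tiny dictionary list are assumptions.

```python
import hashlib
import hmac
import os
import re
import secrets

MIN_LENGTH = 12             # lower bound of the 12-16 range in the notes
MAX_FAILED_ATTEMPTS = 5     # assumed lockout threshold
PBKDF2_ITERATIONS = 200_000 # assumed; raise for production hardware

# Constructed stand-in for a breached/dictionary password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def check_policy(password, personal_info=()):
    """Return the list of violated policy rules; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, label in ((r"[A-Z]", "no uppercase letter"), (r"[a-z]", "no lowercase letter"),
                           (r"[0-9]", "no digit"), (r"[^A-Za-z0-9]", "no special character")):
        if not re.search(pattern, password):
            problems.append(label)
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("dictionary word")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; output is 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


class Account:
    def __init__(self, username, password):
        self.username = username
        self.password_hash = hash_password(password)   # the clear password is never stored
        self.failed_attempts = 0
        self.locked = False
        self.recovery_codes = {secrets.token_hex(5) for _ in range(5)}  # single-use backup codes

    def login(self, password):
        if self.locked:
            return False                               # locked accounts reject even the right password
        if verify_password(password, self.password_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def recover(self, code):
        """Consume a recovery code; on success the lockout is cleared."""
        if code not in self.recovery_codes:
            return False
        self.recovery_codes.discard(code)             # a code works exactly once
        self.locked = False
        self.failed_attempts = 0
        return True


if __name__ == "__main__":
    print(check_policy("password"))
    acct = Account("alice", "Tr0ub4dor&3xyz")
    print(acct.login("Tr0ub4dor&3xyz"), acct.login("wrong"))
```
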

UNIT 8
8.1 SOAP (Simple Object Access Protocol)

What is SOAP?
SOAP is a protocol for exchanging structured information between applications over the internet. It uses
XML messages to request and respond to services.

How SOAP Works

1. Client sends a request – The request is sent in XML format over HTTP, HTTPS, SMTP, or other
protocols.
2. Server processes the request – The web service interprets the SOAP request and performs the
requested operation.
3. Response is sent back – The server returns an XML-formatted response containing the
requested data.

Components of SOAP:

- Envelope – Defines the start and end of a SOAP message.
- Header – Contains metadata like authentication or transaction details.
- Body – Holds the actual request or response data.
- Fault – Handles errors that occur during communication.

Importance of SOAP

- Platform-independent – Works across different operating systems and programming languages.
- Secure – Uses WS-Security for encryption and authentication.
- Reliable – Ensures message delivery using built-in error handling.

Where is SOAP Used?

- Banking systems – Secure transactions and payments.
- Enterprise applications – Used in ERP, CRM, and government services.
- Healthcare industry – Exchange of medical records securely.

8.2 WSDL (Web Services Description Language)

What is WSDL?

WSDL is an XML-based language that describes how a SOAP web service can be accessed and used. It
acts as a contract between the client and the server, defining available services, data formats, and
protocols.

How WSDL Works

1. A web service provider creates a WSDL file describing the service.
2. The client reads the WSDL to understand how to interact with the service.
3. The client uses this information to generate SOAP requests.

Components of WSDL

- Types – Defines data types (like string, integer, etc.).
- Message – Defines the request and response message formats.
- PortType – Defines available operations.
- Binding – Specifies protocols (e.g., HTTP, SMTP).
- Service – Specifies the service’s network location (URL).

Importance of WSDL

- Provides a machine-readable service description.
- Helps clients automatically generate code to consume web services.
- Supports interoperability between different platforms.

Where is WSDL Used?

- Used by developers and API consumers to understand web services.
- Integrated in enterprise software like ERP systems to facilitate data exchange.

8.3 UDDI (Universal Description, Discovery, and Integration)

What is UDDI?

UDDI is a registry where businesses can publish and discover web services. It acts like a phonebook for
web services, helping clients find services dynamically.

How UDDI Works

1. Service providers register their WSDL and service information in a UDDI registry.
2. Clients search for services using UDDI queries.
3. Once a service is found, the client retrieves the WSDL and uses SOAP to interact with it.

Components of UDDI

- White Pages – Contains basic business details (name, contact).
- Yellow Pages – Categorizes businesses based on industry.
- Green Pages – Provides technical details about web services.

Importance of UDDI

- Helps businesses find and integrate web services.
- Provides a global repository for reusable web services.
- Promotes interoperability across different platforms.

Where is UDDI Used?

- Enterprise applications needing to discover services dynamically.
- E-commerce platforms for integrating payment and logistics services.
- Cloud-based services to register and locate APIs.

8.4 Demo of Web Services

Steps to Demonstrate a SOAP Web Service

1. Set up a web service using Java (JAX-WS), .NET, or Python (Zeep library).
2. Define the WSDL for the service.
3. Develop a client to consume the SOAP service.
4. Test with SOAP UI – A tool to send SOAP requests and view responses.

Example: Currency Conversion Web Service

- Client sends a SOAP request:

```xml
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:cur="http://currency.example.com/">
  <soapenv:Body>
    <cur:GetExchangeRate>
      <cur:FromCurrency>USD</cur:FromCurrency>
      <cur:ToCurrency>INR</cur:ToCurrency>
    </cur:GetExchangeRate>
  </soapenv:Body>
</soapenv:Envelope>
```

- Server responds with exchange rate:

```xml
<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:cur="http://currency.example.com/">
  <!-- xmlns:cur must be declared here as well; without it the cur: prefix is undefined
       and the response is not well-formed XML -->
  <soapenv:Body>
    <cur:GetExchangeRateResponse>
      <cur:Rate>82.50</cur:Rate>
    </cur:GetExchangeRateResponse>
  </soapenv:Body>
</soapenv:Envelope>
```

Summary of Web Services

| Feature | SOAP | WSDL | UDDI |
|---|---|---|---|
| Definition | XML-based protocol for communication | XML format describing web services | Registry for discovering web services |
| Role | Handles message exchange | Defines service structure | Stores service details |
| Security | Highly secure (WS-Security) | Not a security feature | Public registry |
| Usage | Banking, healthcare, enterprises | API documentation | Dynamic service discovery |
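
Both sides of the currency-conversion exchange above, as an added Python example that is not from the notes or from any real service: the client builds the request envelope, the server parses it, looks the pair up in a constructed rate table and answers either with a GetExchangeRateResponse or with a SOAP Fault (the fourth component listed in 8.1), and the client extracts the rate or raises on the fault. The namespaces are the ones in the demo; nothing is sent over the network.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CUR_NS = "http://currency.example.com/"   # service namespace from the demo
NS = {"soapenv": SOAP_NS, "cur": CUR_NS}

# Keep the demo's prefixes when serializing instead of ElementTree's ns0/ns1.
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("cur", CUR_NS)


def _envelope():
    """Envelope + Body skeleton shared by requests, responses and faults."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    return env, body


def build_request(from_currency, to_currency):
    """Client side: the GetExchangeRate request from the demo."""
    env, body = _envelope()
    op = ET.SubElement(body, f"{{{CUR_NS}}}GetExchangeRate")
    ET.SubElement(op, f"{{{CUR_NS}}}FromCurrency").text = from_currency
    ET.SubElement(op, f"{{{CUR_NS}}}ToCurrency").text = to_currency
    return ET.tostring(env, encoding="unicode")


def build_fault(code, reason):
    """SOAP 1.1 Fault: faultcode and faultstring are unqualified child elements."""
    env, body = _envelope()
    fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = code
    ET.SubElement(fault, "faultstring").text = reason
    return ET.tostring(env, encoding="unicode")


def handle_request(xml_text, rates):
    """Server side: parse the request and answer with a response or a Fault.

    `rates` maps (from, to) pairs to floats; it is a constructed table here.
    """
    root = ET.fromstring(xml_text)
    op = root.find("soapenv:Body/cur:GetExchangeRate", NS)
    if op is None:
        return build_fault("soapenv:Client", "unknown operation")
    pair = (op.findtext("cur:FromCurrency", namespaces=NS),
            op.findtext("cur:ToCurrency", namespaces=NS))
    if pair not in rates:
        return build_fault("soapenv:Client", f"no rate for {pair[0]}->{pair[1]}")
    env, body = _envelope()
    resp = ET.SubElement(body, f"{{{CUR_NS}}}GetExchangeRateResponse")
    ET.SubElement(resp, f"{{{CUR_NS}}}Rate").text = f"{rates[pair]:.2f}"
    return ET.tostring(env, encoding="unicode")


def parse_response(xml_text):
    """Client side: return the rate as a float, or raise RuntimeError on a Fault."""
    root = ET.fromstring(xml_text)
    fault = root.find("soapenv:Body/soapenv:Fault", NS)
    if fault is not None:
        raise RuntimeError(fault.findtext("faultstring"))
    rate = root.findtext("soapenv:Body/cur:GetExchangeRateResponse/cur:Rate", namespaces=NS)
    if rate is None:
        raise ValueError("response carries neither a Rate nor a Fault")
    return float(rate)


if __name__ == "__main__":
    rates = {("USD", "INR"): 82.50}          # constructed rate table
    request = build_request("USD", "INR")
    print(request)
    response = handle_request(request, rates)
    print(response)
    print("rate:", parse_response(response))
```
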
