Chapter #1 Introduction To Web Application (Fundamentals)


Chapter #1

Introduction to Web Application (Fundamentals)

Advanced Web Application & Management


Department of Information Science 2nd Year Students
By: Assefa C.
Advanced Web Application & Management 1
Lesson outlines
Definition of Web Application
How Web Application Works?
Functions of Web Application
Advantages of Web Applications
Client and Server Side components
Database Components
Web Communication Protocols (networking basics)
Web Security Concerns
Learning Objective
At the end of this chapter you will be able to:
 Understand the applications and purpose of web application development.
 Identify the main requirements for developing web based applications.
 Understand how web based applications work.



Definition of Web Application
Web applications are computer programs which allow website visitors to submit data to a database, or retrieve data from a database, over the Internet using a web browser. The data is then presented in the browser as dynamically generated information.
Web Applications are dynamic web sites combined with server side programming, which provides functionality such as interacting with users, connecting to back-end databases, and generating results for browsers.



Cont’d……
Some Examples of Web Applications are:-
 Online Banking
 Social Networking
 Online Reservations
 e-commerce (Shopping Cart Applications)
 Interactive Games
 Online Training
 Online Polls
 Blogs
 Online Forums and
 Content Management Systems, etc..

• Mention other examples of web applications that you know.


How the Web Application Works?

[Diagram] Company website visitor (client side browser) <-> Server operating systems, web servers & scripting engine to manage requests and responses, e.g. Apache <-> Database engine, e.g. MySQL, SQL, Oracle


Functions of Web Applications

 Web applications have several functions. Among them, the following are some of the major functions of web applications:-
 To display records stored in the database.
 Uploading images or files to the database and retrieving them from the database.
 Creating and managing user profiles/accounts.
 Shopping cart for saving products.
 Web content management systems.



Advantages of Web Applications
There are many advantages of using web based applications. Some of the most common advantages include the following:-
 The development of web applications is cost effective.
 Web systems are accessible anytime, anywhere, via a PC/mobile phone with an active Internet connection.
 The user interface (GUI) of web-based applications is easier to customize.
 Contents of web applications can be customized for presentation on any device connected to the internet, including PDAs, tabs, mobile phones, etc.
Cont’d….
 Installation and maintenance of web applications are less complicated.
 The application will run in the browser regardless of the platform.
 No installation of software is required.
 Many Web Apps provide chat room facilities and the ability to share work in real time.
 The support and maintenance of web applications require low cost.



Web Application Development Technologies

 There are two main categories of coding, scripting and programming for creating Web Applications:
1. Client Side Scripting/Coding
 Client Side Scripting:- is the type of code that is executed or interpreted by browsers.
 Client Side Scripting is generally viewable by any visitor to a site (from the view menu click on "View Source" to view the source code).



Cont’d…..

 Some of the most common Client Side Scripting technologies are:
 HTML (Hyper Text Markup Language)
 CSS (Cascading Style Sheets)
 JavaScript
 Ajax (Asynchronous JavaScript and XML)
 jQuery (JavaScript Framework Library - commonly used in Ajax development)
 Moo Tools (JavaScript Framework Library - commonly used in Ajax development)
 Dojo Toolkit (JavaScript Framework Library - commonly used in Ajax development)



Cont’d…..
2. Server Side Scripting / Coding
 Server Side Scripting is the type of code that is executed or interpreted by the web server.
 Server Side Scripting is not viewable or accessible by any visitor or the general public.

 Some of the most common Server Side Scripting technologies are:-
 PHP (very common Server Side Scripting language - Linux / Unix / Windows based Open Source - free redistribution, usually combined with a MySQL database).
 Zend Framework (PHP's Object Oriented Web Application Framework)
 ASP (Microsoft Web Server (IIS) Web Scripting language)
Cont’d…..

 ASP.NET (Microsoft's Web Application Framework - successor of ASP).
 ColdFusion (Adobe's Web Application Framework)
 Ruby on Rails (Ruby programming's Web Application Framework - free redistribution)
 Perl (general purpose high-level programming language and Server Side Scripting Language - free redistribution - lost its popularity to PHP)
 Python (general purpose high-level programming language and Server Side Scripting language - free redistribution)
Client Side Scripting VS. Server-side Scripting

Client Side Scripting Languages
 Client-side languages run on the user’s machine.
 Examples: HTML, JavaScript
 Client-side scripts are affected by the processing speed of the client or user’s computer.

Server-side Scripting Languages
 Server-side scripting languages run on the server.
 Examples: PHP, ASP.NET
 Server-side scripts are affected by the processing speed of the host server.



Client Side Scripting VS. Server-side Scripting

Client Side Scripting Languages
 Response time of a client-side script is faster than a server side script as the client-side scripts are processed on the local computer.
 Client-side scripting could be blocked by the user.
 Client side scripting can’t access the file system that resides at the web server.

Server-side Scripting Languages
 The web server executes the server side scripting that sends the page to the browser.
 Response time of a server-side script is slower than a client side script as the server side scripts are processed on the remote computer.
 Server-side scripting could not be blocked by the user.
 Server side scripting can access the file system residing at the web server.
Web Application Frameworks

 Web Application Frameworks are sets of program libraries, components and tools organized in an architecture system allowing developers to build and maintain complex web application projects using a fast and efficient approach.
 Web Application Frameworks are designed to streamline programming and promote code reuse by setting forth folder organization and structure, documentation, guidelines and libraries (reusable code for common functions and classes).



Web Application Frameworks – Benefits and Advantages
 Program actions and logic are separated from the HTML, CSS and
design files. This helps designers (without any programming
experience) to be able to edit the interface and make design
changes without help from a programmer.
 Builds are based on the module, libraries and tools, allowing
programmers to easily share libraries and implement complex
functionalities and features in a fast and efficient manner.
 The structure helps produce best practice coding with consistent
logic and coding standards, and provides other developers the
ability to become familiar with the code in a short time.
Web Applications Lifecycle Model

 Web Application Lifecycle is the process of developing a web application and the involvement of the multiple teams that are engaged in the development process. Each organization may set forth its own unique style of operating.
 Some companies follow a certain standard model such as SDLC (System Development Life Cycle) or the Agile Software Development Model.



Cont’d….
 SDLC is the traditional process of developing software or web applications
by including research to identify and define the application requirements,
information analysis, architectural design and specifications blueprint, team
involvement, programming, testing and bug fixing, system testing,
implementation and maintenance.
 Agile Software / Web Application Development is the iterative
development process and development process practices that focus on
collaboration of people involved and provide a better procedure to allow
revisions and evolution of web application requirements. Agile methodology
includes research, analysis, project management, design, programming,
implementation, frequent testing, adaptation and maintenance.



Web Application Development Process
 Web Application Development Process organizes a practical
procedure and approach in application development.
 The following list of procedures and suggested documents provide
a good outline for a Web Application Lifecycle and Process:
• Roadmap Document: Defining Web Application, Purpose, Goals and
Direction
• Researching and Defining Audience Scope and Security Documents
• Creating Functional Specifications or Feature Summary Document



Cont’d….
 Team Collaboration and Project Management Document
 Technology Selection, Technical Specifications, Illustrative Diagram of Web Application Architecture and Structure, Development Methodology, Version Control, Backups, Upgrades, Expansion and Growth Planning Document, Server Hardware / Software Selection
 Third Party Vendors Analysis and Selection (Merchant Account
and Payment Gateway, SSL Certificate, Managed Server /
Colocated Server Provider, Fulfillment Centers, Website Visitor
Analytics Software, Third Party Checkout Systems, etc.)
Cont’d….

 Application Visual Guide, Design Layout, Interface Design, Wire Framing
 Database Structure Design and Web Application Development



Web Application Testing
 Testing is an important part of the Web Application Development process. On occasion, testing consumes more manpower and time than development itself.
 Some of the most common kinds of testing needed for any web application development process are:
 Quality Assurance and Bug Testing
 Multiple Browser Compatibility
 Application Security
 Performance - Load and Stress Testing
 Usability
Trends and Popularity

The demand for companies to build Web Applications is growing substantially.
 If planned and built correctly, web applications can:
 Reach and service millions of consumers and businesses.
 Generate substantial, multi-layer / multi-category income from consumers, businesses and advertisers.
 Easily build business goodwill and assets based on audience reach, popularity, technology and potential growth.



Trends and Popularity
 The following are good reasons for companies to build web applications:
 Companies want to streamline their internal departments and functions,
operations, sales and project management, etc.
 Companies want to take advantage of a web based application's flexibility
and versatility, by moving away from the traditional desktop application
platform to the web application platform
 Companies want to gain more clients or better service their current clients
by offering convenient services and solutions online.
 Companies want to build new web applications to offer innovative
services or solutions to online users and businesses
 URL Format:



Cont’d….
• The protocol identifies the format of the information being accessed.
• http indicates a Web page.
• The domain name specifies the physical location of the resource.
• The name is translated to a unique Internet Protocol address (IP address).
• The path and filename identify the location of the resource on the domain. If not specified, the default Web page for the domain will be retrieved.
• This page is usually named index.html or default.html and is located in a folder defined by the system.
What is a Server?
 A computer that makes a service available to a network is called a server; in other words, a computer on the network that manages shared resources.
 A computer or other device that requests services from a server is called a client. The client-server based structure is one of the most common types of network.



Server Based Networks
 Centralized control of resources
 Utilize faster processors
 More memory
 Extra peripherals

Server Security
 Physical access to the server
 Specialized guard servers
 Domain model
 Account names
 Passwords
 Firewalls



Server Based Advantages
 Central security / accounts / access
 Simplify network administration
 Powerful / efficient access to resources
 Single password for each user
 Best for high use, user, networks

Server Based Disadvantages
 Server failure results in unusable network
 Server failure results in loss of resources
 Expert staff to manage increases cost
 Dedicated hardware increases cost
 Dedicated software increases cost



Specialized Servers
 Individual services supplied:
 Application Servers
 Communication Servers
 Domain Controllers/Directory Servers
 Fax Servers
 Mail Servers
 Web Servers
 File & Print Servers

Application Servers
 Server side of Client/Server applications
 Supply application services and data
 Provide processing services
 Microsoft SQL Server runs on Windows NT Server


Communication Servers
 Access beyond the network's local scope
 Inbound & outbound access
 Dial in via modem
 Windows NT Server Remote Access Server
 Manages dial in network connections

Domain Controllers/Directory Servers
 Locate, store, & secure information about network resources
 Allows computers, users, groups, & resources to be combined into domains.
 Domain access allows single login to all allowed resources



Fax Servers
 Manage network fax traffic
 Receive incoming telephone faxes
 Distribute to network users
 Collect outgoing network faxes
 Send outgoing telephone faxes
 Windows NT Server is capable

File and Print Servers
 File storage & file retrieval
 Access to network printers
 Applications run locally
 Store data on server



Mail Servers
 E-mail for network users
 Allow local exchange of messages
 Permit server based storage of messages
 Forward user messages to destination
 Microsoft Exchange Server

Web Servers
 World Wide Web (WWW)
 File Transfer Protocol (FTP)
 Gopher services
 Intranets
 NT Server Internet Information Server (IIS)



Web Security Concerns
There are some security concerns of an application that should be kept in mind before going on to make a web-based system.
 Cross Site Scripting (XSS)
 Malicious File Execution
 Cross Site Request Forgery (CSRF)
 Information Leakage
 Broken Authentication
 Insecure Cryptographic Storage
 Insecure Communications
 Failure to Restrict URL Access
Cross Site Scripting (XSS)
 Cross Site Scripting (XSS) is the execution of scripts in the victim's browser for hijacking information. XSS allows hijacking of user sessions, defacing websites, etc. The reason behind this flaw is inappropriate validation of user-supplied data that an application takes and sends to a web browser without encrypting or validating the content.
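The flaw described above, shown as an added JavaScript example that is not part of the slides: a renderer that interpolates user data straight into HTML beside one that encodes the HTML metacharacters at the point of output. The function names (renderUnsafe, renderSafe, escapeHtml) and the sample input are this example's own assumptions.

```javascript
// Added example (not from the slides): the same greeting rendered two ways.
// renderUnsafe() interpolates user data straight into HTML, so a value that
// contains markup is parsed as markup. renderSafe() encodes the HTML
// metacharacters first, so the browser shows the value as plain text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities stay intact
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the "before" version most XSS findings look like.
function renderUnsafe(displayName) {
  return `<p>Hello, ${displayName}!</p>`;
}

// Hardened: encode at the point of output, not only on the way in.
function renderSafe(displayName) {
  return `<p>Hello, ${escapeHtml(displayName)}!</p>`;
}

// Quoted attribute context: the same encoder works because the quote
// characters themselves are encoded. (An unquoted attribute or a <script>
// block would need a different, context-specific encoder.)
function renderLink(label, title) {
  return `<a href="/profile" title="${escapeHtml(title)}">${escapeHtml(label)}</a>`;
}

// Simple check for tests or log review: does a rendered page contain a
// <script> start tag that the template itself never emitted?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input standing in for a user-supplied display name.
const constructedName = '<script>alert(1)</script>';
```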
 Malicious File Execution:
 Remote File Inclusion (RFI) gives hackers the chance to inject hostile data, resulting in a severe attack, such as a compromise of the server. Malicious file execution attacks can be on XML, PHP or any framework that receives files from users.



Cross Site Request Forgery (CSRF)
 CSRF is a big problem as it can be as strong as the web application that it attacks. It might force the browser, when a user is logged in, to transfer a pre-authenticated request to a specific vulnerable web application. The application then pushes the victim's browser to execute a hostile action that benefits the attacker.
 Information Leakage
 An application can unintentionally leak information about its internal workings and configuration, or violate privacy, because of a variety of problems. Attackers can take advantage of this weakness to conduct more serious attacks or to steal sensitive data.



Broken Authentication
 This problem is caused by improper protection of session tokens and account credentials. In this case, the attackers could compromise keys, passwords or authentication tokens.

 Insecure Cryptographic Storage
 This type of flaw becomes a threat for an application when hackers use inappropriately protected data to perform identity theft and other crimes (e.g. credit card fraud). Using poor cryptographic protection in web applications causes this type of flaw.



Insecure Communications
 This type of flaw appears from the potential leakage of sensitive data across the network communication infrastructure. The cause behind this flaw is failing to encrypt network traffic when protecting sensitive communications.

 Failure to Restrict URL Access
 This type of flaw is caused by web applications that protect important and sensitive functionality only by restricting the display of URLs to unauthorized users. It allows hackers to perform unauthorized actions by accessing those URLs directly.
Recommendations for Security
Some recommendations for making strong and secure web applications:
 Validate All Input Parameters
 HTTP Trust Issues
 Keep Sensitive Session Values on the Server
 Encrypt Sensitive Pages
 Session Management
 Access Restriction
 Perform Threat Modelling
 Web Application Firewalls

Validate All Input Parameters
 A central module should be developed to validate input parameters and check every input parameter against a distinct format that specifies exactly which types of input will be allowed. Special characters coming from the input form should also be filtered.
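A central validation module of the kind the slide calls for, as an added JavaScript example that is not from the slides. Each expected parameter has its own explicit format, parameters not in the schema are rejected rather than passed through, and only the cleaned copy is returned. The schema, field names and formats are assumptions made for this example.

```javascript
// Added example (not from the slides): a central, allowlist-based validator.
// Assumed schema: each parameter names the exact format it may take.
const schema = {
  username: { pattern: /^[a-z0-9_]{3,16}$/, required: true },
  age:      { pattern: /^(?:[1-9][0-9]?|1[01][0-9]|120)$/, required: false, cast: Number },
  email:    { pattern: /^[^\s@]{1,64}@[a-z0-9.-]{1,253}\.[a-z]{2,}$/i, required: true },
};

// input is a plain object of strings, as a query string or form would supply.
function validate(schema, input) {
  const errors = [];
  const clean = {};
  // 1. Allowlist the parameter names themselves: anything unexpected is an error.
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push(`unexpected parameter: ${key}`);
    }
  }
  // 2. Check each expected parameter against its own anchored format.
  for (const [key, rule] of Object.entries(schema)) {
    const raw = input[key];
    if (raw === undefined || raw === '') {
      if (rule.required) errors.push(`missing parameter: ${key}`);
      continue;
    }
    // Arrays or objects (e.g. ?username[]=x) are not strings and fail here.
    if (typeof raw !== 'string' || !rule.pattern.test(raw)) {
      errors.push(`invalid format for ${key}`);
      continue;
    }
    clean[key] = rule.cast ? rule.cast(raw) : raw;
  }
  // Only `clean` is handed downstream; the raw input is never used again.
  return { ok: errors.length === 0, errors, clean };
}
```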

 HTTP Trust Issues
 Web application programmers should not trust form fields, HTTP REFERER headers or cookies for security decisions since this type of data can be compromised. These parameters coming in from a client browser are not reliable without using robust cryptographic techniques to verify the integrity of HTTP headers.
Keep Sensitive Session Values on the Server
 Storing sensitive information in a client browser’s cookies is not good practice. The sensitive information should be kept on the server. If there is a need to store sensitive values in a client browser, powerful cryptographic techniques should be used to protect the privacy of the data.

 Encrypt Sensitive Pages
 The pages having sensitive information must be encrypted during transmission with proper algorithms and keys, such as SSL and TLS. To obtain and show sensitive information, signed Java applets or ActiveX can be used.
Session Management
 Session management plays an important role in securing a website. The session ID must be complicated, long and contain random, unpredictable numbers. The session ID should also be changed repeatedly during a session; this makes the session ID harder to find by reducing the time for which any one session ID remains valid. Furthermore, a session ID must not be stored in persistent cookies, URLs, HTTP headers or hidden HTML fields.

 Access Restriction
 Access restriction is one of the common ways to hide sensitive information of a web application. There should be specific privileges for different types of user, including end-user, admin, etc. When an application makes system calls to access certain programs, the calls should not use actual directory paths or file names, because that may allow hackers to expose system-level information when they get access to the source code.
Perform Threat Modelling
 A threat modelling process allows one to identify the threats, vulnerabilities and potential attacks of the web application. For building a secure application, it is essential to have an understanding of the threats against the application.

 Web Application Firewalls
 The Web Application Security Consortium defines a web application firewall (WAF) as “an intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy”. Firewalls help manage network access to network ports authorized by the organization.
Reading Assignments

Read the basics about the following topics and present in the class room.
• Types of application with their basic characteristics
• Web-based Application Architectures
• Application Design
• N-tier Designs
• User Interface Versus Business Logic
• Object-oriented Modeling For Web Applications Using UML & WAE
