Document Details

LuckierSugilite5135

Uploaded by LuckierSugilite5135

University of Technology and Applied Sciences - Ibri

Tags

web application technologies http protocol web development networking

Summary

This document explains Web Application Technologies, focusing on the HTTP protocol. It delves into the request/response cycle, various HTTP methods, and the role of headers in web communication. The information is presented in a clear and structured manner with diagrams illustrating technical concepts.

Full Transcript

Topic 2 Web Application Technologies Objectives To examine the HTTP protocol To collect and monitor HTTP traffic To intercept and temper with HTTP request and response messages To understand the HTTP encoding scheme 2 TCP/IP and...

Topic 2 Web Application Technologies Objectives To examine the HTTP protocol To collect and monitor HTTP traffic To intercept and temper with HTTP request and response messages To understand the HTTP encoding scheme 2 TCP/IP and HTTP/S Fiberbit.com.tw. (2013). TCP/IP model vs OSI model -. [online] Available at: http://fiberbit.com.tw/tcpip-model-vs-osi-model/ 3 TCP/IP and HTTP/S 4 The HTTP Protocol It is the core communications protocol used to access the WWW and is used by all of today’s web applications. It uses a message-based model in which a client sends a request message and the server returns a response message. All HTTP messages (requests and responses) consist of one or more headers, each on a separate line, followed by a mandatory blank line, followed by an optional message body. No session formed, nothing remembered--no "state" 5 HTTP Request/Response Header 6 HTTP Request Header 7 HTTP Request Header 1 2 3 4 5 6 7 8 9 8 HTTP Request Header The HTTP method: GET to retrieve a resource from the web server. GET requests do not have a message body. POST to request the web server to accept the data enclosed in the body of the request message The requested URL: the name of the resource being requested, together with an optional query string containing parameters that the client is passing to that resource. The HTTP version being used. The only HTTP versions are 1.0 and 1.1, most browsers use version 1.1 by default. In version 1.1 the Host request header is mandatory. 9 HTTP Request Header Accept: Media type(s) that is(/are) acceptable for the response. See Content negotiation. Referer: is used to indicate the URL from which the request originated Accept-Language: List of acceptable human languages for response. See Content negotiation. User-Agent: is used to provide information about the browser or other client software that generated the request. 10 HTTP Request Header Accept-Encoding: list of acceptable encodings. See HTTP compression. Host: specifies the hostname that appeared in the full URL being accessed. Connection: control options for the current connection. Cookie: is used to submit additional parameters that the server has issued to the client. Note: see full list of HTTP header fields in Wikipedia 11 HTTP Methods: GET GET retrieves resources Can send parameters in the URL query string Users can bookmark the whole URL Whole URL may appear in server logs and in Referer headers Also on the browser's screen Don't put sensitive information in the query string HTTP Methods: POST POST performs actions Request parameters can be in URL query strong and in the body of the message Parameters in body aren't saved in bookmarks or most server logs A better place for sensitive data HTTP Methods: POST POST requests perform actions, like buying something Clicking the browser's Back button displays a box like this HTTP Response Header 15 HTTP Response Header The first line The HTTP version being used. A numeric status code indicating the result of the request. 200 is the most common status code; it means that the request was successful and that the requested resource is being returned. A textual “reason phrase” further describing the status of the response. This can have any value and is not used for any purpose by current browsers. 16 HTTP Response Header The Server header contains a banner indicating the web server software being used, and sometimes other details such as installed modules and the server operating system. The Set-Cookie header issues the browser a further cookie; this is submitted back in the Cookie header of subsequent requests to this server. The Pragma header instructs the browser not to store the response in its cache. The Expires header indicates that the response content expired in the past and therefore should not be cached. The Content-Type header indicates that the body of this message contains an HTML document. The Content-Length header indicates the length of the message body in bytes. Almost all HTTP responses contain a message body following the blank line after the headers. 17 Other HTTP Methods HEAD returns only the header, not the body Can be used to check if a resource is available before GETing it OPTIONS shows allowed methods PUT uploads to server (usually disabled) Status Codes Groups Important Status Codes 200 OK - request succeeded, response body contains result 301 Moved Permanently - redirects the browser, client should use new URL in the future 302 Found - redirects browser temporarily. Client should revert to original URL in subsequent requests 304 Not Modified - browser should use cached copy of resource Important Status Codes 400 Bad Request - invalid HTTP request 401 Unauthorized - Server requires HTTP authentication. WWW-Authenticate header specifies the type(s) of authentication supported 403 Forbidden - no one is allowed to access resource, regardless of authentication 404 Not Found - requested resource does not exist 500 Internal Server Error - unhanded exception in an app, such as a PHP error HTTPS HTTP over SSL (Secure Sockets Layer) Actually now TLS (Transaction Layer Security) All versions of SSL are deprecated Protects data with encryption Protects data in motion, but not at rest or in use How the HTTPS Works? 23 HTTP Proxies An HTTP proxy is a server that mediates access between the client browser and the destination web server. When a browser has been configured to use a proxy server, it makes all its requests to that server. The proxy relays the requests to the relevant web servers and forwards their responses back to the browser. Proxies may provide caching, authentication, and access control 24 HTTP Proxies 25 Server-Side Functions 1) Querying the database Java Platform 2) Operations over databases ASP.NET 3) Access/Write a file on server. 4) Interact with other servers. 5) Structure web applications. XML PHP 6) Process user input. For example if user SQL input is a text in search box, run a search algorithm on data stored on server and send the results. 26 JSP Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic, platform- independent method for building Web-based applications. JSP have access to the entire family of Java APIs, including the JDBC API to access enterprise databases. Standard for large-scale enterprise applications Lends itself to multitiered and load-balanced architectures Well-suited to modular development and code reuse Runs on Windows, Linux, and Solaris JSP Tutorial (tutorialspoint.com) 27 Perl Perl is a general-purpose programming language originally developed for text manipulation and now used for a wide range of tasks including system administration, web development, network programming, GUI development, and more. Perls database integration interface DBI supports third-party databases including Oracle, Sybase, Postgres, MySQL and others. Perl works with HTML, XML, and other mark-up languages. Perl supports Unicode. Perl supports both procedural and object-oriented programming. Perl - Introduction (tutorialspoint.com) 28 PHP The PHP Hypertext Preprocessor (PHP) is a programming language that allows web developers to create dynamic content that interacts with databases. PHP is basically used for developing web based software applications. PHP is a server side scripting language that is embedded in HTML. It is used to manage dynamic content, databases, session tracking, even build entire e-commerce sites. It is integrated with a number of popular databases, including MySQL, PostgreSQL, Oracle, Sybase, Informix, and Microsoft SQL Server. PHP supports a large number of major protocols such as POP3, IMAP, and LDAP. PHP Tutorial (tutorialspoint.com) 29 ASP.NET ASP.NET is an open-source web framework, created by Microsoft, for building modern web apps and services with.NET. ASP.NET is cross platform and runs on Windows, Linux, macOS, and Docker. ASP stands for Active Server Pages 30 Ruby Simple and productive server-side scripting language. Ruby, an object-oriented language, can help new and expert programmers write code faster. Ruby features functional programming elements and syntax like Python and Perl. 31 Node.js Node.js is a server-side scripting language and a runtime environment. Node.js is quite easy to start with. It’s a go-to choice for web development beginners. With a lot of tutorials and a large community It provides vast scalability for applications. Node.js, being single-threaded, is capable of handling a huge number of simultaneous connections with high throughput. Non-blocking thread execution makes Node.js even faster and more efficient. Node.js is written in C and C++, which makes it speedy and adds features like networking support. Cross-platform support allows you to create SaaS websites, desktop apps, and even mobile apps, all using Node.js. 32 Python Python can run on any operating system as a Django: server-side language. A high-level, batteries-included web framework. Web development in Python is a versatile and Follows the "don't repeat yourself" (DRY) and "convention over configuration" principles. popular choice for building dynamic websites Comes with an ORM (Object-Relational and web applications. Mapping), templating engine, and an admin interface. Python provides a robust ecosystem of Excellent for building robust, feature-rich web frameworks, libraries, and tools that simplify the applications quickly. development process and enable developers to Flask: create scalable and efficient web solutions A lightweight and flexible micro-framework. Gives developers more control over These frameworks cater to a range of components, allowing them to choose their preferences and project requirements, from full- preferred tools and libraries. Suitable for small to medium-sized projects stack frameworks like Django to micro- and applications where simplicity and frameworks like Flask and Bottle. customization are priorities. The choice depends on factors such as project size, complexity, developer preference, and specific feature requirements. 33 Client-Side Functions 1) Interact with temporary storage 2) Make interactive web pages 3) Interact with local storage 4) Sending request for data to server 5) Send request to server 6) work as an interface between server and user 34 JavaScript JavaScript (js) is a light-weight object-oriented programming language which is used by several websites for scripting the webpages. It is an interpreted, full-fledged programming language that enables dynamic interactivity on websites when applied to an HTML document. Javascript is the most popular programming language in the world and that makes it a programmer’s great choice. Once you learnt Javascript, it helps you developing great front-end as well as back-end software using different Javascript based frameworks like jQuery, Node.JS etc. 35 AJAX AJAX stands for Asynchronous JavaScript and XML. AJAX is a new technique for creating better, faster, and more interactive web applications with the help of XML, HTML, CSS, and Java Script. Ajax uses XHTML for content, CSS for presentation, along with Document Object Model and JavaScript for dynamic content display. AJAX is a web browser technology independent of web server software. 36 More about AJAX AJAX allows web pages to be updated asynchronously by exchanging small amounts of data with the server behind the scenes. This means that it is possible to update parts of a web page, without reloading the whole page. Classic web pages, (which do not use AJAX) must reload the entire page if the content should change. Examples of applications using AJAX: Google Maps, Gmail, Youtube, and Facebook tabs. 37 How AJAX Works 1. An event occurs in a web page (the page is loaded, a button is clicked) 2. An XMLHttpRequest object is created by JavaScript 3. The XMLHttpRequest object sends a request to a web server 4. The server processes the request 5. The server sends a response back to the web page 6. The response is read by JavaScript 7. Proper action (like page update) is performed by JavaScript 38 XML XML (Extensible Markup Language) is used to describe data. The XML standard is a flexible way to create information formats and electronically share structured data via the public internet, as well as via corporate networks. XML's primary function is to create formats for data that is used to encode information for documentation, database records, transactions and many other types of data. XML data may be used for creating different content types that are generated by building dissimilar types of content. XML Essentials - W3C 39 Sample of an XML file 40 SOAP SOAP is the short form of Simple Object Access Protocol. It uses XML messaging syntax to exchange information among computers via internet. SOAP can extend HTTP for XML messaging. It provides data transport for web services. It can exchange complete documents or call remote procedure. It can be used to broadcast a message. SOAP is platform and language independent. SOAP is not tied to any particular transport protocol. SOAP As an example, An application can send a SOAP request to a server that has web services enabled— such as a real-estate price database—with the parameters for a search. The server then returns a SOAP response with the resulting data, Since the generated data comes in a standardized machine- parsable format, the requesting application can then integrate it directly. Web Services and SOAP (Simple Object Access Protocol) SOAP uses HTTP and XML to exchange data JSON - JavaScript Object Notation Client-side JavaScript uses the XMLHttpRequest API to request data from a server JSON is lightweight data-interchange format. JSON is easy to read and write than XML. JSON is language independent. JSON supports array, object, string, number and values In JSON, data is represented in key-value pairs, and curly braces hold objects, where a colon is followed after each name. The comma is used to separate key-value pairs. Square brackets are used to hold arrays, where each value is comma-separated. Same-Origin Policy Prevents content from different origins interfering with each other in a browser Content from one website can only read and modify data from the same website Ex: scripts on Facebook can't read or write to data on your online banking page When this process fails, you get Cross-Site Scripting, Cross-Site Request Forgery, and other attacks URL Encoding Also known as percent-encoding, is a method to encode arbitrary data in a URL using only the limited US-ASCII characters. URLs may contain only printable ASCII characters To transfer other characters, or problematic ASCII characters, over HTTP, they must be URL- encoded What is HTTP request smuggling? Tutorial & Examples | Web Security Academy (portswigger.net) References Stuttard, Dafydd, and Marcus Pinto. Web Application Hacker's Handbook : Finding and Exploiting Security Flaws, Wiley, 2011. 47

Use Quizgecko on...
Browser
Browser