Web Application Security 101 - 02 The Basics

DESCRIPTION

In part 2 of Web Application Security 101 we cover the basics of HTTP, HTML, XML, JSON, JavaScript, CSS and more in order to get you up to speed with the technology. This knowledge will be used during the rest of the course to explore the various security aspects affecting web applications today.

Text of Web Application Security 101 - 02 The Basics

  • The Basics: Hypertext Transfer Protocol And More.

  • History Of HTTP: Specified in the early 90s.

    Very simple text-based protocol.

    Designed for transferring text-based documents.

  • How It Is Built: A request and a response.

    Request/response line, headers and a body.

    Lines delimited by the CRLF characters (0x0d, 0x0a).

  • Typical HTTP Request:

    GET /path/to/something HTTP/1.1
    Host: hostname
    User-Agent: Mozilla/5.0 ...
    Accept: text/html,application/xhtml+xml,*/*;q=0.8
    Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://i/came/from/here

  • Typical HTTP Response:

    HTTP/1.1 200 OK
    Date: Wed, 23 Nov 2013 10:10:10 GMT
    Server: Some Server
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 1337
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Type: text/html;charset=UTF-8

    body

  • Browser → Server: Specify the method: GET, POST, HEAD, OPTIONS, etc.

    Specify the location: a URL/URI (Uniform Resource Locator/Identifier).

    Tell the server more about how you want the data: headers.

    Provide an optional body.

  • Browser ← Server: The server responds with a status code: 2xx (ok), 3xx, 4xx, 5xx (not ok).

    It is followed by extra information: headers.

    There is also an optional body.

  • HTTP Request Deconstructed:

    METHOD location VERSION
    Header1: Value1
    Header2: Value2

    body

  • HTTP Response Deconstructed:

    VERSION code MESSAGE
    Header1: Value1
    Header2: Value2

    body

  • In Summary: Plain text format made of lines.

    Lines are segmented by the CRLF characters.

    Each part is made of an initial line, headers and a body.

    Guarantees a simple implementation across different technologies.

  • Some Observations: No authentication!

    No encryption!

    No sessions!

    No streaming!

  • HTTP Develops: The spec is extended with HTTP/1.0 and later HTTP/1.1.

    Streaming, Authentication, Sessions, Virtual Hosts and more.

  • HTTP Authentication: There are several kinds: basic, digest, NTLM.

    Basic auth is based around base64 encoding.

    Digest is based around challenge/response.

    NTLM is a proprietary protocol developed by Microsoft.

  • HTTP Encryption: A layer underneath HTTP called SSL.

    SSL stands for Secure Sockets Layer.

    It works as a wrapper around sockets.

  • HTTP Sessions: The HTTP protocol is completely stateless.

    Sessions enable state, typically stored as cookies.

    Cookies are a simple storage provided by the browser.

    Cookies are restricted by the SOP (Same Origin Policy).

    Cookies also have various security flags: HttpOnly and Secure.

  • Enough? There is so much more to learn.

  • Virtual Hosts: Initially one HTTP server per box.

    This used to be very wasteful in the pre-virtualization era.

    The Host header was introduced to enable multiple sites per box.

  • Transport Mechanisms: Content-Length - the body has a declared length.

    Transfer-Encoding: chunked - the body is made of chunks.

  • Transport Encodings: application/x-www-form-urlencoded is used for sending forms.

    multipart/form-data is used for submitting files.

    application/json is used for uploading/downloading JSON.

    application/xml is used for uploading/downloading XML.

  • Data Encodings: URL encoding: % followed by the hex representation of a character.

    Entity encoding, also known as XML encoding: the character reference is written between & and ;.

    Base64 encoding: everything is represented by 64 ASCII characters.
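An added example, not part of the original deck, that exercises the three data encodings on this slide together with the base64-based Basic auth from the HTTP Authentication slide, using only Python's standard library; the field names and credentials are constructed sample values.

```python
import base64
import html
from urllib.parse import quote, unquote, urlencode, parse_qs


def url_encode(text: str) -> str:
    """Percent-encode every byte outside the unreserved set as % plus two hex digits."""
    return quote(text, safe="")


def url_decode(text: str) -> str:
    """Reverse url_encode: each %XX becomes the byte it stands for."""
    return unquote(text)


def form_encode(fields: dict) -> str:
    """Build an application/x-www-form-urlencoded body (spaces become '+')."""
    return urlencode(fields)


def form_decode(body: str) -> dict:
    """Parse a form body back into a dict, keeping the first value of each field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def entity_encode(text: str) -> str:
    """Entity (XML/HTML) encoding: markup characters become &name; references."""
    return html.escape(text, quote=True)


def basic_auth_header(user: str, password: str) -> str:
    """Basic auth is base64 of 'user:password'. That is encoding, not encryption:
    anyone who sees the header can read the credentials, hence the need for TLS."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header: str) -> tuple:
    """Recover (user, password) from an Authorization header value.
    Split on the first ':' only, because the password may itself contain colons."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed sample values, not taken from any real application.
SAMPLE_FIELDS = {"username": "guest <admin>&co", "redirect": "/path/delete.php"}
```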

  • GET vs. POST: Here is a GET request where parameters are in the URL:

    GET /path/delete.php?username=guest HTTP/1.1

    Here is a POST request where parameters are in the body:

    POST /path/delete.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 14

    username=guest

    Sometimes GET and POST are substitutable.

  • REST: Architectural style of programming, predominantly for APIs.

    DELETE /username/guest HTTP/1.1

  • HTML: HyperText Markup Language

  • XML: Extensible Markup Language

  • JSON: JavaScript Object Notation

    {"key": "value"}

  • Lab: We will learn how to apply all of this.

  • Simple Challenges: 1. Make a simple GET request.

    2. Make a simple POST request.

    https://suite.websecurify.com/apps/rest#request=GET%20http://target/?a%3db%20HTTP/1.1%0d%0aHost:%20target%0d%0a%0d%0a
    https://suite.websecurify.com/apps/rest#request=POST%20http://target/%20HTTP/1.1%0d%0aHost:%20target%0d%0aContent-Type:%20application/x-www-form-urlencoded%0d%0aContent-Length:%203%0d%0a%0d%0aa%3db%0d%0a

  • Moderate Challenges: 1. Make an authenticated request with basic auth.

    2. Make an authenticated request with cookies.

    3. Make a form data (file upload) request.

    https://suite.websecurify.com/apps/rest#request=GET%20http://target/?a%3db%20HTTP/1.1%0d%0aHost:%20target%0d%0aAuthorization:%20Basic%20dGVzdDp0ZXN0%0d%0a%0d%0a
    https://suite.websecurify.com/apps/rest#request=GET%20http://target/?a%3db%20HTTP/1.1%0d%0aHost:%20target%0d%0aCookie:%20sessionid%3dsessionid0%0d%0a%0d%0a
    https://suite.websecurify.com/apps/rest#request=POST%20http://target/?a%3db%20HTTP/1.1%0d%0aHost:%20target%0d%0aContent-Type:%20multipart/form-data,%20boundary%3dAaBbCcDdEeFf%0d%0a%0d%0a--AaBbCcDdEeFf%0d%0aContent-Disposition:%20form-data;%20name%3d%22a%22%0d%0a%0d%0ab%0d%0a--AaBbCcDdEeFf--%0d%0a%0d%0a

  • Advanced Challenges: 1. Make a proxy request.

    https://suite.websecurify.com/apps/rest#request=GET%20http://target/?a%3db%20HTTP/1.1%0d%0aHost:%20target%0d%0a%0d%0a