Web Application technologies
To be able to understand how different attacks on web applications take place, we will go through a quick review of the main web application technologies. Our review covers two main categories:
HTTP protocol issues:
This part will include information about HTTP requests, responses, headers and methods, in addition to cookies, status codes and authentication.
Web application technologies:
This part will cover general information about:
Client-side functionalities and technologies:
By client-side functionalities we mean all technologies and functions that appear on the client side, represented by the web browser.
Server-side functionalities and technologies:
This part covers all technologies executed on the server or located at the back end.
In this part, we will discuss only client-side functionalities.
HTTP (Hypertext Transfer Protocol) is the main protocol used on the web. It was originally developed to retrieve text pages from a web server and was extended afterwards to allow retrieving other types of media and web page contents. It adopts a request/response approach in which each request is handled on its own, which makes it a stateless protocol.
The protocol depends on TCP at the transport layer, which is a stateful, connection-oriented protocol. HTTP messages (requests and responses), like most protocol messages, are composed of two parts: a message header part containing one or more headers with optional values, and a message body part that optionally contains the payload of the message.
The following example shows an HTTP request message:
As you can see, the request begins with the HTTP method, which decides whether the request is meant to fetch a resource from the server (GET) or to send user input to the server to be processed (POST).
As the example uses the GET method, the message body is not necessary. Next is the uniform resource locator (URL); this part represents the address of the resource that needs to be fetched. Any extra parameters are passed after the (?) sign, and this part is called the query string.
The last part of the first line is the version of the HTTP protocol in use. In our example we are using the most widely used version, 1.1.
Next we have a set of headers in the format (header name: header value), one header per line; the header section is terminated by a blank line, after which the body (if any) follows.
The HTTP protocol supports many headers; the following are the most commonly used:
Referer (spelled this way in the HTTP standard): the resource from which the Request-URI was obtained.
User-Agent: contains information about the user agent (browser) originating the request.
Host: the hostname, which is necessary especially when virtual hosts exist on the web server (more than one site on the same web server).
Cookie: an HTTP cookie previously sent by the server with Set-Cookie.
Accept: specifies the media types which are acceptable for the response.
Accept-Language: restricts the set of natural languages that are preferred as a response to the request.
Accept-Encoding: restricts the content-codings that are acceptable in the
The first line of an HTTP response contains the protocol version and the status code. In our example the version is 1.1 and the status code is 200, which means that the requested resource was retrieved successfully. Many other codes exist; the most common are 404 (Not Found) and 403 (Forbidden).
The main classification depends on the leftmost digit:
(1) Informational responses.
(2) The request was successful.
(3) Redirection: the client is redirected to another resource.
(4) An error occurred.
The status code is followed by a textual description of the status code; in our example it is OK.
Date: specifies the date of the response.
Server: specifies the name of the web server software that answered the request; in our example it is the Apache server.
X-Powered-By: a nonstandard header that specifies the technology used to create the response.
Pragma: specifies whether to put the response in the cache or not.
Expires: specifies when the cached content should expire. As you can see in that header, the value is in the past, which means that the response content will not be cached.
Content-Type and Content-Length: refer to the HTML content contained in the response body and to the length of the body part of the message in bytes.
Set-Cookie: sets the name and value of the cookie that will be sent to the browser and resent afterwards with each request to this server.
Connection: tells HTTP whether to keep the TCP connection alive for additional messages or to close it.
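As an added example (not code from the original notes), the following Python splits constructed request and response messages into the parts described above: the request line with method, path and query string, the status line with its code class, the header section ended by the blank line, and the body. The sample messages, hostnames and cookie values are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample messages with CRLF line endings as they appear on the wire.
SAMPLE_REQUEST = (
    "GET /index.php?name=sami&lang=en HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 13\r\n"
    "Set-Cookie: session=abc123; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)
# Leftmost digit of the status code gives its class (5xx, server error, is standard but not listed in the notes).
STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection", 4: "client error", 5: "server error"}

def split_message(raw):
    # The header section ends at the first blank line; everything after it is the body.
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; repeated headers (e.g. several Set-Cookie) are kept in a list.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def parse_request(raw):
    start, headers, body = split_message(raw)
    method, target, version = start.split(" ")
    parts = urlsplit(target)          # path before '?', query string after it
    return {"method": method, "path": parts.path, "query": parse_qs(parts.query),
            "version": version, "headers": headers, "body": body}

def parse_response(raw):
    start, headers, body = split_message(raw)
    version, code, reason = start.split(" ", 2)
    return {"version": version, "status": int(code), "reason": reason,
            "status_class": STATUS_CLASSES.get(int(code) // 100, "unknown"),
            "headers": headers, "body": body}

def body_length_matches(msg):
    # Content-Length counts bytes of the body, not characters; a mismatch is a malformed message.
    declared = msg["headers"].get("content-length", ["0"])[0]
    return int(declared) == len(msg["body"].encode())
```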
Different HTTP methods:
As you saw in the previous example, we used the GET method to retrieve a resource from the server. Several other methods are available; the most common are:
POST: GET and POST are the most used methods. While GET sends the name of the requested resource in the header part along with the other parameters, POST sends the information in the body part.
The POST method helps to send information without disclosing it in the address bar, as the GET method does; additionally, it allows sending a larger amount of data, noting that most web servers limit the size of the header part to less than 20K.
HEAD: this method is like GET but does not return any body part in the response.
TRACE: this method works as an echo, where the response contains the exact same contents as the request message. It is mainly used for diagnostic purposes.
OPTIONS: returns a response containing the allowed HTTP methods for a specific resource.
PUT: allows uploading a resource to the server. This method can be a main source of attack if enabled, so it should be carefully controlled.
Cookies are HTTP's way to overcome the stateless nature of the protocol: they allow the server to store information on the client machine by sending it in a response through the Set-Cookie header. This name/value pair is then sent back to the server with every request from the client to the same domain.
More control can be applied to this mechanism using different attributes, like the Expires attribute, which sets the expiration date of the cookie, and the Domain attribute, which sets the domain in which the cookie is valid.
Other attributes are the Path attribute, which sets the exact path where the cookie is valid, and the Secure attribute, which restricts the cookie to use over HTTPS only.
HttpOnly is another attribute that prevents client-side JavaScript from accessing the cookie information directly and restricts access to HTTP only.
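The scoping rules of the attributes just described, as an added example that is not part of the original notes: the Python below parses a constructed Set-Cookie value, decides whether a browser would attach the cookie to a later request URL (Domain, Path and Secure), and lists which protective flags the server left out. The cookie value, hostnames and URLs are constructed; path matching is simplified to a prefix check.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie value as a server might send it (not taken from the notes).
SAMPLE_SET_COOKIE = ("sessionid=31d4d96e407aad42; Domain=example.com; Path=/; "
                     "Expires=Wed, 09 Jun 2030 10:18:14 GMT; Secure; HttpOnly")

def parse_set_cookie(header_value):
    # The first pair is the cookie itself; the rest are attributes (names are case-insensitive).
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True   # Secure and HttpOnly are flags without a value
    return name, value, attrs

def domain_matches(host, cookie_domain):
    # A Domain attribute covers that domain and all of its subdomains.
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def would_be_sent(cookie, set_by_host, url):
    # Decide whether the browser attaches the cookie to a request for url.
    # set_by_host is the host that issued the Set-Cookie; it matters when Domain is absent.
    _, _, attrs = cookie
    parts = urlsplit(url)
    if attrs.get("secure") is True and parts.scheme != "https":
        return False                                 # Secure: HTTPS only
    domain = attrs.get("domain")
    if domain:
        if not domain_matches(parts.hostname, domain):
            return False
    elif parts.hostname.lower() != set_by_host.lower():
        return False                                 # no Domain: host-only cookie
    path = attrs.get("path", "/")
    # Simplified path match: the request path must start with the cookie's Path.
    return (parts.path or "/").startswith(path)

def missing_protections(cookie):
    # Defender's check: which of the protective flags did the server leave out?
    _, _, attrs = cookie
    return [flag for flag in ("secure", "httponly") if attrs.get(flag) is not True]
```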
One problem of the HTTP protocol is that it sends its contents in plain text, so anyone eavesdropping on the line can easily disclose or alter the messages sent; thus it is important to find a way to secure HTTP messages.
The most common approach is to use the HTTPS protocol, which depends mainly on tunneling HTTP messages through the Secure Sockets Layer protocol (SSL, today its successor TLS) in order to apply encryption and hashing functionalities that assure message confidentiality and integrity.
The HTTP protocol itself has three main methods to provide authentication services to different users:
Basic: the original and most compatible authentication scheme. The user credentials are sent with each request in an HTTP header as a Base64-encoded string; this is the least secure scheme.
NTLM: designed by Microsoft, a challenge-response mechanism that uses a version of the Windows NTLM protocol. It originally had problems which were recently resolved; it is considered more secure than the Digest scheme.
Digest: added in HTTP version 1.1. Digest authentication is more secure than Basic authentication as it never transfers the actual password across the network, but instead uses it, together with a "nonce" value sent from the server, to compute a hash.
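The difference between the Basic and Digest schemes, as an added example not taken from the notes: Basic credentials are merely Base64-encoded and can be read back by anyone who sees the header, while Digest sends only a hash that the server recomputes from its own copy of the credentials. The user name, password, realm and nonce are constructed; the digest follows the original RFC 2069 form (MD5 of A1, nonce and A2) without the later qop/cnonce extensions.

```python
import base64
import hashlib

def basic_header(user, password):
    # Basic: "user:password" travels Base64-encoded, which is reversible, not encryption.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic(header):
    # Anyone who reads the header (e.g. on a plain-text HTTP connection) recovers the credentials.
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, nonce, method, uri):
    # Digest (RFC 2069 form): only hashes cross the wire; the server-chosen nonce
    # ties each response to one challenge, so a captured response is of no use later.
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def server_verify(user, realm, stored_password, nonce, method, uri, response):
    # The server recomputes the same value from its stored credentials and compares.
    return digest_response(user, realm, stored_password, nonce, method, uri) == response
```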
Client-side functionalities - HTML
HTML stands for HyperText Markup Language. It is a tag-based language whose main function is to set the presentation structure of the document, specifying how the document is going to be rendered by the browser.
HTML has been amended frequently and new versions have been developed; the current one is HTML5, which has special capabilities for dealing with multimedia content and enhances searchability by adding semantic tags.
Other standards were also developed, like XHTML, which allows strict control over HTML syntax as an XML-based document.
The main feature provided by HTML, in addition to controlling the format of a document, is hyperlinks: the functionality that lets the surfer point and click to move from one document to another or within the same document.
Links are normally specified with the anchor tag <a>:
<a href="http://www.skcomputerco.com/index.php?name=sami">The Home
The tag above defines a link that specifies the resource named index.php and passes the parameter name with the value sami. The information is sent in the HTTP header with the GET method.
In real applications, the point-and-click level of interaction becomes unable to fulfil the required functionality, namely arbitrary data entry. HTML provides a special tag (form) as a container and different types of input tags to allow different entry types.
As illustrated in the previous example, the markup code above will show the following form:
On submit, the following request will be sent by the client (web browser):
The request will be sent using the POST method.
The data will be sent in the body part, not the header.
The content type is set to one of the known form content types: application/x-www-form-urlencoded.
If the form contains a file, the content type that should be used is multipart/form-data.
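The form submission described above, as an added example not taken from the notes: the Python below encodes the same constructed fields as a GET query string and as an application/x-www-form-urlencoded POST body with its Content-Type and Content-Length, builds a multipart/form-data request for a file field, and decodes the urlencoded body on the server side. Field names, values, hostnames and the boundary string are constructed.

```python
from urllib.parse import parse_qs, urlencode

# Constructed field values; the second contains characters that are special in a query string.
FIELDS = {"name": "sami", "comment": "a&b=c d"}

def form_get_request(host, path, fields):
    # GET: the fields travel percent-encoded in the query string of the request line; no body.
    return f"GET {path}?{urlencode(fields)} HTTP/1.1\r\nHost: {host}\r\n\r\n"

def form_post_request(host, path, fields):
    # POST: the same encoding, but in the body, with the matching Content-Type and a byte count.
    body = urlencode(fields)
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body.encode())}\r\n\r\n{body}")

def form_multipart_request(host, path, fields, filename, filedata,
                           boundary="----constructedBoundary"):
    # File uploads need multipart/form-data: every field is its own part, separated by the boundary.
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="upload"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n{filedata}\r\n')
    body = "".join(parts) + f"--{boundary}--\r\n"
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body.encode())}\r\n\r\n{body}")

def decode_form_body(body):
    # Server side of the urlencoded body: reserved characters come back intact because they were encoded.
    return {k: v[0] for k, v in parse_qs(body).items()}
```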
Client-side functionalities - CSS
CSS is the acronym of Cascading Style Sheets. From the name we can tell that CSS is responsible for styling the HTML file, but why bother if HTML itself contains tags that can help in controlling the format of the document?
CSS has three main features that justify its usage:
It enhances format reusability across all the website pages.
It helps to isolate the contents from the presentation, which makes interface customization easier and enables the use of multiple skins.
The new CSS version (CSS3) supports lots of powerful features like animation, rotation, transitions and many other features that are not available in pure HTML-based formatting.
CSS rules can be used in three main scenarios depending on where they are declared: inside the document, outside the document, or as part of a style attribute value.
The three scenarios are:
Inline usage: in this type of usage the CSS rule is defined as part of the style attribute of the HTML element. Inline usage mainly helps in forcing a special style on a specific element, but it offers no benefit in terms of reusability within the same document or across multiple documents.
<div style="background-color:black;"></div>
Internal usage: this type of usage depends on the declaration of CSS rules in the HTML document head inside the style element. Rules declared using this approach are only usable in the same document and cannot be used in other documents.
External usage: this type of usage is considered the most efficient, because it allows the reuse of CSS rules in multiple documents. This benefit is attained by declaring the CSS rules in a separate file that has the .css extension.
Client-side functionalities - JavaScript
tag as external file or inline as shown in the code listing below.