
2 Web application basics

© Copyright IBM Corporation 2015

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

Almost every business operates a website that includes web applications. In this unit, you learn
what a web application is and how it interacts with other software, as a foundation for
understanding how web application attacks work. You also learn how to use HTML and HTTP in the
most basic forms in preparation for attacking a site.


References:
• RFC1945: http://www.rfc-base.org/rfc-1945.html
• RFC2068: http://www.rfc-base.org/rfc-2068.html
• RFC2616: http://www.rfc-base.org/rfc-2616.html
• Fiddler: http://www.telerik.com/download/fiddler
• Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

Objectives
In this unit, you learn to perform the following tasks:
• Describe the common components of web applications
• Identify HTML and HTTP in the most basic forms

Lesson 1 Common components of web applications


Web applications are a standard feature of websites for many organizations. In this lesson, you
learn how data can move between the following three tiers that comprise most web applications:
• Client tier
• Middle tier
• Data tier

What a web application is


A precise description of the difference between a website and a
web application does not exist, but there is a subtle distinction
• Website
ƒ Provides access to static documents
ƒ User input does not affect business functionality
• Web application
ƒ Builds on a website
ƒ Takes user input that affects back-end business logic
ƒ Uses a web server that typically interacts with other back-end servers,
such as an application server or a database server

The primary difference between a website and web application is that a website is static and a web
application reacts according to user input.

Web application components

[Figure: Internet → Firewall → Client tier (browser) → Middle tier: web server (presentation) and application server (business logic) → Data tier: database]

Though many variations are possible, a web application is commonly structured as a three-tiered
application. In its most common form, these tiers have the following characteristics:
• The client tier is the first tier.
• An engine using some dynamic web content technology is the middle tier.
• A database is the third tier.

The web browser sends requests to the middle tier, which services them by making queries and
updates against the database, and then generates a user interface.

Client tier
Client tiers have the following characteristics:
• Are implemented in a web browser
• Consist of HTML presentation
• Can contain the following types of “semi” intelligent components or scripts:
  - JavaScript™
  - ActiveX
  - Dynamic HTML
• Handle all user-level input and output

At a minimum, the client tier consists of HTML and scripts.

Client tier: Hypertext Markup Language (HTML)


• HTML is a textual representation of a graphical page that consists of tags, attributes, and values
• A vast number of HTML tags are available, and each is rendered differently
• Most injection attacks involve breaking out of the current context and starting a new context
• Less common attacks might involve creating a subcontext within the current context, or injecting directly into the current context, which is impossible to stop

<html>
  <head>
    <title>My Homepage</title>
  </head>
  <body>
    <p>Hello World</p>
  </body>
</html>

The vast number of HTML tags, and the ways they can be combined, make HTML vulnerable to injection. In
the example on the slide, “My Homepage” and “Hello World” are data; everything else is code.
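The data-versus-code distinction above, as an added example that is not part of the course material: a tiny string-concatenation template in the style many applications use, with and without output escaping, and a check that shows whether a value supplied as data was able to break out of the <p> context. The sample input and the helper names are constructed for this illustration.

```javascript
// Added example (not from the IBM course material): the "data versus code"
// distinction from the slide, shown as a tiny server-side template.
// The page is built by concatenating strings, exactly as many web
// applications do, so anything that is not escaped becomes HTML code.

// Escape the five characters that can change HTML context so that
// user input stays data inside an element body or a quoted attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe rendering: title and body are pasted into the code as-is.
function renderUnsafe(title, body) {
  return "<html><head><title>" + title + "</title></head>" +
         "<body><p>" + body + "</p></body></html>";
}

// Safe rendering: title and body are escaped, so they can only be data.
function renderSafe(title, body) {
  return "<html><head><title>" + escapeHtml(title) + "</title></head>" +
         "<body><p>" + escapeHtml(body) + "</p></body></html>";
}

// Count the <script> tags in the page: a crude check that reveals whether
// the input was able to leave the <p> context and start a new one.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample input: a benign value and one that tries to close
// the paragraph context and open a script context.
const BENIGN_BODY = "Hello World";
const CONTEXT_BREAK = "Hello</p><script>probe()</script><p>";

// Render the same input both ways and count script tags in each result.
function demo() {
  return {
    unsafe: countScriptTags(renderUnsafe("My Homepage", CONTEXT_BREAK)),
    safe: countScriptTags(renderSafe("My Homepage", CONTEXT_BREAK)),
  };
}
```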


Client tier: Scripting capabilities


Scripts have the following capabilities:
• Implement user interactions with the website
• Interact seamlessly with the website
• Perform any action that is related to the website
• Launch signed and safe ActiveX controls

<html>
  <body onmouseover="toggleBackColor()">
    <script>
      function toggleBackColor() {
        if (document.body.bgColor == "#ff0000") {
          document.body.bgColor = "#ffffff";
        } else {
          document.body.bgColor = "#ff0000";
        }
      }
    </script>
    <H1>Hello World</H1>
  </body>
</html>


Client tier: Same origin policy


• A script loaded from one origin cannot get or set properties of a document from a different origin
• The term origin is defined using the following values:
  - Domain name
  - Protocol
  - Port
• Scripts can access other frames only from the same origin
• Scripts can issue requests to documents from a different origin, but cannot view the corresponding responses

One important restriction is that JavaScript code originating from one domain cannot see any data
that originates from a different domain. This restriction is called the Same Origin Policy, and it
protects against unwanted data sharing between two sites.

Consider a scenario where an attacker creates a site with a script in it that “looks” at another
browser window. The other window might contain personal data, such as bank account details. The
Same Origin Policy restricts the information coming from each domain to that domain only. In
summary, a script running on one domain cannot obtain any data that comes from another domain.
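The origin comparison described above, as an added example that is not part of the course material: the three values the slide names (protocol, domain name, port) are extracted with Node's built-in URL class and compared the way a browser does, including the default-port case. The host names are constructed for this illustration.

```javascript
// Added example (not from the IBM course material): computing and
// comparing origins the way the same-origin policy does. Node's built-in
// URL class parses the locator; the origin is (protocol, host name, port).

// Map a URL to its origin tuple. A missing port means the protocol's
// default port, so http://a.example and http://a.example:80 are the same.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaults = { "http:": "80", "https:": "443" };
  return {
    protocol: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || defaults[u.protocol] || "",
  };
}

// Two URLs share an origin only when all three parts are equal; the
// path and query play no role in the decision.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Decide whether a script loaded from scriptUrl may read a document at
// docUrl; the reason is returned so a reviewer can see which part differed.
function accessDecision(scriptUrl, docUrl) {
  const x = originOf(scriptUrl), y = originOf(docUrl);
  if (x.protocol !== y.protocol) return "denied: protocol differs";
  if (x.host !== y.host) return "denied: domain name differs";
  if (x.port !== y.port) return "denied: port differs";
  return "allowed: same origin";
}
```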

Client tier: Web 2.0


• Web 2.0 is not a new technology
  Web 2.0 sites existed long before the term emerged
• Web 2.0 makes extensive use of JavaScript, XMLHttpRequests, and client-side logic
  Many new features are added, but new vulnerabilities are also possible
• Why Web 2.0 security gets attention:
  - Growth in usage → growth in number of vulnerabilities
  - Web 2.0 trend → more research → more attack flows
  - Massive usage → bigger risk (Samy MySpace worm)

Client tier: AJAX


• Asynchronous JavaScript And XML (AJAX) is a commonly used technology
• AJAX changes the UI look and feel:
  - No refresh
  - Everything is on one page, with no links to click
  - Faster interaction with the website
  - One-page application with lots of client logic

Middle tier: Presentation


• Presentation generates and presents web pages through the following types of web servers:
  - Apache
  - IIS
• It can also generate dynamic content based on the following technologies:
  - Active Server Pages (ASP)
  - Cold Fusion (CFM)
  - JavaServer Pages (JSP) technology
  - PHP: Hypertext Preprocessor (PHP)
  - CGI/Perl scripts
• Presentation can be part of an application server implementation such as IBM® WebSphere® Application Server

Middle tier: Business logic


• Business logic is specific to business functionality
• It can be based on one of several technologies:
  - Java EE
  - Microsoft .NET
  - Cold Fusion
  - PHP
  - Others
• Business logic runs the code that accomplishes the following tasks:
  - Performs calculations
  - Manages access to corporate resources
  - Interfaces to data stores

Data tier
• The data tier is sometimes referred to as the back-end tier
• It controls access to the following types of data:
  - User and application-specific data
  - Corporate data
• It is usually based on the following types of Relational Database Management System (RDBMS) technology:
  - Microsoft SQL Server
  - Oracle
  - IBM® DB2®
  - Sybase
  - MySQL

Lesson 2 Using basic forms of HTML and HTTP


In this lesson, you learn how to use HTML forms and the HTTP protocol to gather information that
can be used in an attack on an organization.


Document referencing
http://www.testsite.com:80/products/appscan/default.aspx?articleId=4

• Protocol: http
• Host name: www.testsite.com
• Port: 80
• Document path: /products/appscan/default.aspx
• Query: articleId=4

URL encoding: Data sent to a web application must be encoded in a special format; because it is
appended to the URL, it cannot contain special characters such as a space, newlines, an ampersand (&),
or an equals sign (=). The format is %HH, where HH is the hexadecimal representation of the
character needed:
• Space is %20
• Double quote is %22
• Left parenthesis is %28
Note:
• A URL is a uniform resource locator.
• Everything after the question mark (?) is data appended to the document path.
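The %HH encoding and the query part of the URL described above, as an added example that is not part of the course material: the encoder is written out by hand (rather than calling encodeURIComponent) so the rule is visible, and it goes slightly beyond the slide by encoding every byte outside the unreserved set of RFC 3986 and by round-tripping UTF-8. The parameter names and values are constructed for this illustration.

```javascript
// Added example (not from the IBM course material): the %HH encoding
// from the slide, implemented by hand, plus the decoder and a query-string
// parser that relies on it.

// Characters that may appear in a query value without encoding
// (the "unreserved" set of RFC 3986). Every other byte becomes %HH.
const UNRESERVED = /[A-Za-z0-9\-._~]/;

function percentEncode(value) {
  let out = "";
  for (const byte of Buffer.from(String(value), "utf8")) {
    const ch = String.fromCharCode(byte);
    out += UNRESERVED.test(ch) ? ch
         : "%" + byte.toString(16).toUpperCase().padStart(2, "0");
  }
  return out;
}

// Reverse the encoding; bytes are collected first so that multi-byte
// UTF-8 sequences such as %C3%A9 are reassembled correctly.
function percentDecode(text) {
  const bytes = [];
  for (let i = 0; i < text.length; i++) {
    const hex = text.slice(i + 1, i + 3);
    if (text[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(...Buffer.from(text[i], "utf8"));
    }
  }
  return Buffer.from(bytes).toString("utf8");
}

// Build "name=value&name=value" from an object; encoding both halves is
// what keeps an "&" or "=" inside a value from being read as a separator.
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => percentEncode(k) + "=" + percentEncode(v))
    .join("&");
}

// Parse the part of a URL after "?" back into an object.
function parseQuery(query) {
  const result = {};
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    result[percentDecode(name)] = percentDecode(value);
  }
  return result;
}
```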

HTML forms

[Slide: example forms submitted with GET and with POST]

A form is a control used to submit data to the website from the browser. It is contained in the HTML
<FORM> tags. Submitting a form results in an HTTP request (GET or POST, as the slide shows) being
sent to the server; with POST, the form data is appended to the request as its body.

Hypertext Transfer Protocol (HTTP)


• HTTP is a communications protocol used to transfer
information on intranets and the World Wide Web
• Versions: 0.9, 1.0, 1.1
• RFCs (request for comments): 1945, 2068, 2616
• Describes the “language” used by browsers and web servers

[Figure: the client sends a Request to the server; the server returns a Response]

HTTP is the protocol for the World Wide Web. It defines the language for requests and responses.

Note: GET and POST are defined by HTTP.

For more information about HTTP, refer to the following RFCs:


• RFC1945: http://www.rfc-base.org/rfc-1945.html
• RFC2068: http://www.rfc-base.org/rfc-2068.html
• RFC2616: http://www.rfc-base.org/rfc-2616.html

HTTP request/response examples

[Slide: a captured HTTP request and the corresponding response]

In this example, the request is sent from the client browser to the server. The request specifies the
resource it wants, along with other data. The response returns the resource requested or an error
code.

Basic HTTP request methods


• GET: retrieve a document
• POST: send data to the server
• HEAD: retrieve header information
• PUT, DELETE: store an entity-body at the URL, and delete a URL
• TRACE: allows the client to see what is being received at the other end of the request chain, and use that data for testing or diagnostic information
• OPTIONS: a request for information about the communication options available on the request/response chain identified by the Request-URI

Web servers should only accept GET, POST, and HEAD – all other methods are huge security risks
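The form submission, the request example and the method allow-list from this lesson, as one added example that is not part of the course material: a minimal parser for a raw HTTP/1.1 request as it arrives on the wire, which rejects methods outside GET, POST and HEAD with 405 before doing any work and decodes the form data from the query (GET) or the body (POST) using Node's built-in URLSearchParams. The sample requests and host name are constructed for this illustration.

```javascript
// Added example (not from the IBM course material): a minimal parser for
// a raw HTTP/1.1 request, together with the method allow-list the slide
// recommends. Node's built-in URLSearchParams decodes the form body.

const ALLOWED_METHODS = new Set(["GET", "POST", "HEAD"]);

// Split a raw request into request line, headers and body. Header names
// are case-insensitive in HTTP, so they are lower-cased for lookup.
function parseRequest(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  if (sep < 0) throw new Error("incomplete request: no end of headers");
  const head = raw.slice(0, sep).split("\r\n");
  const body = raw.slice(sep + 4);
  const [method, target, version] = head[0].split(" ");
  const headers = {};
  for (const line of head.slice(1)) {
    const colon = line.indexOf(":");
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  return { method, target, version, headers, body };
}

// Server-side view: reject methods outside the allow-list with 405 before
// touching the request further; decode form data from the query (GET) or
// the body (POST).
function handleRequest(raw) {
  const req = parseRequest(raw);
  if (!ALLOWED_METHODS.has(req.method)) {
    return { status: 405, allow: "GET, POST, HEAD", fields: {} };
  }
  let encoded = "";
  if (req.method === "GET") {
    const q = req.target.indexOf("?");
    encoded = q < 0 ? "" : req.target.slice(q + 1);
  } else if (req.method === "POST" &&
             (req.headers["content-type"] || "").startsWith("application/x-www-form-urlencoded")) {
    encoded = req.body.slice(0, Number(req.headers["content-length"] || req.body.length));
  }
  return { status: 200, fields: Object.fromEntries(new URLSearchParams(encoded)) };
}

// Constructed sample traffic: the same form submitted with GET and with
// POST, and a TRACE request that the allow-list turns away.
const GET_REQUEST =
  "GET /orderform.aspx?item=appscan&qty=2 HTTP/1.1\r\n" +
  "Host: www.example.com\r\n\r\n";
const POST_REQUEST =
  "POST /orderform.aspx HTTP/1.1\r\n" +
  "Host: www.example.com\r\n" +
  "Content-Type: application/x-www-form-urlencoded\r\n" +
  "Content-Length: 18\r\n\r\n" +
  "item=appscan&qty=2";
const TRACE_REQUEST = "TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
```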

HTTP response codes


• 1XX: Informational
  The client should continue with its request
• 2XX: Successful
  The client's request was successfully received, understood, and accepted
• 3XX: Redirection
  Further action needs to be taken by the user agent in order to fulfill the request
• 4XX: Client error
• 5XX: Server error
  The server has erred or cannot perform the request

HTTP response codes examples

[Slide: example HTTP responses and their status codes]

Client state management


• HTTP is stateless; continuity from one request to the next does not exist
• Maintaining state is a responsibility of the web application
• Session: putting individual user requests in context
• Session management mechanisms:
  - Cookie
    • A piece of data stored by the browser on behalf of the web server
    • Typically set by the server, as in the following response headers:

      Server: Microsoft-IIS/6.0
      X-Powered-By: ASP.NET
      X-AspNet-Version: 2.0.50727
      Set-Cookie: ASP.NET_SessionId=zsi0ij45xls3ccrlio523h55; path=/; HttpOnly
      Set-Cookie: amSessionId=10228114238; path=/
      Cache-Control: no-cache
      Pragma: no-cache
      Content-Type: text/html; charset=utf-8
      Content-Length: 9605

  - GET / POST query parameter, for example:

      http://www.example.com/orderform.aspx?sessionID=LAKF0004984

ASP.NET cookieless session IDs have the following attributes:


• ASP.NET modifies the links contained in all requested pages that use a path relative to the
application (explicit paths are not modified) by embedding a session ID value in the links just
before sending each page to the browser.
• The session state is maintained as long as the user follows the path of links that the ASP.NET
application provides. However, if the client rewrites a URL supplied by the application, ASP.NET
might not be able to resolve the session ID and associate the request with an existing session,
resulting in a new session being started for the request.
• The session ID is embedded in the URL after the slash that follows the application name and
before any remaining file or virtual directory identifier. This allows ASP.NET to resolve the
application name before involving the SessionStateModule in the request.
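The response codes and the Set-Cookie headers from this lesson, as one added example that is not part of the course material: a raw HTTP response is parsed, its status code is classified into the 1XX to 5XX classes the slide lists, and each Set-Cookie header is checked for the HttpOnly and Secure attributes, which shows why the slide's second session cookie is readable from script while the first is not. The response is constructed from the headers shown on the slide.

```javascript
// Added example (not from the IBM course material): parsing a raw HTTP
// response, classifying its status code as the slide does, and auditing
// each Set-Cookie header for the HttpOnly and Secure attributes.

const STATUS_CLASSES = {
  1: "Informational", 2: "Successful", 3: "Redirection",
  4: "Client error", 5: "Server error",
};

function statusClass(code) {
  return STATUS_CLASSES[Math.floor(code / 100)] || "Unknown";
}

// Split status line, headers and body. Set-Cookie may legitimately repeat,
// so every header value is collected as an array.
function parseResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = raw.slice(0, sep < 0 ? raw.length : sep).split("\r\n");
  const [version, code] = head[0].split(" ");
  const headers = {};
  for (const line of head.slice(1)) {
    const colon = line.indexOf(":");
    const name = line.slice(0, colon).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(colon + 1).trim());
  }
  return { version, status: Number(code), headers, body: sep < 0 ? "" : raw.slice(sep + 4) };
}

// Describe each cookie: its name, whether HttpOnly (keeps document.cookie
// from reading it) is set, and whether Secure (sent over HTTPS only) is set.
function auditCookies(headers) {
  return (headers["set-cookie"] || []).map((value) => {
    const [pair, ...attrs] = value.split(";").map((s) => s.trim());
    const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
    return { name: pair.split("=")[0], httpOnly: flags.has("httponly"), secure: flags.has("secure") };
  });
}

// Constructed response built from the headers shown on the slide.
const SAMPLE_RESPONSE =
  "HTTP/1.1 200 OK\r\n" +
  "Server: Microsoft-IIS/6.0\r\n" +
  "Set-Cookie: ASP.NET_SessionId=zsi0ij45xls3ccrlio523h55; path=/; HttpOnly\r\n" +
  "Set-Cookie: amSessionId=10228114238; path=/\r\n" +
  "Content-Type: text/html; charset=utf-8\r\n\r\n" +
  "<html></html>";

// Summarise what a reviewer wants to know: the status class and which
// session cookies are exposed to client-side script.
function report(raw) {
  const res = parseResponse(raw);
  return {
    statusClass: statusClass(res.status),
    cookiesMissingHttpOnly: auditCookies(res.headers).filter((c) => !c.httpOnly).map((c) => c.name),
  };
}
```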

Useful utilities
• Fiddler is a web debugging proxy that logs all HTTP(S) traffic between your computer and the Internet
• Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and manipulate (fiddle with) incoming or outgoing data
  http://www.telerik.com/download/fiddler
• The Firefox Tamper Data utility is useful for parameter tampering
  https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

To download Fiddler, refer to http://www.telerik.com/download/fiddler.

To download Tamper Data, refer to https://addons.mozilla.org/en-US/firefox/addon/tamper-data/.

Summary
Now you should be able to perform the following tasks:
• Describe the common components of web applications
• Identify HTML and HTTP in the most basic forms
