Almost every business operates a website that includes web applications. In this unit, you learn
what a web application is and how it interacts with other software, as a foundation for
understanding how web application attacks work. You also learn how to use HTML and HTTP in the
most basic forms in preparation for attacking a site.
References:
• RFC1945: http://www.rfc-base.org/rfc-1945.html
• RFC2068: http://www.rfc-base.org/rfc-2068.html
• RFC2616: http://www.rfc-base.org/rfc-2616.html
• Fiddler: http://www.telerik.com/download/fiddler
• Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Objectives
In this unit, you learn to perform the following tasks:
• Describe the common components of web applications
• Identify HTML and HTTP in the most basic forms
Web applications are a standard feature of websites for many organizations. In this lesson, you
learn how data can move between the following three tiers that comprise most web applications:
• Client tier
• Middle tier
• Data tier
The primary difference between a website and a web application is that a website is static, whereas a web
application reacts according to user input.
Figure: three-tier web application. Internet -> firewall -> client tier (browser) -> web server (presentation) -> application server (business logic) -> database.
Though many variations are possible, a web application is commonly structured as a three-tiered
application. In its most common form, these tiers have the following characteristics:
• The client tier is the first tier.
• An engine using some dynamic web content technology is the middle tier.
• A database is the third tier.
The web browser sends requests to the middle tier, which services them by making queries and
updates against the database, and then generates a user interface.
Client tier
Client tiers have the following characteristics:
• Are implemented in a web browser
• Consist of HTML presentation
• Can contain the following types of “semi” intelligent components or scripts:
  - JavaScript™
  - ActiveX
  - Dynamic HTML
• Handle all user-level input and output
<html>
<head>
<title>My Homepage</title>
</head>
<body>
<p>Hello World</p>
</body>
</html>
The large number of HTML tags, and the many ways they can be combined, are what make HTML vulnerable:
the browser must work out which parts of a page are code and which are data. In the example on the
slide, “My Homepage” and “Hello World” are data. Everything else is code.
One important restriction is that JavaScript code originating from one domain cannot see any data that
originates from a different domain. This restriction is called the Same Origin Policy, and it protects
against unwanted data sharing between two sites.
Consider a scenario where an attacker creates a site containing a script that “looks” at another
browser window. The other window might contain personal data, such as bank account details. The
Same Origin Policy restricts the information coming from each domain to that domain only. In
summary, a script running on one domain cannot obtain any data that comes from another domain.
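As an added illustration of the policy just described (example code, not part of the course): the "origin" a browser compares is the scheme, host and port of a URL, with the scheme's default port filled in and the path and query ignored. The course's sample URL is reused; the other URLs are constructed inputs.

```javascript
// Added example (not from the course): how a browser decides whether two URLs share an
// origin under the Same Origin Policy. An origin is the (scheme, host, port) triple;
// the path and query string play no part, and an omitted port means the scheme's default.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  // The URL parser drops a default port, so restore it for a stable comparison.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed cases: [url A, url B, whether a script from A may read data from B].
const CASES = [
  ["http://www.testsite.com:80/products/appscan/default.aspx?articleId=4",
   "http://www.testsite.com/index.html", true],            // only path/query differ
  ["http://www.testsite.com/", "https://www.testsite.com/", false], // scheme differs
  ["http://www.testsite.com/", "http://www.testsite.com:8080/", false], // port differs
  ["http://www.testsite.com/", "http://api.testsite.com/", false], // host differs (subdomain)
  ["http://www.testsite.com/", "http://bank.example/", false],     // host differs entirely
];

// Returns true when every case matches the policy's expected decision.
function checkAll() {
  return CASES.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}
```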
Data tier
• The data tier is sometimes referred to as the back-end tier
• It controls access to the following types of data:
  - User and application-specific data
  - Corporate data
• It is usually based on the following types of Relational Database Management System (RDBMS) technology:
  - Microsoft SQL Server
  - Oracle
  - IBM® DB2®
  - Sybase
  - MySQL
In this lesson, you learn how to use HTML forms and the HTTP protocol to gather information that
can be used in an attack on an organization.
Document referencing
http://www.testsite.com:80/products/appscan/default.aspx?articleId=4
(protocol: http; port: 80; document path: /products/appscan/default.aspx; query: articleId=4)
Note:
• A URL is a uniform resource locator.
• Everything after the question mark (?) is data appended to the document path.
HTML forms
Methods: GET, POST
A form is a control used to submit data to the website from the browser. It is contained in the HTML
<FORM> tags. Submitting a form results in an HTTP POST request that is sent to the server, where
the form data is appended to the POST request.
Figure: the client sends a request to the server; the server returns a response.
HTTP is the protocol for the World Wide Web. It defines the language for requests and responses.
In this example, the request is sent from the client browser to the server. The request specifies the
resource it wants, along with other data. The response returns the resource requested or an error
code.
Useful utilities
• Fiddler is a web debugging proxy that logs all HTTP(S) traffic between your computer and the Internet
• Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and manipulate (fiddle with) incoming or outgoing data
  http://www.telerik.com/download/fiddler
• The Firefox Tamper Data utility is useful for parameter tampering
  https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Summary
Now you should be able to perform the following tasks:
• Describe the common components of web applications
• Identify HTML and HTTP in the most basic forms