Web Security
Today
• Web architecture
– Basics of web security
What is the Web?
• A platform for deploying applications, portably and securely
Web security: two sides
• Web browser (client side)
– Interacts with the user
– Fetches and renders pages from the server
– Worry about user’s own data, malware, keyloggers, …
• Web application code (server side)
– Runs at web site: banks, e-merchants, blogs
– Written in PHP, ASP, JSP, Python, Ruby, Node.js, …
– Decides which page to serve to which users/requests (authorized users, dynamic content, etc)
– Worry about all users’ data, targeted attacks, …
A historical perspective
• The web is an example of “bolt-on security”
• Originally, the web was invented to allow physicists to share their research papers
– Only textual web pages + links to other pages; no security model to speak of
• Then we added embedded images
– Crucial decision: a page can embed images loaded from another web server
• Then, Javascript, dynamic HTML, AJAX, CSS, frames, audio, video, …
• Today, a web site is a distributed application
URLs
• Global identifiers of network-retrievable documents
• Example: http://ecen4133.org:80/tmp/test?foo=1337#top
– Protocol: http
– Host: ecen4133.org (port 80)
– Path: /tmp/test
– Query: foo=1337
– Fragment: top
• Are URLs case-sensitive?
– The protocol and host are not (browsers fold them to lower case); the path, query and fragment are passed through as written, and whether /tmp/test and /Tmp/Test name the same resource is up to the server
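The breakdown above, as an added example that is not part of the lecture slides: the slide's URL taken apart with the WHATWG URL parser that browsers and Node.js share, plus an upper-cased copy and a second URL with port 8080 (both constructed here) to show which parts get normalized.

```javascript
// Added example (not from the lecture slides): decompose the slide's URL with the
// WHATWG URL parser and check what is case-insensitive and what is not.
// The upper-cased URL and the :8080 URL below are constructed for this example.

function urlParts(text) {
  const u = new URL(text);
  return {
    protocol: u.protocol, // "http:" (scheme, folded to lower case)
    host: u.hostname,     // "ecen4133.org" (folded to lower case)
    port: u.port,         // "" because :80 is the default for http and is dropped
    path: u.pathname,     // "/tmp/test" (kept as written)
    query: u.search,      // "?foo=1337" (kept as written)
    fragment: u.hash,     // "#top" (kept as written; never sent to the server)
    origin: u.origin,     // "http://ecen4133.org" = scheme + host + port
  };
}

// Scheme and host are case-insensitive and get folded; path, query and
// fragment keep their case, so the server decides whether /tmp/test and
// /Tmp/Test are the same resource.
function caseCheck(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return {
    sameProtocol: ua.protocol === ub.protocol,
    sameHost: ua.hostname === ub.hostname,
    samePath: ua.pathname === ub.pathname,
    sameQuery: ua.search === ub.search,
    sameFragment: ua.hash === ub.hash,
  };
}

const SLIDE_URL = "http://ecen4133.org:80/tmp/test?foo=1337#top";
const UPPER_URL = "HTTP://ECEN4133.ORG:80/Tmp/Test?Foo=1337#Top"; // constructed

console.log(urlParts(SLIDE_URL));
console.log(urlParts("http://ecen4133.org:8080/tmp/test").port); // "8080": non-default ports survive
console.log(caseCheck(SLIDE_URL, UPPER_URL));
```

Note that the explicit :80 in the slide's URL disappears after parsing, so two URLs that look different can name the same server and port; a non-default port such as :8080 is kept and makes it a different origin.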
HTML
• Hypertext markup language (HTML)
– Describes the content and formatting of Web pages
– Rendered within browser window
• HTML features
– Static document description language
– Supports linking to other pages and embedding images by reference
– User input sent to server via forms
• HTML extensions
– Additional media content (e.g., PDF, video) supported through plugins
– Embedding programs in supported languages (e.g., JavaScript, Java) provides dynamic content that interacts with the user, modifies the browser user interface, and can access the client computer environment
HTTP protocol
• HTTP is
– Widely used
– Simple
– Stateless: each request stands alone; nothing in the protocol ties it to the previous one
– Unencrypted: it travels in the clear unless wrapped in TLS (HTTPS)
HTTP Protocol
• HTTP Request (browser → web server):
    GET /index.html HTTP/1.1
    Host: www.example.com
– Request line: method (GET), file (/index.html), HTTP version (HTTP/1.1)
– Headers follow (here: Host)
• HTTP Reply (web server → browser):
    HTTP/1.1 200 OK
    Date: Tue, 14 Feb 2012
    Server: Apache/1.3.3.7
    Last-Modified: Mon, 13 Feb 2012
    Content-Length: 438
    Set-Cookie: …
    Content-Type: text/html; charset=UTF-8

    Hello World!
– Status line: HTTP version (HTTP/1.1), status code (200), reason phrase (OK)
– Headers, then a blank line, then the body
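The exchange above, as an added example that is not part of the lecture slides: a minimal HTTP/1.1 message parser that takes apart the request and reply shown, then builds the follow-up request a browser would send. The message texts are constructed for this example from the slide's lines; the cookie value sid=abc123 and the Content-Length of 12 are assumptions (the slide elides the cookie and shows a 438-byte page), and the follow-up path /reviews is made up.

```javascript
// Added example (not from the lecture slides): parse the request and reply shown
// on the slide and show what "stateless" means for a cookie. The messages,
// the cookie value and the Content-Length below are constructed for this example.

const CRLF = "\r\n";

// "Name: value" lines into a map keyed by lower-cased name.
// Header names are case-insensitive in HTTP; values are not.
// Repeated headers (e.g. several Set-Cookie) are kept as a list.
function parseHeaders(lines) {
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx < 0) throw new Error(`malformed header line: ${line}`);
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = (headers[name] || []).concat(value);
  }
  return headers;
}

// Head = everything before the first blank line; body = everything after it.
function splitMessage(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  if (sep < 0) throw new Error("no blank line ending the headers");
  return { head: raw.slice(0, sep).split(CRLF), body: raw.slice(sep + 4) };
}

function parseRequest(raw) {
  const { head, body } = splitMessage(raw);
  const [method, target, version] = head[0].split(" ");
  const headers = parseHeaders(head.slice(1));
  // HTTP/1.1 requires Host: the server uses it to pick the site to serve.
  if (version === "HTTP/1.1" && !headers.host) throw new Error("HTTP/1.1 request without Host");
  return { method, target, version, headers, body };
}

function parseResponse(raw) {
  const { head, body } = splitMessage(raw);
  const m = head[0].match(/^(HTTP\/\d\.\d) (\d{3}) (.*)$/);
  if (!m) throw new Error(`bad status line: ${head[0]}`);
  const headers = parseHeaders(head.slice(1));
  // The body is as long as Content-Length says, not as long as the text happens to be.
  const declared = headers["content-length"] ? Number(headers["content-length"][0]) : null;
  const actual = Buffer.byteLength(body);
  if (declared !== null && declared !== actual) {
    throw new Error(`Content-Length ${declared} but body is ${actual} bytes`);
  }
  return { version: m[1], status: Number(m[2]), reason: m[3], headers, body };
}

// Stateless: the server will not remember this client. The only link to the
// next request is the client echoing the Set-Cookie value back as Cookie.
function nextRequest(prev, response, target) {
  const lines = [`GET ${target} HTTP/1.1`, `Host: ${prev.headers.host[0]}`];
  const cookies = (response.headers["set-cookie"] || []).map((sc) => sc.split(";")[0]); // drop Path, HttpOnly, ...
  if (cookies.length) lines.push(`Cookie: ${cookies.join("; ")}`);
  return lines.join(CRLF) + CRLF + CRLF;
}

// Constructed messages, following the slide line for line.
const BODY = "Hello World!";
const REQUEST = ["GET /index.html HTTP/1.1", "Host: www.example.com", "", ""].join(CRLF);
const RESPONSE = [
  "HTTP/1.1 200 OK",
  "Date: Tue, 14 Feb 2012",
  "Server: Apache/1.3.3.7",
  "Last-Modified: Mon, 13 Feb 2012",
  `Content-Length: ${Buffer.byteLength(BODY)}`, // 12 here; the slide's page was 438 bytes
  "Set-Cookie: sid=abc123; Path=/; HttpOnly",   // assumed cookie; the slide elides it
  "Content-Type: text/html; charset=UTF-8",
  "",
  BODY,
].join(CRLF);

const req = parseRequest(REQUEST);
const res = parseResponse(RESPONSE);
const followUp = nextRequest(req, res, "/reviews"); // path made up for the example
console.log(req.method, req.target, req.headers.host[0]);
console.log(res.status, res.reason, res.headers["content-type"][0]);
console.log(followUp);
```

The two checks in the parser are the ones that matter in practice: a missing Host lets the server pick the wrong site, and a body whose length disagrees with Content-Length means two parsers may disagree on where one message ends and the next begins.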