Internet infrastructure
Web servers
•
HTTP protocol
•
Request/reply operation
•
MIME-like format for both
– Requests
– Replies
•
Data model initially:
– File system like: /.../.../.../x.y
Importance of HTML, initially
•
Mark-up language
– Declarative GUI production
•
Supports hyperlinks
– Hide addressing
• Multi-media:
– Formatted text
– Images
– Forms
URI
•
<protocol> “://” <address> <request>
•
Address: [user@]host[:port]
•
Request examples
– path?querystring
•
HTTP URL
– "http:" "//" host [ ":" port ] [ abs_path ]
•
Others
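The URL grammar on this slide, protocol "://" [user@]host[:port] path?querystring, as a small parser. This is an added example, not code from the original slides; the function names (parse_url, connect_target, agrees_with_stdlib) and the sample URLs are assumptions made for illustration. The second sample shows the check a practitioner wants: everything before the "@" is userinfo, so a URL that displays good.example still connects to evil.example.

```python
import re
from urllib.parse import urlsplit

# Grammar from the slide: <protocol> "://" [user@]host[:port] <request>,
# where <request> is path?querystring. Explicit regex so each split point
# is visible; urlsplit() is consulted to confirm the host/port agree.
URL_RE = re.compile(
    r"^(?P<protocol>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<user>[^@/?#]*)@)?"
    r"(?P<host>[^:/?#@]+)"
    r"(?::(?P<port>\d+))?"
    r"(?P<path>/[^?#]*)?"
    r"(?:\?(?P<query>[^#]*))?$"
)


def parse_url(url):
    """Split a URL into the components named on the slide; None if it does not fit."""
    m = URL_RE.match(url)
    if m is None:
        return None
    parts = m.groupdict()
    parts["port"] = int(parts["port"]) if parts["port"] else None
    parts["path"] = parts["path"] or "/"
    return parts


def connect_target(url):
    """The (host, port) a client opens a TCP connection to. Everything before
    the '@' is userinfo and never names the server, however it looks."""
    p = parse_url(url)
    if p is None:
        return None
    default = {"http": 80, "https": 443}.get(p["protocol"].lower())
    return p["host"], p["port"] or default


def agrees_with_stdlib(url):
    """Cross-check host and port against urllib.parse.urlsplit()."""
    p = parse_url(url)
    s = urlsplit(url)
    return p is not None and p["host"] == s.hostname and p["port"] == s.port


if __name__ == "__main__":
    for u in ("http://user@www.example.com:8080/x/y/h.html?q=1",
              "http://good.example@evil.example/"):  # reads as good.example, connects to evil.example
        print(u, "->", parse_url(u), connect_target(u))
```

The userinfo case is why hyperlinks that "hide addressing" deserve a look before clicking: the visible host name is not necessarily the one the browser talks to.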
HTML essentials
•
Markup
– <TAG>...</TAG>
– <TAG ATT1="val1" ATT2="val2">...</TAG>
•
Anchors
– <A HREF="URL">text/image</A>
•
Embedded content, example: images
HTML drawbacks
•
HTML is based on SGML
•
Lots of freedom and defaults: difficult to parse
•
Liberal parsing and interpretation in the browsers
– Barely any structure validation
– Proper nesting not enforced
XML
•
Drops some complexity of HTML
•
Must have end tag
•
Structure validation
•
Empty elements better defined
– <TAG/>
CSS and XSLT
•
HTML
– became more and more complex
– Introduced more and more formatting
– No longer what, but also how
•
Cascading Style Sheets:
– Separates layout from structure, again
•
XSLT:
Web clients
•
A.k.a. Browsers
•
Multi-protocol client
– HTTP, FTP, LDAP, ...
– Successor of Gopher clients
•
Multi-media
– Text
Extensions: client side
•
Javascript
– Scripting language
• To animate content
• To check forms
• To create dynamically content
– Java applets
• Active regions in the page
Extensions: client side
• ActiveX
– Programs with full access
– Trust based on signing
– Trust is unlimited: yes or no
– Integrates very well in the MS client platforms
• Plug-ins
– Many examples
– PDF plug-in
– Flash (Shockwave)
• Helper applications
– Separate applications
Extensions: server side
•
Dynamic content: early systems
– CGI: common gateway interface
• Launch external program for content generation
– SSI: server side includes
• http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html
CGI operation
•
Coupling: start separate process
– Loose coupling
– Independence of language, run-time, ...
•
API
– Parameter passing via process environment
– Caller sets relevant variables
•
Main drawback
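The CGI parameter-passing described above, as an added example that is not part of the original slides: a script reads its inputs from the process environment (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH, CONTENT_TYPE) and from stdin, and writes a Status: header, further headers, a blank line and the body to stdout. The environment dictionary and body are constructed for the example; the function names (scrub_env, cgi_handle, cgi_output) are assumptions. Because the server turns every client request header into an HTTP_<NAME> variable, a client "Proxy:" header lands in HTTP_PROXY, the variable some HTTP client libraries honour as a proxy setting (the httpoxy issue); the example scrubs it before the script does anything else.

```python
import io
import sys
from urllib.parse import parse_qs

# CGI/1.1 meta-variables the server exports before exec()ing the script.
# Client request headers arrive as HTTP_<NAME>, so whatever the client sends
# can become an environment variable; the httpoxy issue (a client "Proxy:"
# header landing in HTTP_PROXY, which some HTTP libraries honour) is the
# best-known consequence, hence scrub_env() below.
MAX_BODY = 1 << 20  # refuse to slurp unbounded bodies from stdin


def scrub_env(environ):
    """Drop client-derived variables whose names collide with real settings."""
    return {k: v for k, v in environ.items() if k != "HTTP_PROXY"}


def cgi_handle(environ, stdin):
    """Read parameters the CGI way; return (status, headers, body bytes)."""
    text = [("Content-Type", "text/plain")]
    method = environ.get("REQUEST_METHOD", "GET")
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return "400 Bad Request", text, b"bad Content-Length\n"
        if length > MAX_BODY:
            return "413 Payload Too Large", text, b"body too large\n"
        body = stdin.read(length)
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip()
        if ctype == "application/x-www-form-urlencoded":
            for k, v in parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True).items():
                params.setdefault(k, []).extend(v)
    elif method not in ("GET", "HEAD"):
        return "405 Method Not Allowed", text + [("Allow", "GET, HEAD, POST")], b"method not allowed\n"
    lines = ["%s=%s" % (k, ",".join(v)) for k, v in sorted(params.items())]
    return "200 OK", text, ("\n".join(lines) + "\n").encode("utf-8")


def cgi_output(status, headers, body):
    """What the script writes to stdout: a Status: header, other headers, a
    blank line, then the body; the server builds the HTTP status line from it."""
    head = ["Status: " + status] + ["%s: %s" % h for h in headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body


# Constructed environment and body standing in for a real server's exec().
SAMPLE_ENV = {
    "REQUEST_METHOD": "POST",
    "QUERY_STRING": "lang=en",
    "CONTENT_TYPE": "application/x-www-form-urlencoded",
    "CONTENT_LENGTH": "17",
    "HTTP_PROXY": "http://attacker.example:3128",  # from a client-sent Proxy: header
}
SAMPLE_BODY = b"user=alice&age=31"


def run_sample():
    return cgi_handle(scrub_env(SAMPLE_ENV), io.BytesIO(SAMPLE_BODY))


if __name__ == "__main__":
    sys.stdout.buffer.write(cgi_output(*run_sample()))
```

The loose coupling the slide praises is also the attack surface: every variable the script trusts was set by the server from client-controlled bytes, so the script must validate CONTENT_LENGTH, bound what it reads, and never pass environment values to a shell.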
SSI
• <!--#command tag1="value1" tag2="value2" -->
• Main commands:
– Include
• virtual/file
– Echo
• document_name, date_local, ...
• CGI variables
– Exec
• cmd/cgi
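A minimal processor for the directive shape shown above, handling include virtual= and echo var= and refusing exec, added here as an example and not taken from the slides or from any server's code. The document root is an in-memory dictionary constructed for the example, and the names (process_ssi, safe_virtual_path, DOCROOT) are assumptions. The two checks it makes are the ones that matter in practice: an include may not climb out of the document root, and an echoed CGI variable such as QUERY_STRING is HTML-escaped, since echoing it raw makes the page a reflected XSS sink.

```python
import html
import posixpath
import re
import time

# Minimal SSI processor for the directive shape on the slide:
#   <!--#command tag1="value1" tag2="value2" -->
# Handles "include virtual=" and "echo var="; refuses "exec" outright.
DIRECTIVE_RE = re.compile(r"<!--#(?P<cmd>\w+)\s+(?P<attrs>[^>]*?)\s*-->")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
ERROR = "[an error occurred while processing this directive]"  # Apache's default text

# Constructed in-memory document root standing in for the filesystem.
DOCROOT = {
    "/header.html": "<h1>Site</h1>",
    "/footer.html": "<p>(c) example</p>",
}


def safe_virtual_path(virtual):
    """Map a virtual path onto the document root; None if it tries to climb out."""
    if ".." in virtual.split("/"):
        return None
    return posixpath.normpath("/" + virtual.lstrip("/"))


def process_ssi(page, docroot=DOCROOT, request_vars=None, now=None):
    """Expand the directives in page. CGI variables echoed from the request
    (QUERY_STRING, HTTP_USER_AGENT, ...) are HTML-escaped, because echoing
    them raw turns every SSI page into a reflected-XSS sink."""
    request_vars = request_vars or {}

    def expand(m):
        cmd = m.group("cmd")
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        if cmd == "include" and "virtual" in attrs:
            path = safe_virtual_path(attrs["virtual"])
            if path is not None and path in docroot:
                return docroot[path]
        elif cmd == "echo" and "var" in attrs:
            var = attrs["var"]
            if var == "DATE_LOCAL":
                return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(now))
            return html.escape(request_vars.get(var, ""))
        elif cmd == "exec":
            pass  # page content never gets to run commands
        return ERROR

    return DIRECTIVE_RE.sub(expand, page)


# Constructed page mixing legitimate and hostile directives.
SAMPLE_PAGE = (
    '<!--#include virtual="/header.html" -->\n'
    '<p>You searched for: <!--#echo var="QUERY_STRING" --></p>\n'
    '<!--#include virtual="../../etc/passwd" -->\n'
    '<!--#exec cmd="id" -->\n'
    '<!--#include virtual="/footer.html" -->'
)


def run_sample():
    return process_ssi(SAMPLE_PAGE, request_vars={"QUERY_STRING": "<script>alert(1)</script>"})


if __name__ == "__main__":
    print(run_sample())
```

Disabling exec is the configuration choice, not just a parser choice: any place where users can get text into a server-parsed page (comments, uploads, profile fields) is a place where an enabled exec directive runs their command as the web server.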
SSI: grandfather of others
•
JSP: java server pages
•
ASP: active server pages
•
PHP: hypertext preprocessor
– www.php.net
•
Coldfusion
ASP: www.asptutorial.inf
•
<% ... %>
•
<% =date %> : insert current date
•
<% =monthname(month(now)) %>
•
Script within HTML:
<a href="<%=weekdayname(weekday(now))%>.htm">Link of the Day</a>
ASP example script
The hour is
<% if hour(now) = 0 then %> midnight. <% end if
   if hour(now) = 12 then %> noon. <% end if
   if (hour(now) >= 1) and (hour(now) <= 11) then %> <% =hour(now) %> o'clock AM. <% end if
   if (hour(now) >= 13) and (hour(now) <= 23) then %> <% =hour(now) - 12 %> o'clock PM. <% end if %>
ASP & SSI combined
<% if TheName="John" then %>
<!--#include virtual="/file1.html" -->
<% else %>
<!--#include virtual="/file2.asp" -->
<% end if %>
ASP
• Session management
<% Session("permission")="YES"
   Session("username")="Joe" %>
...
Hi <% =Session("username") %>!
• Shared application data
<% Application.Lock
   Application("pagevisits") = Application("pagevisits")+1
   Application.Unlock %>
ASP: request & response
•
Request object
– Request.Cookies("key")
– Request.QueryString("key"), Request.Form("key")
•
Response object
– Response.Cookies("key") = value
– Response.Write, Response.Redirect
Dynamic content styles
•
HTML + mark-up
– Preprocessor
– Mark-up: special delimiters for processing
– Code inside HTML
– ASP, PHP, coldfusion
•
Language embedding
– Program “scripts” containing HTML mark-up
Preprocessing and language embedding (figure)
– Preprocessing: HTML + mark-up -> preprocessor -> HTML; web server processes access files/database
– Language embedding: script -> script interpreter -> HTML; web server processes access files/database
Dynamic content: problems
•
Separation of duties
– Web designers
– Web developers
•
Preprocessing
– Web designers write code
•
Language embedding
JSP
•
http://java.sun.com/products/jsp/
•
Strongly related to servlet technology
•
Servlets:
– Java technology to handle web requests
Servlet runners (figure)
– Client connections -> HTTP listener -> servlet runner -> persistent connections to back-end
Servlets
•
Standard Java interface
– Servlet
– HttpServlet
•
Provides Request and Response objects
– HttpServletRequest, HttpServletResponse
•
HttpServlet: methods
– doGet
– doPost
– doPut
– doDelete, ...
•
Servlets: sessions & applications
– HttpSession object
– ServletContext object for application-wide state
JSP
•
Looks like a preprocessing page
– HTML with embedded tags
•
Executes as a servlet
– Language embedding flavor
•
Translation is automatic
JSP tags
•
See the JSP tag syntax pages:
– http://java.sun.com/products/jsp/pdf/card11.pdf
•
some tags
– Declaration:
• <%! Circle a = new Circle(2.0); %>
– Expression:
• <%= new java.util.Date() %>
JSP examples
Insert date:
<HTML> <BODY>
Hello! The time is now
<%= new java.util.Date() %>
</BODY> </HTML>
More complex example:
<BODY>
<% // This scriptlet declares and initializes "date"
   System.out.println( "Evaluating date now" );
   java.util.Date date = new java.util.Date();
%>
Hello! The time is now <% out.println( date ); %>
</BODY>
JSP
•
Directives
<%@ page import="java.util.*" %>
<%@ include file="hello.jsp" %>
•
Defining methods
<%! Date theDate = new Date();
    Date getDate()
    {
        System.out.println( "In getDate() method" );
        return theDate;
    } %>
Important concept: useBean
•
Beans: objects with simple interface
•
JSP writers: GUI designers
– Should not write code
– Should use beans
– Should include bean properties
JSP: beans
•
Beans:
– <jsp:useBean id="mymap" scope="session" class="email.Map" />
– <jsp:setProperty name="mymap" property="name" param="name" />
HTTP basics
•
Request:
– GET /x/y/h.html HTTP/1.0
•
Reply
– Status line: HTTP/1.0 200 OK
– Headers: Content-Type: text/html
– Message body
Essential protocol features
• Basic authentication
– 401: authorization required
– Authorization header
• Redirects
– Initially to allow content migration
– Now: link control measures
• POST besides GET
– Full MIME-style content inside requests
• HTTP/1.1: RFC 2068 (obsoleted by RFC 2616; the current specification is RFC 9110 / RFC 9112)
• Protocol version
– HTTP/x.y
Request syntax
Request-Line
*( general-header
| request-header
| entity-header
)
CRLF
[ message-body ]
Request-response
• Request Line
Method Request-URI HTTP-Version CRLF
Method:
• GET, HEAD, POST
• PUT, DELETE, TRACE
• OPTIONS
• Request Header
– Accept, Accept-Charset, Accept-Encoding, Accept-Language
– Authorization, Proxy-Authorization, Host
– If-Modified-Since
• Response
Status-Line
*( general-header
| response-header
| entity-header
)
CRLF
[ message-body ]
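The request and response framing from the two syntax slides above (start line, repeated headers, CRLF, optional body), as a strict parser. This is an added example, not code from the slides; the function names and the four constructed messages are assumptions. The strictness is the point for a practitioner: a request with two different Content-Length values, or with both Transfer-Encoding and Content-Length, is ambiguous framing, and two parsers that resolve the ambiguity differently is exactly what request smuggling exploits, so this one refuses such messages instead of guessing.

```python
import re

# HTTP/1.x framing from the slides:
#   Request-Line  *( header ) CRLF [ message-body ]
#   Status-Line   *( header ) CRLF [ message-body ]
# Strict on purpose: ambiguous framing is what request smuggling exploits.
CRLF = b"\r\n"
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # header-name token
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"TRACE", b"OPTIONS"}


class HttpError(ValueError):
    pass


def _split_head(raw):
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise HttpError("incomplete header block")
    lines = head.split(CRLF)
    return lines[0], lines[1:], rest


def _parse_headers(lines):
    """*( header ) as a list of (lowercased name, value) pairs."""
    headers = []
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            raise HttpError("obsolete line folding rejected")
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN_RE.match(name):
            raise HttpError("malformed header line: %r" % line)
        headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
    return headers


def _body_length(headers):
    """Message-body length for a request; refuse any conflicting framing."""
    cls = [v for k, v in headers if k == "content-length"]
    tes = [v for k, v in headers if k == "transfer-encoding"]
    if tes:
        if cls:
            raise HttpError("Transfer-Encoding and Content-Length both present")
        raise HttpError("chunked bodies are outside this example")
    if len(set(cls)) > 1:
        raise HttpError("conflicting Content-Length values")
    if not cls:
        return 0
    if not cls[0].isdigit():
        raise HttpError("non-numeric Content-Length")
    return int(cls[0])


def parse_request(raw):
    """Method SP Request-URI SP HTTP-Version CRLF, headers, body."""
    start, lines, rest = _split_head(raw)
    parts = start.split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        raise HttpError("bad request line: %r" % start)
    headers = _parse_headers(lines)
    n = _body_length(headers)
    if len(rest) < n:
        raise HttpError("body shorter than Content-Length")
    return {"method": parts[0].decode("ascii"), "target": parts[1].decode("latin-1"),
            "version": parts[2].decode("ascii"), "headers": headers, "body": rest[:n]}


def parse_response(raw):
    """HTTP-Version SP Status-Code SP Reason-Phrase CRLF, headers, body."""
    start, lines, rest = _split_head(raw)
    parts = start.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not re.match(rb"^[1-5]\d\d$", parts[1]):
        raise HttpError("bad status line: %r" % start)
    return {"version": parts[0].decode("ascii"), "status": int(parts[1]),
            "reason": parts[2].decode("latin-1") if len(parts) == 3 else "",
            "headers": _parse_headers(lines), "body": rest}


def is_rejected(raw, parser=parse_request):
    try:
        parser(raw)
    except HttpError:
        return True
    return False


# Constructed messages: one clean request, one clean reply, two that must be refused.
SAMPLE_REQUEST = (b"POST /x/y/h.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello")
SAMPLE_RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\nContent-Length: 30\r\n\r\n"
             b"xxxxGET /admin HTTP/1.1\r\nHost: a\r\n\r\n")
TE_AND_CL = b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
    print(is_rejected(DOUBLE_CL), is_rejected(TE_AND_CL))
```

A proxy and an origin server that both parse this strictly cannot be desynchronised by the two refused messages; the usual real-world trouble starts when one of them picks the first Content-Length and the other the last.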
status code
• 1xx: Informational - Request received, continuing process
• 2xx: Success - The action was successfully received, understood, and accepted
• 3xx: Redirection - Further action must be taken in order to complete the request
• 4xx: Client Error - The request contains bad syntax or cannot be fulfilled
• 5xx: Server Error - The server failed to fulfill an apparently valid request
Status Codes
1xx
"100" ; Continue
"101" ; Switching Protocols
2xx
"200" ; OK
"201" ; Created
"202" ; Accepted
"203" ; Non-Authoritative Information
"204" ; No Content
"205" ; Reset Content
3xx
"300" ; Multiple Choices
"301" ; Moved Permanently
"302" ; Moved Temporarily
"303" ; See Other
"304" ; Not Modified
"305" ; Use Proxy
4xx
"400" ; Bad Request
"401" ; Unauthorized
"402" ; Payment Required
"403" ; Forbidden
"404" ; Not Found
"405" ; Method Not Allowed
"406" ; Not Acceptable
"408" ; Request Time-out
"409" ; Conflict
"410" ; Gone
"411" ; Length Required
"412" ; Precondition Failed
"413" ; Request Entity Too Large
"414" ; Request-URI Too Large
"415" ; Unsupported Media Type
5xx
"500" ; Internal Server Error
"501" ; Not Implemented
"502" ; Bad Gateway
"503" ; Service Unavailable
"504" ; Gateway Time-out
"505" ; HTTP Version not supported
Headers
•
General headers:
– Connection, proxying, cache
•
Response headers:
– Authentication, redirection, caching
•
Entity headers:
Headers
• General Headers
– Cache-Control
– Date
– Pragma
– Transfer-Encoding
– Via
• Response Header
– Location
– Proxy-Authenticate
– Server
– WWW-Authenticate
• Entity Header
– Content-Base, Content-Encoding, Content-Language, Content-Length, Content-Location, Content-Type
– ETag
– Expires, Last-Modified
Authentication
Generic
• client -> request
• server reply: 401 unauthorized
– Plus server header: how-to
– WWW-authenticate: <scheme> <realm> [, <param>]
• client -> request
– Repeats request but adds authorization information
– Authorization: <credential>
Basic Authentication Scheme
• Server reply:
– 401 Unauthorized
– WWW-Authenticate: Basic realm="WallyWorld"
• Client request:
– Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
– base64(UID:password): base64("Aladdin:open sesame") = "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
• Note
– Base64 is encoding, not encryption: anyone who sees the header recovers the password, so Basic is only acceptable over TLS
– Digest authentication: see RFC 2069 (later RFC 2617, now RFC 7616)
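The two round trips of the generic scheme and the Basic encoding above, carried through on both sides. This is an added example, not code from the slides; the credential store, the realm name, the function names and the request path are assumptions for illustration. The example uses the RFC's own Aladdin / open sesame credential so the header value matches the slide, and decode_credential shows why the note matters: the password comes straight back out of the header.

```python
import base64
import hmac
import re

# Constructed credential store for the example; a real server stores a
# password hash, never the password itself.
USERS = {"Aladdin": "open sesame"}
REALM = "WallyWorld"


def challenge(realm=REALM):
    """Server, first round trip: status and the WWW-Authenticate header."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}


def parse_challenge(value):
    """Client: pick scheme and realm out of the WWW-Authenticate value."""
    m = re.match(r'^(?P<scheme>[A-Za-z]+)\s+realm="(?P<realm>[^"]*)"', value)
    return (m.group("scheme"), m.group("realm")) if m else None


def credential(userid, password):
    """Client, second round trip: the Authorization header value."""
    if ":" in userid:
        raise ValueError("userid may not contain ':'")
    token = base64.b64encode(("%s:%s" % (userid, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_credential(value):
    """What anyone who sees the header can do: get userid and password back."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    userid, sep, password = raw.partition(":")
    return (userid, password) if sep else None


def authorize(value, users=USERS):
    """Server, second round trip: 200 on a match, 401 otherwise."""
    cred = decode_credential(value or "")
    if cred is None:
        return 401
    userid, password = cred
    expected = users.get(userid, "")
    # Constant-time compare, run even for unknown users so the timing does
    # not say which user ids exist.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return 200 if ok and userid in users else 401


def exchange(userid, password):
    """Both sides of the two round trips as (direction, line) pairs."""
    status, hdrs = challenge()
    scheme, realm = parse_challenge(hdrs["WWW-Authenticate"])
    if scheme.lower() != "basic":
        raise ValueError("unexpected scheme %r for realm %r" % (scheme, realm))
    auth = credential(userid, password)
    return [
        ("C->S", "GET /secret HTTP/1.0"),
        ("S->C", "HTTP/1.0 %d Unauthorized" % status),
        ("S->C", "WWW-Authenticate: " + hdrs["WWW-Authenticate"]),
        ("C->S", "GET /secret HTTP/1.0"),
        ("C->S", "Authorization: " + auth),
        ("S->C", "HTTP/1.0 %d" % authorize(auth)),
    ]


if __name__ == "__main__":
    for direction, line in exchange("Aladdin", "open sesame"):
        print(direction, line)
    print(decode_credential("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

Browsers resend the Authorization header on every later request to the same realm, so once a Basic credential has crossed an unencrypted hop it has crossed it many times; that is the practical reason the scheme is tied to TLS today.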
End-to-end and hop-by-hop headers
• End-to-end headers: transmitted to the ultimate recipient
• Hop-by-hop headers: meaningful only for a single transport-level connection
• HTTP/1.1 hop-by-hop headers (the RFC 2068 list)
– Connection
– Keep-Alive
– Public
– Proxy-Authenticate
– Transfer-Encoding
– Upgrade
– Plus any header named in the Connection header, for that connection
Proxies
•
Incoming (reverse) proxies
•
Outgoing proxies
– Secure hop
– Authorization enforcement
Proxies (figure)
– clients -> outgoing proxy -> internet -> reverse proxy -> web server
Outgoing proxy
•
Proxy protocol
– Request line carries the absolute URL
– GET http://server/... HTTP/1.0
•
Proxy authentication
– 407 Proxy Authentication Required, with Proxy-Authenticate / Proxy-Authorization headers
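What an outgoing proxy does with the two slides above, the hop-by-hop rule and the absolute-URL request line, as an added example that is not code from the slides or from any proxy product. The header list, the proxy name and the function names are assumptions for illustration. It strips the fixed hop-by-hop names and whatever the client named in Connection:, rewrites the absolute-URI request line into the origin form the server expects, and only then adds the proxy's own headers; doing the stripping after the additions would let a client name a proxy-added header in Connection: and have the proxy remove it.

```python
from urllib.parse import urlsplit

# Hop-by-hop header names: the RFC 2068 list on the slide plus the names
# RFC 2616 added. On top of the fixed list, any header named in the
# Connection header is hop-by-hop for that connection. Headers are held as
# (name, value) pairs, the way a proxy has them after parsing.
HOP_BY_HOP = {"connection", "keep-alive", "public", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "transfer-encoding", "upgrade"}


def connection_tokens(headers):
    """Header names listed in Connection: (case-insensitive)."""
    names = set()
    for name, value in headers:
        if name.lower() == "connection":
            names.update(t.strip().lower() for t in value.split(",") if t.strip())
    return names


def strip_hop_by_hop(headers):
    """Headers that may be passed on to the next hop."""
    drop = HOP_BY_HOP | connection_tokens(headers)
    return [(n, v) for n, v in headers if n.lower() not in drop]


def forward_request(method, absolute_url, headers, proxy_name="proxy.example"):
    """Outgoing proxy: turn the absolute-URI request line the client sent
    into the origin-form line the server expects, strip hop-by-hop headers,
    then add the proxy's own headers. Order matters: anything the proxy adds
    must go in after stripping, or a client can name it in Connection: and
    have it removed."""
    u = urlsplit(absolute_url)
    target = (u.path or "/") + ("?" + u.query if u.query else "")
    out = [(n, v) for n, v in strip_hop_by_hop(headers) if n.lower() != "host"]
    out.append(("Host", u.netloc))
    out.append(("Via", "1.1 " + proxy_name))
    out.append(("Connection", "close"))
    return "%s %s HTTP/1.1" % (method, target), out


# Constructed client-to-proxy request: Connection: also names a custom header,
# so X-Trace is hop-by-hop for this connection and must not be forwarded.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("Connection", "keep-alive, X-Trace"),
    ("Keep-Alive", "timeout=5"),
    ("Proxy-Authorization", "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="),
    ("X-Trace", "internal-id-42"),
    ("Accept", "text/html"),
    ("Cookie", "session=abc"),
]

if __name__ == "__main__":
    line, hdrs = forward_request("GET", "http://www.example.com/a/b?x=1", SAMPLE_HEADERS)
    print(line)
    for h in hdrs:
        print("%s: %s" % h)
```

Proxy-Authorization disappearing from the forwarded request is the intended behaviour: the credential belongs to the proxy hop and the origin server must never see it.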
Reverse proxy
•
Normal HTTP protocol
•
No specific authentication
•
Fits in security zone concept
– Network zone containing proxy
– service zone containing web server
What is a WAF?
• OWASP:
– "a security solution on the web application level which - from a technical point of view - does not depend on the application itself"
– Broad: covers many technological solutions
• Separate "hardware" boxes (appliances)
• Reverse proxy filters
• ...
• WASC
– "An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack."
References
• https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
• http://www.modsecurity.org/
– Apache Security by Ivan Ristic, O'Reilly Media, Inc. ISBN 0596007248
– Preventing Web Attacks with Apache by Ryan Barnett, Addison-Wesley Professional. ISBN -
Fundamental issue
•
The web was not designed for the complex applications that are now state of the art.
•
Core protocol: HTTP
– HTTP is stateless
• Sessions and stateful applications must be defined on top of it and implemented securely.
•
high degree of complexity of the web scripts,
Features
Problem / Countermeasure
– Cookie protection: cookies can be signed, encrypted, completely hidden or replaced; cookies can be linked to the client IP
– Information leakage: cloaking filter, outgoing pages can be cleaned (error messages, comments, undesirable information)
– Session riding (CSRF): URL encryption / token
– Session timeout: timeout for active and inactive (idle) sessions can be specified
– Parameter tampering: parameter URL encryption (GET), parameter encryption (GET and POST)
– Site usage enforcement: sequence of URLs can be fixed or can be detected
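Three rows of the table above (signed cookies linked to the client IP, idle and absolute session timeouts, and a CSRF token) in one piece of code, added here as an example and not taken from the slides or from any WAF product. The key, the timeout values, the cookie layout and the function names are assumptions made for illustration. The MAC covers the session id, the client IP and both timestamps, so none of them can be edited on the client side, and the signature is verified before any other check so a forged cookie learns nothing from the timeout or IP logic.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key; a WAF keeps it in its own configuration, so the
# application never has to know the cookie was rewritten.
SECRET = secrets.token_bytes(32)
IDLE_TIMEOUT = 15 * 60        # seconds since the session was last used
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds since the session was created


def _mac(payload):
    return hmac.new(SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(session_id, client_ip, now=None, created=None):
    """Cookie value sid|ip|created|last_seen|mac; the MAC covers all four fields,
    so neither the session id nor the timestamps can be edited client-side."""
    now = int(time.time() if now is None else now)
    created = now if created is None else int(created)
    payload = "%s|%s|%d|%d" % (session_id, client_ip, created, now)
    return payload + "|" + _mac(payload)


def check_cookie(cookie, client_ip, now=None):
    """Return (session_id, refreshed cookie) on success, else (None, reason).
    Signature is checked before anything else so that a forged cookie learns
    nothing from the other checks."""
    now = int(time.time() if now is None else now)
    try:
        sid, ip, created, last_seen, mac = cookie.split("|")
        created, last_seen = int(created), int(last_seen)
    except ValueError:
        return None, "malformed"
    payload = "%s|%s|%d|%d" % (sid, ip, created, last_seen)
    if not hmac.compare_digest(mac, _mac(payload)):
        return None, "bad signature"
    if ip != client_ip:
        return None, "client ip mismatch"
    if now - last_seen > IDLE_TIMEOUT:
        return None, "idle timeout"
    if now - created > ABSOLUTE_TIMEOUT:
        return None, "absolute timeout"
    return sid, issue_cookie(sid, ip, now=now, created=created)


def csrf_token(session_id):
    """Per-session token the WAF injects into forms and requires on each POST."""
    return hmac.new(SECRET, ("csrf|" + session_id).encode("utf-8"), hashlib.sha256).hexdigest()


def check_csrf(session_id, token):
    return hmac.compare_digest(token, csrf_token(session_id))


if __name__ == "__main__":
    t0 = int(time.time())
    c = issue_cookie("s1", "203.0.113.5", now=t0)
    print(check_cookie(c, "203.0.113.5", now=t0 + 60))
    print(check_cookie(c, "198.51.100.9", now=t0 + 60))
    print(check_cookie(c.replace("s1|", "s2|", 1), "203.0.113.5", now=t0 + 60))
```

Binding to the client IP is the row of the table that needs the most care in deployment: users behind carrier NAT or on mobile networks change address mid-session, which turns the countermeasure into the "in-stream, so can block business" concern listed on the next slide.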
Concerns
• Yet-another-proxy argument:
– increased complexity of the IT infrastructure
• Keeping the WAF configured
– Training the WAF
– Follow releases of
• the web application
• The frameworks
– Testing
• False positives
– In-stream, so can block business
• More complex troubleshooting