110 likes | 254 Vues
Host and Application Security. Lesson 19: How the Web Works. Well we have to start somewhere. If we don’t know how something works we can’t possibly know how it doesn’t work. Why is the Web Important?. For an end-user machine, the Web is the largest vulnerability and infection vector
E N D
Host and Application Security Lesson 19: How the Web Works
Well we have to start somewhere • If we don’t know how something works we can’t possibly know how it doesn’t work
Why is the Web Important? • For an end-user machine, the Web is the largest vulnerability and infection vector • The Web is much more complex than we think it is – it’s far more than HTML
Two Important Standards • Hypertext Markup Language (HTML) • Text with layout instructions • Hypertext Transfer Protocol (HTTP) • How we transport this stuff around
HTTP • TCP/IP based protocol • Typically uses port 80 • Text-based, so can be used with telnet • Two most important functions: GET and POST • GET typically asks for content • POST typically sends some data from the web browser to the server
GET • Example: • GET /pub/WWW/TheProject.html HTTP/1.1 Host: www.w3.org • See? Easy! • In fact, reading web pages from C++/Perl is trivially easy
POST • Most commonly, from a form: • POST /path/script.cgi HTTP/1.0 From: rford@spam.spamUser-Agent: HTTPTool/1.0 Content-Type: application/x-www-form-urlencodedContent-Length: 32 home=xxxxx&favorite+flavor=plane
All easy so far… • First, we had pictures in HTML… • Then we added support for lots of different kinds of content • Also, there’s Javascript, which runs client side in the context of the local browser
Maintaining State • The problem with Web servers and clients is that it is hard to maintain state – think about a shopping card, for example • Why can’t we just use something simple the server already knows, like IP address? • Solution: Cookies
Cookies by type • Session Cookie • Persistent Cookie • Secure Cookie • HTTPOnly • Third-party cookie • “Supercookie” • Zombie cookie
Active Content • Flash • Silverlight • ActiveX • Java