Host and Application Security Lesson 19: How the Web Works
Well we have to start somewhere
• If we don’t know how something works we can’t possibly know how it doesn’t work
Why is the Web Important?
• For an end-user machine, the Web is the largest vulnerability and infection vector
• The Web is much more complex than we think it is – it’s far more than HTML
Two Important Standards
• Hypertext Markup Language (HTML)
  • Text with layout instructions
• Hypertext Transfer Protocol (HTTP)
  • How we transport this stuff around
HTTP
• TCP/IP based protocol
• Typically uses port 80
• Text-based, so can be used with telnet
• Two most important functions: GET and POST
  • GET typically asks for content
  • POST typically sends some data from the web browser to the server
GET
• Example:
  GET /pub/WWW/TheProject.html HTTP/1.1
  Host: www.w3.org
• See? Easy!
• In fact, reading web pages from C++/Perl is trivially easy
POST
• Most commonly, from a form:
  POST /path/script.cgi HTTP/1.0
  From: rford@spam.spam
  User-Agent: HTTPTool/1.0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 32

  home=xxxxx&favorite+flavor=plane
All easy so far…
• First, we had pictures in HTML…
• Then we added support for lots of different kinds of content
• Also, there’s Javascript, which runs client side in the context of the local browser
Maintaining State
• The problem with Web servers and clients is that it is hard to maintain state – think about a shopping cart, for example
• Why can’t we just use something simple the server already knows, like IP address?
• Solution: Cookies
Cookies by type
• Session Cookie
• Persistent Cookie
• Secure Cookie
• HTTPOnly
• Third-party cookie
• “Supercookie”
• Zombie cookie
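As an added example, not code from the slides: a small Python parser for raw requests like the GET and POST messages shown above (it checks that Content-Length matches the body actually sent and decodes the form-urlencoded body), plus a classifier that labels a Set-Cookie value by the session/persistent, Secure and HttpOnly types listed on this slide. The sample messages are constructed from the deck's examples; the cookie values in the usage are made up.

```python
from urllib.parse import parse_qs


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    # On the wire, headers end at the first blank line (CRLF CRLF).
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Content-Length must match the body that was really sent; if it does not,
    # a server and a proxy can disagree about where this request ends.
    declared = int(headers.get("content-length", 0))
    actual = len(body.encode())
    if declared != actual:
        raise ValueError(f"Content-Length {declared} != body length {actual}")
    form = {}
    if headers.get("content-type") == "application/x-www-form-urlencoded":
        # parse_qs decodes '+' as a space, so 'favorite+flavor' becomes 'favorite flavor'
        form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "target": target, "version": version,
            "headers": headers, "form": form}


def classify_cookie(set_cookie: str) -> dict:
    """Label a Set-Cookie header value with the cookie types from the slide."""
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    name, _, _value = name_value.partition("=")
    flags = {a.split("=")[0].lower() for a in attrs}
    return {
        "name": name,
        # No Expires/Max-Age means the browser drops it when the session ends.
        "persistent": "expires" in flags or "max-age" in flags,
        "secure": "secure" in flags,      # only sent over HTTPS
        "httponly": "httponly" in flags,  # not readable from JavaScript
    }


# Constructed sample messages, taken from the deck's GET and POST examples.
GET_REQUEST = "GET /pub/WWW/TheProject.html HTTP/1.1\r\nHost: www.w3.org\r\n\r\n"
POST_REQUEST = ("POST /path/script.cgi HTTP/1.0\r\nFrom: rford@spam.spam\r\n"
                "User-Agent: HTTPTool/1.0\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n"
                "Content-Length: 32\r\n\r\nhome=xxxxx&favorite+flavor=plane")

if __name__ == "__main__":
    print(parse_request(POST_REQUEST)["form"])
    print(classify_cookie("sid=abc123; Path=/; Secure; HttpOnly"))
```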
Active Content
• Flash
• Silverlight
• ActiveX
• Java