reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

Transcription

1 1 cse :23 Kyung-Goo Doh Chapter 3. Web Application Technologies reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002) 1. The HTTP Protocol. HTTP = HyperText Transfer Protocol. message-based model - a client sends a request message - the server returns a response message. connectionless HTTP message = (1 or more) headers a mandatory blank line optional message body (1) HTTP requests. example - p.36 GET /books/search.asp?q=wahh HTTP/1.1 Accept: image/gif, image/xxbitmap, image/jpeg, image/pjpeg, application/xshockwaveflash, application/vnd.msexcel, application/vnd.mspowerpoint, application/msword, */* Referer: Accept-Language: en-gb,en-us;q=0.5 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Host: wahh-app.com Cookie: lang=en; JSESSIONID=0000tI8rk7joMx44S2Uu85nSWc_:vsnlc502. the first line GET : retrieve a resource from the web server has no message body = header only requested URL with an optional query string HTTP version being used. the rest Referer : URL from which the request originated User-Agent : provides information about the browser or other client software that generated the request Host : specifies the hostname Cookie : submits additional parameters that the server has issued to the client (2) HTTP responses. example - p.37 HTTP/ OK Date: Sat, 19 May :49:37 GMT Server: IBM_HTTP_SERVER/ Apache/ (Unix) Set-Cookie: tracking=ti8rk7jomx44s2uu85nswc Pragma: no-cache Expires: Thu, 01 Jan :00:00 GMT Content-Type: text/html;charset=iso Content-Language: en-us Content-Length: <!DOCTYPE html PUBLIC -//W3C//DTD HTML 4.01 Transitional//EN > <html lang= en > <head> <meta http-equiv= Content-Type content= text/html; charset=iso >.... the first line HTTP/1.1 : HTTP version being used 200 : numeric status code - successful

2 2 cse :23 Kyung-Goo Doh OK : the status of the response. the rest Server : web server software Set-Cookie : a cookie issued by the server Pragma : instructs the brwoser not to store the response in its cache Expires : the response content expired in the past andso should not be cached (3) HTTP methods. GET - designed for retrieval of resources - request parameters can be sent in the URL query string thus URL can be bookmarked. POST - designed for performing actions - request parameters can be sent in the URL query string and in the body of the message - browsers do not automatically reissue POST requests made by users. HEAD - same as GET, but no message body is returned in its response - just for checking if a resouce is there. TRACE - desiged for diagnostic purposes - responses the exact contents of the requested message - used to detect the effect of proxy servers between the cliend and server. OPTIONS - tells you what available HTTP methods are. PUT - attempts to upload the specified resource to the server (4) URLs (uniform resource locator) syntax: protocol://hostname[:port]/[path/]file[?param=value] example: (5) HTTP header (p.41). general headers - Connection - Content-Encoding - Content-Length - Content-Type - Transfer-Encoding. request headers - Accept - Accept-Encoding - Autorization - Cookie - Host - If-Modified-Since - if-none-match - Referer - User-Agent. response headers - Cache-Control - ETag - Expires - Location - Pragma - Server - Set-Cookie - WWW-Authenticate (6) cookies. the cookie mechanism enables the server to send items of data to the client, which the client stores and resubmits back to the server. cookies automatically resubmitted in each subsequent request

3 3 cse :23 Kyung-Goo Doh. how does it work? - a server issues a cookie using Set-Cookie response header Set-Cookie: tracking=ti8rk7jomx44s2uu85nswc - the user's browser will then automatically add the header to subsequent requests back to the same server Cookie: tracking=ti8rk7jomx44s2uu85nswc. Set-Cookie header can includes: - expires - domain - path - secure - HttpOnly (7) status codes 1xx Informational. 2xx The request was successful. 3xx The client is redirected to a different resource. 4xx The request contains an error of some kind. 5xx The server encountered an error fulfilling the request 100 Continue 200 Ok 201 Created 301 Moved Permanently 302 Found 304 Not Modified 400 Bad Request 401 Unauthorized 403 Forbidden 404 Bot Found 405 Method Not Allowed 413 Request Entity Too Large 414 Request URI Too Long 500 Internal Server Error 503 Service Unavailable (8) HTTPS. the same application-layer protocol as HTTP, but tunneled over SSL(Secure Sockets Layer) - secure transport mechanism TLS(Transport Layer Security) (9) HTTP proxies. HTTP proxy server : a server that mediates access between the client browser and the destination web server.. the proxy relays the requests to the relevant web servers, and forwards their responses back to the browser.. additional services : caching, authentication, access control.. toolkit for attacking web applications - a specialized kind of proxy server that sits between your browser and the target web site and allows you to intercept and modify all requests and responses, even those using HTTPS (10) HTTP Authentication. Basic - sends user credentials as a Base64-encoded string. NTLM - a challenge-response mechanism; uses a version of Windows NTLM protocol. Digest - a challenge-response mechanism; uses MD5 checksums of a nonce with the user s credentials. 2. Web Functionality (1) Server-Side Functionality. contents are generated dynamically by the server according to the client's request. sources of input: - the URL query string - HTTP cookies

4 4 cse :23 Kyung-Goo Doh - the body of requests using the POST method - or any part of the HTTP request. Technologies - Scripting languages such as PHP, VBScript, and Perl. - Web application platforms such as ASP.NET and Java. - Web servers such as Apache, IIS, and Netscape Enterprise. - Databases such as MS-SQL, Oracle, and MySQL. - Other back-end components such as file systems, SOAP-based web services, and directory services.. Java Platform, Enterprise Edition (Sun Microsystems). ASP.NET (Microsoft). PHP (personal home page) (2) Client-Side Functionality. all web applications are accessed via a web browser. HTML. hyperlinks. forms. JavaScript - why? - improve the application's performance - enhance usability (dynamically updated in response to user actions) - what? - validating user-entered data before submitted to the server - dynamically modifying the user interface in response to user actions - querying and updating the DOM(document object model) within the browser to control the browser's behavior. AJAX (Aysynchronous JavaScript and XML) - issue dynamic HTTP requests from within an HTML page partially. thick client components - Java applets - ActiveX controls - Shockwave Flash objects (3) State and Sessions. applications need to track the state of each user s interaction with the application across multiple requests example: a shopping application may allow users to - browse a product catalogue, - add items to a cart, - view and update the cart contents, - proceed to checkout, and - provide personal and payment details. the state is held within a session (server-side structure or client-side) 3. Encoding Schemes (1) URL encoding. contains only the printable characters in the US-ASCII character set. examples: %3d = %25 % %20 space %0a new line %00 null byte. characters that should be URL-encoded: space %? & = ; + # (2) Unicode encoding. a character encoding standard that is designed to support all of the writing systems used in the world. 16-bit Unicode encoding : %u prefix followed by the character s Unicode code point expressed in hexadecimal %u2215 / %u00e9 é

5 5 cse :23 Kyung-Goo Doh. UTF-8 : a variable-length encoding standard that employs one or more bytes to express each character %c2%a9 %e2%89%a0 (3) HTML encoding. a scheme used to represent problematic characters so that they can be safely incorporated into an HTML document - examples " &apos; & & < < > >. any character can be HTML-encoded - using its ASCII code in decimal form, for example: " &#39; - using its ASCII code in hexadecimal form (prefixed by an x), for example: " &#x27; (4) Base64 encoding. allows any binary data to be safely represented using only printable ASCII characters (5) Hex encoding. allows to transmit binary data