COMP 112 Assignment 1: HTTP Servers



Similar documents
Network Technologies

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

1 Recommended Readings. 2 Resources Required. 3 Compiling and Running on Linux

Using TestLogServer for Web Security Troubleshooting

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

HTTP Response Splitting

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

Web Security: SSL/TLS

Project 2: Penetration Testing (Phase II)

Firewalls and Software Updates

Cyber Security Workshop Ethical Web Hacking

7 Why Use Perl for CGI?

Project 3, Fall 2001 Stateful Functionality in IP Layer Out: Thursday, November 1, 2001 Due: Tuesday, December 4, 2001

DEERFIELD.COM. DNS2Go Update API. DNS2Go Update API

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Owner of the content within this article is Written by Marc Grote

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. G.Bianchi, G.Neglia, V.Mancuso

Protocolo HTTP. Web and HTTP. HTTP overview. HTTP overview

OpenSta OpenSource for Web Load, HTTP Stress & Performance testing

The Web: some jargon. User agent for Web is called a browser: Web page: Most Web pages consist of: Server for Web is called Web server:

Computer Networks. Lecture 7: Application layer: FTP and HTTP. Marcin Bieńkowski. Institute of Computer Science University of Wrocław

CS 558 Internet Systems and Technologies

STABLE & SECURE BANK lab writeup. Page 1 of 21

Chapter 6 Virtual Private Networking Using SSL Connections

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Shellshock. Oz Elisyan & Maxim Zavodchik

Install MS SQL Server 2012 Express Edition

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

EECS 398 Project 2: Classic Web Vulnerabilities

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Building a Multi-Threaded Web Server

Chapter 27 Hypertext Transfer Protocol

Web Programming. Robert M. Dondero, Ph.D. Princeton University

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

CS 361S - Network Security and Privacy Fall Project #1

Playing with Web Application Firewalls

Malware Analysis Quiz 6

Perl/CGI. CS 299 Web Programming and Design

APACHE WEB SERVER. Andri Mirzal, PhD N

Step into the Future: HTML5 and its Impact on SSL VPNs

CS 161 Computer Security


Installation Guide For Choic Enterprise Edition

TCP/IP Networking An Example

Apache Server Implementation Guide

Security Correlation Server Quick Installation Guide

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

Modified Reverse Proxy Website Vulnerability Test Results

1. Summary Recording triggered by SIP INFO Configurations on the phone How the SIP INFO works... 2

4 - TexShare and HARLiC CARDS ( Online Application Form) 5 REMOTE ACCESS TO DATABASES

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

Streaming Media System Requirements and Troubleshooting Assistance

Cyber Security Challenge Australia 2014

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Project 2: Firewall Design (Phase I)

Using The HomeVision Web Server

Project 2: Web Security Pitfalls

Supervisor 10 Remote Access Users Guide Last Update: 10/27/14

Linux MDS Firewall Supplement

webapp.secure Installation and Setup Guide

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords

Spam Marshall SpamWall Step-by-Step Installation Guide for Exchange 5.5

What do a banking Trojan, Chrome and a government mail server have in common? Analysis of a piece of Brazilian malware

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

What is Web Security? Motivation

WHAT IS A WEB SERVER?

CS 306/491-3 Linux Programming Spring 2015

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

Hack Yourself First. Troy troyhunt.com

ExtraHop and AppDynamics Deployment Guide

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Lab exercise: Working with Wireshark and Snort for Intrusion Detection

File Transfer Examples. Running commands on other computers and transferring files between computers

MatrixSSL Getting Started

CHAPTER 7. ing with CGI

Outline Definition of Webserver HTTP Static is no fun Software SSL. Webserver. in a nutshell. Sebastian Hollizeck. June, the 4 th 2013

Advanced Web Security, Lab

Modern snoop lab lite version

Lecture 11 Web Application Security (part 1)

InduSoft Thin Client Setup and Troubleshooting Guide

Novell Identity Manager

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

EyjafjallajöKull Framework (aka: Exploit Kits Krawler Framework)

C HAPTER E IGHTEEN T HE PGP, MAIL, AND CGI LIBRARIES. PGP Interface Library

No. Time Source Destination Protocol Info HTTP GET /ethereal-labs/http-ethereal-file1.html HTTP/1.

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

Check list for web developers

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

DNS Pinning and Web Proxies

Pwning Intranets with HTML5

Quick Start Guide. Cerberus FTP is distributed in Canada through C&C Software. Visit us today at

Lesson 7 - Website Administration

User-ID Features. PAN-OS New Features Guide Version 6.0. Copyright Palo Alto Networks

Transcription:

COMP 112 Assignment 1: HTTP Servers Lead TA: Jim Mao Based on an assignment from Alva Couch Tufts University Due 11:59 PM September 24, 2015 Introduction In this assignment, you will write a web server that understands the HTTP protocol. Your server will respond to two URLs: one which displays a list of browsers that have recently loaded the page, and one which displays information about you. These pages will not correspond to files, but will be constructed by your program in response to each request. The server should never quit. Requirements Write a program a1.c that does the following: Takes a single argument: a port number on which to listen for requests. Accepts TCP requests from web browsers and responds with a single HTML page of content based on the URL: The main page (/): Descriptions of the last 10 browsers that accessed it. For the browser details, you should display the client IP address, client hostname, and client user agent. Client user agent note should only list the user agent no cookies and other headers. An about page (about.html): Anything you d like to say about yourself. It doesn t have to be long. Return "HTTP/1.1 404 Not Found" as HTTP response if URL other than "/" or "about.html" is requested. Protects users from script injection attacks. The requirement for the main page is satisfied by keeping records in your server about the identities of the browsers that send you requests. You do 1

not need to open files or databases; you can do this in memory. Restarting your server will cause it to clear its memory, and that s fine. The key to this assignment is to keep things simple and to utilize your understanding of the TCP and HTTP protocols. HTTP and HTML Responses Every HTTP request is a stream of characters, separated by \n characters, which describe parts of the request. Many of these characters describe the browser that is asking for information. Similarly, your response should be a stream of characters. The simplest HTTP response is: HTTP/1.1 200 OK Content-type: text/plain hello world The first line is the protocol description, which defines how your program intends to communicate in the subsequent lines. The second line is the content type, which says you will respond in plain text. The blank line is a delimiter. It is required between the header and the payload. Technically, there are two \n characters here. The hello world is the text that the browser should display. To serve HTML, this pattern needs to be modified slightly: HTTP/1.1 200 OK Content-type: text/html <html><body><h1>hello world</h1></body></html> The browser details should all be in the HTML response your web server creates. The server doesn't need to output anything in the terminal, and we won't grade anything that shows up there. We will only be grading the HTML responses we receive when trying to visit a "page" on your web server. Please note: we are not looking for beautiful web pages. Do not spend time trying to properly return CSS in your response. Page 2 of 5

Format of Browser Info Please adhere exactly to the following format when displaying descriptions of the last 10 browsers that accessed your server: Client IP Address: Client Host Name: User-Agent: Example (pay attention to the spacing and letter case): Client IP Address: 43.23.53.1 Client Host Name: comp112-01.cs.tufts.edu User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Client IP Address: 26.30.95.21 Client Host Name: comp112-02.cs.tufts.edu User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) And so on. This will ensure your browser info is processed correctly by the grading script. Responding to Multiple URLs While keeping your program self-contained, it should respond to two different URLs with different results. One will provide browser statistics, while the other will provide a page about you. Link from each page to the other, using URLS local to your server. Completing this will require interpreting the HTTP GET portion of the request. Script Injection Attacks It is not a safe assumption that the browser that contacts your server is a traditional web browser. It could be a malicious program that sends intentionally corrupt headers for malicious reasons. One easy way for a malicious person to wreck your assignment is to contact your server and embed malicious HTML and/or JavaScript into the HTTP request headers (where it does not belong). If you display these headers as if they were text, your server won t be affected, but it can compromise and/or crash the browser of anyone visiting your server afterwards. Page 3 of 5

The best way to prevent this is to replace several dangerous HTML special characters that may appear in the request headers with their print equivalents: Character Replacement < < > > " In other words, if you receive a request header containing <, your server s output should contain < instead. This makes it impossible for scripts to run on your webpage. Where to Work Because you are writing a server, you may not work on your project from the homework server. Inside the departmental firewall (i.e. from a machine in Halligan, or from a public-facing server), please ssh to one of the following machines: comp112-01.cs.tufts.edu comp112-02.cs.tufts.edu comp112-03.cs.tufts.edu comp112-04.cs.tufts.edu comp112-05.cs.tufts.edu You may only work on your server from these machines. As you will learn in this course, every service runs on a port a number between 1 and 32767. You will be assigned ports that are yours alone. To receive your port assignments, use the /comp/112/bin/ports command, which was written by Alva Couch. ~ > /comp/112/bin/ports ahedbe01, your ports are 9020-9039 PLEASE BE SURE TO WORK ONLY ON COMP112 MACHINES. THANKS! ~ > When you test your services, you must stay within your own port range. Two services cannot share a port, so if you steal someone else s port, their service will behave strangely. Please be kind to your classmates, and do not steal their ports! Page 4 of 5

Testing The servers on which you will write your code are protected from the outside world by a firewall. Your server will not be visible from the public internet. To test your server, you must do so from a point within the Halligan network. You server will call functions from the network services library. When compiling, you will need to link against this library with the -lnsl flag: gcc -g a1.c -lnsl Start your program as follows, replacing 9020 with one of your port numbers:./a.out 9020 At this point, your service is running. To see if it s working, open a browser on any Halligan machine and visit http://comp112-01.cs.tufts.edu:9020. (This is assuming you re on the comp112-01 server.) This should connect to your program and display the list of browsers that have recently accessed your page. Similarly, http://comp112-01.cs.tufts.edu:9020/about.html should display information about you. If you are connecting remotely, you can also use the command-line wget and curl to test your server. Submission and Lateness Policy Submit your code by using provide: provide comp112 a1 a1.c Late submissions will be accepted up to three days past the deadline, with a penalty of 10% per day late. For circumstances that you believe warrant an additional extension, speak to Prof. Dogar. Useful Links http://www.linuxhowtos.org/c_c++/socket.htm http://www.cs.cmu.edu/~dga/15-441/s08/lectures/03-socket.pdf Page 5 of 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information