![Page 1: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/1.jpg)
MOBILE COMPUTING
Lecture-10Instructor : Mazhar Hussain
Web Applications
(INTRODUCTION, Architecture and Security)
1
![Page 2: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/2.jpg)
INTRODUCTION TO WEB
• Web features
• Clent/Server
• HTTP
• HyperText Markup Language
• URL addresses
• Web server - a computer program that is responsible for accepting HTTP requests from clients and serving them HTTP responses
• Web application - a dynamic extension of a web or application server
2
![Page 3: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/3.jpg)
WEB APPLICATIONS &
COMPONENTS
• Two types of web applications:
• Presentation-oriented (HTML, XML pages)
• Service-oriented (Web services)
• Web components provide the dynamic extension
capabilities for a web server:
• Java servlets
• JSP pages
• Web service endpoints
3
![Page 4: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/4.jpg)
WEB APPLICATION INTERACTION
• [client] sends an HTTP request to the web server
• [web server] HTTP request HTTPServletRequest
• This object is delivered to a web component, which can
interact with JavaBeans or a DB to generate dynamic
content
• [web component] generates an HTTPServletResponse or
pass the request to another web component
• [web server] HTTPServletResponse HTTP response
• [web server] returns HTTP response to the client
4
![Page 5: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/5.jpg)
WEB APPLICATION INTERACTION
5
![Page 6: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/6.jpg)
WEB COMPONENTS
• Servlets - Java classes that dynamically
process requests and construct responses
• JSP pages - text-based documents that
execute as servlets but allow a more natural
approach to creating static content
• Appropriate usage
• Servlets - service-oriented applications, control
functions
• JSP - generating text-based markup
(HTML, SVG, WML, XML)
6
![Page 7: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/7.jpg)
JAVA WEB APPLICATION
TECHNOLOGIES
Java Servlet technology is the foundation of all the web application technologies
7
![Page 8: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/8.jpg)
WEB CONTAINERS
• Web components are supported by the services of a runtime platform called a web container
• In J2EE, a web container "implements the web component contract of the J2EE architecture“
• Web container services:
• request dispatching
• security
• concurrency
• life-cycle management
• naming, transactions, email APIs
8
![Page 9: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/9.jpg)
WEB CONTAINER EXAMPLES
• Non-commercial• Apache Tomcat
• Jetty
• Commertial• Sun Java System Application Server
• BEA WebLogic Server
• Oracle Application Server
• WebSphere
• Open source• JBoss
9
![Page 10: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/10.jpg)
DEPLOYMENT
• Web components have to be installed or deployed
to the web container
• Aspects of web application behaviour can be
configured during application deployment
• The configuration information is maintained in a
XML file called a web application deployment
descriptor
10
![Page 11: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/11.jpg)
WEB APPLICATION DEVELOPMENT
• A web application consists of:
• Web components
• Static resource files (such as images)
• Helper classes and libraries
• The process for creating and running a web
application is different from that of traditional
stand-alone Java classes
11
![Page 12: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/12.jpg)
DEVELOPMENT CYCLE
1. Develop the web component code
2. Develop the web application deployment descriptor
3. Compile the web application components and helper classes referenced by the components
4. Optionally package the application into a deployable unit
5. Deploy the application into a web container
6. Access a URL that references the web application
12
![Page 13: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/13.jpg)
WEB MODULES
• According to Java EE architecture and Java
Servlet Specification:
• Web components and static web content files
such as images are called web resources
• A web module is the smallest deployable and
usable unit of web resources
• Web module corresponds to a web application
• A web module has a specific structure13
![Page 14: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/14.jpg)
WEB MODULE STRUCTURE
• The top-level directory
of a web module is the
document root of
the application
• The document root contains:
• JSP pages
• client-side classes
• client-side archives
• static web resources
14
![Page 15: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/15.jpg)
WEB MODULE STRUCTURE
• The document root
contains
a subdirectory /WEB-INF/
• web.xml: web application
deployment descriptor
• lib: JAR archives of
libraries called by
server-side classes
15
![Page 16: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/16.jpg)
WEB MODULE STRUCTURE
• classes: server-side classes:
• servlets
• utility classes
• JavaBeans components
• tags: tag files, which are
implementations of
tag libraries
16
![Page 17: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/17.jpg)
WEB APPLICATION
ARCHITECTURE
17
![Page 18: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/18.jpg)
CLIENT SERVER MODEL
18
![Page 19: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/19.jpg)
SERVER APPLICATIONS (SOFTWARE)
Management and maintenance of Data
including
User login data
Application data
Data processing
Centralized
Access via Login
19
![Page 20: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/20.jpg)
CLIENT APPLICATIONS (SOFTWARE)
Provides user interface
Stores some settings
Can do some data processing
Little to no application data storage
Same view of data no matter where you
login
20
![Page 21: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/21.jpg)
CLIENT-SERVER ADVANTAGES
Centralized Data Storage
No data redundancy (no duplication of data)
Reduces data dependencies
If data is stored on each user‟s system and each
system is different than data depends on how the
user system is designed
Data can not be shared easily if such dependencies
exist
21
![Page 22: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/22.jpg)
CLASSIC EXAMPLE: EARLY BANKING SYSTEMS
Network: Local Area Network (LAN)
covering local office branch.
Server: Mainframe-like server “in the
back” running custom banking system
Client: Windows PC with client interface
for each bank teller.
Data is the same no matter what teller
you go to.
Data is NOT the same if you go to another
branch unless servers exchanged some
data at night.
22
![Page 23: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/23.jpg)
CLASSIC EXAMPLE: EARLY BANKING SYSTEMS
The Obvious Future:
Change the LAN to a wide area network covering
all the branches.
Get rid of the individual servers at each branch
Have clients connect to central server where ALL
the banking data is stored.
23
![Page 24: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/24.jpg)
CLASSIC EXAMPLE: EARLY BANKING SYSTEMS
The Obvious Problems:
Large banks could have thousands of tellers
connecting to the central server.
Combining data from all branches requires
severs with lots of storage capacity.
Branch data could be stored in different formats.
Lack of Standardization.
24
![Page 25: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/25.jpg)
3-TIERED SYSTEMS
25
![Page 26: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/26.jpg)
3-TIERED SYSTEM
Database Tier (Database Server)
Data storage and low level data manipulation
Server Tier (Application Server)
Manage client connections and data processing
Client Tier (Client Software installed locally)
User interface and some data processing
26
![Page 27: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/27.jpg)
ADVANTAGE OF 3-TIER SYSTEMS
Central Database Server accessed by multiple Application Servers
In turn, each Application Server could independently manage thousands of users
Database Server is specially designed to do its job Database Operations: Update, Insert, Remove,
etc.
Lots of disk storage and memory needed
Application Servers can be added to support more users or DIFFERENT APPLICATIONS Server Operations: Complex application-
dependent computations
Lots of processor power needed
27
![Page 28: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/28.jpg)
INTERNET VS. WWW
Internet is the
infrastructure that
makes the WWW
work.
Packet Switching
TCP/IP Protocol
Physical
Infrastructure
Fiber-optics lines, wires
Satellites, Cable
Modems
Routers, Hubs,
Network Cards, WiFi
systems, etc.
WWW is just one of
many “virtual
networks” built on the
Internet.
Websites: http, https,
etc.
Email: pop, imap, etc.
Other systems: ftp,
instant messaging,
etc.
Note: Even to this day
companies have “private
virtual networks” that use
the Internet, but are
proprietary, locked-down.
28
![Page 29: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/29.jpg)
WWW – ULTIMATE CLIENT-
SERVER SYSTEM
Already Standardized
Built on the Widest Area Network you could imagine, i.e., The Internet
Standardized Clients that are free to use
IE, Firefox, Safari, etc.
Lots of Servers already in place
Apache, Windows Server (IIS), etc.
Database Servers
Umm, this was initially missing
29
![Page 30: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/30.jpg)
FIRST WEB APPLICATIONS
1993 – Rob McCool proposed a framework called CGI (Common Gateway Interface)
Data passed from a web browser to the server GET - passed via URL variables
POST - passed via HTML forms
Web server daemon (httpd) could then make remote system calls
Example Web server could run a C++ program and
write the output to public HTML folder
Web server would send response back with location of the output.
30
![Page 31: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/31.jpg)
FIRST WEB APPLICATIONS
Using CGI, web server could run
C++ programs
Perl Programs
Fortran Programs
C++ has library functions that allow you to connect to a number of different databases:
Oracle
Sybase
DB2
31
![Page 32: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/32.jpg)
FIRST WEB APPLICATIONS
Problem:
To develop web applications you need to know
Exactly how your server is configured
HTML forms
GET and POST conventions
C++ database libraries
SQL language
32
![Page 33: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/33.jpg)
FIRST MAJOR IMPROVEMENT
1995 – JJ Allaire developed “a hack” that
allowed a web servers to communicate
with other systems, namely a database
system.
Key:
Instead of using “a middle-man” C++, Perl,
Java, etc.
Developer could directly add code to the their
web pages
Using a special Markup Language, this code
could be embedded in any web page.
Worked seamlessly with HTML forms
Server process code directly
33
![Page 34: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/34.jpg)
WEB APPLICATION SECURITY
34
![Page 35: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/35.jpg)
OVERVIEW
Background
Web app vulnerabilities
Securing web apps
35
![Page 36: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/36.jpg)
BACKGROUND
36
![Page 37: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/37.jpg)
HTTP
Request
Response
Server
www.mybank.com
(64.58.76.230)
Port: 80
Client PC
(10.1.0.123)
Hypertext Transfer Protocol
• “Hypertext Transfer Protocol (HTTP) is a
communications protocol for the transfer of
information on intranets and the World Wide
Web. Its original purpose was to provide a
way to publish and retrieve hypertext pages
over the Internet.”
• http://en.wikipedia.org/wiki/HTTP
37
![Page 38: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/38.jpg)
HTTP REQUEST - GET
Form data encoded in the URL
Most common HTTP method used on the web
Should be used to retrieve information, not for actions
that have side-effects
38
![Page 39: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/39.jpg)
HTTP REQUEST - GET
GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13)
Gecko/20080311 Firefox/2.0.0.13
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;
q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/
39
![Page 40: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/40.jpg)
HTTP REQUEST - GET
http://www.google.com/search?hl=en&lr=&c2coff=1&rls=GGLG%2CGGLG%3A2005-26%2CGGLG%3Aen&q=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26lr%3D%26c2coff%3D1%26rls%3DGGLG%252CGGLG%253A2005-26%252CGGLG%253Aen%26q%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fhl%253Den%2526lr%253D%2526c2coff%253D1%2526rls%253DGGLG%25252CGGLG%25253A2005-26%25252CGGLG%25253Aen%2526q%253Dhttp%25253A%25252F%25252Fwww.google.com%25252Fsearch%25253Fsourceid%25253Dnavclient%252526ie%25253DUTF-8%252526rls%25253DGGLG%25252CGGLG%25253A2005-26%25252CGGLG%25253Aen%252526q%25253Dhttp%2525253A%2525252F%2525252Fwww%2525252Egoogle%2525252Ecom%2525252Fsearch%2525253Fsourceid%2525253Dnavclient%25252526ie%2525253DUTF%2525252D8%25252526rls%2525253DGGLG%2525252CGGLG%2525253A2005%2525252D26%2525252CGGLG%2525253Aen%25252526q%2525253Dhttp%252525253A%252525252F%252525252Fuk2%252525252Emultimap%252525252Ecom%252525252Fmap%252525252Fbrowse%252525252Ecgi%252525253Fclient%252525253Dpublic%2525252526GridE%252525253D%252525252D0%252525252E12640%2525252526GridN%252525253D51%252525252E50860%2525252526lon%252525253D%252525252D0%252525252E12640%2525252526lat%252525253D51%252525252E50860%2525252526search%252525255Fresult%252525253DLondon%25252525252CGreater%252525252520London%2525252526db%252525253Dfreegaz%2525252526cidr%252525255Fclient%252525253Dnone%2525252526lang%252525253D%2525252526place%252525253DLondon%252525252CGreater%252525252BLondon%2525252526pc%252525253D%2525252526advanced%252525253D%2525252526client%252525253Dpublic%2525252526addr2%252525253D%2525252526quicksearch%252525253DLondon%2525252526addr3%252525253D%2525252526scale%252525253D100000%2525252526addr1%252525253D%2526btnG%253DSearch%26btnG%3DSearch&btnG=Search
40
![Page 41: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/41.jpg)
HTTP REQUESTS - POST
Data is included in the body of the request.
Should be used for any action that has side-effects
• Storing/updating data, ordering a product, etc…
41
![Page 42: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/42.jpg)
HTTP REQUESTS - POST
POST http://www.mysite.com/kgsearch/search.php HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311
Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/
catid=1
42
![Page 43: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/43.jpg)
FAMOUS QUOTE OF THE DAY
“Every program has at least two purposes: the one
for which it was written, and another for which it
wasn't.”
-Alan J. Perlis
43
![Page 44: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/44.jpg)
GET V. POST SECURITY
There information contained in parameters can tell a
user a lot about how your application works
GET parameters are easily visible in the address bar
POST parameters are hidden from the average user
• Users can still view source code
• Users can still view the packets
• Users can still intercept & modify web requests
44
![Page 45: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/45.jpg)
WEB SITES
Browser
No applications
Static pages
Hard coded links
Web Server
45
![Page 46: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/46.jpg)
WEB APPLICATIONS
Browser
Web Servers
Presentation Layer
Media Store
Very complex architectures, multiple platforms, multiple protocols
Database Server
Customer Identification
Access Controls
Transaction Information
Core Business Data
Wireless
Web Services
Application Server
Business Logic
Content Services
Network
HTTP
Web Application
46
![Page 47: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/47.jpg)
WEB APPLICATIONS BREACH THE
PERIMETER
Internet DMZTrusted Inside
Corporate Inside
HTTP(S)
Allows HTTP port 80
Allows HTTPS port 443
Firewall only allows applications on the web server to talk to application server.
Firewall only allows application server to talk to database server.
IIS
SunOne
Apache
ASP
.NET
WebSphere
Java
SQL
Oracle
DB2
Browser
47
![Page 48: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/48.jpg)
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don‟t know how to develop my web application with security as a feature.”
The Web ApplicationSecurity Gap
“As a Network Security Professional, I don‟t know how my companies web applications are supposed to work so I deploy a protective solution…but don‟t know if it‟s protecting what it‟s supposed to.”
Application Developers and QA Professionals Don‟t Know Security
WHY WEB APPLICATION VULNERABILITIES
OCCUR
Security
Professionals
Don’t Know The
Applications
48
![Page 49: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/49.jpg)
WEB APPLICATION VULNERABILITIES
“If builders built buildings the way programmers wrote programs, then
the first woodpecker that came along would destroy civilization.”
-Weinberg's Second Law
49
![Page 50: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/50.jpg)
Technical Vulnerabilities Result of insecure programming techniques
Mitigation requires code changes
Detectable by scanners
http://example/order.asp?item=<script>alert(„p0wned‟)</script>&price=300.00
Logical Vulnerabilities Result of insecure program logic
Most often to due to poor decisions regarding trust
Mitigation often requires design/architecture changes
Detection often requires humans to understand the context
http://example/order.asp?item=toaster&price=30.00
WEB APPLICATION VULNERABILITIES
50
![Page 51: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/51.jpg)
WEB APPLICATION VULNERABILITIES
Platform
Administration
Application
Known Vulnerabilities
Extension Checking
Common File Checks
Data Extension Checking
Backup Checking
Directory Enumeration
Path Truncation
Hidden Web Paths
Forceful Browsing
Application Mapping
Cookie Manipulation
Custom Application Scripting
Parameter Manipulation
Reverse Directory Transversal
Brute Force
Application Mapping
Cookie Poisoning/Theft
Buffer Overflow
SQL Injection
Cross-site scripting
Web application vulnerabilities occur in multiple areas.
51
![Page 52: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/52.jpg)
Platform
Known Vulnerabilities
Platform:
Known vulnerabilities can
be exploited immediately
with a minimum amount of
skill or experience – “script
kiddies”
Most easily defendable of all
web vulnerabilities
MUST have streamlined
patching procedures
WEB APPLICATION VULNERABILITIES
52
![Page 53: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/53.jpg)
Administration
Extension Checking
Common File Checks
Data Extension Checking
Backup Checking
Directory Enumeration
Path Truncation
Hidden Web Paths
Forceful Browsing
Administration:• Less easily corrected than known
issues
• Require increased awareness
• More than just configuration, must
be aware of security flaws in actual
content
• Remnant files can reveal
applications and versions in use
• Backup files can reveal source code
and database connection strings
WEB APPLICATION VULNERABILITIES
53
![Page 54: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/54.jpg)
AdministrationAdministration
Application Programming:• Common coding techniques do not
necessarily include security
• Input is assumed to be valid, but not tested
• Unexamined input from a browser can inject scripts into page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be „piggybacked‟ with a hacker‟s own database call, giving direct access to business data through a web browser
Application
Application Mapping
Cookie Manipulation
Custom Application Scripting
Parameter Manipulation
Reverse Directory Transversal
Brute Force
Application Mapping
Cookie Poisoning/Theft
Buffer Overflow
SQL Injection
Cross-site scripting
WEB APPLICATION VULNERABILITIES
54
![Page 55: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/55.jpg)
HOW TO SECURE WEB APPLICATIONS
Incorporate security into the lifecycle
Apply information security principles
to all software development efforts
Educate
Issue awareness, Training, etc…
55
![Page 56: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/56.jpg)
HOW TO SECURE WEB APPLICATIONS
Incorporating security into lifecycle
Integrate security into application
requirements
Including information security
professionals in software
architecture/design review
Security APIs & libraries (e.g. ESAPI,
Validator, etc.) when possible
Threat modeling
Web application vulnerability
assessment tools
56
![Page 57: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/57.jpg)
HOW TO SECURE WEB APPLICATIONS
Educate Developers – Software security best practices
Testers – Methods for identifying vulnerabilities
Security Professionals – Software development, Software
coding best practices
Executives, System Owners, etc. – Understanding the
risk and why they should be concerned
57
![Page 58: Smartphone Application Development … · WEB APPLICATION INTERACTION • [client] sends an HTTP request to the web server• [web server] HTTP request HTTPServletRequest• This](https://reader034.vdocuments.site/reader034/viewer/2022052018/6031903de1d3c73efb563f33/html5/thumbnails/58.jpg)
QUESTIONS/COMMENTS?
58