Web Security – I: HTTP Protocol++
![Page 1: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/1.jpg)
![Page 2: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/2.jpg)
…and other stuff
that makes the web work
![Page 3: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/3.jpg)
Bits ‘bout Moi!
Senor Bipin Upadhyay
Developer, Directi Pvt. Ltd.
Lead, NULL Open Security Group – Mumbai Chapter
OWASP ESAPI-PHP Committer
Part of IHP (Honeynet Project)
Amateur Photographer
![Page 4: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/4.jpg)
I know Kung-fu…
![Page 5: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/5.jpg)
If Only it was true…
![Page 6: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/6.jpg)
Think about the possibilities…
![Page 7: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/7.jpg)
I know Kung-fu
![Page 8: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/8.jpg)
Me too..
![Page 9: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/9.jpg)
Me three..
![Page 10: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/10.jpg)
Sigh! But it ain’t true, yet!
![Page 11: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/11.jpg)
Agenda
http://icanhascheezburger.files.wordpress.com/2009/02/funny-pictures-cat-has-naps-on-his-agenda.jpg
![Page 12: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/12.jpg)
Agenda
Intro: What & Why???
OSI model: Back to the basics
10000 feet view: How the web works
RFC 2616: Anatomy
RFC 2965: Handling Statelessness
![Page 13: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/13.jpg)
Agenda
Intro: What & Why???
OSI model: Back to the basics
10000 feet view: How the web works
RFC 2616: Anatomy
RFC 2965: Handling Statelessness
![Page 14: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/14.jpg)
Bit of History
Mar’89 – T.B. Lee presents “Information Management: A Proposal”
Aug’91 – Announces WWW
Mar’93 – Mosaic announced
Mar’94 – Netscape founded
Oct’94 – W3C founded by T.B. Lee
![Page 15: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/15.jpg)
Web 2.0, uh!
http://www.wagnerblog.com/images/AjaxDarkSide.jpg
![Page 16: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/16.jpg)
HTTP: What is it?
Part of the Application Layer of TCP/IP protocol suite
![Page 17: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/17.jpg)
HTTP: What is it?
Part of the Application Layer of TCP/IP protocol suite
A set of grammatical rules for a client and server to communicate
http://www.flickr.com/photos/joshfassbind/4584323789/
![Page 18: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/18.jpg)
HTTP: What is it?
Part of the Application Layer of TCP/IP protocol suite
A set of grammatical rules for a client and server to communicate
HTTP is what powers the WWW
![Page 19: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/19.jpg)
…but
http://www.flickr.com/photos/quinnanya/4456123452/
![Page 20: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/20.jpg)
Why should I bother?
Because:
web development sucks
http://www.flickr.com/photos/sneeu/1589152071/
![Page 21: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/21.jpg)
Why should I bother?
Because:
web development sucks
Even your grandmom knows, ‘tis all about fundamentals
![Page 22: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/22.jpg)
Why should I bother?
Also:
facilitates debugging,
improves understanding of security & performance
![Page 23: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/23.jpg)
Why should I bother?
![Page 24: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/24.jpg)
Agenda
Intro: What & Why???
OSI model: Back to the basics
10000 feet view: How the web works
RFC 2616: Anatomy
RFC 2965: Handling Statelessness
http://www.flickr.com/photos/stephenpoff/2312981944/
![Page 25: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/25.jpg)
OSI & TCP/IP protocol suite
OSI is a reference model
http://blog.uad.ac.id/imam_riadi/files/2009/01/osi-layer.jpg
![Page 26: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/26.jpg)
OSI & TCP/IP protocol suite…
The TCP/IP protocol suite is an implementation of the OSI model
http://www.hill2dot0.com/wiki/index.php?title=Image:G0209_TCPIP_vs_OSI.jpg
![Page 27: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/27.jpg)
OSI & TCP/IP protocol suite…
Visual learning: Wireshark, baby
http://www.wireshark.org/
![Page 28: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/28.jpg)
Agenda
Intro: What & Why???
OSI model: Back to the basics
10000 feet view: How the web works
RFC 2616: Anatomy
RFC 2965: Handling Statelessness
![Page 29: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/29.jpg)
The Communication
My favorite interview question:
http://www.flickr.com/photos/terryhart/2890904949/
![Page 30: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/30.jpg)
The Communication
My favorite interview question:
What all happens between the time when:
we click on a hyperlink
and the page is completely rendered in a browser
![Page 31: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/31.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
![Page 32: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/32.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
![Page 33: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/33.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
Browser cache/ hosts file/ DNS server
null.co.in
![Page 34: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/34.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
Browser cache/ hosts file/ DNS server
null.co.in → 74.53.228.212
![Page 35: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/35.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
TCP Connection: There, bro?
SYN
![Page 36: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/36.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
SYN
SYN-ACK
TCP Connection: Yo!
![Page 37: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/37.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
SYN
SYN-ACK
ACK
TCP Connection: Cool!
![Page 38: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/38.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
HTTP: Got this file?
GET /
![Page 39: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/39.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
HTTP: Yup! Here ‘tis.
GET /
200 OK
index.html
![Page 40: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/40.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
HTTP: Can I have these as well?
GET /
200 OK
index.html
GET /js.js
GET /pic.jpg
![Page 41: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/41.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
HTTP: Sure!
GET /
200 OK
index.html
GET /js.js
GET /pic.jpg
200 OK
more content…
![Page 42: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/42.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
FIN
TCP Connection: Arigato, am done.
![Page 43: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/43.jpg)
Browser → Internetz → Proxy → LB → Web Server → DB Server
Client Server (null.co.in)
FIN
FIN-ACK
TCP Connection: Sayonara!
![Page 44: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/44.jpg)
The Communication
…. or simply
![Page 45: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/45.jpg)
The Communication
Web 2.0 has blurred the client/server distinction
Conventionally, the client sends an HTTP request
and the server answers with an HTTP response
![Page 46: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/46.jpg)
The Communication: HTTP Request
Request Line
Request Method
Requested Resource
HTTP Version used
Headers
General Headers
Request Headers
Entity Headers
Content (Optional)
![Page 47: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/47.jpg)
The Communication: HTTP Response
Status Line
HTTP version(s) understood by server
Status code (3 digit numerical value)
Status description
Headers
General Headers
Response Headers
Entity Headers
Content (Optional)
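The exchange on slides 31 to 43 and the request/response layout on slides 46 and 47, carried out by hand over a loopback socket. This is an added example and not code from the slides: the toy site, the header values and the host 127.0.0.1 are constructed for it. The client builds a request line plus headers, the server answers with a status line, headers and an entity framed by Content-Length, and Connection: close turns the server's FIN into the end of the message.

```python
# Added example (not from the slides): one HTTP/1.1 exchange over loopback,
# built and parsed by hand so the request line, status line, header groups
# and Content-Length framing are visible on the wire.
import socket
import threading

CRLF = b"\r\n"

# Constructed toy site: path -> (status, reason, Content-Type, body).
SITE = {
    "/": (200, "OK", "text/html", b"<html><body>index.html</body></html>"),
    "/js.js": (200, "OK", "application/javascript", b"console.log('hi');"),
}


def build_request(method, path, host, headers=None):
    """Request line, headers, blank line (RFC 2616 section 5); no entity body."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    return CRLF.join(l.encode("ascii") for l in lines) + CRLF + CRLF


def build_response(status, reason, ctype, body):
    """Status line, headers, blank line, entity (RFC 2616 section 6)."""
    lines = [
        f"HTTP/1.1 {status} {reason}",
        "Server: toy/0.1",                 # response header
        f"Content-Type: {ctype}",          # entity header
        f"Content-Length: {len(body)}",    # entity header: lets the client frame the body
        "Connection: close",               # general header
    ]
    return CRLF.join(l.encode("ascii") for l in lines) + CRLF + CRLF + body


def parse_message(raw):
    """Split a raw message into (start line, header dict, body) at the first blank line."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return lines[0], headers, body


def parse_response(raw):
    """Return (version, status code, reason, headers, body) for a raw response."""
    start, headers, body = parse_message(raw)
    parts = start.split(" ", 2)
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""      # reason phrase may be empty
    length = int(headers.get("content-length", len(body)))
    return version, code, reason, headers, body[:length]


def recv_until_close(sock):
    """Read until the peer sends FIN; with Connection: close that ends the message."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def serve_once(listener):
    """Server side: accept one connection, answer one request, close it."""
    conn, _ = listener.accept()
    with conn:
        raw = b""
        while CRLF + CRLF not in raw:                # request head ends at the blank line
            chunk = conn.recv(4096)
            if not chunk:
                return
            raw += chunk
        start, _, _ = parse_message(raw)
        parts = start.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            conn.sendall(build_response(400, "Bad Request", "text/plain", b"bad request line"))
        elif parts[0] != "GET":
            conn.sendall(build_response(405, "Method Not Allowed", "text/plain", b"GET only"))
        elif parts[1] in SITE:
            conn.sendall(build_response(*SITE[parts[1]]))
        else:
            conn.sendall(build_response(404, "Not Found", "text/plain", b"no such file"))


def fetch(path, method="GET"):
    """Client side: start the toy server on a free loopback port, do one request/response."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                  # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_once, args=(listener,))
    server.start()
    with socket.create_connection(("127.0.0.1", port)) as sock:  # SYN, SYN-ACK, ACK
        sock.sendall(build_request(method, path, f"127.0.0.1:{port}",
                                   {"User-Agent": "toy-client/0.1", "Accept": "*/*"}))
        raw = recv_until_close(sock)                               # ends with the server's FIN
    server.join()
    listener.close()
    return parse_response(raw)


if __name__ == "__main__":
    print(fetch("/"))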
![Page 48: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/48.jpg)
Agenda
Intro: What & Why???
OSI model: Back to the basics
10000 feet view: How the web works
RFC 2616: Anatomy
RFC 2965: Handling Statelessness
http://www.saynotocrack.com/wp-content/uploads/2007/06/flinstones-anatomy.jpg
![Page 49: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/49.jpg)
Anatomy
HTTP requests and responses consist of various components:
Request Methods
Response Status Codes
Request Headers
Response Headers
General Headers
Entity Headers
Content (MIME Media Types)
![Page 50: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/50.jpg)
Anatomy: Request Methods
Humans can convey emotions in several ways
Why should HTTP clients lag!!!
HTTP methods describe the type of communication
GET POST HEAD OPTIONS
TRACE PUT DELETE CONNECT
![Page 51: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/51.jpg)
Anatomy: Response Status Codes
Indicate the server’s mood corresponding to a request
Combination of a numerical code, and a short description
Can be grouped into 5 categories:
1xx -- Informational
2xx -- Successful
3xx -- Redirection
4xx -- Client Error
5xx -- Server Error
![Page 52: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/52.jpg)
Anatomy: Request Headers
Specific to an HTTP Request
Carry information about the client, and the type of request
Facilitate better understanding between client and server
Host, User-Agent, Accept, Accept-Charset, Accept-Encoding, Accept-Language
Authorization, Proxy-Authorization, From, Expect, Max-Forwards, TE
Referer, Range, If-Range, If-Match, If-None-Match, If-Modified-Since, If-Unmodified-Since
![Page 53: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/53.jpg)
Anatomy: Response Headers
Specific to an HTTP Response
Carry information about the server, and the type of response
Accept-Ranges ETag Retry-After WWW-Authenticate
Age Location Server Proxy-Authenticate
Vary
![Page 54: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/54.jpg)
Anatomy: General Headers
Carry information about the HTTP transaction
Can be a part of request, as well as response
Cache-Control Keep-Alive Pragma Via
Connection Upgrade Trailer Warning
Transfer-Encoding Date
![Page 55: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/55.jpg)
Anatomy: Entity Headers
Carry information about the content
Mainly a part of the HTTP response
Allow Content-Language Content-Location Content-Range
Content-Encoding Content-Length Content-MD5 Content-Type
Expires Last-Modified
![Page 56: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/56.jpg)
Anatomy: Content
IANA maintains a list of valid content types
It is specified by the Content-Type entity header
Categorized into 9 MIME media types:
application audio example image
message model multipart text
video
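A parser for the Content-Type value just described, added here as an example and not taken from the slides. It splits type, subtype and parameters, handles a quoted parameter value that contains a semicolon, and rejects a top-level type outside the nine registered ones; the sample values in the docstring are constructed.

```python
# Added example (not from the slides): parse a Content-Type entity header
# value and check its top-level type against the registered MIME media types.

# Top-level media types from the slide (the IANA registry's top-level names).
TOP_LEVEL_TYPES = frozenset([
    "application", "audio", "example", "image", "message",
    "model", "multipart", "text", "video",
])


def _split_unquoted(text, sep=";"):
    """Split on sep, but not inside a double-quoted parameter value."""
    parts, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_content_type(value):
    """Return (type, subtype, params) for e.g. 'text/html; charset=utf-8'.

    Type, subtype and parameter names are case-insensitive and are lowered;
    parameter values keep their case, with surrounding quotes removed.
    Raises ValueError for a malformed value or an unregistered top-level type.
    """
    media, *raw_params = _split_unquoted(value)
    mtype, sep, subtype = media.strip().lower().partition("/")
    if not sep or not mtype or not subtype or "/" in subtype:
        raise ValueError(f"expected type/subtype, got {media.strip()!r}")
    if mtype not in TOP_LEVEL_TYPES:
        raise ValueError(f"unregistered top-level type {mtype!r}")
    params = {}
    for raw in raw_params:
        name, sep, val = raw.partition("=")
        name, val = name.strip().lower(), val.strip()
        if not sep or not name:
            raise ValueError(f"malformed parameter {raw.strip()!r}")
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]        # quoted-string; backslash escapes are not handled here
        params[name] = val
    return mtype, subtype, params


def is_valid_content_type(value):
    """True when the value parses and names a registered top-level type."""
    try:
        parse_content_type(value)
        return True
    except ValueError:
        return False
```

The strictness is deliberate: a receiver that accepts "texthtml" or "foo/bar" silently has to guess what the entity is, which is exactly the ambiguity the header exists to remove.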
![Page 57: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/57.jpg)
Agenda
Intro: What & Why???
OSI model: Back to the basics
10000 feet view: How the web works
RFC 2616: Anatomy
RFC 2965: Handling Statelessness
![Page 58: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/58.jpg)
Handling Statelessness
HTTP is a stateless protocol
![Page 59: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/59.jpg)
Handling Statelessness
HTTP is a stateless protocol
i.e., server’s got a bad memory
![Page 60: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/60.jpg)
Handling Statelessness
Cookies to the rescue
http://www.flickr.com/photos/lij/283869088/
![Page 61: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/61.jpg)
Handling Statelessness
Cookies:
are text files stored by the client browser
maintain a session by storing information
are non-executable
![Page 62: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/62.jpg)
Handling Statelessness
Cookie attributes:
name=value
expires=value
domain=value
path=value
Secure
HttpOnly -- not a part of the spec
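The attributes above in working form, as an added example that is not from the slides: a Set-Cookie parser covering name=value, expires, domain, path, Secure and HttpOnly, a check of whether a browser would send the cookie on a given request (domain, path, expiry and Secure), and a small audit that reports a session cookie set without Secure or HttpOnly. Host names such as www.example.test and the dates are constructed; the default-path rule and host-only handling follow browser behaviour rather than anything on the slides.

```python
# Added example (not from the slides): parse a Set-Cookie header into the
# attributes listed on the slide and decide whether a browser would send
# the cookie back on a given request.
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                          # host the cookie applies to (lower-case)
    host_only: bool                      # True when no Domain attribute was given
    path: str
    expires: Optional[datetime] = None   # None: session cookie, discarded on browser exit
    secure: bool = False
    httponly: bool = False


def parse_http_date(text):
    """RFC 1123 date as used by Expires, as an aware UTC datetime."""
    return parsedate_to_datetime(text).astimezone(timezone.utc)


def default_path(request_path):
    """Default-path rule: directory of the request URI, otherwise '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def parse_set_cookie(header, request_host, request_path="/"):
    """Parse 'name=value; Expires=...; Domain=...; Path=...; Secure; HttpOnly'."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, sep, value = first.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {first!r}")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower(), True,
                    default_path(request_path))
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie.expires = parse_http_date(val)
        elif key == "domain" and val:
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        # unknown attributes are ignored, which is what browsers do
    return cookie


def should_send(cookie, scheme, host, path, now):
    """Would a browser attach this cookie to scheme://host/path at time now?"""
    host = host.lower()
    if cookie.expires is not None and now >= cookie.expires:
        return False                                    # expired
    if cookie.host_only:
        domain_ok = host == cookie.domain               # exact host only
    else:
        domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    if not domain_ok:
        return False
    base = cookie.path.rstrip("/")
    if not (path == cookie.path or path.startswith(base + "/")):
        return False                                    # path does not match
    if cookie.secure and scheme != "https":
        return False                                    # Secure: only over TLS
    return True


def audit_session_cookie(cookie) -> List[str]:
    """Report a session-bearing cookie set without the two protective attributes."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure")      # would also travel over plain http
    if not cookie.httponly:
        findings.append("missing HttpOnly")    # readable from page scripts
    return findings
```

Note the asymmetry the audit relies on: Secure and HttpOnly are opt-in, so a cookie carrying a session identifier is exposed by default unless the server sets both.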
![Page 63: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/63.jpg)
Conclusion
The single biggest problem in communication
is the illusion… that it has taken place.
--George Bernard Shaw
![Page 64: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/64.jpg)
Conclusion
The single biggest problem in communication
is the illusion… that it has taken place.
--George Bernard Shaw
Think about it
![Page 65: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/65.jpg)
Q&A!!!
Got queries? Raise your hands.
![Page 66: Web Security – I: HTTP Protocol++](https://reader033.vdocuments.net/reader033/viewer/2022052619/5559ff33d8b42ad00a8b4da1/html5/thumbnails/66.jpg)
Arigato!
Contact info:
Om—At—[projectbee.org/null.co.in]
http://projectbee.org/
Twitter - @bipinu
Flickr -- projectbee