web security summer term 2012
play

Web Security, Summer Term 2012 HyperText Transfer Protocol - HTTP - PowerPoint PPT Presentation

Nov 29, 2022 •303 likes •675 views

IIG University of Freiburg Web Security, Summer Term 2012 HyperText Transfer Protocol - HTTP Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 1 Table of Contents Principles Request

  1. IIG University of Freiburg Web Security, Summer Term 2012 HyperText Transfer Protocol - HTTP Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 1

  2. Table of Contents Principles � Request � Request Headers GET requests The POST Request Response � Status Typical Responses Cookies Conclusion � Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 2

  3. World Wide Web Client Server Architecture Files URL = Request Browser Server HTML File = Response Client Server machine Resources PHP Servlets JSP Scripts .... Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 3

  4. HyperText Transfer Protocol HTTP Request ◮ Request for a page (giving its URL) ◮ for an image or any file ◮ contains the input of a form ◮ contains some settings of the browser Response ◮ The file (html or any file) ◮ Contains properties of the document ◮ Can lead to another URL Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 4

  5. Request Syntax METHODE URI PROTOCOL HEADER1: VALUE HEADER2: VALUE ... HEADERn: VALUE BODY OF THE MESSAGE .... Example (very simple) GET /index.html HTTP/1.1 host: altair:8000 Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 5

  6. Request A not so simple example GET http://www.hti.bfh.ch/ HTTP/1.1 Host: www.hti.bfh.ch User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.1) \\ Gecko/20020920 Netscape/7.0 Accept: text/xml,application/xml,application/xhtml+xml,\\ text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,\\ image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1 Accept-Language: fr, fr-ch;q=0.83, en;q=0.66, en-us;q=0.50,\\ de;q=0.33, de-ch;q=0.16 Accept-Encoding: gzip, deflate, compress;q=0.9 Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66 Keep-Alive: 300 Proxy-Connection: keep-alive Referer: http://www.hta-bi.bfh.ch/ Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 6

  7. Request Headers Description of the client ◮ User-Agent: browser and OS description ◮ Accept: which documents are accepted (contains preference) ◮ Accept-Language idem for the languages (the server can send the page in the desired language) ◮ ... Description of the request ◮ Host usefull for virtual servers ◮ Proxy-Connection: keep-alive Allows more than one request in one connexion ◮ Keep-Alive: 300 set the time-out ◮ Referer: Which page contains the link that created the request Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 7

  8. Send information to the server Forms in HTML Example: <form method="POST" action="http://localhost/test.php"> <input type="text" name="text1"> <input type="hidden" name="text2" value="80"> <input type="submit" value="OK"> </form> <form method="GET" action="http://localhost/test.php"> <input type="text" name="text1"> <input type="hidden" name="text2" value="80"> <input type="submit" value="OK"> </form> Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 8

  9. Two types of forms Method = GET ◮ For GETTING a page ◮ Used for URL typed in the address bar ◮ Used for links ◮ Can send a small set of information ◮ The information MUST not reach the server ◮ It can be cached Method = POST ◮ For POSTING information to the server ◮ Can contain large data ◮ Must arrive to the server ◮ Can not be cached Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 9

  10. The GET Method The GET request ◮ The following is a GET request ◮ There is no content, ◮ The values are sent in the URL (they are URLEncoded) GET /test.php?text1=This+is+a+test&text2=80 HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.18 i686) Host: localhost:45678 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, Accept-Encoding: gzip Accept-Language: fr-FR, fr-CH, en, de-DE Accept-Charset: iso-8859-1,*,utf-8 Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 10

  11. URL encoding Codding ◮ ’+’ → SPACE ◮ ’%xx’ → Hex(xx) ◮ bie%40isbiel.ch+f%FCr+10%24 → bie@isbiel.ch f?r 10$ ◮ bie%40isbiel.ch+10%24+c%27est+10%25 → bie@isbiel.ch 10$ c’est 10% Automaticaly encoded in the FORM ◮ Couple : (variable, value). ◮ Possible to have more than one couple for the same variable (Radio and Checkboxes) chx1=chx1&chx1=deux&rad1=chx1&rad1=2 Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 11

  12. URL encoding (Cont.) Links in a page ◮ A link in a page executes a GET method ◮ You can set values for links too. You can insert any parameter in the URL. < a href=”example.php?name=toto” > Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 12

  13. The POST request ◮ The following is the request generated by Netscape 4.77 on a linux Platform. ◮ The content type is “ urlencoded ” ◮ The values are sent in the body of the request ◮ There is a description of the content ( Content-type: , Content-length: ) Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 13

  14. The POST request POST /test.php HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.18 i686) Host: localhost:45678 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, Accept-Encoding: gzip Accept-Language: fr-FR, fr-CH, en, de-DE Accept-Charset: iso-8859-1,*,utf-8 Content-type: application/x-www-form-urlencoded Content-length: 29 text1=This+is+a+test&text2=80 Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 14

  15. Response ◮ From the server to the client Is a response for the question contained in the request ◮ Contains a status Document OK, moved permanently, does not exist (404), the version in cache is still ok, ... ◮ And the desired document or information The body contains the document (html, gif, jpeg,...) The header contains meta information (date of production, validity, language, ...) Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 15

  16. Response, Example HTTP/1.1 200 OK Date: Mon, 27 Mar 2000 13:09:13 GMT Server: Apache/1.3.6 (Unix) PHP/3.0.11 Last-Modified: Thu, 09 Mar 2000 19:35:59 GMT ETag: "f013-d03-38c7fd1f" Accept-Ranges: bytes Content-Length: 3331 Connection: close Content-Type: text/html X-Pad: avoid browser bug <html> <head> <title>Norm@net Agence Interactive </title> .... Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 16

  17. Syntax STATUS-LINE HEADER1: value HEADER2: value HEADER3: value BODY OF THE DOCUMENT Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 17

  18. Status Line Format Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase Status-Code: The Status-Code element is a 3-digit integer result code of the attempt to understand and satisfy the request. Reason-Phrase The Reason-Phrase is intended to give a short textual description of the Status-Code. The Status-Code is intended for use by automata and the Reason-Phrase is intended for the human user. Examples HTTP/1.1 200 OK HTTP/1.1 404 Not Found HTTP/1.1 501 Method Not Implemented Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 18

  19. Status Code 1xx: Informational - Request received, continuing process 2xx: Success - The action was successfully received, understood, and accepted 3xx: Redirection - Further action must be taken in order to complete the request 4xx: Client Error - The request contains bad syntax or cannot be fulfilled 5xx: Server Error - The server failed to fulfill an apparently valid request Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 19

  20. Status Code (Cont.) Informational "100" : Continue "101" : Switching Protocols Success "200" : OK "201" : Created "202" : Accepted "203" : Non-Authoritative Information "204" : No Content "205" : Reset Content "206" : Partial Content Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 20

  21. Status Code (Cont.) Redirection "300" : Multiple Choices "301" : Moved Permanently "302" : Found "303" : See Other "304" : Not Modified "305" : Use Proxy "307" : Temporary Redirect Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 21

  22. Status Code (Cont.) Client Error "400" : Bad Request "401" : Unauthorized "402" : Payment Required "403" : Forbidden "404" : Not Found "405" : Method Not Allowed "406" : Not Acceptable "407" : Proxy Authentication Required "408" : Request Time-out "409" : Conflict "410" : Gone "411" : Length Required "412" : Precondition Failed "413" : Request Entity Too Large "414" : Request-URI Too Large "415" : Unsupported Media Type "416" : Requested range not satisfiable "417" : Expectation Failed Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 22

Recommend

Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session Management 1 Table of Contents

641 views • 24 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

IIG University of Freiburg Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 1 Table of Contents Attacks using HTTP

486 views • 25 slides
Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 1 Table of Contents

240 views • 12 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
Short term Foreign Exchange: England Summer 2012 BACK IN CALIFORNIA British Slang vs. American

Short term Foreign Exchange: England Summer 2012 BACK IN CALIFORNIA British Slang vs. American

Short term Foreign Exchange: England Summer 2012 BACK IN CALIFORNIA British Slang vs. American Lingo Chips Crisps French Fries Chips Trash Can Rubish Bin Backpack Rucksack Bathroom/Restroom Toilet/Lou Soccer Football Cleats Boots Bus

449 views • 16 slides
Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock, Readers/Writer Locks, and Condition Variables (oh my!) Kate Deibel Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL EXAM

826 views • 80 slides
Algorithms of Scientific Computing Discrete Cosine Transform (DCT) Michael Bader Summer Term

Algorithms of Scientific Computing Discrete Cosine Transform (DCT) Michael Bader Summer Term

Technische Universit at M unchen Algorithms of Scientific Computing Discrete Cosine Transform (DCT) Michael Bader Summer Term 2012 Michael Bader: Algorithms of Scientific Computing Discrete Cosine Transform (DCT), Summer Term 2012 1

233 views • 19 slides
Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer Schools on Cryptography and Principles of Software Security @ Penn State; Jun 1st, 2012 High-Level Languages for Safety/Security 2 Java, C#,

1.54k views • 98 slides
Codsall Middle School Year 5 Autumn Term Spring Term Summer Term Story Openers Persuasive

Codsall Middle School Year 5 Autumn Term Spring Term Summer Term Story Openers Persuasive

Codsall Middle School Year 5 Autumn Term Spring Term Summer Term Story Openers Persuasive writing Amazon Diary; (advertising, debates, Reading and writing letters to persuade); instructions. A range of poetry texts The Lightning Thief

193 views • 16 slides
Kate Deibel Summer 2012 July 16, 2012 CSE 332 Data Abstractions, Summer 2012 1 Where We Are

Kate Deibel Summer 2012 July 16, 2012 CSE 332 Data Abstractions, Summer 2012 1 Where We Are

CSE 332 Data Abstractions: Sorting It All Out Kate Deibel Summer 2012 July 16, 2012 CSE 332 Data Abstractions, Summer 2012 1 Where We Are We have covered stacks, queues, priority queues, and dictionaries Emphasis on providing one

1.09k views • 83 slides
Security Summer 2013 Cornell University 1 Today How does the OS provide security?

Security Summer 2013 Cornell University 1 Today How does the OS provide security?

CS 4410 Operating Systems Security Summer 2013 Cornell University 1 Today How does the OS provide security? Secure System Security Violations Security Measures Threats User Authentication Protection 2 Secure

381 views • 14 slides
Summer 2012 In Site Summer 2012 By Kevin Greene, Inga Hall, Nicola Ellis, Laura Ludlow &amp; Lee

Summer 2012 In Site Summer 2012 By Kevin Greene, Inga Hall, Nicola Ellis, Laura Ludlow &amp; Lee

Summer 2012 In Site Summer 2012 By Kevin Greene, Inga Hall, Nicola Ellis, Laura Ludlow &amp; Lee Forsyth Construction and Engineering Welcome to the Summer 2012 edition of In Site. This edition covers the following topics: NEC3 issues for

220 views • 9 slides
Summer 2012 CFPC Approved Project Review CFPC Approved Summer 2012 Projects Facilities

Summer 2012 CFPC Approved Project Review CFPC Approved Summer 2012 Projects Facilities

University Facilities Management September 14, 2012 Summer 2012 CFPC Approved Project Review CFPC Approved Summer 2012 Projects Facilities Management worked hard over the summer refreshing and repairing campus facilities and grounds in

447 views • 13 slides
Security Summer 2016 Cornell University 1 Today Security policies Enforcement

Security Summer 2016 Cornell University 1 Today Security policies Enforcement

CS 4410 Operating Systems Security Summer 2016 Cornell University 1 Today Security policies Enforcement Authenticating people Passwords 2 Security policy Security policies prescribe what must be done and what must not be

431 views • 13 slides
Welcome List of Providers (LoP) Keeping you up to date meeting July 2019 Funding Summer Term

Welcome List of Providers (LoP) Keeping you up to date meeting July 2019 Funding Summer Term

Welcome List of Providers (LoP) Keeping you up to date meeting July 2019 Funding Summer Term 2019 Summer Term Additional Headcount Task payments will be made by 19 July. We will let you know via the Broadcast alerts as usual when

577 views • 24 slides
Summer Lunch Program Summer Lunch Presentation for Food Security Task Force 12/4/19 1 Agenda

Summer Lunch Program Summer Lunch Presentation for Food Security Task Force 12/4/19 1 Agenda

Summer Lunch Program Summer Lunch Presentation for Food Security Task Force 12/4/19 1 Agenda Overview of Summer Lunches Successes Data Points Current Challenges Next steps 2 Overview: What is the Summer Lunch

511 views • 11 slides
Computer Security Summer Scholars 2016 Ma7 Vander Werf HPC System Administrator Security in HPC

Computer Security Summer Scholars 2016 Ma7 Vander Werf HPC System Administrator Security in HPC

Computer Security Summer Scholars 2016 Ma7 Vander Werf HPC System Administrator Security in HPC HPC is especially a target for hackers and malicious acts Why? Security in HPC PresCge CompuCng resources Financial Gain Break

617 views • 25 slides
Security requirements Term Secuirty requirement A need or restriction from a user, a

Security requirements Term Secuirty requirement A need or restriction from a user, a

Security requirements Term Secuirty requirement A need or restriction from a user, a stakeholder or the environment related to the goal to improve the system security. Holistic security requirement engineering, Computers &amp; Security

216 views • 17 slides
Summer school program summer 2012. Campus De Nayer J. De Nayerlaan 5 BE2860 Sint Katelijne

Summer school program summer 2012. Campus De Nayer J. De Nayerlaan 5 BE2860 Sint Katelijne

TEMPUS PROMENG Practice oriented Master Programmes in Engineering in RU, UA and UZ Summer school program summer 2012. Campus De Nayer J. De Nayerlaan 5 BE2860 Sint Katelijne Waver, Belgium Tuesday 21/8: 9 am, welcome to the summer

349 views • 8 slides
Computer Security Summer Scholars 2018 Matt Vander Werf HPC System Administrator Security in

Computer Security Summer Scholars 2018 Matt Vander Werf HPC System Administrator Security in

Computer Security Summer Scholars 2018 Matt Vander Werf HPC System Administrator Security in HPC HPC is especially a target for hackers and malicious acts Why? Security in HPC Prestige Computing resources Financial Gain

446 views • 30 slides
Statistical Machine Learning Lecture 08: Regression Kristian Kersting TU Darmstadt Summer Term

Statistical Machine Learning Lecture 08: Regression Kristian Kersting TU Darmstadt Summer Term

Statistical Machine Learning Lecture 08: Regression Kristian Kersting TU Darmstadt Summer Term 2020 K. Kersting based on Slides from J. Peters Statistical Machine Learning Summer Term 2020 1 / 55 Todays Objectives Make you understand

674 views • 66 slides
Logic Roland Meyer TU Kaiserslautern Summer Term 2014 Roland Meyer (TU Kaiserslautern) Logic

Logic Roland Meyer TU Kaiserslautern Summer Term 2014 Roland Meyer (TU Kaiserslautern) Logic

Logic Roland Meyer TU Kaiserslautern Summer Term 2014 Roland Meyer (TU Kaiserslautern) Logic Summer Term 2014 1 / 189 Logic Lecture: Mi 11.45 - 13.15 Uhr 52-207 Informations http://concurrency.informatik.uni-kl.de/teaching.html The

2.09k views • 189 slides
5/12/2012 Partners: Summer Village of Birchcliff Town of Sylvan Lake Lacombe County Summer Village

5/12/2012 Partners: Summer Village of Birchcliff Town of Sylvan Lake Lacombe County Summer Village

5/12/2012 Partners: Summer Village of Birchcliff Town of Sylvan Lake Lacombe County Summer Village of Half Moon Bay Summer Village of Jarvis Bay Red Deer County Alberta Environment and Water Summer Village of Norglenwold Alberta Sustainable

282 views • 14 slides

More recommend