Internet infrastructure
Prof. dr. ir. André Mariën
(c) A. Mariën -
Web servers
• HTTP protocol
• Request/reply operation
• MIME-like format for both
– Requests
– Replies
• Data model initially:
– File system like: /.../.../.../x.y
– Content: text/plain, text/html, text/gif
Importance of HTML, initially
• Mark-up language
– Declarative GUI production
• Supports hyperlinks
– Hide addressing
• Multi-media:
– Formatted text
– Images
– Forms
URI
• “://”
• Address: [user@]host[:port]
• Request examples
– path?querystring
• HTTP URL
– "http:" "//" host [ ":" port ] [ abs_path ]
• Others
– LDAP, IMAP, FTP, NEWS, MAILTO
HTML essentials
• Markup
– ...
– ...
• Anchors
– text/image
• Embedded content, example: images
–
HTML drawbacks
• HTML is based on SGML
• Lots of freedom and defaults: difficult to parse
• Liberal parsing and interpretation in the browsers
– Barely any structure validation
– Proper nesting not enforced
• Browser incompatibilities
XML
• Drops some complexity of HTML
• Must have end tag
• Structure validation
• Empty elements better defined –
• Replaces ASN.1 as structure description
CSS and XSLT
• HTML
– became more and more complex
– Introduced more and more formatting
– No longer only what, but also how
• Cascading Style Sheets:
– Separates layout from structure, again
• XSLT:
– Powerful rewriting tool for XML
Web clients
• A.k.a. browsers
• Multi-protocol client
– HTTP, FTP, LDAP, ...
– Successor of Gopher clients
• Multi-media
– Text
– Image
Extensions: client side
• Javascript
– Scripting language
• To animate content
• To check forms
• To create content dynamically
– Java
• Active regions
• Much more control
Extensions: client side: ActiveX
• Programs with full access
• Trust based on signing
• Trust is unlimited: yes or no
• Integrates very well in the MS client platforms
Extensions: client side
• Plug-ins
– Many examples
– PDF plug-in
– Flash (Shockwave)
• Helper applications
– Separate applications
– Launched, after confirmation, to handle specific content
Extensions: server side
• Dynamic content: early systems
– CGI: common gateway interface
• Launch external program for content generation
– SSI: server side includes
• http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html
• http://www.apacheweek.com/features/ssi
CGI operation
• Coupling: start separate process
– Loose coupling
– Independence of language, run-time, ...
• API
– Parameter passing via process environment
– Caller sets relevant variables
• Main drawback
– Process started per request
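To make the CGI API concrete, here is an added example (not from the slides) of a CGI program that reconstructs the request from the process environment the server fills in (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH, ...) and from its standard input. The environment dictionary and POST body are constructed sample values; the variable names are the CGI/1.1 ones. Because every value is supplied by the caller, the program bounds CONTENT_LENGTH before reading and HTML-escapes what it echoes back.

```python
import html
import io
import os
import sys
from urllib.parse import parse_qs

# Upper bound on the request body a CGI program accepts; the server passes
# CONTENT_LENGTH in the environment and the client ultimately controls it.
MAX_BODY_BYTES = 64 * 1024

# Constructed sample of the environment a web server builds for a CGI
# program (CGI/1.1 variable names); not captured from a real server.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "POST",
    "SCRIPT_NAME": "/cgi-bin/order",
    "PATH_INFO": "/items",
    "QUERY_STRING": "lang=en&debug=1",
    "CONTENT_TYPE": "application/x-www-form-urlencoded",
    "CONTENT_LENGTH": "20",
    "REMOTE_ADDR": "192.0.2.10",
}
SAMPLE_STDIN = b"item=book&quantity=2"  # 20 bytes, matches CONTENT_LENGTH


def read_cgi_request(environ, stdin):
    """Rebuild the request from the process environment and stdin.

    Every value comes from the caller (the web server relaying the client),
    so it is validated before use rather than trusted.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    form = {}
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or "0")
        except ValueError:
            raise ValueError("CONTENT_LENGTH is not an integer")
        if length < 0 or length > MAX_BODY_BYTES:
            raise ValueError("refusing request body of %d bytes" % length)
        body = stdin.read(length)
        if len(body) != length:
            raise ValueError("request body shorter than CONTENT_LENGTH")
        media_type = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        if media_type == "application/x-www-form-urlencoded":
            form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {
        "method": method,
        "script": environ.get("SCRIPT_NAME", ""),
        "path_info": environ.get("PATH_INFO", ""),
        "query": query,
        "form": form,
        "client": environ.get("REMOTE_ADDR", ""),
    }


def render_response(request):
    """Produce the CGI output: header lines, a blank line, then the body.

    Values echoed back to the client are HTML-escaped; a CGI program that
    reflects parameters unescaped is the classic injection point.
    """
    item = html.escape(request["form"].get("item", [""])[0])
    quantity = html.escape(request["form"].get("quantity", [""])[0])
    body = "<html><body>Ordered %s x %s</body></html>\n" % (quantity, item)
    return "Content-Type: text/html\r\n\r\n" + body


def handle_sample():
    """Run the handler over the constructed sample environment."""
    return read_cgi_request(SAMPLE_ENVIRON, io.BytesIO(SAMPLE_STDIN))


if __name__ == "__main__":
    # Real CGI entry point: the server sets os.environ and pipes the body in.
    req = read_cgi_request(os.environ, sys.stdin.buffer)
    sys.stdout.write(render_response(req))
```

Run as a script under a CGI-capable server it reads the real environment; imported, `handle_sample()` exercises the same code over the constructed values. The "process per request" drawback the slide mentions is visible here too: all of this setup happens again for every hit.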
SSI
• Main commands:
– Include
• virtual/file
– Echo
• document_name, date_local, ...
• CGI variables
– Exec
• cmd/CGI
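The three SSI commands above, as an added example that is not code from the slides or from any SSI implementation: a small preprocessor that expands `echo`, `include virtual` and `exec` directives. The document root is a constructed in-memory dictionary, and the variable values are constructed. Two points matter for a defender: include paths are canonicalised and confined to the document root, and `exec` (which runs a command with the web server's privileges) stays disabled unless explicitly switched on.

```python
import html
import posixpath
import re

# Matches the SSI directive form <!--#command attribute="value" -->
DIRECTIVE = re.compile(r'<!--#(\w+)\s+(\w+)="([^"]*)"\s*-->')

# Constructed in-memory document root standing in for files on disk.
DOCROOT = {
    "/index.shtml": (
        'Hello <!--#echo var="DOCUMENT_NAME" --> at <!--#echo var="DATE_LOCAL" -->\n'
        '<!--#include virtual="/footer.html" -->'
    ),
    "/footer.html": "-- footer --",
    "/exec.shtml": '<!--#exec cmd="ls" -->',
}

MAX_INCLUDE_DEPTH = 5

# Constructed values for the variables the slide names.
SAMPLE_VARIABLES = {
    "DOCUMENT_NAME": "index.shtml",
    "DATE_LOCAL": "Monday, 01-Jan-2001 12:00:00 CET",
}


def resolve_virtual(path):
    """Map a virtual path to a document, confined to the document root."""
    # Canonicalise first so that "/../x" or "/a/../../x" cannot escape.
    canonical = posixpath.normpath("/" + path.lstrip("/"))
    if canonical not in DOCROOT:
        raise FileNotFoundError(path)
    return DOCROOT[canonical]


def include_allowed(path):
    """True if the virtual path resolves to a document inside the root."""
    try:
        resolve_virtual(path)
        return True
    except FileNotFoundError:
        return False


def process_ssi(document_name, variables, allow_exec=False, depth=0):
    """Expand echo/include/exec directives in a document."""
    if depth > MAX_INCLUDE_DEPTH:
        raise RecursionError("include nesting too deep: %s" % document_name)
    text = resolve_virtual(document_name)

    def expand(match):
        command, attribute, value = match.groups()
        if command == "echo" and attribute == "var":
            # "(none)" for an unset variable mirrors Apache; the value is
            # escaped because some variables (QUERY_STRING) are client-supplied.
            return html.escape(variables.get(value, "(none)"))
        if command == "include" and attribute == "virtual":
            return process_ssi(value, variables, allow_exec, depth + 1)
        if command == "exec":
            # exec runs a shell command or CGI program as the server user;
            # it stays off unless the caller enables it deliberately.
            if not allow_exec:
                return "[exec disabled]"
            raise NotImplementedError("exec is not implemented in this example")
        return "[unknown directive]"

    return DIRECTIVE.sub(expand, text)
```

`process_ssi("/index.shtml", SAMPLE_VARIABLES)` yields the page with the variables substituted and the footer pulled in; a path such as `/../../etc/passwd` normalises to a name outside the constructed root and is refused.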
SSI: grandfather of others
• JSP: Java Server Pages
• ASP: Active Server Pages
• PHP: hypertext preprocessor
– www.php.net
• ColdFusion
• ...
ASP: www.asptutorial.inf
• : insert current date
• Script within HTML: Link of the Day
ASP example script The hour is midnight. noon. = 1) and (hour(now) o'clock AM. = 13) and (hour(now) o'clock PM.
ASP & SSI combined
ASP Session management ... Hi !
ASP: shared application data Page views:
ASP: request & response
• Request object
– Request.cookies(“key”);
• Response object
– Response.cookies(“otherkey”);
Dynamic content styles
• HTML + mark-up
– Preprocessor
– Mark-up: special delimiters for processing
– Code inside HTML
– ASP, PHP, ColdFusion
• Language embedding
– Program “scripts” containing HTML mark-up
– Perl scripts, servlets
Preprocessing HTML + mark-up (diagram: webserver processes hand the HTML + mark-up page to the preprocessor, which reads files/database and produces HTML)
Language embedding (diagram: webserver processes hand the script to the script interpreter, which reads files/database and produces HTML)
Dynamic content: problems
• Separation of duties
– Web designers
– Web developers
• Preprocessing
– Web designers write code
• Language embedding
– Developers design pages
JSP
• http://java.sun.com/products/jsp/
• Strongly related to servlet technology
• Servlets:
– Java technology to handle web requests
– Implemented with servlet runners
Servlet runners (diagram: client connections arrive at the HTTP listener; persistent connections feed the servlet runner, which connects to the back-end)
Servlets
• Standard Java interface
– Servlet
– HTTPServlet
• Provides Request and Response objects
• HTTPServlet: methods
– doGet
– doPost
– doPut
Servlets: sessions & applications
• HTTPSession object
• ServletContext: application context
JSP
• Looks like a preprocessing page
– HTML with embedded tags
• Executes as a servlet
– Language embedding flavor
• Translation is automatic
• No interpretation during execution
JSP tags
• See the JSP tag syntax pages:
– http://java.sun.com/products/jsp/pdf/card11.pdf
JSP: some tags
• Declaration: –
• Expression: –
• Directive: –
JSP: insert date
Hello! The time is now
JSP: more complex example
Hello! The time is now
JSP directives
Defining methods
Hello! The time is now
Important concept: useBean
• Beans: objects with simple interface
• JSP writers: GUI designers
– Should not write code
– Should use beans
– Should include bean properties
• Beans: written by developers
JSP: beans
• Beans: – – –
HTTP basics
• Request:
– GET /x/y/h.html HTTP/1.0
• Reply
– 200 HTTP/1.0 OK
– Message
• Headers: content-type: text/html
• Body: ...
Essential protocol features
• Basic authentication
– 401: authorization required
– Authorization header
• Redirects
– Initially to allow content migration
– Now: link control measures
• POST besides GET
– Full MIME-style content inside requests
HTTP
• HTTP/1.1: RFC 2068
• Protocol version
– HTTP/x.y
– Currently: 0.9, 1.0, 1.1
Request syntax
Request-Line
*( general-header | request-header | entity-header )
CRLF
[ message-body ]
Request Line
Method Request-URI HTTP-Version CRLF
• Method:
– GET, HEAD, POST
– PUT, DELETE, TRACE
– OPTIONS
Request Header
• Accept, Accept-Charset, Accept-Encoding, Accept-Language
• Authorization, Proxy-Authorization, Host
• If-Modified-Since
• Referer, User-Agent
Response
Status-Line
*( general-header | response-header | entity-header )
CRLF
[ message-body ]
Status code
• 1xx: Informational - Request received, continuing process
• 2xx: Success - The action was successfully received, understood, and accepted
• 3xx: Redirection - Further action must be taken in order to complete the request
• 4xx: Client Error - The request contains bad syntax or cannot be fulfilled
• 5xx: Server Error - The server failed to fulfill an apparently valid request
Status Code 1xx
• "100" ; Continue
• "101" ; Switching Protocols
Status Code 2xx
• "200" ; OK
• "201" ; Created
• "202" ; Accepted
• "203" ; Non-Authoritative Information
• "204" ; No Content
• "205" ; Reset Content
• "206" ; Partial Content
Status Code 3xx
• "300" ; Multiple Choices
• "301" ; Moved Permanently
• "302" ; Moved Temporarily
• "303" ; See Other
• "304" ; Not Modified
• "305" ; Use Proxy
Status Code 4xx
• "400" ; Bad Request
• "401" ; Unauthorized
• "402" ; Payment Required
• "403" ; Forbidden
• "404" ; Not Found
• "405" ; Method Not Allowed
• "406" ; Not Acceptable
• "407" ; Proxy Authentication Required
Status Code 4xx (Cont.)
• "408" ; Request Time-out
• "409" ; Conflict
• "410" ; Gone
• "411" ; Length Required
• "412" ; Precondition Failed
• "413" ; Request Entity Too Large
• "414" ; Request-URI Too Large
• "415" ; Unsupported Media Type
Status Code 5xx
• "500" ; Internal Server Error
• "501" ; Not Implemented
• "502" ; Bad Gateway
• "503" ; Service Unavailable
• "504" ; Gateway Time-out
• "505" ; HTTP Version not supported
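The request and response grammars above (start line, header lines, empty line, optional body) and the status-class table can be exercised with an added example that is not part of the slides: a strict parser for one HTTP/1.x message. The sample request and response bytes are constructed. It is strict on purpose: an HTTP intermediary that tolerates two Content-Length headers, or both Transfer-Encoding and Content-Length, invites disagreement with the next hop about where one message ends and the next begins, so the parser rejects those rather than guessing.

```python
import re

CRLF = b"\r\n"
# RFC 2616 token characters, used to validate header field names.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS"}
VERSION = re.compile(r"HTTP/\d\.\d")

STATUS_CLASSES = {
    1: "Informational",
    2: "Success",
    3: "Redirection",
    4: "Client Error",
    5: "Server Error",
}


def status_class(code):
    """Classify a status code by its first digit, as the slide does."""
    return STATUS_CLASSES.get(code // 100, "Unknown")


def parse_headers(lines):
    """Parse header lines into a dict keyed by lower-cased field name."""
    headers = {}
    for line in lines:
        text = line.decode("iso-8859-1")
        name, colon, value = text.partition(":")
        if not colon or not TOKEN.fullmatch(name):
            raise ValueError("malformed header line: %r" % text)
        key = name.lower()
        value = value.strip()
        if key in headers:
            if key == "content-length":
                # Two framing headers that may disagree: refuse, do not pick one.
                raise ValueError("duplicate Content-Length")
            headers[key] = headers[key] + ", " + value
        else:
            headers[key] = value
    return headers


def parse_message(raw):
    """Parse one HTTP/1.x request or response (bytes) into a dict."""
    head, separator, rest = raw.partition(CRLF + CRLF)
    if not separator:
        raise ValueError("message head not terminated by an empty line")
    lines = head.split(CRLF)
    start = lines[0].decode("iso-8859-1")
    parts = start.split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed start line: %r" % start)
    headers = parse_headers(lines[1:])

    if parts[0].startswith("HTTP/"):  # Status-Line: version code reason
        version, code, reason = parts
        if not VERSION.fullmatch(version) or not re.fullmatch(r"\d{3}", code):
            raise ValueError("malformed status line: %r" % start)
        message = {"kind": "response", "version": version, "status": int(code),
                   "reason": reason, "class": status_class(int(code))}
    else:  # Request-Line: method target version
        method, target, version = parts
        if method not in METHODS or not VERSION.fullmatch(version):
            raise ValueError("malformed request line: %r" % start)
        message = {"kind": "request", "method": method, "target": target,
                   "version": version}
    message["headers"] = headers

    # Body framing by Content-Length only; a message carrying both
    # Transfer-Encoding and Content-Length is ambiguous and rejected.
    if "transfer-encoding" in headers and "content-length" in headers:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    length_text = headers.get("content-length", "0")
    if not re.fullmatch(r"\d+", length_text):
        raise ValueError("non-numeric Content-Length")
    length = int(length_text)
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    message["body"] = rest[:length]
    return message


def is_malformed(raw):
    """True if parse_message rejects the bytes."""
    try:
        parse_message(raw)
        return False
    except ValueError:
        return True


# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST = (b"GET /x/y/h.html HTTP/1.0\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: lecture-demo\r\n"
                  b"Accept: text/html\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 13\r\n\r\n"
                   b"<html></html>")
```

`parse_message(SAMPLE_REQUEST)` returns the method, target, version and headers; `parse_message(SAMPLE_RESPONSE)` adds the numeric status, its class from the table above and the body sliced to the declared length.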
Headers
• General headers:
– Connection, proxying, cache
• Response headers:
– Authentication, redirection, caching
• Entity headers:
– Content related
General Headers
• Cache-Control
• Date
• Pragma
• Transfer-Encoding
• Via
Response Header
• Location
• Proxy-Authenticate
• Server
• WWW-Authenticate
Entity Header
• Content-Base, Content-Encoding, Content-Language, Content-Length, Content-Location, Content-Type
• ETag
• Expires, Last-Modified
Authentication: Generic
• client -> request
• server reply: 401 unauthorized
– Plus server header: how-to
– WWW-authenticate: [, ]
• client -> request
– Repeats request but adds authorization information
– Authorization:
Basic Authentication: Scheme
• Server reply:
– 401 unauthorized
– WWW-Authenticate: Basic realm="WallyWorld"
• Client request:
– Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Basic Authentication
• base64(UID:password):
– “QWxhZGRpbjpvcGVuIHNlc2FtZQ==”
• Note
– Base64 is encoding, not encryption
• Digest authentication: see RFC 2069
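The Basic exchange above, as an added example that is not code from the slides: the server's 401 challenge with the WallyWorld realm, the decoding of the client's `Authorization` value, and a verification step. Decoding the slide's credential is plain base64 and yields the RFC example `Aladdin:open sesame`, which is the whole point of "encoding, not encryption": anyone who can read the header has the password, so Basic belongs only on TLS-protected connections. The user database, its salt and the PBKDF2 parameters are constructed for the example; the server never stores the cleartext that Basic transmits.

```python
import base64
import binascii
import hashlib
import hmac
import os

REALM = "WallyWorld"  # realm from the slide
PBKDF2_ROUNDS = 200_000


def challenge():
    """The server's reply when no acceptable credentials were presented."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def decode_basic_credentials(authorization_value):
    """Recover (userid, password) from an Authorization header value.

    Only base64 is involved, so anyone who sees the header sees the password.
    """
    scheme, _, encoded = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("credential is not valid base64")
    # The user-id may not contain ':', the password may, so split on the first one.
    userid, colon, password = raw.decode("utf-8", "replace").partition(":")
    if not colon:
        raise ValueError("credential lacks the ':' separator")
    return userid, password


def make_record(password, salt=None):
    """Store a salted PBKDF2 hash, never the cleartext Basic sends."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user database holding the RFC example credential.
USERS = {"Aladdin": make_record("open sesame", salt=b"constructed-salt")}


def verify(userid, password):
    """Constant-time comparison of the presented password against the record."""
    record = USERS.get(userid)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        make_record(password, salt=b"constructed-salt")
        return False
    salt, expected = record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(actual, expected)


def handle_request(headers):
    """Return (status, headers) a protected resource would answer with."""
    value = headers.get("Authorization")
    if value is None:
        return challenge()
    try:
        userid, password = decode_basic_credentials(value)
    except ValueError:
        return 400, {}
    if not verify(userid, password):
        return challenge()
    return 200, {}
```

`handle_request({})` produces the 401 with `WWW-Authenticate: Basic realm="WallyWorld"`; repeating the request with the slide's `Authorization` value produces 200, a wrong password produces the challenge again, and a value that is not base64 at all is answered with 400.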
End-to-end and Hop-by-hop Headers
• End-to-end headers: transmitted to the ultimate recipient
• Hop-by-hop headers: meaningful only for a single transport-level connection
HTTP/1.1 hop-by-hop Headers
• Connection
• Keep-Alive
• Public
• Proxy-Authenticate
• Transfer-Encoding
• All other headers: end-to-end
Proxies
• Incoming (reverse) proxies
• Outgoing proxies
– Secure hop
– Authorization enforcement
• Caching proxy
Proxies (diagram: clients → outgoing proxy → internet → reverse proxy → web server)
Outgoing proxy
• Proxy protocol
– Request contains URL
– GET http://server/... HTTP/1.0
• Proxy authentication
– Browser control
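The two proxy-related points above, the hop-by-hop header list and the absolute-URL request line an outgoing proxy receives, come together in an added example that is not code from the slides or from any proxy product. It rewrites `GET http://server/... HTTP/1.0` into the origin-server form with a `Host` header, strips the hop-by-hop headers (the slide's list plus the remaining RFC 2616 section 13.5.1 entries, and whatever the `Connection` header names) so they are not leaked onto the next hop, and applies a constructed per-host policy as the "authorization enforcement" hook. The sample request is constructed.

```python
from urllib.parse import urlsplit

# Hop-by-hop headers as listed on the slide, plus the rest of the RFC 2616
# section 13.5.1 list (Proxy-Authorization, TE, Trailers, Upgrade).
HOP_BY_HOP = {
    "connection", "keep-alive", "public", "proxy-authenticate", "transfer-encoding",
    "proxy-authorization", "te", "trailers", "upgrade",
}


def strip_hop_by_hop(headers):
    """Drop hop-by-hop headers, including those the Connection header names."""
    lowered = {name.lower(): value for name, value in headers.items()}
    named = {token.strip().lower()
             for token in lowered.get("connection", "").split(",") if token.strip()}
    return {name: value for name, value in lowered.items()
            if name not in HOP_BY_HOP and name not in named}


def split_proxy_request_line(request_line):
    """Turn 'GET http://server/path HTTP/1.0' into its origin-server parts."""
    method, target, version = request_line.split(" ")
    url = urlsplit(target)
    if url.scheme.lower() != "http" or not url.netloc:
        raise ValueError("outgoing proxy expects an absolute http URL")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    return method, path, version, url.netloc


def forward_request(request_line, headers, allowed_hosts=None):
    """Build the request the proxy sends on to the origin server.

    allowed_hosts is a constructed policy standing in for the proxy's
    authorisation step: when given, other destinations are refused.
    """
    method, path, version, host = split_proxy_request_line(request_line)
    if allowed_hosts is not None and host.split(":")[0].lower() not in allowed_hosts:
        raise PermissionError("host not permitted by proxy policy: %s" % host)
    forwarded = strip_hop_by_hop(headers)
    forwarded["host"] = host
    return "%s %s %s" % (method, path, version), forwarded


def is_permitted(request_line, allowed_hosts):
    """True if the policy lets the request through."""
    try:
        forward_request(request_line, {}, allowed_hosts)
        return True
    except PermissionError:
        return False


# Constructed sample request as a browser would send it to an outgoing proxy.
SAMPLE_REQUEST_LINE = "GET http://server/a/b?x=1 HTTP/1.0"
SAMPLE_HEADERS = {
    "Connection": "keep-alive, X-Debug",
    "Keep-Alive": "timeout=5",
    "X-Debug": "1",
    "Accept": "text/html",
}
```

Forwarded header names are lower-cased, which HTTP permits. A reverse proxy sees ordinary origin-form requests, so for it only the header stripping applies; the absolute-URL rewrite is specific to the outgoing case.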
Reverse proxy
• Normal HTTP protocol
• No specific authentication
• Fits in security zone concept
– Network zone containing proxy
– Service zone containing web server
– Application zone containing application server
WEB APPLICATION FIREWALLS
What is a WAF?
• OWASP:
– “a security solution on the web application level which - from a technical point of view - does not depend on the application itself”
– Broad: covers many technological solutions
• Separate “hardware” boxes (appliances)
• Reverse proxy filters
• …
• WASC:
– "An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack."
References
• https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
• http://www.modsecurity.org/
– Apache Security by Ivan Ristic, O'Reilly Media, Inc. ISBN 0596007248
– Preventing Web Attacks with Apache by Ryan Barnett, Addison-Wesley Professional. ISBN 0321321286
Fundamental issue
• The web was not designed for applications as complex as those that are now state of the art.
• Core protocol: HTTP
– HTTP is not stateful
• Sessions or stateful applications must be defined separately and implemented securely.
• The high degree of complexity of the web scripts, frameworks and web technologies frequently used leads to vulnerabilities
Features
Problem: Cookie protection
– Countermeasure: cookies can be signed, encrypted, completely hidden or replaced; cookies can be linked to the client IP
Problem: Information leakage
– Countermeasure: cloaking filter: outgoing pages can be cleaned (error messages, comments, undesirable information)
Problem: Session riding (CSRF)
– Countermeasure: URL encryption / token
Problem: Session timeout
– Countermeasure: timeout for active and inactive (idle) sessions can be specified
Problem: Parameter tampering
– Countermeasure: parameter URL encryption (GET), parameter encryption (GET and POST); site usage enforcement: sequence of URLs can be fixed or can be detected
Problem: Data validation (relating to field/content/context/application)
– Countermeasure: length, constant value/range of values, whitelist and/or blacklist, canonicalisation of the data
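Two of the countermeasures above, cookie signing and data validation with canonicalisation, as an added example that is not code from the slides or from any WAF product. The signing key, the per-parameter rules and the sample inputs are constructed. The validation step decodes repeated percent-encoding and applies Unicode NFKC before checking length, whitelist and pattern, so that an encoded or full-width variant of a forbidden character is judged the same as the plain one; parameter names not in the rule set are rejected outright.

```python
import base64
import hashlib
import hmac
import re
import unicodedata
from urllib.parse import unquote

# Constructed signing key; a deployment would load it from a secret store.
SIGNING_KEY = b"constructed-demo-key"


def sign_cookie(name, value, key=SIGNING_KEY):
    """Append an HMAC tag so the client cannot alter the value unnoticed."""
    mac = hmac.new(key, ("%s=%s" % (name, value)).encode("utf-8"), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")
    return "%s.%s" % (value, tag)


def verify_cookie(name, signed, key=SIGNING_KEY):
    """Return the original value, or None if the tag does not match."""
    value, dot, _tag = signed.rpartition(".")
    if not dot:
        return None
    expected = sign_cookie(name, value, key)
    return value if hmac.compare_digest(expected, signed) else None


# Constructed per-parameter policy: a whitelist of parameter names, each
# with a length limit and a pattern, value set or numeric range.
RULES = {
    "quantity": {"max_len": 4, "pattern": re.compile(r"[0-9]{1,4}"), "range": (1, 1000)},
    "lang": {"max_len": 2, "allowed": {"en", "nl", "fr"}},
    "item": {"max_len": 32, "pattern": re.compile(r"[A-Za-z0-9_-]+")},
}


def canonicalise(raw):
    """Undo (repeated) percent-encoding and Unicode compatibility forms."""
    value = raw
    for _ in range(3):  # bounded, so a pathological input cannot loop forever
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)


def validate_parameter(name, raw):
    """Return (True, canonical value) or (False, reason)."""
    rule = RULES.get(name)
    if rule is None:
        return False, "parameter not in whitelist"
    value = canonicalise(raw)
    if len(value) > rule["max_len"]:
        return False, "too long"
    if "allowed" in rule and value not in rule["allowed"]:
        return False, "value not in whitelist"
    if "pattern" in rule and not rule["pattern"].fullmatch(value):
        return False, "does not match pattern"
    if "range" in rule:
        low, high = rule["range"]
        if not low <= int(value) <= high:
            return False, "out of range"
    return True, value


def inspect_request(params):
    """Validate every parameter; the first failure blocks the request."""
    for name, raw in params.items():
        ok, detail = validate_parameter(name, raw)
        if not ok:
            return False, "%s: %s" % (name, detail)
    return True, "ok"
```

A signed cookie survives a round trip unchanged, but changing even one character of the value leaves the tag mismatched and `verify_cookie` returns None. On the validation side, `%32%35`, `%2532%2535` and `25` all canonicalise to the same accepted quantity, while a full-width less-than sign hidden in an item name is normalised to `<` and rejected by the pattern.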
Concerns
• Yet-another-proxy argument:
– Increased complexity of the IT infrastructure
• Keeping the WAF configured
– Training the WAF
– Follow releases of
• the web application
• the frameworks
– Testing
• False positives
– In-stream, so can block business
• More complex troubleshooting
• Cost-effectiveness
– Just do it in the applications?