SlideShare a Scribd company logo

Web Architecture - Mechanism and Threats

Download as PPTX, PDF
Sumedt Jitpukdebodin, profile picture
Sumedt Jitpukdebodin

This document discusses web architecture, mechanisms, and threats. It describes the basic components of web architecture including HTML, HTTP, URIs, cookies, and the three-tier architecture. It also outlines some common web attacks like injection, XSS, and CSRF. Finally, it discusses security controls at the application layer through input validation, authentication, and sessions management and at the network layer using firewalls, IDS, WAF, and centralized logging.

Education
1 of 47
Downloaded 89 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Web Architecture - Mechanism and Threats © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice. Sumedt Jitpukdebodin Senior Security Researcher CompTIA Security+, LPIC-1 , NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE
~# whoami  Name: Sumedt Jitpukdebodin(สุเมธ จิตภักดีบดินทร์)  My blog: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook  Jobs – I-SECURE Co., Ltd. – Research And Develop Engineer, Senior Web Application Security Specialist, Senior Security Researcher – Writer – English article@ http://packetstormsecurity.com/files/author/9011/ and please google my name. – Many Thai article, please google my Thai name. – หนังสือ “Hacking & Security Book "Network Security หนังสือฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ”  Hobby: Penetration Testing, Hacking, Reading Info Security, Play Games, Traveling around the world, Write Article, Teaching and more... © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Agenda © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Agenda  Web Architecture  Web Architecture Attack  Security Controls & Mechanism © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Web Architecture © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Basic Web Architecture  Two Tier Architecture – Web browser display content that return from Web Server – Web server provide resource for client © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
HTML  HTML(Hyper Text Markup Language) – Document Layout Language – Viewed by using Web Browser. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
URI  URI(Universal Resource Identifier) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
URI(2)  URL(Universal Resource Locator)  URN(Universal Resource Name) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
HTTP  HTTP(Hyper Text Transfer Protocol)  HTTP is an application layer.  HTTP has 2 way communication: HTTP Request and HTTP Response. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
HTTP(2)  Request Message – Request Line – Request Header – An empty line – An optional Message Body © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
HTTP(3) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Request Method – HEAD – GET – POST – PUT – DELETE – TRACE – OPTIONS – CONNECT © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Safe Method – HEAD – GET – OPTIONS – TRACE – POST – PUT – DELETE – CONNECT © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Status Code  Success: 2xx  Redirection: 3xx  Client-Side Error: 4xx  Server-Side Error: 5xx © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
HTTP Session State  HTTP is stateless Protocol  Solutions – Cookies – Sessions – Hidden variable – URL encode parameter( /index.php?session_id=$session_code) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Web Architecture Extension  Two tier architecture is not enough  Common Gateway Interface(CGI)  Standard protocol for interfacing with external application software with a web server  CGI program are executable programs that run on the web server. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Javascript  Scripting language designed for dynamic, interactive web application  Run on client side.  Preprocessing data on the client before submission to a server.  Changing content type and styles © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Three tier web architecture © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Make HTTP to stateful(2)  Cookie  A text stored on a client’s computer by a web browser.  Sent as an HTTP Header  Can used for authenticating, session tracking © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Server and Client Processing  Server-Side Processing  PHP  ASP  ASP.NET  Perl  J2EE  Python, Django  Ruby On Rail  Client-Side Processing  CSS  HTML  Javascript  Adobe Flash  Microsoft Silverlight © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
AJAX  Asynchronous Javascript and XML(AJAX)  Create by Jesse James Garrett, Febuary 18, 2005  Ajax Incorporates  XHTML, CSS, Document Object Model(DOM), XML and XSLT, XMLHttpRequest, Javascript © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
AJAX(2) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
AJAX(3) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
JSON  Javascript Object Notation(JSON)  JSON is lightweight computer data interchange format.  JSON is based on a subset of Javascript programming language.  Using of XML format. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
JSON Request && Response © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
JSON(2) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
XML  eXtensible Markup Language  Using for information exchange.  Two primary building blocks of XML are elements and attributes.  Elements are tags and have values.  Elements are structured as a tree.  Alternatively, elements may have both attributes as well as data.  Attributes help you to give more meaning and describe your element more efficiently and clearly. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
XML(2)  Tag  Element  Content © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
XML(3) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
XML(4) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
XML vs JSON © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Web Services  Web service is a software system designed to support machine-to-machine intraction over a network.  Web service are frequently just used to Internet Application Programming Interfaces(API).  Web service use HTTP for transmitting messages(RPC,SOAP,REST) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
SOAP vs REST  SOAP(Simple Object Access Protocol) – Web service based on XML  REST(Representational State Transfer) – Web service represent in format of application © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
SOAP vs REST © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
SOAP Example Reference:: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges. html © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
REST Example Reference:: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges. html © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Web Architecture Attack © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Web Architecture Reference :: Web Application Hacking/Security 101(https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95L yMs/edit#slide=id.p) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Web Architecture Attack Reference :: Web Application Hacking/Security 101(https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95L yMs/edit#slide=id.p) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
OWASP 2013  Injection  Broken Authentication and Session Management  Cross-Site Scripting(XSS)  Insecure Direct Object Rerefence  Security Misconfiguration  Sensitive Data Exposure  Missing Function Level Access Control  Cross-Site Request Forgery(CSRF)  Using Components with Known Vulnerability  Unvalidated Redirects and Forwards © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Security Controls & Mechanism © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Security Control  Application Layer  Network Layer © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Application Layer  Input Validation  Sessions Management  Authentication Method  Strong Policy(Such as password policy)  Same-Origin Policy © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Network Layer  Firewall  Intrusion Detection System/Intrusion Prevention System(IDS/IPS)  Web Application Firewall(WAF)  Centralize Log Server © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Network Layer Diagram Reference :: http://www.umv.co.kr/main_eng/sm_enterprise.php © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Questions www.i-secure.co.th © Copyright 2013 ACIS i-secure Co., Ltd. The information contained herein is subject to change without notice.

More Related Content

PDF
Fundamentals of Web for Non-Developers
Lemi Orhan Ergin
 
PPT
Busy Architects Guide to Modern Web Architecture in 2014
Particular Software
 
PPT
Web Fundamentals
arunv
 
PPTX
Architecture Best Practices
AWS Germany
 
PPT
SOA and web services
Sreekanth Narayanan
 
PDF
Basic web architecture
Ralu Mihordea
 
ODP
RESTful Web Services
Imran M Yousuf
 
PDF
Introduction to Web Technology
Rob Bertholf
 
Fundamentals of Web for Non-Developers
Lemi Orhan Ergin
 
Busy Architects Guide to Modern Web Architecture in 2014
Particular Software
 
Web Fundamentals
arunv
 
Architecture Best Practices
AWS Germany
 
SOA and web services
Sreekanth Narayanan
 
Basic web architecture
Ralu Mihordea
 
RESTful Web Services
Imran M Yousuf
 
Introduction to Web Technology
Rob Bertholf
 

What's hot (20)

PPTX
Rest & RESTful WebServices
Prateek Tandon
 
PDF
High performance website
Chamnap Chhorn
 
PPT
Introduction To REST
Bhavya Siddappa
 
PPT
introduction to web technology
vikram singh
 
PPT
External Data Access with jQuery
Doncho Minkov
 
PPTX
Seo and analytics basics
Sreekanth Narayanan
 
PPTX
Restful web services ppt
OECLIB Odisha Electronics Control Library
 
PPTX
REST-API introduction for developers
Patrick Savalle
 
PDF
იოსებ ძმანაშვილი - The Web APIs
unihack
 
PPT
Introduction to the Web API
Brad Genereaux
 
PDF
The never-ending REST API design debate -- Devoxx France 2016
Restlet
 
PPTX
Representational State Transfer
Alexei Skachykhin
 
PDF
Restful web services by Sreeni Inturi
Sreeni I
 
PPTX
REST API Design for JAX-RS And Jersey
Stormpath
 
PPTX
Elegant Rest Design Webinar
Stormpath
 
PPTX
Web Technology Fundamentals
sunmitraeducation
 
PPTX
REST and ASP.NET Web API (Milan)
Jef Claes
 
PPT
The RESTful Soa Datagrid with Oracle
Emiliano Pecis
 
PDF
5. HTML5
Jalpesh Vasa
 
PDF
Vskills angular js sample material
Vskills
 
Rest & RESTful WebServices
Prateek Tandon
 
High performance website
Chamnap Chhorn
 
Introduction To REST
Bhavya Siddappa
 
introduction to web technology
vikram singh
 
External Data Access with jQuery
Doncho Minkov
 
Seo and analytics basics
Sreekanth Narayanan
 
Restful web services ppt
OECLIB Odisha Electronics Control Library
 
REST-API introduction for developers
Patrick Savalle
 
იოსებ ძმანაშვილი - The Web APIs
unihack
 
Introduction to the Web API
Brad Genereaux
 
The never-ending REST API design debate -- Devoxx France 2016
Restlet
 
Representational State Transfer
Alexei Skachykhin
 
Restful web services by Sreeni Inturi
Sreeni I
 
REST API Design for JAX-RS And Jersey
Stormpath
 
Elegant Rest Design Webinar
Stormpath
 
Web Technology Fundamentals
sunmitraeducation
 
REST and ASP.NET Web API (Milan)
Jef Claes
 
The RESTful Soa Datagrid with Oracle
Emiliano Pecis
 
5. HTML5
Jalpesh Vasa
 
Vskills angular js sample material
Vskills
 
Ad

Similar to Web Architecture - Mechanism and Threats (20)

PDF
Web architecture mechanism and threats
Sumedt Jitpukdebodin
 
PDF
Java API for WebSocket 1.0: Java EE 7 and GlassFish
Arun Gupta
 
PDF
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
PPTX
Conf2013 bchristensen thebig_t
Beau Christensen
 
PPT
Unit 1 b
Sheetal Verma
 
PPTX
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
CA API Management
 
PDF
Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...
Puneet Sachdev
 
PDF
HTTP_Header_Security.pdf
ksudhakarreddy5
 
PDF
E-Business And Technology Essay
Pamela Wright
 
PPT
Asynchronous architecture (Node.js & Vert.x)
Yu Kwangjong
 
PDF
Accelerating breakthrough business technologies in atlanta, tag featured spea...
Melanie Brandt
 
PPT
Top Ten Web Hacking Techniques – 2008
Jeremiah Grossman
 
PDF
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
ufpb
 
PPTX
Oracle REST Data Services
Chris Muir
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
PDF
Java Web Application Security - Denver JUG 2013
Matt Raible
 
PPT
Defcon9 Presentation2001
Miguel Ibarra
 
PPT
Web Application Security - "In theory and practice"
Jeremiah Grossman
 
PPTX
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
PPTX
Ed presents JSF 2.2 at a 2013 Gameduell Tech talk
Edward Burns
 
Web architecture mechanism and threats
Sumedt Jitpukdebodin
 
Java API for WebSocket 1.0: Java EE 7 and GlassFish
Arun Gupta
 
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
Conf2013 bchristensen thebig_t
Beau Christensen
 
Unit 1 b
Sheetal Verma
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
CA API Management
 
Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...
Puneet Sachdev
 
HTTP_Header_Security.pdf
ksudhakarreddy5
 
E-Business And Technology Essay
Pamela Wright
 
Asynchronous architecture (Node.js & Vert.x)
Yu Kwangjong
 
Accelerating breakthrough business technologies in atlanta, tag featured spea...
Melanie Brandt
 
Top Ten Web Hacking Techniques – 2008
Jeremiah Grossman
 
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
ufpb
 
Oracle REST Data Services
Chris Muir
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
Java Web Application Security - Denver JUG 2013
Matt Raible
 
Defcon9 Presentation2001
Miguel Ibarra
 
Web Application Security - "In theory and practice"
Jeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Jeremiah Grossman
 
Ed presents JSF 2.2 at a 2013 Gameduell Tech talk
Edward Burns
 
Ad

More from Sumedt Jitpukdebodin (13)

PDF
How to create your own hack environment
Sumedt Jitpukdebodin
 
PDF
Phishing
Sumedt Jitpukdebodin
 
PDF
Which side are you
Sumedt Jitpukdebodin
 
PDF
Endpoint is not enough
Sumedt Jitpukdebodin
 
PDF
Antivirus is hopeless
Sumedt Jitpukdebodin
 
PPTX
Purple team is awesome
Sumedt Jitpukdebodin
 
PDF
R u hacked
Sumedt Jitpukdebodin
 
PDF
Fundamental of malware analysis
Sumedt Jitpukdebodin
 
PDF
Security awareness training
Sumedt Jitpukdebodin
 
PDF
Hacking with paper
Sumedt Jitpukdebodin
 
PDF
DDoS handlering
Sumedt Jitpukdebodin
 
PDF
Incident response before:after breach
Sumedt Jitpukdebodin
 
PDF
What should I do when my website got hack?
Sumedt Jitpukdebodin
 
How to create your own hack environment
Sumedt Jitpukdebodin
 
Phishing
Sumedt Jitpukdebodin
 
Which side are you
Sumedt Jitpukdebodin
 
Endpoint is not enough
Sumedt Jitpukdebodin
 
Antivirus is hopeless
Sumedt Jitpukdebodin
 
Purple team is awesome
Sumedt Jitpukdebodin
 
R u hacked
Sumedt Jitpukdebodin
 
Fundamental of malware analysis
Sumedt Jitpukdebodin
 
Security awareness training
Sumedt Jitpukdebodin
 
Hacking with paper
Sumedt Jitpukdebodin
 
DDoS handlering
Sumedt Jitpukdebodin
 
Incident response before:after breach
Sumedt Jitpukdebodin
 
What should I do when my website got hack?
Sumedt Jitpukdebodin
 

Recently uploaded (20)

PDF
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
Institutional Correction lecture only . . .
limvtheghins
 
Pre independence Education in Inndia.pdf
goofy5603
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 

Web Architecture - Mechanism and Threats

  • 1. Web Architecture - Mechanism and Threats © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice. Sumedt Jitpukdebodin Senior Security Researcher CompTIA Security+, LPIC-1 , NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE
  • 2. ~# whoami  Name: Sumedt Jitpukdebodin(สุเมธ จิตภักดีบดินทร์)  My blog: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook  Jobs – I-SECURE Co., Ltd. – Research And Develop Engineer, Senior Web Application Security Specialist, Senior Security Researcher – Writer – English article@ http://packetstormsecurity.com/files/author/9011/ and please google my name. – Many Thai article, please google my Thai name. – หนังสือ “Hacking & Security Book "Network Security หนังสือฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ”  Hobby: Penetration Testing, Hacking, Reading Info Security, Play Games, Traveling around the world, Write Article, Teaching and more... © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 3. Agenda © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 4. Agenda  Web Architecture  Web Architecture Attack  Security Controls & Mechanism © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 5. Web Architecture © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 6. Basic Web Architecture  Two Tier Architecture – Web browser display content that return from Web Server – Web server provide resource for client © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 7. HTML  HTML(Hyper Text Markup Language) – Document Layout Language – Viewed by using Web Browser. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 8. URI  URI(Universal Resource Identifier) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 9. URI(2)  URL(Universal Resource Locator)  URN(Universal Resource Name) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 10. HTTP  HTTP(Hyper Text Transfer Protocol)  HTTP is an application layer.  HTTP has 2 way communication: HTTP Request and HTTP Response. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 11. HTTP(2)  Request Message – Request Line – Request Header – An empty line – An optional Message Body © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 12. HTTP(3) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 13. Request Method – HEAD – GET – POST – PUT – DELETE – TRACE – OPTIONS – CONNECT © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 14. Safe Method – HEAD – GET – OPTIONS – TRACE – POST – PUT – DELETE – CONNECT © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 15. Status Code  Success: 2xx  Redirection: 3xx  Client-Side Error: 4xx  Server-Side Error: 5xx © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 16. HTTP Session State  HTTP is stateless Protocol  Solutions – Cookies – Sessions – Hidden variable – URL encode parameter( /index.php?session_id=$session_code) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 17. Web Architecture Extension  Two tier architecture is not enough  Common Gateway Interface(CGI)  Standard protocol for interfacing with external application software with a web server  CGI program are executable programs that run on the web server. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 18. Javascript  Scripting language designed for dynamic, interactive web application  Run on client side.  Preprocessing data on the client before submission to a server.  Changing content type and styles © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 19. Three tier web architecture © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 20. Make HTTP to stateful(2)  Cookie  A text stored on a client’s computer by a web browser.  Sent as an HTTP Header  Can used for authenticating, session tracking © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 21. Server and Client Processing  Server-Side Processing  PHP  ASP  ASP.NET  Perl  J2EE  Python, Django  Ruby On Rail  Client-Side Processing  CSS  HTML  Javascript  Adobe Flash  Microsoft Silverlight © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 22. AJAX  Asynchronous Javascript and XML(AJAX)  Create by Jesse James Garrett, Febuary 18, 2005  Ajax Incorporates  XHTML, CSS, Document Object Model(DOM), XML and XSLT, XMLHttpRequest, Javascript © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 23. AJAX(2) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 24. AJAX(3) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 25. JSON  Javascript Object Notation(JSON)  JSON is lightweight computer data interchange format.  JSON is based on a subset of Javascript programming language.  Using of XML format. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 26. JSON Request && Response © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 27. JSON(2) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 28. XML  eXtensible Markup Language  Using for information exchange.  Two primary building blocks of XML are elements and attributes.  Elements are tags and have values.  Elements are structured as a tree.  Alternatively, elements may have both attributes as well as data.  Attributes help you to give more meaning and describe your element more efficiently and clearly. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 29. XML(2)  Tag  Element  Content © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 30. XML(3) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 31. XML(4) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 32. XML vs JSON © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 33. Web Services  Web service is a software system designed to support machine-to-machine intraction over a network.  Web service are frequently just used to Internet Application Programming Interfaces(API).  Web service use HTTP for transmitting messages(RPC,SOAP,REST) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 34. SOAP vs REST  SOAP(Simple Object Access Protocol) – Web service based on XML  REST(Representational State Transfer) – Web service represent in format of application © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 35. SOAP vs REST © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 36. SOAP Example Reference:: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges. html © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 37. REST Example Reference:: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges. html © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 38. Web Architecture Attack © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 39. Web Architecture Reference :: Web Application Hacking/Security 101(https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95L yMs/edit#slide=id.p) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 40. Web Architecture Attack Reference :: Web Application Hacking/Security 101(https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95L yMs/edit#slide=id.p) © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 41. OWASP 2013  Injection  Broken Authentication and Session Management  Cross-Site Scripting(XSS)  Insecure Direct Object Rerefence  Security Misconfiguration  Sensitive Data Exposure  Missing Function Level Access Control  Cross-Site Request Forgery(CSRF)  Using Components with Known Vulnerability  Unvalidated Redirects and Forwards © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 42. Security Controls & Mechanism © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 43. Security Control  Application Layer  Network Layer © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 44. Application Layer  Input Validation  Sessions Management  Authentication Method  Strong Policy(Such as password policy)  Same-Origin Policy © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 45. Network Layer  Firewall  Intrusion Detection System/Intrusion Prevention System(IDS/IPS)  Web Application Firewall(WAF)  Centralize Log Server © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 46. Network Layer Diagram Reference :: http://www.umv.co.kr/main_eng/sm_enterprise.php © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
  • 47. Questions www.i-secure.co.th © Copyright 2013 ACIS i-secure Co., Ltd. The information contained herein is subject to change without notice.