The OWASP Foundation OWASP Education Computer based training The Basics Nishi Kumar IT Architect Specialist, FIS Chair, Software Security.

1 The OWASP Foundation http://www.owasp.org
OWASP Education Computer based training: The Basics
Nishi Kumar, IT Architect Specialist, FIS; Chair, Software Security Forum at FIS; OWASP CBT Project Lead; OWASP Global Industry Committee; Nishi.Kumar@owasp.org
Keith Turpin, The Boeing Company, IT Technical Security Assessments Lead; OWASP Secure Coding Practices Lead; OWASP Global Projects Committee; keith.turpin@owasp.org
Kuai Hinojosa, New York University, Web Applications Specialist; OWASP board member, New York and NJ Metro; OWASP Global Industry Committee; kuai.hinojosa@owasp.org

2 Objectives
Introduction to HTTP
Client Side Technology
Server Side Technology
Introduction to Testing Tools

3 Introduction to HTTP
The web runs on HTTP, the Hypertext Transfer Protocol, an application-level protocol carried over TCP. HTTP works in Requests and Responses: every Request from the client (for example a web browser) is answered with a single Response from the web server.
HTTP Requests and Responses are composed of a header section and a body of content; the body is optional. A Request only carries a body when application parameters, like form values, are being sent to the server. A Response almost always carries a body, because this is the content the browser ends up displaying to the user.

4 A Request header can contain a number of fields. The following are some of the most common:
Request line (for example "GET / HTTP/1.1"): the method, the path being requested and the HTTP protocol version
Host: the name of the host server
User-Agent: tells the server what software and version the browser is
Accept: tells the server what kind of media the client accepts
Referer: tells the server the URL of the page the client came from (the misspelling is part of the protocol)
Cookie: sends back any cookie the browser holds for that server
Every one of these fields is written by the client and can be changed before it is sent, so the server must not treat any of them as trustworthy.

5 Here is an extract of the Request header that was sent when www.google.com was accessed:
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 (CK-zz) Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://news.google.com/nwshp?hl=en&tab=wn
Cookie: PREF=ID=f6ef60580a614694...

6 The Response header is normally shorter than the Request header and also contains a number of optional fields. Here is an extract of the Response sent back when inside.boeing.com was accessed:
HTTP Header
HTTP/1.1 200 OK
Date: Sun, 17 Apr 2011 19:54:28 GMT
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Length: 39239
HTTP Body
The Response Body contains all the HTML and pointers to images, cascading style sheets, JavaScript files etc. Content-Length gives the size of that body in bytes, which is how the browser knows where the response ends.
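The request and response layout described on the last few slides, as an added example (not code from the OWASP slides): a small parser for raw HTTP/1.1 messages that shows where the request line, the headers and the body sit, checks the body against Content-Length, and names the status class of a response code. The two sample messages are constructed here to mirror the slides' Google request and 200 OK response; the HTML body is made up. Run it with node.

```javascript
// Added example, not from the OWASP slides: a small parser for raw HTTP/1.1
// messages. Sample messages below are constructed to mirror the slides.

const CRLF = "\r\n";

// Split a raw message at the first blank line: everything before it is the
// start line plus headers, everything after it is the body.
function parseMessage(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split(CRLF);
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    if (colon === -1) continue; // skip a malformed header line
    // Field names are case-insensitive; repeated fields are joined with ", ".
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return { startLine: lines[0], headers, body };
}

// Request start line: "METHOD target HTTP/version".
function parseRequest(raw) {
  const { startLine, headers, body } = parseMessage(raw);
  const [method, target, version] = startLine.split(" ");
  return { method, target, version, headers, body };
}

// Response status classes, keyed by the first digit of the status code.
const STATUS_CLASSES = {
  1: "Informational",
  2: "Successful",
  3: "Redirection",
  4: "Client Error",
  5: "Server Error",
};

// Response start line: "HTTP/version code reason". Content-Length counts
// bytes, so the body is measured in bytes to detect a truncated message.
function parseResponse(raw) {
  const { startLine, headers, body } = parseMessage(raw);
  const [version, code, ...reason] = startLine.split(" ");
  const status = Number(code);
  const declared = headers["content-length"] === undefined
    ? null
    : Number(headers["content-length"]);
  return {
    version,
    status,
    reason: reason.join(" "),
    statusClass: STATUS_CLASSES[Math.floor(status / 100)] || "Unknown",
    headers,
    body,
    // true when no length was declared or the body has exactly that many bytes
    bodyComplete: declared === null || Buffer.byteLength(body, "utf8") === declared,
  };
}

// Constructed sample request, modelled on the slide's Firefox request to Google.
const SAMPLE_REQUEST =
  "GET / HTTP/1.1" + CRLF +
  "Host: www.google.com" + CRLF +
  "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15" + CRLF +
  "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + CRLF +
  "Referer: http://news.google.com/nwshp?hl=en&tab=wn" + CRLF +
  "Cookie: PREF=ID=f6ef60580a614694" + CRLF +
  CRLF;

// Constructed sample response with a made-up HTML body; Content-Length is
// computed from the body so the two agree.
const SAMPLE_BODY = "<html><body><h1>Hello</h1></body></html>";
const SAMPLE_RESPONSE =
  "HTTP/1.1 200 OK" + CRLF +
  "Date: Sun, 17 Apr 2011 19:54:28 GMT" + CRLF +
  "Cache-Control: private, max-age=0" + CRLF +
  "Content-Type: text/html; charset=UTF-8" + CRLF +
  "Content-Length: " + Buffer.byteLength(SAMPLE_BODY, "utf8") + CRLF +
  CRLF +
  SAMPLE_BODY;

const req = parseRequest(SAMPLE_REQUEST);
console.log(req.method, req.target, "from", req.headers["user-agent"].split(" ").pop());
const res = parseResponse(SAMPLE_RESPONSE);
console.log(res.status, res.reason, "->", res.statusClass, "body complete:", res.bodyComplete);
```

Header names are lower-cased on the way in because HTTP treats them case-insensitively; a parser that looks up "Content-Length" but receives "content-length" would otherwise miss the field and read the body wrongly, which is exactly the kind of mismatch between two parsers that request smuggling attacks rely on.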

7 The server response code tells the browser the status of the request. "200 OK" is probably the most common response code, because it means everything worked as expected and the server returned the requested web page. Most users never see it, though; they are more familiar with what happens when they request a resource the server cannot find and get response code "404 Not Found".

8 Server response codes are grouped into five major categories, identified by the first digit of the three-digit code, each of which contains more specific responses. The major categories are:
1xx Informational: a provisional response that will be followed by a final response.
2xx Successful: the client's request was successfully received, understood, and accepted.
3xx Redirection: the client is being redirected to another URL, or further action needs to be taken by the user agent.
4xx Client Errors: the client appears to have erred (a malformed request, missing authentication, a resource that does not exist).
5xx Server Errors: the server is aware that it has erred or is incapable of performing the request.

9 HTML
HTML stands for Hypertext Markup Language. The current specification is HTML5, first published as a W3C working draft in January 2008 (it became a W3C Recommendation in October 2014). You can find out more at www.w3.org.
HTML is not a programming language. It is a language for describing document structure and formatting. HTML allows web pages to have a better user interface. HTML supports active text and object linking. HTML tags are not case sensitive.

10 HTML achieves formatting and structure through the use of tags. The unit that a pair of tags delimits is formally called an "element". An HTML tag is enclosed between the "less than" and "greater than" symbols, < and >. Tags usually come in pairs, but there are exceptions. The ending tag includes a "/" to distinguish it from a starting tag. Tags can have attributes that affect the element's rendering or function. The slide's example is a start tag carrying an attribute, the text it applies to (Some item being formatted) and the matching end tag.

11 Basic Web Page
The slide shows the markup for a page whose title is "This is the page title", containing the text "Test Page 1" and a link labelled "Linking Text".

12 Basic Web Page - continued

13 Creating a Simple Form
The slide shows the markup for a page titled "This is the page title" containing a form introduced by the text "This is a simple form example (In this example the submit does not function)", with a "User Name:" text field and an "Enter Password" field.

14 Creating a Simple Form - continued

15 Sending Form Data with GET
The "method" attribute of the FORM tag sets the HTTP method the form will use to send its data to the server; it is usually GET or POST.
The GET method appends the form data to the end of the URL as name=value pairs built from the form field names and the data entered. If the form submits to "FormProcessor.asp", a request line like the following is sent to the web server:
GET /FormProcessor.asp?YourFirstName=Johnathan&pass=Test HTTP/1.1
? indicates the start of the form data
= associates the field name with the data entered
& separates one form field from the next
Because the data is part of the URL, it ends up in the browser history, in proxy and web server logs, and in the Referer header of any page linked from the result. A password field, as in this example, should never be sent with GET.

16 Sending Form Data with POST
The POST method places the form data in the body of the HTTP request, so the URL only shows where the form data is being sent for processing. If the form submits to "FormProcessor.asp", an HTTP request like the following is sent to the web server:
HTTP Header
POST /FormProcessor.asp HTTP/1.1
Host: inside.boeing.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
HTTP Body
YourFirstName=Johnathan&pass=Test
= associates the field name with the data entered
& separates one form field from the next
Content-Length states the number of bytes in the body of the request (33 for the body above)
Moving the data out of the URL keeps it out of logs and history, but it does not hide it from the user or from anyone between the browser and the server: the body is plain text and is just as easy to edit with an intercepting proxy.
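The GET and POST submissions of the last two slides, as an added example (not code from the OWASP slides): how a browser serialises form fields with the default application/x-www-form-urlencoded encoding, where the result lands in a GET request versus a POST request, and what the server gets back when it decodes them. The host inside.example.com, the action /FormProcessor.asp and the field values are assumed for illustration. Run it with node.

```javascript
// Added example, not from the OWASP slides: form field encoding for GET and
// POST. Host, action and field values are assumed.

const CRLF = "\r\n";

// application/x-www-form-urlencoded, the default encoding for HTML forms:
// name=value pairs joined with "&", "=" and "&" inside values percent-encoded,
// spaces written as "+". URLSearchParams implements exactly these rules.
function encodeFormFields(fields) {
  return new URLSearchParams(fields).toString();
}

// GET: the encoded fields are appended to the action after "?", so they become
// part of the request target (and of the URL the browser shows and logs).
function buildGetRequest(host, action, fields) {
  const target = action + "?" + encodeFormFields(fields);
  const raw = "GET " + target + " HTTP/1.1" + CRLF + "Host: " + host + CRLF + CRLF;
  return { target, raw };
}

// POST: the same encoding travels in the body and the request target stays
// clean. Content-Length is the byte count of the body; the encoded form is
// pure ASCII, so bytes and characters coincide here, but the header is
// defined in bytes and is computed as such.
function buildPostRequest(host, action, fields) {
  const body = encodeFormFields(fields);
  const length = Buffer.byteLength(body, "utf8");
  const raw =
    "POST " + action + " HTTP/1.1" + CRLF +
    "Host: " + host + CRLF +
    "Content-Type: application/x-www-form-urlencoded" + CRLF +
    "Content-Length: " + length + CRLF +
    CRLF +
    body;
  return { target: action, body, length, raw };
}

// Server side: reverse the encoding into a plain object of field values.
function decodeFormFields(encoded) {
  return Object.fromEntries(new URLSearchParams(encoded));
}

// Does the request line of a raw request expose the given field name?
// True for GET, false for POST: the line is what ends up in logs and history.
function fieldInRequestLine(raw, name) {
  const requestLine = raw.split(CRLF)[0];
  return requestLine.includes(name + "=");
}

const fields = { YourFirstName: "Johnathan", pass: "Test" };
const get = buildGetRequest("inside.example.com", "/FormProcessor.asp", fields);
const post = buildPostRequest("inside.example.com", "/FormProcessor.asp", fields);
console.log(get.raw);
console.log(post.raw);
console.log("password in request line: GET", fieldInRequestLine(get.raw, "pass"),
  "POST", fieldInRequestLine(post.raw, "pass"));
```

encodeFormFields is also where a value such as "a&b=c d" becomes "a%26b%3Dc+d": without that step the "&" and "=" inside the value would be read as field separators, which is the same class of confusion that injection attacks exploit at other layers.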

17 Client side programming with JavaScript
JavaScript is a client side programming language, which means it is executed by the web browser. It can be used to create simple dynamic web pages or as an important component of a large, feature-rich web application. JavaScript can be triggered to run by several different events, including but not limited to:
- A web page loads
- The user clicks on something
- The user moves their mouse over something on the page
- A key is pressed on the keyboard

18 Creating a Simple JavaScript
Note: While HTML is not case sensitive, JavaScript is.
The slide shows a page titled "JavaScript Example 1" with the text "This is the first JavaScript example." and the script:
alert("Hello! This is a JavaScript Alert.")
The script element declares the presence of client side scripting. In this example the alert method is used to create a pop-up alert box with the message: Hello! This is a JavaScript Alert

19 Web page with JavaScript

20 Creating a Remote JavaScript File
JavaScript can be included inline in an HTML document, as was done in the previous example, or it can be placed into a separate file and loaded from the HTML page using the script element and its "src" (source) attribute. A script loaded this way runs with exactly the same access to the page as inline code, so the server it is loaded from has to be as trusted as the page itself.
First we need to create a simple script to call from the main page:
myscript.js
alert("Hello! This is a JavaScript Alert.")

21 Creating an HTML File That Calls a Remote JavaScript
Now we need to create a page that loads the remote file. The slide shows a page titled "JavaScript Example 2" with the text "This is the second JavaScript example." and a script element whose src attribute refers to myscript.js.

22 Web Page with JavaScript as a Separate File

23 Server Side Programming Overview
Server side scripting and programming is a way for web application developers to embed or associate code with HTML documents. This code executes on the server before the server sends the response to the web client. Server side scripting offers some advantages:
- Unlike client side programming, the developer has control of the environment where the code executes.
- It can interact with other code on the server or act as middleware to interact with other systems, like databases, file servers and application servers.
Control of the environment does not extend to the input: everything in the request, from form fields to cookies and headers, was produced by the client and has to be validated before the server side code acts on it.

24 Character Encoding for the Web
Some characters cause problems when included in a URL. To address this, character encoding is used. URL encoding (percent-encoding) writes the character as a percent sign followed by the two hexadecimal digits of its byte value. Here are some examples:
Space = %20
# = %23
/ = %2F
> = %3E
? = %3F
< = %3C
HTML also uses encoding to display certain characters that would otherwise be read as markup, or that the browser would have difficulty displaying. These character references are written either as an ampersand, a number sign, the character's decimal code (or x followed by its hexadecimal code) and a semicolon, or as an ampersand, an entity name and a semicolon. Some examples:
Space (non-breaking) = &#160; = &nbsp;
< = &#60; = &lt;
® = &#174; = &reg;
Encoding data before placing it into a page is also how an application stops user-supplied text from being interpreted as markup or script by the browser.
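Both encodings from this slide, as an added example (not code from the OWASP slides): the URL table generated with the browser's own percent-encoder, a decoder that decodes exactly once and survives malformed input, and an HTML character-reference encoder and decoder covering named, decimal and hexadecimal forms. The entity names are the slide's plus the four characters that must always be encoded when untrusted text is written into a page; the string containing a script tag is a constructed sample of user input. Run it with node.

```javascript
// Added example, not from the OWASP slides: URL percent-encoding and HTML
// character references, with decoders for checking the round trip.

// URL side. encodeURIComponent percent-encodes (% plus two hex digits of each
// UTF-8 byte) everything except letters, digits and - _ . ! ~ * ' ( ).
function urlEncodeTable(chars) {
  const table = {};
  for (const c of chars) table[c] = encodeURIComponent(c);
  return table;
}

// Decode percent-encoding exactly once, as a server does: "%253C" yields "%3C",
// not "<". A malformed sequence (a "%" not followed by two hex digits, or bytes
// that are not valid UTF-8) makes decodeURIComponent throw; report null instead.
function urlDecodeOnce(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return null;
  }
}

// HTML side. Named references used on the slide, plus the ones for the
// characters that give user input meaning as markup.
const NAMED_ENTITIES = { nbsp: 160, lt: 60, gt: 62, amp: 38, quot: 34, reg: 174 };

// Encode the characters HTML would otherwise read as markup, so constructed
// input such as "<script>" is displayed as text rather than run.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, (c) => {
    switch (c) {
      case "&": return "&amp;";
      case "<": return "&lt;";
      case ">": return "&gt;";
      case '"': return "&quot;";
      default: return "&#39;"; // the apostrophe has no HTML 4 entity name
    }
  });
}

// Decode &name;, &#decimal; and &#xhex; references. Unknown names and
// out-of-range code points are left exactly as written.
function htmlDecode(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, ref) => {
    let cp;
    if (ref[0] === "#") {
      const hex = ref[1] === "x" || ref[1] === "X";
      cp = hex ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    } else {
      cp = NAMED_ENTITIES[ref];
    }
    if (cp === undefined || !Number.isFinite(cp) || cp > 0x10ffff) return match;
    return String.fromCodePoint(cp);
  });
}

// The slide's URL table, generated rather than typed in.
console.log(urlEncodeTable([" ", "#", "/", ">", "?", "<"]));
// Constructed sample of user input that must not be interpreted as markup.
const USER_INPUT = "<script>alert('x')</script> & more";
console.log(htmlEncode(USER_INPUT));
console.log(htmlDecode("&reg; &#174; &#xAE;"));
```

The decoder deliberately handles one layer only: if a filter decodes "%253C" twice it sees "<" while the application that decodes once sees "%3C", and the two disagree about what was sent. Any check on decoded data has to decode the same number of times as the code that uses it.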

25 Intercepting Request and Response
Use a proxy tool to intercept the request or response:
WebScarab by OWASP
Fiddler
HTTP Analyzer
This requires configuring a proxy in the browser, so that every request passes through the tool before it reaches the server and every response passes through it before it reaches the browser. Anything the browser sent, including hidden form fields, cookies and headers, can be changed at that point, which is why client side validation is a convenience for the user and never a control the server can rely on.

26 Proxy Setup in Internet Explorer

27 Proxy Setup in Mozilla Firefox

28 WebScarab by OWASP: a proxy tool

29 WebGoat by OWASP: teaches web application security issues
