Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Published byJazmyn Hayton Modified over 9 years ago

Similar presentations

Presentation on theme: "Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"— Presentation transcript:

1 Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University http://adamdoupe.com

2 Adam Doupé, Security and Vulnerability Analysis Overview We've seen how the web works –URIs –HTTP –HTML We looked at how to dynamically generate HTML pages –Server-side code languages –SQL databases We've looked at how to dynamically modify HTML on the client's machine –JavaScript

3 Adam Doupé, Security and Vulnerability Analysis How to Design a Web Application Depends on the framework you use CGI applications –One single file that responds to multiple path infos (ala Assignment 1 Part 3) –Multiple files that each respond to their own path PHP applications –Typically many files that correspond 1-1 with a URL ASP applications –Classic ASP is the same as PHP

4 Adam Doupé, Security and Vulnerability Analysis "Natural" PHP code <?php session_start(); $_SESSION['username'] = 'admin'; $username_param = $_GET['username']; if ($username_param != $_SESSION['username']) { if ($_SESSION['username'] != 'admin') { echo " Sorry, you can only view your own comments. "; exit(0); } } $username = $_SESSION['username']; ?>

5 Adam Doupé, Security and Vulnerability Analysis "Natural" PHP code CS 177 Comments Welcome for debugging purposes you are: Here are the comments <?php $db = sqlite_open("comments.sqlite"); $query = "select * from comments where username = '". sqlite_escape_string($username_param). "';"; $res = sqlite_query($query, $db); if ($res) { while ($entry = sqlite_fetch_array($res, SQLITE_ASSOC)) { ?> - <?php } ?>

6 Adam Doupé, Security and Vulnerability Analysis "Natural" PHP code Make your voice heard! " method="POST"> Logout <?php } else { ?> Error <?php } ?>

7 Adam Doupé, Security and Vulnerability Analysis Spaghetti Code How maintainable is this code? –Imagine all the files are like this –You want to change how comments are stored, giving them extra metadata –You must change every single SQL query in every PHP files that touches the comments, as well as all the outputs HTML output intermixed with SQL queries intermixed with PHP code

8 Adam Doupé, Security and Vulnerability Analysis Tight Coupling URLs to Scripts The natural way to design a web application is to map every (vaild) URL to a specific script that gets executed URLs look like: –http://example.com/add_comment.php –http://example.com/view_comments.php –http://example.com/users/view_users.php –http://example.com/admin/secret.php And map directly to the following file structure –add_comment.php –view_comments.php –users/view_users.php –admin/secret.php Is this necessary?

9 Adam Doupé, Security and Vulnerability Analysis

10 Model-View-Controller User Interface design framework –A way to separate the concerts of a GUI –Originally created in the early '90s Popularized by Ruby on Rails to structure the server-side code of web applications

11 Adam Doupé, Security and Vulnerability Analysis

12 Separation of Concerns Model –Handles all the "business logic" of the application –Stores the application state View –Responsible for generating a view for the user of the data from the model –Usually a simple templating system to display the data from the model Controller –Responsible for taking input from the user, fetching the correct data from the model, then calling the correct view to display the data –Should be very simple

13 Adam Doupé, Security and Vulnerability Analysis Object Relational Mapping As a programmer, you don't need to worry about the database or "SQL" language Rails (ActiveRecord) – user = User.create(name: "David", occupation: "Code Artist") – david = User.find_by(name: 'David') – david.destroy() – Article.where('id > 10').limit(20).order('id asc')

14 Adam Doupé, Security and Vulnerability Analysis Routing Define a mapping between URLs and server-side functions Also define parameters that get passed to the function from the URL Rails example: class BooksController < ApplicationController def update @book = Book.find(params[:id]) if @book.update(book_params) redirect_to(@book) else render "edit" end

15 Adam Doupé, Security and Vulnerability Analysis Routing class BooksController < ApplicationController def index @books = Book.all end

16 Adam Doupé, Security and Vulnerability Analysis Templating Define the view as a simplified language –Input: well-defined variables or dictionaries –Output: HTML (or JSON or XML, …) Ruby on Rails uses ERB: Listing Books … …

17 Adam Doupé, Security and Vulnerability Analysis Modern Web Application Frameworks Many different frameworks for all languages (not a comprehensive list) Ruby –Ruby on Rails Python –Django –Flask PHP –CakePHP ASP –ASP.NET MVC Java –Spring MVC

18 Adam Doupé, Security and Vulnerability Analysis Homework Submission System

Download ppt "Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"

Similar presentations

PHP I.

PHP I.
Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.

Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.
Copyright © 2004 ProsoftTraining, All Rights Reserved. Lesson 11: Advanced Web Technologies.

Copyright © 2004 ProsoftTraining, All Rights Reserved. Lesson 11: Advanced Web Technologies.
Introduction to JavaScript

Introduction to JavaScript
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
DT228/3 Web Development WWW and Client server model.

DT228/3 Web Development WWW and Client server model.
Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.

Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.
Multiple Tiers in Action

Multiple Tiers in Action
Active Server Pages Chapter 1. Introduction Understand how browsers and servers interacted when the Web was young Understand what early Internet and intranet.

Active Server Pages Chapter 1. Introduction Understand how browsers and servers interacted when the Web was young Understand what early Internet and intranet.
Apache Tomcat Server Typical html Request/Response cycle

Apache Tomcat Server Typical html Request/Response cycle
1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.

1 The World Wide Web Architectural Overview Static Web Documents Dynamic Web Documents HTTP – The HyperText Transfer Protocol Performance Enhancements.
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Java Server Team 8. Overview What is a Java Server? History Architecture Advantages Disadvantages Current Technologies Conclusion.

Java Server Team 8. Overview What is a Java Server? History Architecture Advantages Disadvantages Current Technologies Conclusion.
CS 638 Web Programming Lifecycle examples Supplement to segment 4.

CS 638 Web Programming Lifecycle examples Supplement to segment 4.
Web Integration to an Appx Backend Server. Unix web servers + CGI Win2K web servers + ASP Win2K web servers + ODBC Processing requests Generating HTML.

Web Integration to an Appx Backend Server. Unix web servers + CGI Win2K web servers + ASP Win2K web servers + ODBC Processing requests Generating HTML.
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)

1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
ITM352 Javascript and Dynamic Web Pages: Client Side Processing.

ITM352 Javascript and Dynamic Web Pages: Client Side Processing.
Server Side Scripting Norman White. Where do we do processing? Client side – Javascript (embed code in html) – Java applets (send java program to run.

Server Side Scripting Norman White. Where do we do processing? Client side – Javascript (embed code in html) – Java applets (send java program to run.
August 20061 Chapter 1 - Essential PHP spring into PHP 5 by Steven Holzner Slides were developed by Jack Davis College of Information Science and Technology.

August Chapter 1 - Essential PHP spring into PHP 5 by Steven Holzner Slides were developed by Jack Davis College of Information Science and Technology.

Similar presentations

Ads by Google