A Back-Stage Pass: What Every Hacker Wants Presented by: Art Jones.

Presentation transcript:

A Back-Stage Pass: What Every Hacker Wants Presented by: Art Jones

A Back-Stage Pass
What does the web do? What is its purpose? It is a communications medium, like print or paint or clay or even music, only digital. Digital = easy to create, change, copy, move. Easy = cheap to produce, cheap to distribute. As with any medium, "good don't come cheap." There are very few masters of more than one medium.

A Back-Stage Pass
A bit of a history lesson
Clarify some terms
Understand how modern web systems work
See where security breaks down
Some basics...

A very general overview of how a web browser gets a web page...
[Diagram: Web Client (browser), DNS Server, Web Service, Disk Drive, Internet]
1. User requests URL:
2. Browser / operating system get the IP address from the DNS server.
3. Browser opens a connection to the web server's address, specifying port #80, and issues a message: "GET /webconference". (Messages use HTTP.)
4. Web service looks in its /webconference directory. Because a specific file was not requested, the service checks its rules and looks for a default name.
5. The web service then copies the file from its directory back to the browser, using HTTP.
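Steps 3 to 5 in code, as an added example that is not part of the original presentation: a request line is split, the request target is mapped to a file under the service's document root, and a directory request falls through to a default document. The default-document names and the constructed docroot are assumptions; the realpath comparison is the check a practitioner adds so the "checks its rules" step can never serve a file outside the published tree.

```python
import os
import tempfile
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Default document names tried when the URL names a directory (assumed rule
# set; the slide only says the service "checks its rules").
DEFAULT_DOCUMENTS = ("index.html", "index.htm", "default.htm")


def parse_request_line(line: str) -> Tuple[str, str]:
    """Split an HTTP request line such as 'GET /webconference HTTP/1.0'."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1]


def resolve_document(docroot: str, target: str) -> Optional[str]:
    """Map a request target to the file the service would copy back (step 4),
    or None when nothing should be served (a 404).

    The realpath comparison is the guard a practitioner adds so that '..'
    segments or symlinks cannot reach files outside the published tree.
    """
    root = os.path.realpath(docroot)
    path = unquote(urlsplit(target).path)          # drop ?query, decode %xx
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None                                 # escapes the docroot
    if os.path.isdir(candidate):                    # no file named: use rules
        for name in DEFAULT_DOCUMENTS:
            default = os.path.join(candidate, name)
            if os.path.isfile(default):
                return default
        return None                                 # directory, no default doc
    return candidate if os.path.isfile(candidate) else None


def build_demo_docroot() -> str:
    """Create a throw-away docroot holding a constructed /webconference page."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "webconference"))
    with open(os.path.join(root, "webconference", "index.html"), "w") as f:
        f.write("<html><body>web conference</body></html>\n")
    with open(os.path.join(root, "about.html"), "w") as f:
        f.write("<html><body>about</body></html>\n")
    return root
```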

Terms
Client = computer that wants data
Server = computer with the data
Service = software that provides the data
DNS = Domain Name Service
IP = Internet Protocol
HTTP = Hyper-Text Transfer Protocol
HTML = Hyper-Text Markup Language

Things you need to keep in mind: DNS lookups take time and network bandwidth (usually not much, but consider scaling factors), and DNS servers can be hacked to re-direct clients. The web server with the real data is never contacted.
[Diagram: Web Client (browser), Corrupted DNS Server, EVIL Web Server, Web Service, Internet. Captions: "What's the address for www.psu.edu?" / "Give me the data" / "Data: please enter your credit card number..."]

Things you need to keep in mind: Web servers generally allow anonymous access to their data resources. This is accomplished by aliasing the unknown internet user as an account known to the server (IUSR_Servername, Apache, Anonymous). Data access uses this account's permissions in the operating system.
[Diagram: Internet, Web Service, Disk Drive. The Internet-to-service conversation is anonymous (but can be forced to be authenticated, creating intra/extra-nets); the service-to-disk conversation is aliased with a known account name.]

Encryption & Authentication
[Diagram: Web Client (browser), Certificate Authority Service, Web Service, Disk Drive, Internet]
1. Client requests secure connection to service (port 8080)
2. Service responds: "here is my public key"
3. Client to certificate authority: "I am trying to contact a service, here is the key it gave me."
4. Certificate authority to client: "looks good to me."
5. Client to web service:

Terms
Encryption
Authentication
PKI
 - Public Key
 - Private Key
Certificate
HTTPS

A closer look at web services: compiled program using the Common Gateway Interface (CGI)
[Diagram: Internet, Web Service, Disk Drive, Compiled Program]
CGI programs allow dynamic web page content: HTML is built when a page is requested, instead of existing statically on disk. Simple uses would be hit counters, real-time server reports, generating pages from web-based forms, etc. A compiled program executes quickly, and its code can be kept elsewhere.

A closer look at web services: compiled program using the Internet Services Application Program Interface (ISAPI; sometimes called ISAPI filters)
[Diagram: Internet, Web Service, Disk Drive, Compiled Program]
Microsoft's answer to CGI. Programs are saved as .DLL files. The web service recognizes hits to particular file types as requests for ISAPI-generated data. Used in Microsoft's web-based server administration system.

A closer look at web services: command interpreter
[Diagram: Internet, Web Service, Disk Drive, Command Interpreter]
Cold Fusion's model: put the web service and the command interpreter in one program. This allowed mixing of HTML and program code within a single file. Its primary use is for database-driven web pages.

A closer look at web services: ISAPI filter that interprets programming code (ASP, PHP)
[Diagram: Internet, Web Service, Disk Drive, ISAPI filter]
Microsoft introduced Active Server Pages (ASP), which interprets code in the Visual Basic Script (or JavaScript) language. This allowed mixing HTML and programming code. It is implemented as an ISAPI .DLL file, building on their previous system, and took advantage of their large base of VB programmers.

Other options
[Diagram: Internet, Web Service, Disk Drive, ISAPI filter that interprets programming code, Compiled Program]

Tying to databases
[Diagram: Internet, Web Service, Disk Drive, Compiled program or ISAPI filter, Database Service]

Tying to databases
[Diagram: Internet, Web Service, Disk Drive, ISAPI filter that interprets programming code, ODBC/JDBC, Database Service (MS-SQL, MySQL, etc.)]

Terms
CGI
ISAPI Filter
ASP/PHP/JSP
ODBC/JDBC
CF

Security concerns
[Diagram: Internet, Web Service, Disk Drive, Compiled program or ISAPI filter, Database Service]
Scripts are typically run in the context of the web service user (usually an anonymous account).
Database services usually maintain their own accounts and security permissions (with some really open defaults).
Communication between the script and the DB must use a DB account.
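The three concerns on this slide turned into a review check, as an added example that is not part of the original presentation: the DB account a script connects with is audited for built-in admin names, open-default passwords, any-host login and privileges beyond what a web script needs. The admin-account and high-risk privilege lists are assumptions, as is the MySQL-style host pattern.

```python
from dataclasses import dataclass, field
from typing import List

# Built-in administrative accounts that ship with common database services
# (assumed list; the slide only speaks of "really open defaults").
ADMIN_ACCOUNTS = {"sa", "root", "postgres", "admin", "dba"}
# Privileges a web script almost never needs; their presence is a finding.
HIGH_RISK_PRIVILEGES = {"ALL", "ALL PRIVILEGES", "GRANT OPTION", "FILE",
                        "SUPER", "DROP", "CREATE USER", "SHUTDOWN"}


@dataclass
class DbAccount:
    """The database account a web script uses (constructed for this example)."""
    user: str
    password: str
    host_pattern: str = "localhost"   # MySQL-style host part; '%' means anywhere
    privileges: List[str] = field(default_factory=list)


def audit_db_account(acct: DbAccount) -> List[str]:
    """Return human-readable findings; an empty list means the account fits
    the least-privilege shape a script-to-DB connection should have."""
    findings = []
    if acct.user.lower() in ADMIN_ACCOUNTS:
        findings.append(f"script connects as built-in admin account {acct.user!r}")
    if acct.password == "":
        findings.append("empty password (the classic open default)")
    elif acct.password.lower() in {acct.user.lower(), "password", "changeme"}:
        findings.append("password is trivially guessable")
    if acct.host_pattern in ("%", "*", ""):
        findings.append("account may log in from any host, not only the web server")
    risky = sorted({p.upper() for p in acct.privileges} & HIGH_RISK_PRIVILEGES)
    if risky:
        findings.append("privileges exceed a web script's needs: " + ", ".join(risky))
    return findings
```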

Client-side operations
[Diagram: Internet, Web Client: IE, Netscape/Mozilla, crawlers, varying platform capabilities (PDAs, etc.)]
Know your audience. Define your audience and give warnings. You may have to accommodate non-optimal client platforms (and connections).

Client-side operations
[Diagram: Internet, Browser: HTML variants, scripting languages (JavaScript, VB-Script), plug-ins to handle non-HTML files, MIME mappings to launch other applications, Java]
The browser and other applications launched through the browser run in the context of the user, and will be constrained by the user's permissions. Many clients work very similarly to web browsers, with scripting, plug-ins, MIME mappings, etc. The big difference is their built-in ability to send messages, allowing worm propagation. The biggest security concern is the user.

What about XML?
[Diagram: Internet, Web Client, Data-seeking programs]
XML is just another language like HTML. XML can be used to hold data, independently of presentation. Data is transferred in XML-encoded format, and it is up to the client program to do something with the data: maybe display it, maybe process it, maybe just store it. Put these technologies together and you get "Web Services", which allow for authoritative sources of data and are the basis for the .NET and J2EE architectures.

Lessons:
Know your specific architecture. Web developers, web and DB admins, and network admins must all cooperate to secure the server side.
Don't tell people who don't need to know. ("...what every hacker wants!")
Understand the contexts where programs will run. The servers/services, the accounts used at each step, and the target clients are all important.

Questions?