This log covers HTTP requests, responses, stateful web applications, and security.

How the Internet Works

A URL is like the address or phone number you need in order to visit or communicate with a friend. [1]

A URL is the most commonly used kind of Uniform Resource Identifier (URI): a URI that also says how to locate the resource.

A URL such as http://www.example.com:88/home?item=book breaks into five parts:

  • Scheme, http
  • Host, www.example.com
  • Port, 88 (the default port for HTTP is 80; when the default is used the port is usually left out of the URL)
  • Path, /home
  • Query string parameters, ?item=book

Requests

Request Method

A full list of HTTP request method definitions can be found at w3.org.

GET, used to retrieve a resource. Any data it sends travels in the URL, so it is limited in size and ends up in browser history, server logs and Referer headers, which is why a GET request must not carry secrets; the response, however, can be anything.

POST, used to send data to a server or to initiate an action on the server. It can carry larger payloads (images, video) and sensitive data (username/password) in the body rather than in the URL, though without HTTPS the body is still readable by anyone watching the network.

The data sent via a POST request is contained in the HTTP body, the part of an HTTP message that carries the data being transmitted.

HTTP headers carry additional information in both directions of the request/response cycle. Headers are colon-separated name-value pairs in plain text, one per line, and header names are case-insensitive. Common request header fields are Host, User-Agent and Connection.

Responses

A response is the data the server returns.

An HTTP status code is a three-digit number the server sends back after handling a request, telling the client how the request went.

A full list of HTTP status codes can be found at w3.org.

Common HTTP status codes are 200 (OK), 404 (Not Found), 500 (Internal Server Error), and 302 (Found).

302 (Found) is a redirect: the server answers with a Location header naming a new URL, and the client re-issues the request there instead of at the original URL.

Like request headers, response headers provide additional information about the resource being sent, for example Content-Type, Content-Length and Set-Cookie.
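The request and response formats described in the two sections above, as an added example that is not part of the original notes: a minimal parser for the raw text of an HTTP/1.1 request and response. It shows the pieces the notes list (request line or status line, colon-separated header lines, a blank line, then the body) and adds the check a practitioner wants, that the declared Content-Length matches the body. The two sample messages are constructed for the example.

```javascript
// Added example: parse raw HTTP/1.1 request and response text. Not code from
// the notes; the sample messages below are constructed.
const CRLF = '\r\n';

// Header names are case-insensitive, so they are normalized to lower case.
// A header line without a colon is malformed and is rejected rather than
// silently skipped.
function parseHeaders(lines) {
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx <= 0) throw new Error('malformed header line: ' + JSON.stringify(line));
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = value;
  }
  return headers;
}

// Split a raw message at the first blank line into start line, headers, body.
function splitMessage(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  if (sep < 0) throw new Error('no blank line between headers and body');
  const head = raw.slice(0, sep).split(CRLF);
  return { startLine: head[0], headers: parseHeaders(head.slice(1)), body: raw.slice(sep + 4) };
}

// A body whose length disagrees with Content-Length is a framing error;
// refuse it instead of guessing where the message ends.
function checkLength(headers, body) {
  const declared = headers['content-length'];
  if (declared !== undefined && Buffer.byteLength(body) !== Number(declared)) {
    throw new Error('Content-Length does not match body');
  }
}

// Request line: METHOD TARGET VERSION
function parseRequest(raw) {
  const { startLine, headers, body } = splitMessage(raw);
  const [method, target, version] = startLine.split(' ');
  if (!method || !target || !version) throw new Error('bad request line');
  checkLength(headers, body);
  return { method, target, version, headers, body };
}

// Status line: VERSION CODE REASON
function parseResponse(raw) {
  const { startLine, headers, body } = splitMessage(raw);
  const m = /^(HTTP\/\d\.\d) (\d{3}) ?(.*)$/.exec(startLine);
  if (!m) throw new Error('bad status line');
  checkLength(headers, body);
  return { version: m[1], status: Number(m[2]), reason: m[3], headers, body };
}

// Constructed sample: a POST login request with a form body (27 bytes).
const sampleRequest =
  'POST /login HTTP/1.1' + CRLF +
  'Host: www.example.com' + CRLF +
  'User-Agent: example-client/1.0' + CRLF +
  'Content-Type: application/x-www-form-urlencoded' + CRLF +
  'Content-Length: 27' + CRLF +
  CRLF +
  'username=alice&password=pw1';

// Constructed sample: a 302 redirect that also sets a session cookie.
const sampleResponse =
  'HTTP/1.1 302 Found' + CRLF +
  'Location: /home' + CRLF +
  'Set-Cookie: sid=abc123; HttpOnly; Secure; Path=/' + CRLF +
  'Content-Length: 0' + CRLF +
  CRLF;

console.log(parseRequest(sampleRequest));
console.log(parseResponse(sampleResponse));
```

Note that the password in the sample request is plain text inside the body: this is exactly what packet sniffing reads when the exchange is not wrapped in TLS.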

Stateful Web Application

Session

After authentication the server sends the client a session identifier (a unique, unpredictable token). The client then includes that token in every later request, which lets the server tie otherwise independent requests together. HTTP itself is stateless, so this is what creates the appearance of a persistent connection between requests.

To use sessions the server has to:

  1. Inspect every request to see whether it contains a session ID
  2. Verify the session ID against the stored session data
  3. Retrieve the session data for that ID
  4. Recreate the application state from that data

Cookies

A cookie is a small piece of data that the server sends to the client in a response (Set-Cookie header) and that the client stores and sends back with later requests to the same site (Cookie header).

On each request, the session ID carried by the cookie is looked up against the server-side session data to identify the current session.

The session ID is stored on the client, but it is only a key: the session data it points to stays on the server.

AJAX

Asynchronous JavaScript and XML (AJAX) lets a page send requests to the server asynchronously, without a full page reload. Each response is handled by a callback (a piece of logic that runs when the response arrives).

Security

Over plain HTTP, both requests and responses travel as plaintext strings. Anyone who can observe the traffic (packet sniffing) can read them, including cookies and submitted passwords.

With HTTPS, every request and response is encrypted before it leaves the client or the server: HTTP is carried over TLS (Transport Layer Security), a cryptographic protocol that provides confidentiality and integrity for the messages and lets the client authenticate the server.

Same-origin Policy

The same-origin policy prevents scripts from one site from reading or manipulating documents that belong to another site. It is an important guard against session hijacking, because a script on an attacker's page cannot read the cookies or responses of another origin. Two documents have the same origin when they share the same:

  • Protocol
  • Host
  • Port number

Cross-origin resource sharing (CORS) is a mechanism that lets a server permit resources on its origin to be requested from another origin. It works by adding HTTP headers: the browser sends an Origin header with the cross-origin request, and the server answers with Access-Control-Allow-Origin naming the origin it allows; if the server does not allow it, the browser withholds the response from the page.

Session Hijacking

Once the username and password match, the session ID is stored in the browser. If an attacker obtains that ID, attacker and user share the same session, and the attacker can use the web application as that user without ever knowing the password.

Countermeasures for session hijacking are:

  • Resetting the session by issuing a new ID on every successful login
  • Setting an expiration time on sessions
  • Using HTTPS across the entire app, so the ID is never sent in the clear

Cross-Site Scripting (XSS)

Attackers can craft malicious HTML and JavaScript that, once injected into a page, runs in the browser of everyone who later visits it. This can be very destructive both to those future visitors and, through the actions their browsers are made to perform, to the server.

The injected code bypasses the same-origin policy because it is served from, and therefore runs as part of, the vulnerable site's own origin: it can read the site's cookies and make requests as the logged-in user.

Countermeasures for XSS are,

  • Always validate user input; stripping the string <script> on its own is not enough, because attackers use other tags and event-handler attributes (for example <img onerror=...>) that carry script just as well
  • Escape all user-supplied data when displaying it, using the encoding for the context it lands in (HTML text, HTML attribute, JavaScript, URL)
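The two countermeasures above side by side, as an added example that is not part of the original notes: the same comment-rendering code written with a <script> blocklist (the vulnerable way) and with output escaping (the hardened way), run over constructed payloads that a blocklist does not catch.

```javascript
// Added example: XSS via a tag blocklist versus output escaping. Not code
// from the notes; the payloads below are constructed for the demonstration.

// Escape the five characters that can change meaning inside HTML text or a
// double-quoted attribute value. Apply at output time, every time.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: remove one tag from the comment body, then concatenate the raw
// input into the page. The author name is not filtered at all.
function renderCommentBlocklist(author, text) {
  const cleaned = text.replace(/<script>/gi, '');
  return `<div class="comment" data-author="${author}">${cleaned}</div>`;
}

// Hardened: encode every piece of user data at the point where it is placed
// into HTML, in both the attribute and the text context.
function renderCommentEscaped(author, text) {
  return `<div class="comment" data-author="${escapeHtml(author)}">${escapeHtml(text)}</div>`;
}

// Constructed payloads. None of them is stopped by deleting "<script>".
const payloads = [
  '<img src=x onerror=alert(document.cookie)>',  // no script tag at all
  '<scr<script>ipt>alert(1)</script>',          // deleting once re-forms the tag
  '"><script>alert(1)</script>',                 // breaks out of the attribute
];

// Rough leak check for this demo: does a real <script> or <img> tag (not an
// escaped &lt;...&gt; sequence) survive into the output?
function leaks(html) {
  return /<(script|img)\b/i.test(html);
}

// Run every payload through both renderers as author and as text.
function demo() {
  return payloads.map((p) => ({
    payload: p,
    blocklistLeaks: leaks(renderCommentBlocklist(p, p)),
    escapedLeaks: leaks(renderCommentEscaped(p, p)),
  }));
}

console.table(demo());
```

escapeHtml is only right for HTML text and quoted attribute values; data placed inside a script block, an inline event handler or a URL needs the encoding for that context, which is why escaping is applied at output rather than by scrubbing input once on the way in.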

[1] https://launchschool.com/books/http/read/what_is_a_url