Web Applications Architecture Review Part 2


Time: 2 hours 5 minutes
Difficulty: Beginner
CEU/CPE: 3
Video Transcription
00:00
Hello, everyone, and welcome back to the course Identifying Web Attacks Through Logs.
00:05
After our brief review of Web application architecture, let's now talk about HTTP and TCP.
00:12
First, consider this affirmation.
00:14
One of the differences between TCP and UDP is that TCP establishes a connection through a process called a three-way handshake.
00:22
Is this affirmation true or false?
00:26
This affirmation is true.
00:28
The three-way handshake is the process that TCP uses to establish the connection between the client and the server.
00:35
UDP does not do this. It only sends the packets.
00:39
That's why TCP is called connection-oriented and UDP is connectionless.
00:45
Later, we will talk about the impact of the TCP three-way handshake on log analysis.
00:51
Let's start by talking about the learning objectives
00:53
in this video. The learning objectives are a brief review of HTTP, followed by a review of the TCP/IP model. After that, I'll present our lab infrastructure.
01:03
Let's start by talking about HTTP.
01:06
HTTP means Hypertext Transfer Protocol.
01:10
Here's the definition of what a protocol is.
01:12
A protocol is a set of rules to allow communication.
01:15
The set of rules is defined in an RFC. You can check it on this Web page.
01:21
As we said before, with HTTP the clients will send questions to the server. The server will then answer.
01:26
HTTP is how the clients and the server talk.
01:30
Two things are really important to know.
01:33
First,
01:34
HTTP methods are sent by the clients, and they tell the Web server what the clients want to do.
01:40
The second one is the status code.
01:42
The status code is the way in which Web servers tell clients what the server did with the request.
01:49
In summary,
01:51
the browser will send a GET and it goes through a network.
01:53
The Web server receives it and answers back with a status code.
01:57
The Web client will get the answer and show you the page.
02:01
The method is like a command;
02:04
the HTTP status code is the result of this command.
02:07
So what are these HTTP methods?
02:13
Here is a table of methods. The most commonly used are the GET and POST methods.
02:19
GET requests resources like a file, an image, or some other resource.
02:23
POST sends something to the Web server, like user names or passwords.
02:29
The RFC classifies the methods with some properties.
02:32
One of these properties is whether the method is safe.
02:36
A safe method is one that is read-only.
02:38
The method should not change anything on the Web server.
02:42
However, as we have seen in this course,
02:45
GET could be used to perform attacks like brute force attacks or HTTP floods.
02:51
Other properties can be found in Section 4.2 of the RFC.
02:55
Now the status code.
02:58
The status code will tell us how the Web server processed the client's request.
03:01
The most common codes fall into five families of codes:
03:06
the one hundreds are informational codes;
03:09
the two hundreds are codes for successful operations;
03:13
the three hundreds mean redirections;
03:15
the four hundreds mean client error, i.e. the client performed an incorrect request;
03:21
and the five hundreds indicate a server error: the Web server could not answer the request because of an error.
03:27
This can be caused by attacks, misconfiguration or overload.
03:34
In this slide, I will review the most common status codes.
03:38
It's important to know some of them.
03:39
Let's discuss some.
03:42
200 means OK.
03:44
This means that the Web server answered and the client will get the answer.
03:47
302 is the most common for redirections.
03:52
This happens when one Web page sends you to another.
03:54
For example,
03:55
after you put in your user name and password, the Web application could send you to another Web page.
04:01
404 occurs when the Web server doesn't find the requested resource. It could be a typing error from the user, a wrong Web page called in the code, or someone trying to find information.
04:12
You can check all the codes in the RFC.
04:15
After this brief review of HTTP, let's talk about TCP/IP.
04:20
HTTP is an application protocol, like DNS or SMTP.
04:26
Since HTTP is an application protocol, it uses the application layer, and it is located at the top of both the OSI and TCP/IP models.
04:36
HTTP uses the lower layers to reach a destination, like clients and servers.
04:43
Usually,
04:44
HTTP uses TCP port 80;
04:46
other ports like
04:47
8080 are possible as well.
04:50
If you see an S after HTTP, the S stands for secure.
04:56
It means that the HTTP traffic is transferred encrypted.
04:59
The most common port for HTTPS is 443.
05:02
Like HTTP, it's possible to see HTTPS running on a lot of TCP ports.
05:10
Now,
05:11
why should we care about TCP/IP if the Web server and clients use HTTP?
05:17
As I said,
05:18
HTTP uses TCP/IP.
05:21
To clarify, here we have a packet capture of a communication between a client and a Web server.
05:28
The first three lines are the TCP/IP communication, the three-way handshake.
05:32
The TCP/IP communication is handled by the Web server's operating system.
05:38
HTTP doesn't care about that.
05:40
If the client is a Web browser, it will tell the operating system that a three-way handshake should occur, and the operating system will reach back to the Web browser saying, Hey, we're connected with the server.
05:51
You can use this connection to send your HTTP information.
05:58
Then the next line is the HTTP request. Here again,
06:01
this means that HTTP and HTTPS communications only start after the TCP three-way handshake.
06:10
The Web server will only log the HTTP or HTTPS requests.
06:15
For this communication, the Web server will only show one log line.
06:20
To finish,
06:21
here are the two topologies that we will use during our course.
06:25
We have an attacker machine and a vulnerable Web application.
06:29
The Web application is the OWASP Broken Web Applications Project application.
06:34
Between the attacker and the application, there is a firewall.
06:40
Everything here is virtual.
06:42
The process will be that we use the attacker machine to attack the Web application.
06:46
After the attack, you check the logs and analyze them to identify the attack.
06:55
We also have a Web server on the Internet to get some real logs.
06:59
These logs will be used as an example.
07:00
Now
07:01
answer the question:
07:03
match the Web server status code on the left with its description on the right.
07:12
Here you have the answers.
07:14
Just remember, 200 means success or OK.
07:18
For the next question, consider this scenario.
07:20
You are a SOC analyst
07:23
and someone shows you the packet capture below.
07:27
Suppose that you need the Web server logs.
07:30
How many lines will you have in the Web server log for this communication?
07:33
A: two lines. B: four lines. C: one line. Or D: zero lines.
07:44
The answer is letter C, one line.
07:46
As we said before, the HTTP communication starts after the three-way handshake;
07:51
we only have one HTTP request.
07:55
What that means is that we only have one log line.
08:01
In this video we talked about HTTP and two important components:
08:05
HTTP methods, sent by the clients to the Web server, and HTTP status codes, sent from the Web server to the clients as the answer.
08:13
Finally,
08:13
we reviewed a little of the TCP/IP protocol and how it's related to HTTP.
08:18
In the next video,
08:20
we will talk about logs and their importance.
08:22
We will identify key information in the Web server logs.
08:26
After that, we will do some analysis on the most common Web server software logs, like Apache, Nginx, and Microsoft IIS.
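The following Python script is an added example; it is not part of the transcript or of the Cybrary course materials. It ties together the two points of the video: first, given a packet capture like the one in the quiz (TCP three-way handshake followed by one HTTP request), only the HTTP request produces a Web server access-log line; second, the access-log lines that do get written can be parsed into method and status code, the status code mapped to its family (1xx to 5xx), and the counts summarized per client, which is the starting point for spotting the 404 probing and 5xx errors the video mentions. The capture, the log lines and the IP addresses are constructed for the example, and the Apache combined log format is assumed for parsing.

```python
import re
from collections import Counter

# Constructed packet capture, as the transcript describes it: the TCP
# three-way handshake handled by the operating system, then a single HTTP
# request and its response. Addresses are hypothetical.
SAMPLE_CAPTURE = [
    {"src": "10.0.0.5",  "dst": "10.0.0.80", "proto": "TCP",  "info": "[SYN]"},
    {"src": "10.0.0.80", "dst": "10.0.0.5",  "proto": "TCP",  "info": "[SYN, ACK]"},
    {"src": "10.0.0.5",  "dst": "10.0.0.80", "proto": "TCP",  "info": "[ACK]"},
    {"src": "10.0.0.5",  "dst": "10.0.0.80", "proto": "HTTP", "info": "GET /login HTTP/1.1"},
    {"src": "10.0.0.80", "dst": "10.0.0.5",  "proto": "HTTP", "info": "HTTP/1.1 200 OK"},
]

# Request methods defined by the HTTP RFC; a capture line starting with one
# of these is a request, everything else (handshake, response) is not logged.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}


def expected_access_log_lines(packets):
    """Count the access-log lines a Web server writes for a capture.

    Only HTTP requests are logged: the handshake never reaches the Web
    server process, and the response is recorded on the request's line.
    """
    return sum(1 for p in packets
               if p["proto"] == "HTTP" and p["info"].split(" ", 1)[0] in HTTP_METHODS)


# Constructed Apache combined-format access log lines (hypothetical hosts).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /admin.php HTTP/1.1" 404 209 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:56:03 +0000] "GET /index.php?id=1' HTTP/1.1" 500 0 "-" "curl/7.88"
"""

# Client IP, timestamp, request line (method, path, version), status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The five status-code families from the video, keyed by the leading digit.
FAMILIES = {1: "informational", 2: "success", 3: "redirection",
            4: "client error", 5: "server error"}


def status_family(code):
    """Map a numeric status code to its family name."""
    return FAMILIES.get(code // 100, "unknown")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(log_text):
    """Count methods and status families overall and per client IP."""
    methods, families, by_client = Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fam = status_family(rec["status"])
        methods[rec["method"]] += 1
        families[fam] += 1
        by_client.setdefault(rec["ip"], Counter())[fam] += 1
    return {"methods": dict(methods), "families": dict(families),
            "by_client": {ip: dict(c) for ip, c in by_client.items()}}


def noisy_clients(log_text, threshold=0.5):
    """Return client IPs whose share of 4xx/5xx responses exceeds threshold.

    A high error ratio is the kind of signal the course later builds on:
    many 404s look like someone probing for files, 5xx may mean malformed
    or malicious input reached the application.
    """
    flagged = []
    for ip, fams in summarize(log_text)["by_client"].items():
        total = sum(fams.values())
        errors = fams.get("client error", 0) + fams.get("server error", 0)
        if total and errors / total > threshold:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print("log lines expected for the capture:", expected_access_log_lines(SAMPLE_CAPTURE))
    print(summarize(SAMPLE_LOG))
    print("clients with a high error ratio:", noisy_clients(SAMPLE_LOG))
```

Running the script reports one expected log line for the capture (the handshake contributes nothing), a method count of five GETs and one POST, two success, one redirection, two client error and one server error responses, and flags 10.0.0.9 as the client whose requests are mostly errors. The threshold in `noisy_clients` is a tunable starting point for a real log, not a rule: a single user mistyping URLs will also produce 404s, so the ratio is a reason to look closer, not a verdict.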
Course: Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.