Web Applications Architecture Review Part 2

00:00

Hello, everyone, and welcome back to the course. Identifying Web attacks through logs

00:05

After our brief review of Web application architecture, er, let's now talk about http and TCP

00:12

first, consider this affirmation.

00:14

One of the differences between TCP and UDP is that TCP establishes a connection through a process called a three way handshake.

00:22

Is this affirmation true or false?

00:26

This affirmation is true.

00:28

The three way handshake is the process that TCP uses to establish the connection between the client and the server.

00:35

UDP does not do this. It only sends the packets.

00:39

That's why TCP is called connection oriented and UDP is connection lists.

00:45

Later, we will talk about the impact of TCP to a handshake in the log. Analysis.

00:51

Let's start talking about learning objectives

00:53

in this video. The learning objectives are a brief review of http, followed by our view of the I P and TCP model. After I'll present our infrastructure lab.

01:03

Let's start talking about http

01:06

http. Means hypertext transfer protocol.

01:10

Here's the definition of what a protocol is.

01:12

A protocol is a set of rules to allow communication.

01:15

The set of rules is defined in RFC. You can check it in this Web page.

01:21

As we said before with http, the clients will send questions to the server. The server will then answer

01:26

the http is how the clients and server talk

01:30

two things are really important to know.

01:33

First,

01:34

http methods are sent by the clients, and they tell the Web server what the clients want to do.

01:40

The second one is the status code.

01:42

The status code is a way in which Web servers tell clients what the server did with the request.

01:49

In summary,

01:51

the browser will send a get and it goes through a network.

01:53

The Web server receives it and answers back With a status code,

01:57

the Web client will get the answer and show you the page.

02:01

The method is like a comment

02:04

http Status code is a result of this comment.

02:07

So what are these http methods

02:13

Here is a table of methods. The most commonly used are get and post methods

02:19

get request results like a file image or some other resource.

02:23

Post send something to the Web server like user names or passwords.

02:29

RFC classifies the methods with some properties.

02:32

One of these properties is if the method is safe,

02:36

a safe method is one that is read. Only.

02:38

The methods should not change anything on the Web server,

02:42

However, as we, as we have seen in this course,

02:45

get could be used to perform attacks like brute force attacks or http floods.

02:51

Other properties can be found in Section 4.2 of the RFC.

02:55

Now the status code.

02:58

The status code will tell us how the Web server processes the client requests.

03:01

The most common codes are inside. Five families of code

03:06

the one hundreds. These are informational codes

03:09

to hundreds are codes for successful operations,

03:13

300 mean re directions.

03:15

Four hundreds mean client error. IE. The client performed an incorrect request,

03:21

and the 500 indicate a server error. The Web server could not answer the request because of an error.

03:27

This can be caused by attacks, mis configuration or overload.

03:34

In this slide, I will review the most common status codes.

03:38

It's important to know some of them.

03:39

Let's discuss some

03:42

the 200 means. Okay,

03:44

this means that the Web server answered and the client would get the answer.

03:47

302 is the most common for re directions.

03:52

This happens when 11 Web page sends you to another.

03:54

For example,

03:55

after you put in your user name and password, the Web application could send you to another Web. Page

04:01

404 occurs when the Web server doesn't find the requested resource. It could be a typing error from the user. Wrong Web page called in the Code or someone trying to find information.

04:12

You can check all the codes in the RFC

04:15

after this brief review of http. Let's talk about T c p I, P

04:20

http is an application protocol like DNS or SMTP.

04:26

Since http is an application protocol, it uses the application layer, and it is located at the top of both the OS I and T C P I. P. Models.

04:36

Http uses lower layers to reach a destination like clients and servers.

04:43

Usually,

04:44

http uses TCP poor 80

04:46

other ports like

04:47

80 80 are possible as well.

04:50

If you see an s after http, the s stands for secure.

04:56

It means that the http is transferred encrypted.

04:59

The most common port to https is 443

05:02

Like http, it's possible to see the https running in a lot of TCP ports.

05:10

Now,

05:11

why should we care about t c p i p if the web server and clients and use http

05:17

As I said

05:18

http uses TCP i p

05:21

to clarify. Here we have a package capture for a communication between a client and a Web server.

05:28

The first three lines are the TCP I p communication, the three way handshake.

05:32

The TCP I P communication is handled by the Web server operational system.

05:38

The http doesn't care about

05:40

if a client is a Web browser, it will say to the operational system that a three way handshake will occur and the operational system will reach out to the Web browser saying, Hey, we're connected with the server.

05:51

You can use this connection to send your http information.

05:58

Then the next line is the http request here again,

06:01

this means that http and https communications Onley start after the TCP three way handshake.

06:10

The Web server will only log the http or https requests

06:15

for this communication. The Web server will only show one logline

06:20

to finish.

06:21

Here are the two apologies that we will use during our course.

06:25

We have an attacker machine in a vulnerable Web application.

06:29

The Web application is the a WASP broken web application project application

06:34

between the attacker and the application, there is a firewall.

06:40

Everything here is virtual.

06:42

The process will be that we will use the attack our machine to attack the web application.

06:46

After the attack, you start the logs, you analyze them to identify the attack.

06:55

We also have a Web server on the Internet To get some real locks.

06:59

Thes longs will be used as an example.

07:00

Now

07:01

answer the question

07:03

length Web server status code on the left with its description on the right

07:12

Here you have the answers.

07:14

Just to remember the 200 means success or okay,

07:18

for the next question, consider this scenario.

07:20

You are a stock analyst

07:23

and someone shows to you a package capture a package capture below.

07:27

Suppose that you need the Web server locks.

07:30

How many lines will you have in the Web server log for this communication

07:33

A two lines. Be four lines. See one line or D zero lines.

07:44

The answer is letter C one line.

07:46

As we said before the http communication starts after the three way handshake,

07:51

we only have one http request.

07:55

What that means is that we only have one logline

08:01

in this video we talked about http and two important components.

08:05

Http methods sent by the clients to the Web server and http status code sent from the Web server to the clients as the answer.

08:13

Finally,

08:13

we reviewed a little TCP I p Protocol and how it's related to http.

08:18

In the next video,

08:20

we will talk about logs and their importance.

08:22

We will identify key information in the Web server logs