Web Applications Architecture Review Part 2


Time: 2 hours 5 minutes
Difficulty: Beginner
CEU/CPE: 3
Video Transcription
00:00
Hello, everyone, and welcome back to the course, Identifying Web Attacks Through Logs.
00:05
After our brief review of Web application architecture, let's now talk about HTTP and TCP.
00:12
First, consider this affirmation.
00:14
One of the differences between TCP and UDP is that TCP establishes a connection through a process called a three-way handshake.
00:22
Is this affirmation true or false?
00:26
This affirmation is true.
00:28
The three-way handshake is the process that TCP uses to establish the connection between the client and the server.
00:35
UDP does not do this. It only sends the packets.
00:39
That's why TCP is called connection-oriented and UDP is connectionless.
00:45
Later, we will talk about the impact of the TCP three-way handshake on log analysis.
00:51
Let's start by talking about the learning objectives
00:53
in this video. The learning objectives are a brief review of HTTP, followed by a review of the IP and TCP model. After that, I'll present our infrastructure lab.
01:03
Let's start by talking about HTTP.
01:06
HTTP means Hypertext Transfer Protocol.
01:10
Here's the definition of what a protocol is.
01:12
A protocol is a set of rules to allow communication.
01:15
The set of rules is defined in an RFC. You can check it on this Web page.
01:21
As we said before, with HTTP the clients will send questions to the server. The server will then answer.
01:26
HTTP is how the clients and server talk.
01:30
Two things are really important to know.
01:33
First,
01:34
HTTP methods are sent by the clients, and they tell the Web server what the clients want to do.
01:40
The second one is the status code.
01:42
The status code is a way in which Web servers tell clients what the server did with the request.
01:49
In summary,
01:51
the browser will send a GET and it goes through a network.
01:53
The Web server receives it and answers back with a status code,
01:57
the Web client will get the answer and show you the page.
02:01
The method is like a command;
02:04
the HTTP status code is the result of this command.
02:07
So what are these HTTP methods?
02:13
Here is a table of methods. The most commonly used are the GET and POST methods.
02:19
GET requests resources like a file, an image, or some other resource.
02:23
POST sends something to the Web server, like usernames or passwords.
02:29
The RFC classifies the methods with some properties.
02:32
One of these properties is whether the method is safe.
02:36
A safe method is one that is read-only.
02:38
The method should not change anything on the Web server.
02:42
However, as we have seen in this course,
02:45
GET could be used to perform attacks like brute-force attacks or HTTP floods.
02:51
Other properties can be found in Section 4.2 of the RFC.
02:55
Now the status code.
02:58
The status code will tell us how the Web server processed the client's request.
03:01
The most common codes fall into five families of codes:
03:06
the 100s are informational codes;
03:09
the 200s are codes for successful operations;
03:13
the 300s mean redirections;
03:15
the 400s mean client error, i.e. the client performed an incorrect request;
03:21
and the 500s indicate a server error. The Web server could not answer the request because of an error.
03:27
This can be caused by attacks, misconfiguration, or overload.
03:34
In this slide, I will review the most common status codes.
03:38
It's important to know some of them.
03:39
Let's discuss some:
03:42
200 means OK.
03:44
This means that the Web server answered and the client got the answer.
03:47
302 is the most common for redirections.
03:52
This happens when one Web page sends you to another.
03:54
For example,
03:55
after you put in your username and password, the Web application could send you to another Web page.
04:01
404 occurs when the Web server doesn't find the requested resource. It could be a typing error from the user, a wrong Web page called in the code, or someone trying to find information.
04:12
You can check all the codes in the RFC.
04:15
After this brief review of HTTP, let's talk about TCP/IP.
04:20
HTTP is an application protocol like DNS or SMTP.
04:26
Since HTTP is an application protocol, it uses the application layer, and it is located at the top of both the OSI and TCP/IP models.
04:36
HTTP uses lower layers to reach a destination like clients and servers.
04:43
Usually,
04:44
HTTP uses TCP port 80;
04:46
other ports like
04:47
8080 are possible as well.
04:50
If you see an S after HTTP, the S stands for secure.
04:56
It means that the HTTP is transferred encrypted.
04:59
The most common port for HTTPS is 443.
05:02
Like HTTP, it's possible to see HTTPS running on a lot of TCP ports.
05:10
Now,
05:11
why should we care about TCP/IP if the Web server and clients use HTTP?
05:17
As I said,
05:18
HTTP uses TCP/IP.
05:21
To clarify, here we have a packet capture for a communication between a client and a Web server.
05:28
The first three lines are the TCP/IP communication, the three-way handshake.
05:32
The TCP/IP communication is handled by the Web server operating system.
05:38
HTTP doesn't care about this.
05:40
If a client is a Web browser, it will tell the operating system that a three-way handshake will occur, and the operating system will reach out to the Web browser saying, "Hey, we're connected with the server.
05:51
You can use this connection to send your HTTP information."
05:58
Then the next line is the HTTP request. Here again,
06:01
this means that HTTP and HTTPS communications only start after the TCP three-way handshake.
06:10
The Web server will only log the HTTP or HTTPS requests.
06:15
For this communication, the Web server will only show one log line.
06:20
To finish,
06:21
here are the topologies that we will use during our course.
06:25
We have an attacker machine and a vulnerable Web application.
06:29
The Web application is the OWASP Broken Web Applications Project.
06:34
Between the attacker and the application, there is a firewall.
06:40
Everything here is virtual.
06:42
The process will be that we will use the attacker machine to attack the Web application.
06:46
After the attack, you study the logs and analyze them to identify the attack.
06:55
We also have a Web server on the Internet to get some real logs.
06:59
These logs will be used as an example.
07:00
Now,
07:01
answer the question:
07:03
match the Web server status code on the left with its description on the right.
07:12
Here you have the answers.
07:14
Just remember, 200 means success or OK.
07:18
For the next question, consider this scenario.
07:20
You are a SOC analyst,
07:23
and someone shows you the packet capture below.
07:27
Suppose that you need the Web server logs.
07:30
How many lines will you have in the Web server log for this communication?
07:33
A) two lines, B) four lines, C) one line, or D) zero lines.
07:44
The answer is letter C, one line.
07:46
As we said before, the HTTP communication starts after the three-way handshake;
07:51
we only have one http request.
07:55
What that means is that we only have one log line.
08:01
In this video we talked about HTTP and two important components:
08:05
HTTP methods, sent by the clients to the Web server, and HTTP status codes, sent from the Web server to the clients as the answer.
08:13
Finally,
08:13
we reviewed a little of the TCP/IP protocol and how it's related to HTTP.
08:18
In the next video,
08:20
we will talk about logs and their importance.
08:22
We will identify key information in the Web server logs;
08:26
after that, we will do some analysis on the most common Web server software logs, like Apache, NGINX, and Microsoft IIS.