Protocols, Web Sessions, and Security Issues

Application Layer Protocols

Popular application layer protocols include:

  • HTTP: An HTML page is transmitted over the web in a standard way and format known as Hypertext Transfer Protocol (HTTP). This protocol uses TCP/IP to manage the web transmission.
  • HTTPS: This protocol provides security for sensitive data by transmitting the HTML page in an encrypted form. A web page using this protocol will have https: at the beginning of its URL.
  • FTP: This protocol provides a method for copying files over a network from one computer to another. It can also be used for downloading from the web but, more often than not, downloading is done via HTTP. Sites that have a lot of downloading (software sites, for example) will often have an FTP server to handle the traffic. If FTP is involved, you will see ftp: at the beginning of the URL.

HTTP Protocol

When you click a hyperlink in a web browser, the following steps occur:

  1. A TCP/IP virtual communication channel is created from the browser to the web server specified in the URL.
  2. An HTTP GET request (used to download static web pages from the web server) or an HTTP POST request (used to submit data to the web server) is sent through this channel to the destination web application, which reads any data the user submitted and composes an HTML file.
  3. The HTML file is sent back to the web browser as an HTTP response through the same TCP/IP channel.
  4. The TCP/IP channel is shut down.
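The messages exchanged in steps 2 and 3, as an added example that is not part of the original page: a small builder for the GET and POST requests the browser sends, and a parser for the response the server returns. The host name, path and the sample response are constructed for illustration.

```python
# Added example (not from the original page): building the HTTP request that
# step 2 sends over the TCP channel and parsing the response from step 3.
from typing import Dict, Tuple

CRLF = "\r\n"

def build_request(method: str, path: str, host: str, body: str = "") -> bytes:
    """Compose an HTTP/1.1 GET or POST message as the browser would send it."""
    if method not in ("GET", "POST"):
        raise ValueError("only GET and POST are shown here")
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if method == "POST":
        # Form data travels in the body, so its type and length must be declared.
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body.encode())}")
    return (CRLF.join(lines) + CRLF + CRLF + body).encode()

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP response into status code, headers, and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split(CRLF)
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Use Content-Length, not the end of the TCP stream, to delimit the body.
    length = int(headers.get("content-length", len(body)))
    return status, headers, body[:length]

# Constructed sample response, as a server might answer a GET for a small page.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"<html><body>Hello, web!</body></html>"
)
```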

Web Sessions

Today’s consumers who use the web to do their shopping do so during what can be called a web session. For example, the popular website Amazon allows you to pick out items by clicking on a button that submits an HTML form. The HTTP or HTTPS requests that occur when your browser connects with an application are part of such a session, and the session ends either when you close a browser or purchase the item (Tao, 2008).

However, HTTP itself is stateless and does not retain data from one request to the next, so websites and browsers collect useful session data using other mechanisms (Tao, 2008):

  • Web/browser cookies. A cookie is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Cookies were designed to help you use the web more efficiently, but security concerns about them sometimes lead users to disable them.
  • Hidden fields. If cookies are disabled, hidden form fields in web applications can store data. When the user submits the form, the data that the user entered and the data in the hidden fields are sent to the application together.
  • Server-side session objects. These objects store the history of the connection between a client and the server on the server itself rather than on the client machine.

Web Security Issues

Web applications provide consumers and businesses significant conveniences. Purchases from sites like Amazon, as well as online banking, take place via web applications. Since critical consumer and business information is exchanged through these web applications, security is a major issue.

When bank accounts are accessed or items are purchased on the web, data has to be exchanged with back-end databases. These databases are targeted by hackers because they contain critical information. In addition, hackers can go after consumers' information directly by redirecting consumers to malicious sites.

Here are two of the top issues related to web applications:

  • SQL injection: Structured Query Language (SQL) is a special language used to tell a database what to do. An SQL injection is a form of attack on a database-driven website, typically used to steal information. For example, a query (a set of instructions) might carry parameters (data) that the database interprets as instructions. This can cause the website to stop working properly (Sutherland, 2012). Such a problem can be avoided by sending the instructions and the data separately, so that the database understands and “sees” the difference. Queries written this way are called parameterized queries (Sutherland, 2012).
[Figure: A syringe representing an SQL injection. Source: qtipd, Wikimedia Commons]
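The difference between pasting data into the instruction and sending it separately, as an added example that is not part of the original page: the same login lookup written both ways against an in-memory SQLite table with constructed sample rows. The table, user names and the tampered input are assumptions for the demonstration.

```python
# Added example (not from the original page): one login query written with
# string concatenation and with a parameterized query, run on an in-memory
# SQLite database holding constructed sample rows.
import sqlite3
from typing import Dict, List

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_concat(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Vulnerable: user input is pasted into the instruction text, so a quote
    character in the data changes what the database is told to do."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]

def login_param(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Safe: the instruction is fixed; the driver passes the values separately,
    so they can only ever be compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

# Constructed password value that is valid SQL syntax rather than a password.
TAMPERED = "x' OR '1'='1"

def demo() -> Dict[str, List[str]]:
    conn = make_db()
    return {
        "honest_concat": login_concat(conn, "alice", "s3cret"),
        "tampered_concat": sorted(login_concat(conn, "alice", TAMPERED)),
        "honest_param": login_param(conn, "alice", "s3cret"),
        "tampered_param": login_param(conn, "alice", TAMPERED),
    }
```

With the concatenated query the tampered value matches every row, while the parameterized query simply finds no user with that literal password.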

[Figure: An end user stores information on a web server that is vulnerable to an XSS attack.]

  • Cross-site scripting: Cross-site scripting (XSS) enables attackers to inject client-side script into web pages viewed by other users. For example, imagine a victim using a web application (e.g., email or an e-commerce site) who is currently logged into an account. If the injected script runs while the victim is logged in, it can send the victim's session information to the attacker's email account. The attacker can then use that session and act as the victim while the victim is still using the application. This is an example of session hijacking using XSS.
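The server-side session objects described under Web Sessions and the two defenses that blunt the XSS session hijack above, as an added example that is not part of the original page: sessions keyed by an unguessable cookie, a Set-Cookie header that keeps the id away from client-side script, and HTML escaping so injected markup is displayed rather than run. The session store, cookie name and sample comment are constructed for the demonstration.

```python
# Added example (not from the original page): server-side session objects
# keyed by a random cookie, the Set-Cookie flags that keep the id out of
# reach of injected script, and output escaping for user-supplied text.
import html
import secrets
from typing import Dict, Optional

# Server-side session objects: connection history lives here, keyed by an
# opaque id; the browser only ever holds the id.
SESSIONS: Dict[str, dict] = {}

def create_session(user: str) -> str:
    """Start a session for a logged-in user and return its id."""
    sid = secrets.token_urlsafe(32)   # unguessable, unlike a counter
    SESSIONS[sid] = {"user": user, "cart": []}
    return sid

def set_cookie_header(sid: str) -> str:
    """HttpOnly keeps the id out of document.cookie, so script injected by
    XSS cannot read and send it; Secure limits the cookie to HTTPS."""
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def session_from_cookie(cookie_header: str) -> Optional[dict]:
    """Resolve the browser's Cookie header back to the server-side object."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None

def render_comment(author: str, text: str) -> str:
    """Escape user-supplied values before placing them in HTML, so a
    submitted <script> tag is shown as text instead of executed."""
    return (f"<div class=\"comment\"><b>{html.escape(author)}</b>: "
            f"{html.escape(text)}</div>")

# Constructed sample of a comment carrying script (steal() is hypothetical).
INJECTED = "<script>steal(document.cookie)</script>"
```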

References

Sutherland, G. (2012, December 20). How can I explain SQL injection without technical jargon? [Blog post]. Information Security Stack Exchange. http://security.stackexchange.com/questions/25684/how-can-i-explain-sql-injection-without-technical-jargon

Tao, L. (2008). A tutorial on XHTML and XML. http://csis.pace.edu/~lchen/sweet/tutorials/htmlXmlTutorial.pdf

Licenses and Attributions

Thin Syringe from Wikimedia Commons is available under a Creative Commons CC0 1.0 Universal Public Domain Dedication. UMGC has modified this work and it is available under the original license.

Simple Monitor Icon from Wikimedia Commons is in the public domain. Gnome-network-server by GNOME icon artists from Wikimedia Commons is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license. Cartoon Cloud by egyninja from Wikimedia Commons is available under a Creative Commons CC0 1.0 Universal Public Domain Dedication. UMGC has modified these works and they are available under the original licenses.