roswift/HW14-Web-Development
HW14-Web-Development

Homework assignment for week 14 of the UCSD Cybersecurity Bootcamp

Questions

HTTP Requests and Responses

Answer the following questions about the HTTP request and response process.

  1. What type of architecture does the HTTP request and response process occur in?
  • Client-Server Architecture, on the Application Layer of the OSI Model.
  2. What are the different parts of an HTTP request?
  • The Request Line:
    • The first line of the HTTP request, which includes the following:
    • HTTP method:
      • GET
      • HEAD
      • POST
      • PUT
      • DELETE
      • CONNECT
      • OPTIONS
    • The request URI
    • The HTTP protocol version
  • The Request Header:
    • The request headers provide information about the nature of the request for the server's response.
    • Sample headers:
      • Connection
      • Host
      • Upgrade
      • Accept
      • User-Agent
      • Authorization
      • Referer
      • Cookie
  • The Request Body:
    • The data sent by the client to your API. A response body is the data your API sends to the client.
  3. Which part of an HTTP request is optional?
  • The optional part of the HTTP request is the body.
  4. What are the three parts of an HTTP response?
  • The three parts of an HTTP response are:
    • Status Line - protocol version in use & status code
      • Status Codes: 100s, 200s, 300s, 400s, and 500s
    • Header
    • Body - Optional
  5. Which number class of status codes represents errors?
  • 400 codes indicate client errors.
  • 500 codes indicate server errors.
  6. What are the two most common request methods that a security professional will encounter?
  • The two most common request methods are:
    • GET and POST
  7. Which type of HTTP request method is used for sending data?
  • The HTTP request method that is used for sending data is:
    • POST
  8. Which part of an HTTP request contains the data being sent to the server?
  • The part of an HTTP request that contains the data being sent to the server is:
    • The Request Body contains the actual data being sent, which is sent using the HTTP method POST
  9. In which part of an HTTP response does the browser receive the web code to generate and style a web page?
  • The part of an HTTP response which carries the web code is:
    • The Response Body
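The answers above describe the request line, headers and body of a request and the status line, headers and body of a response. The following Python script is an added example (it is not part of the homework) that splits raw messages into exactly those parts, classifies a status code by its leading digit, and checks that a declared Content-Length agrees with the body. The sample request and response inside it are constructed for the illustration; the method list is the one given above.

```python
"""Split raw HTTP/1.1 messages into the parts listed above.

Added example, not part of the original homework. The sample messages
below are constructed for this illustration; nothing is sent over a network.
"""
from dataclasses import dataclass, field

# Request methods from the list above; anything else is rejected by parse_request.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS"}


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)
    body: str = ""          # optional: empty for a body-less GET


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def _split_message(raw: str):
    """Return (start line, headers dict, body).

    Headers end at the first blank line; the body is whatever follows it,
    so a message without a blank line has an empty body.
    """
    for separator in ("\r\n\r\n", "\n\n"):
        if separator in raw:
            head, body = raw.split(separator, 1)
            break
    else:
        head, body = raw, ""
    lines = head.splitlines()
    start_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return start_line, headers, body


def parse_request(raw: str) -> HttpRequest:
    """Request line = method, request URI, protocol version."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {start!r}")
    method, uri, version = parts
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown request method: {method}")
    return HttpRequest(method, uri, version, headers, body)


def parse_response(raw: str) -> HttpResponse:
    """Status line = protocol version, status code, reason phrase."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {start!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return HttpResponse(parts[0], int(parts[1]), reason, headers, body)


def status_class(code: int) -> str:
    """Map a status code to its class by the leading digit (4xx/5xx are errors)."""
    classes = {1: "informational", 2: "success", 3: "redirection",
               4: "client error", 5: "server error"}
    return classes.get(code // 100, "unknown")


def content_length_matches(message) -> bool:
    """A Content-Length that disagrees with the body means a truncated or
    ambiguous message; a message without the header counts as consistent."""
    declared = message.headers.get("Content-Length")
    if declared is None:
        return True
    return int(declared) == len(message.body.encode())


# Constructed sample messages for the illustration.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "username=alice&password=xyz"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1>"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.method, req.uri, req.version, content_length_matches(req))
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp.status, status_class(resp.status), resp.headers)
```

Run it directly to see the parsed request line, the 404 classified as a client error, and the response headers; feed it a message whose Content-Length does not match the body to see the consistency check fail.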

Using curl

Answer the following questions about curl:

  1. What are the advantages of using curl over the browser?
  • A few advantages of using curl are:
    • Test web server security configurations
    • Authenticating
    • Using HTTP POST
    • Ensure web servers don't leak sensitive data through their HTTP responses
    • Verify that servers only respond to certain request types
    • SSL connections
    • Look for vulnerabilities on a web server
    • Downloading
  2. Which curl option is used to change the request method?
  • -X or --request are both options to change the request method.
  3. Which curl option is used to set request headers?
  • -H or --header are both options to set request headers.
  4. Which curl option is used to view the response header?
  • -i or --include are both options to view the response header.
  5. Which request method might an attacker use to figure out which HTTP requests an HTTP server will accept?
  • GET or OPTIONS are both viable options.
    • GET: would allow the attacker to request information from the server and see which requests can and cannot be accepted.
    • OPTIONS: is best because it allows the attacker to see which communication options are available for use.

Sessions and Cookies

  1. Which response header sends a cookie to the client?

    HTTP/1.1 200 OK
    Content-type: text/html
    Set-Cookie: cart=Bob
  • Set-Cookie is responsible for sending the cookie cart=Bob to the client.
  2. Which request header will continue the client's session?

    GET /cart HTTP/1.1
    Host: www.example.org
    Cookie: cart=Bob
  • Cookie will continue the client's session, in particular cart=Bob.
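The two answers above show the round trip: the server sets a cookie with Set-Cookie and the client returns it with Cookie on the next request. The Python script below is an added example (not part of the homework) that performs that round trip with the standard library's http.cookies module, using the page's own cart=Bob cookie plus a constructed hardened cookie (the name sid and value k3j2h1 are made up). It also reports which protective attributes (Secure, HttpOnly, SameSite) each cookie is missing, which is the first thing to check when a session cookie like cart=Bob shows up in a response.

```python
"""Follow a session from Set-Cookie (response) to Cookie (request).

Added example, not part of the original homework. It reuses the page's
cart=Bob exchange and adds a constructed cookie to show attribute checks.
"""
from http.cookies import SimpleCookie


def parse_set_cookie(header_values):
    """Load one or more Set-Cookie header values into a cookie jar."""
    jar = SimpleCookie()
    for value in header_values:
        jar.load(value)
    return jar


def cookie_header(jar) -> str:
    """Build the Cookie request header that continues the session.

    Only name=value pairs go back to the server; attributes such as
    Secure or HttpOnly are instructions to the browser and are never echoed.
    """
    return "; ".join(f"{name}={morsel.value}" for name, morsel in jar.items())


def missing_attributes(jar) -> dict:
    """Per cookie, which protective attributes the server did not set.

    Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it away from
    page scripts, SameSite limits cross-site sending. A bare cart=Bob has none.
    """
    report = {}
    for name, morsel in jar.items():
        missing = [attr for attr, key in (("Secure", "secure"),
                                          ("HttpOnly", "httponly"),
                                          ("SameSite", "samesite"))
                   if not morsel[key]]
        report[name] = missing
    return report


# The page's own exchange, followed by a constructed hardened cookie.
PAGE_SET_COOKIE = ["cart=Bob"]
HARDENED_SET_COOKIE = ["sid=k3j2h1; Secure; HttpOnly; SameSite=Lax; Path=/"]

if __name__ == "__main__":
    jar = parse_set_cookie(PAGE_SET_COOKIE)
    print("Cookie:", cookie_header(jar))
    print(missing_attributes(jar))
    print(missing_attributes(parse_set_cookie(HARDENED_SET_COOKIE)))
```

The Cookie header for the page's exchange comes out as exactly `cart=Bob`, and the report lists all three attributes as missing for it and none for the hardened cookie.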

Example HTTP Requests and Responses

HTTP Request

POST /login.php HTTP/1.1
Host: example.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Mobile Safari/537.36

username=Barbara&password=password
  1. What is the request method?
  • POST
  2. Which header expresses the client's preference for an encrypted response?
  • Upgrade-Insecure-Requests: 1
  3. Does the request have a user session associated with it?
  • The request DOES NOT have a user session associated with it.
  4. What kind of data is being sent from this request body?
  • Login credentials are sent in the body of this request:
    • username=Barbara&password=password

HTTP Response

HTTP/1.1 200 OK
Date: Mon, 16 Mar 2020 17:05:43 GMT
Last-Modified: Sat, 01 Feb 2020 00:00:00 GMT
Content-Encoding: gzip
Expires: Fri, 01 May 2020 00:00:00 GMT
Server: Apache
Set-Cookie: SessionID=5
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type: NoSniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

[page content]
  1. What is the response status code?
  • 200
  2. What web server is handling this HTTP response?
  • Server: Apache
  3. Does this response have a user session associated to it?
  • Yes - Set-Cookie: SessionID=5
  4. What kind of content is likely to be in the [page content] response body?
  • HTML page content, as given by the header Content-Type: text/html; charset=UTF-8.
  5. If your class covered security headers, what security request headers have been included?
  • The Security Request Headers in this example are listed below:
    • Strict-Transport-Security: max-age=31536000; includeSubDomains
    • X-Content-Type: NoSniff
    • X-Frame-Options: DENY
    • X-XSS-Protection: 1; mode=block
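The security headers listed above are the ones present in the example response; a reviewer usually also wants to know what is absent or non-standard. The Python script below is an added example (not part of the homework) that copies the example response's headers into a dict and audits them against the standard names: it checks the HSTS max-age, clickjacking protection via X-Frame-Options or a Content-Security-Policy frame-ancestors directive, and the standard MIME-sniffing header, which is X-Content-Type-Options: nosniff (the example's X-Content-Type: NoSniff is not a header browsers recognise, so the audit flags it). It also notes that X-XSS-Protection is deprecated in current browsers and that the Server header discloses the software in use. The hardened header set at the bottom is constructed for comparison.

```python
"""Audit HTTP response headers against the standard security header names.

Added example, not part of the original homework. EXAMPLE_RESPONSE_HEADERS is
copied from the response above; HARDENED_HEADERS is a constructed comparison.
"""
import re

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age

# Headers of the example response above, as a constructed dict.
EXAMPLE_RESPONSE_HEADERS = {
    "Server": "Apache",
    "Set-Cookie": "SessionID=5",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type": "NoSniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}

# A constructed set that passes every check below.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Content-Type": "text/html; charset=UTF-8",
}


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    # The standard header is X-Content-Type-Options; any other spelling is ignored by browsers.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-content-type" in h:
        findings.append("non-standard header X-Content-Type (browsers ignore it)")

    # Either X-Frame-Options or a CSP frame-ancestors directive blocks framing.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is deprecated; rely on Content-Security-Policy")
    if h.get("server"):
        findings.append(f"Server header discloses software: {h['server']}")
    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(EXAMPLE_RESPONSE_HEADERS):
        print("-", finding)
    print("hardened set findings:", audit_security_headers(HARDENED_HEADERS))
```

Header names are compared case-insensitively because HTTP header names are case-insensitive, while the nosniff value is lower-cased before comparison for the same reason.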

Monoliths and Microservices

  1. What are the individual components of microservices called?
  • The individual components of a microservice are:
    • Front-end
    • Back-end
    • Database
  2. What is a service that writes to a database and communicates to other services?
  • Application Programming Interface (API).
  3. What type of underlying technology allows for microservices to become scalable and have redundancy?
  • Containers are the underlying technology that allows microservices to become scalable, while load balancers allow them to have redundancy.

Deploying and Testing a Container Set

  1. What tool can be used to deploy multiple containers at once?
  • docker-compose up is a tool to spin up multiple containers.
  • docker-compose down is a tool to tear down multiple containers.
  2. What kind of file format is required for us to deploy a container set?
  • YAML files are required to deploy a container set.

Databases

  1. Which type of SQL query would we use to see all of the information within a table called customers?
  • SELECT statements
    • SELECT * FROM customers WHERE Last_Name = 'insertnamehere'
  2. Which type of SQL query would we use to enter new data into a table? (You don't need a full query, just the first part of the statement.)
  • INSERT INTO
    • INSERT INTO customers (field1, field2, field3, ...) VALUES ('a', 'b', 'c', ...)
  3. Why would we never run DELETE FROM <table-name>; by itself?
  • It would delete the entire table as it doesn't have the WHERE clause.
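The three answers above cover SELECT, INSERT INTO and DELETE. The Python script below is an added example (not part of the homework) that runs all three against an in-memory SQLite database using the standard sqlite3 module; the customers table and its rows are constructed for the illustration. Every value is passed as a bound parameter (the ? placeholders) rather than pasted into the SQL string, which is why a last name containing a quote (O'Brien) is matched literally instead of breaking the statement. The last function runs the bare DELETE FROM customers from question 3 so you can see that every row is gone while the now-empty table itself remains (DROP TABLE is the statement that removes the table).

```python
"""SELECT / INSERT / DELETE against a throwaway customers table.

Added example, not part of the original homework. Uses Python's built-in
sqlite3 module and an in-memory database; the rows are constructed.
"""
import sqlite3


def build_customers_db() -> sqlite3.Connection:
    """Create the table and load a few constructed rows with INSERT INTO."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, First_Name TEXT, Last_Name TEXT)"
    )
    # Values are bound as parameters (?), so the driver never splices text into SQL.
    conn.executemany(
        "INSERT INTO customers (First_Name, Last_Name) VALUES (?, ?)",
        [("Alice", "Smith"), ("Bob", "Jones"), ("Carol", "Smith"), ("Dan", "O'Brien")],
    )
    conn.commit()
    return conn


def all_customers(conn):
    """Every row in the table: SELECT * with no WHERE clause."""
    return conn.execute("SELECT * FROM customers ORDER BY id").fetchall()


def customers_by_last_name(conn, last_name):
    """Rows narrowed by WHERE; the bound value is matched literally, so a
    name containing a quote (O'Brien) neither breaks nor alters the query."""
    return conn.execute(
        "SELECT * FROM customers WHERE Last_Name = ? ORDER BY id", (last_name,)
    ).fetchall()


def delete_customer(conn, customer_id) -> int:
    """DELETE with a WHERE clause; returns the number of rows removed (0 or 1)."""
    cur = conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    conn.commit()
    return cur.rowcount


def delete_all_rows(conn) -> int:
    """What DELETE FROM customers; does on its own: every row is gone.
    The empty table survives; DROP TABLE is what removes the table itself."""
    cur = conn.execute("DELETE FROM customers")
    conn.commit()
    return cur.rowcount


def table_exists(conn, name) -> bool:
    """Look the table up in SQLite's catalogue."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = build_customers_db()
    print(all_customers(conn))
    print(customers_by_last_name(conn, "Smith"))
    print("deleted", delete_customer(conn, 2))
    delete_all_rows(conn)
    print("rows left:", all_customers(conn), "table still exists:", table_exists(conn, "customers"))
```

Running it prints the four rows, the two Smiths, a single deleted row for id 2, and finally an empty row list with the table still present.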
