"Http protocol and other stuff" by Bipin Upadhyay

…and other stuff

that make the web work

Bits ‘bout Moi!

Senor Bipin Upadhyay

Developer, Directi Pvt. Ltd.

Lead, NULL Open Security Group – Mumbai Chapter

OWASP ESAPI-PHP Committer

Part of IHP (Honeynet Project)

Amateur Photographer

I know Kung-fu…

If Only it was true…

Think about the possibilities…

I know Kung-fu

Me too..

Me three..

Sigh! But it ain’t true, yet!

Agenda

http://icanhascheezburger.files.wordpress.com/2009/02/funny-pictures-cat-has-naps-on-his-agenda.jpg

Agenda

Intro: What & Why???

OSI model: Back to the basics

10000 feet view: How the web works

RFC 2616: Anatomy

RFC 2965: Handling Statelessness

Agenda




RFC 2616: Anatomy


Bit of History

Mar’89 – T.B. Lee presents “Information Management: A Proposal”

Aug’91 – Announces WWW

Mar’93 – Mosaic announced

Mar’94 – Netscape found

Oct’94 – W3C found by T.B. Lee

Web 2.0, uh!

http://www.wagnerblog.com/images/AjaxDarkSide.jpg

HTTP: What is it?

Part of the Application Layer of TCP/IP protocol suite

HTTP: What is it?


A set of grammatical rules for a client and server to communicate

http://www.flickr.com/photos/joshfassbind/4584323789/

HTTP: What is it?


A set of grammatical rules for a client and server to communicate

HTTP is what powers the WWW

…but

http://www.flickr.com/photos/quinnanya/4456123452/

Why should I bother?

Because:

web development sucks

http://www.flickr.com/photos/sneeu/1589152071/


Because:

web development sucks

Even your grandmom knows, ‘tis all about fundamentals


Also:

facilitates debugging,

improves understanding of security & performance


Agenda




RFC 2616: Anatomy


http://www.flickr.com/photos/stephenpoff/2312981944/

OSI & TCP/IP protocol suite

OSI is a reference model

http://blog.uad.ac.id/imam_riadi/files/2009/01/osi-layer.jpg

OSI & TCP/IP protocol suite…

TCP/IP protocol suite is implementation of OSI

http://www.hill2dot0.com/wiki/index.php?title=Image:G0209_TCPIP_vs_OSI.jpg

OSI & TCP/IP protocol suite…

Visual learning: Wireshark, baby

http://www.wireshark.org/

Agenda




RFC 2616: Anatomy


The Communication

My favorite interview question:

http://www.flickr.com/photos/terryhart/2890904949/

The Communication

My favorite interview question:

What all happens between the time when:

we click on a hyperlink

and the page is completely rendered in a browser

Brower InternetzProxy LBWeb

ServerDB

Server


ServerDB

Server

Client Server (null.co.in)


ServerDB

Server


Browser cache/ hosts file/ DNS server

null.co.in


ServerDB

Server


Browser cache/ hosts file/ DNS server

74.53.228.212null.co.in


ServerDB

Server


TCP Connection: There, bro?

SYN


ServerDB

Server


SYN

SYN-ACK

TCP Connection: Yo!


ServerDB

Server


SYN

SYN-ACK

ACK

TCP Connection: Cool!


ServerDB

Server


HTTP: Got this file?

GET /


ServerDB

Server


HTTP: Yup! Here ‘tis.

GET /

200 OK

index.html


ServerDB

Server


HTTP: Can I have these as well?

GET /

200 OK

index.html

GET /js.js

GET /pic.jpg


ServerDB

Server


HTTP: Sure!

GET /

200 OK

index.html

GET /js.js

GET /pic.jpg

200 OK

more content…


ServerDB

Server


FIN

TCP Connection: Arigato, am done.


ServerDB

Server


FIN

FIN-ACK

TCP Connection: Sayonara!

The Communication

…. or simply

The Communication

Web 2.0 has shrunk the client and server distinction

Conventionally, client sends an HTTP request

Server responds with an HTTP response

The Communication: HTTP Request

Request Line

Request Method

Requested Resource

HTTP Version used

Headers

General Headers

Request Headers

Entity Headers

Content (Optional)

The Communication: HTTP Response

Status Line

HTTP version(s) understood by server

Status code (3 digit numerical value)

Status description

Headers

General Headers

Response Headers

Entity Headers

Content (Optional)

Agenda




RFC 2616: Anatomy


http://www.saynotocrack.com/wp-content/uploads/2007/06/flinstones-anatomy.jpg

Anatomy

HTTP Request and Response are comprised of various components:

Request Methods

Response Status Codes

Request Headers

Response Headers

General Headers

Entity Headers

Content (MIME Media Types)

Anatomy: Request Methods

Humans can convey emotions in several ways

Why should HTTP clients lag!!!

HTTP methods describe the type of communication

GET POST HEAD OPTIONS

TRACE PUT DELETE CONNECT

Anatomy: Response Status Codes

Indicate the server’s mood corresponding to a request

Combination of a numerical code, and a short description

Cab be categorized in 5 categories:

1xx -- Informational

2xx -- Successful

3xx -- Redirection

4xx -- Client Error

5xx -- Server Error

Anatomy: Request Headers

Specific to an HTTP Request

Carry information about the client, and the type of request

Facilitates better understanding between client and server

Host Accept-Language If-Modified-Since Referer

User-Agent Authorization If-None-Match Expect

Accept Proxy-Authorization

If-Range From

Accept-Charset Max-Forwards If-Unmodified-Since

TE

Accept-Encoding If-Match Range

Anatomy: Response Headers

Specific to an HTTP Response

Carry information about the server, and the type of response

Accept-Ranges ETag Retry-After WWW-Authenticate

Age Location Server Proxy-Authenticate

Vary

Anatomy: General Headers

Carry information about the HTTP transaction

Can be a part of request, as well as response

Cache-Control Keep-Alive Pragma Via

Connection Upgrade Trailer Warning

Transfer-Encoding Date

Anatomy: Entity Headers

Carry information about the content

Mainly a part of HTTP response

Allow Content-Language Content-Location Content-Range

Content-Encoding Content-Length Content-MD5 Content-Type

Expires Last-Modified

Anatomy: Content

IANA maintains a list of valid content types

It is specified by the Content-Type Entity header

Categorized in 9 MIME Media types:

application audio example image

message model multipart text

video

Agenda




RFC 2616: Anatomy


Handling Statelessness

HTTP is a stateless protocol


HTTP is a stateless protocol

i.e., server’s got a bad memory


Cookies to rescue

http://www.flickr.com/photos/lij/283869088/


Cookies:

are text files stored by client browser

maintain session by storing information

are non-executable


Cookie attributes:

name=value

expires=value

domain=value

path=value

Secure

HttpOnly --not a part of spec

Conclusion

The single biggest problem in communication

is the illusion… that it has taken place.

--George Bernard Shaw

Conclusion

The single biggest problem in communication

is the illusion… that it has taken place.

--George Bernard Shaw

Think about it

Q&A!!!

Got queries? Raise your hands.

Arigato!

Contact info:

Om—At—[projectbee.org/null.co.in]

http://projectbee.org/

Twitter - @bipinu

Flickr -- projectbee



"Http protocol and other stuff" by Bipin Upadhyay

Technology

single biggest

favorite interview

tcpip protocol

ack tcp connection

handling statelessness

jpg osi amp

agenda intro

osi model