
HTTP Basics

The "Web" is arguably the largest threat surface of an organisation, with almost "everyone"[1] having some form of web presence.

This module focuses on examining websites for security issues, exploiting them, and defending against attack. While the attacking part is obviously the most interesting, a decent understanding of the underlying technologies is going to help you when it comes to the exploit phase.

Managing users and sessions is also important when it comes to designing and securing web services. We will take a look at authentication and authorisation, and at how session management is used to keep track of users on a site.

This week

This week we will be looking at the protocols that help make the web work.

As most of the security issues with the web involve manipulating the data that the site sees, having a good understanding of how data is sent to and from web pages can help us find, and exploit, potential security issues.

The stateless design of the HTTP protocol means that every request made is independent, with the protocol making no links between them[2]. This means that for anything needing state we need some way of keeping track of users.

Sessions allow us to do this by attaching a unique identifier (a session token) to every request sent to the server. When the server receives a new request, it can cross-reference the session token against its list of users to work out who has made the request.
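As an added example (not part of the module text), a minimal server-side session store in Python: a token minted at login is cross-referenced on later requests, and an unknown or expired token falls back to anonymous. The cookie name, timeout and user names are constructed assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

SESSION_COOKIE = "sid"   # assumption: cookie name used to carry the token
SESSION_TTL = 900        # assumption: 15 minute idle timeout, in seconds

# Constructed in-memory store: token -> {"user": ..., "expires": ...}
SESSIONS: dict = {}

def create_session(username: str, now: Optional[float] = None) -> str:
    """Mint an unguessable token and bind it to a user server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL}
    return token

def set_cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps scripts away from the token, Secure keeps it off plain HTTP."""
    return f"{SESSION_COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

def user_for_request(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Look the request's token up in the store; None means anonymous."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get(SESSION_COOKIE)
    if morsel is None:
        return None                       # no token at all
    record = SESSIONS.get(morsel.value)
    if record is None:
        return None                       # token not issued by us
    if record["expires"] < now:
        del SESSIONS[morsel.value]        # expired: remove so it cannot be reused
        return None
    return record["user"]

def demo():
    t0 = 1_000_000.0
    token = create_session("alice", now=t0)
    hdr = {"Cookie": set_cookie_header(token).split(";")[0]}  # "sid=<token>"
    first = user_for_request(hdr, now=t0 + 10)                # known token -> alice
    forged = user_for_request({"Cookie": f"{SESSION_COOKIE}=made-up"}, now=t0 + 10)
    stale = user_for_request(hdr, now=t0 + SESSION_TTL + 1)   # after timeout -> None
    return first, forged, stale
```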

While sessions give us some way of keeping track of users, we also need to confirm who they are. Authentication mechanisms are designed to allow us to confirm a user's identity. For the second topic this week we will look at common authentication mechanisms, and how they can affect the security of a web service.


  [1] Obviously, not everyone has a web presence. But it's pretty much an accepted part of modern business.

  [2] This is not strictly true for HTTP/2 or HTTP/3, but sessions are not going to go away quickly.
