Security analysis of Web Architecture

2022-07-05 14:21:00 Cwxh0125

How the Web works

Web pages and websites

The attractive pages we see on the Internet through a browser are usually .html pages rendered by the browser, together with front-end technologies such as CSS. A collection of multiple web pages is a website.

Web containers

A web container, also called a web server, mainly provides web services, that is, the HTTP service.

Common web containers include Apache, IIS and Nginx.

Static pages

Static pages are all .html files. They are plain text files that contain HTML code.

Middleware server

The setup described above can only deliver static information to users in one direction. As the Web developed, information needed to flow in both directions and interaction became a requirement, which led to the concept of dynamic web pages. "Dynamic" here means using technologies such as Flash, PHP, ASP and Java to embed runnable scripts in the web page; when the user's browser interprets the page and encounters a script, it starts and runs it.

The use of scripts gives the web service model the ability to communicate in both directions. The web server model can then handle various transactions like traditional software, such as editing files, calculating interest and submitting forms, which greatly expands the applicability of the web architecture.

These scripts can be embedded in the page, as with JS. They can also be stored as separate files in the web server's directory, such as .asp, .php and .jsp files. As more and more functional scripts like these accumulate, they form common toolkits that are managed separately and used directly in web business development. This is the middleware server; it is in effect an extension of the web server's processing capability.

The emergence of databases

Static web pages and scripts are designed in advance and generally do not change often, but much of a website's content needs to be updated frequently. Putting this changing data in the code of static web pages is clearly inappropriate; the traditional approach is to separate the data from the program and use a dedicated database.

Web developers add a database server behind the web server. The constantly changing data is stored in the database, where it can be updated at any time. When a user requests a page, the script, based on the page requested, uses the SQL database language to read the latest data from the database wherever dynamic data is involved, generates the "complete" page, and finally sends it to the user.

HTTP protocol

Brief overview

HTTP is the communication protocol between the browser and the web server; it is the set of specifications and requirements for message delivery.

It was proposed in 1900; the current version is 1.1.

HTTP is used to transfer HTML documents from the web server to the web browser. It is a request/response protocol: the client makes the request and the server responds to it.

HTTP uses reliable TCP connections; the default port is 80.

Characteristics

Supports the browser/server model.

When the browser makes a request to the server, it only needs to send the request method and the request path.

HTTP allows objects of any type to be transferred.

URL

Uniform Resource Locator (web address): tells the web container the path of the resource (file) the browser is requesting. For example: schema://login:password@address:port/path/to/resource/?query_string#fragment

Port    80

Login    user name

Password    password

Fragment    anchor (positions the view within the page)


URL encoding

Only a limited set of characters is allowed in a URL. From the path onward, the characters allowed to appear directly are [A-Z], [a-z], [0-9], the half-width hyphen (-), the underscore (_), the period (.) and the tilde (~). All other characters (including spaces) are percent-encoded.

Encoding and decoding can be done in Burp's Decoder.

Encoded form: % followed by the character's ASCII code in hexadecimal.
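
The URL template and the encoding rule above, as an added Python example that is not part of the original article. The function names, the sample URL, and its host name and credentials are constructed for illustration; the port falls back to 80 only for the http scheme.

```python
import string
from urllib.parse import urlsplit

# Characters the article lists as allowed to appear directly in a URL.
UNRESERVED = set(string.ascii_letters + string.digits + "-_.~")
# Constructed sample URL following the article's template.
SAMPLE_URL = "http://alice:s3cret@www.example.test:8080/path/to/resource/?q=a%20b#top"

def split_url(url: str) -> dict:
    """Break a URL into the components named in the template above."""
    parts = urlsplit(url)
    return {
        "schema": parts.scheme,
        "login": parts.username,
        "password": parts.password,
        "address": parts.hostname,
        "port": parts.port or (80 if parts.scheme == "http" else None),
        "path": parts.path,
        "query_string": parts.query,
        "fragment": parts.fragment,
    }

def percent_encode(text: str) -> str:
    """Encode every UTF-8 byte outside the unreserved set as %XX."""
    return "".join(
        chr(b) if chr(b) in UNRESERVED else f"%{b:02X}"
        for b in text.encode("utf-8"))

def percent_decode(text: str) -> str:
    """Decode %XX sequences; reject truncated or non-hexadecimal escapes."""
    raw, i = bytearray(), 0
    while i < len(text):
        if text[i] == "%":
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError(f"malformed escape at offset {i}")
            raw.append(int(pair, 16))
            i += 3
        else:
            raw.extend(text[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")
```
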

HTTP message analysis

An HTTP request consists of the request line, the request headers and the request body.

Request line: method, resource path, protocol/version

Request headers: everything from the second line of the request message up to the first blank line. They contain many fields.

Request body: the content below the request headers

Request methods:

GET    The most common method; usually used to request that the server send a resource.

POST    Submits parameters and forms to the server, including file streams and so on.

HEAD    Similar to GET, but the server returns only the headers in its response.

PUT    In contrast to GET, which reads a document from the server, PUT writes a document to the server.

TRACE    Echoes the browser's request.

OPTIONS    Asks the web server to report the various functions it supports.

DELETE

Response message analysis

The response message consists of the status line, the response headers and the response body.

Status line: protocol/version, status code, descriptive phrase

Response headers

Everything from the second line up to the first blank line. They contain important fields about the HTTP response.

Response body

The content of the resource returned by the server, that is, the HTML code the browser receives.

Status codes

100~199    Informational status code

200~299    Success status code

300~399    Redirection status code

400~499    Client error status code

500~599    Server error status code

Main fields

Server    Server fingerprint

Set-Cookie    Sets a cookie on the browser side

Last-Modified    The server uses this header to tell the browser when the resource was last modified

Content-Length    Request body length

Location    Redirect target page

Refresh    The server uses the Refresh header to tell the browser to refresh periodically
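
The message structure described above (first line, headers up to the first blank line, then the body), as an added Python example that is not part of the original article. The function names and both sample messages are constructed; it assumes CRLF line endings and a complete message held in memory.

```python
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client error", 5: "Server error"}

def split_message(raw: bytes):
    """Return (first_line, headers, body); headers end at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []  # list of pairs, because a field such as Set-Cookie may repeat
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def parse_request(raw: bytes) -> dict:
    first, headers, body = split_message(raw)
    method, path, version = first.split(" ", 2)  # the request line
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}

def parse_response(raw: bytes) -> dict:
    first, headers, body = split_message(raw)
    version, code, phrase = (first.split(" ", 2) + [""])[:3]  # the status line
    status = int(code)
    return {"version": version, "status": status, "phrase": phrase,
            "class": STATUS_CLASSES.get(status // 100, "Unknown"),
            "headers": headers, "body": body}

def field(headers, name):
    """All values of one header field, in order of appearance."""
    return [v for n, v in headers if n == name.lower()]

def body_length_ok(msg: dict) -> bool:
    """True when exactly one Content-Length is present and matches the body."""
    declared = field(msg["headers"], "Content-Length")
    return len(declared) == 1 and int(declared[0]) == len(msg["body"])

# Constructed sample messages.
SAMPLE_REQUEST = (b"POST /login.php HTTP/1.1\r\nHost: www.example.test\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 19\r\n\r\nuser=alice&pin=1234")
SAMPLE_RESPONSE = (b"HTTP/1.1 302 Found\r\nServer: nginx\r\n"
                   b"Set-Cookie: sid=abc123; HttpOnly\r\nSet-Cookie: lang=en\r\n"
                   b"Location: /home.php\r\nContent-Length: 0\r\n\r\n")
```
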
 


Copyright notice
This article was written by [Cwxh0125]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/02/202202140519232302.html
