Restful Web Services Cookbook

Total Page:16

File Type:pdf, Size:1020Kb

Restful Web Services Cookbook www.allitebooks.com www.allitebooks.com RESTful Web Services Cookbook www.allitebooks.com www.allitebooks.com RESTful Web Services Cookbook Subbu Allamaraju Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo www.allitebooks.com RESTful Web Services Cookbook by Subbu Allamaraju Copyright © 2010 Yahoo!, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://my.safaribooksonline.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editor: Mary E. Treseler Cover Designer: Karen Montgomery Production Editor: Sumita Mukherji Interior Designer: David Futato Production Services: Molly Sharp Illustrator: Robert Romano Printing History: March 2010: First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. RESTful Web Services Cookbook, the image of a great fringed lizard, and related trade dress are trademarks of O’Reilly Media, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc., was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information con- tained herein. TM This book uses RepKover™, a durable and flexible lay-flat binding. ISBN: 978-0-596-80168-7 [M] 1266619255 www.allitebooks.com Table of Contents Preface . ix 1. Using the Uniform Interface . 1 1.1 How to Keep Interactions Visible 2 1.2 When to Trade Visibility 4 1.3 How to Maintain Application State 7 1.4 How to Implement Safe and Idempotent Methods on the Server 9 1.5 How to Treat Safe and Idempotent Methods in Clients 12 1.6 When to Use GET 13 1.7 When to Use POST 14 1.8 How to Create Resources Using POST 16 1.9 When to Use PUT to Create New Resources 18 1.10 How to Use POST for Asynchronous Tasks 19 1.11 How to Use DELETE for Asynchronous Deletion 23 1.12 When to Use Custom HTTP Methods 23 1.13 When and How to Use Custom HTTP Headers 25 2. Identifying Resources . 29 2.1 How to Identify Resources from Domain Nouns 30 2.2 How to Choose Resource Granularity 31 2.3 How to Organize Resources into Collections 32 2.4 When to Combine Resources into Composites 34 2.5 How to Support Computing/Processing Functions 37 2.6 When and How to Use Controllers to Operate on Resources 39 3. Designing Representations . 45 3.1 How to Use Entity Headers to Annotate Representations 46 3.2 How to Interpret Entity Headers 49 3.3 How to Avoid Character Encoding Mismatch 50 3.4 How to Choose a Representation Format and a Media Type 52 3.5 How to Design XML Representations 56 v www.allitebooks.com 3.6 How to Design JSON Representations 58 3.7 How to Design Representations of Collections 59 3.8 How to Keep Collections Homogeneous 61 3.9 How to Use Portable Data Formats in Representations 62 3.10 When to Use Entity Identifiers 65 3.11 How to Encode Binary Data in Representations 66 3.12 When and How to Serve HTML Representations 67 3.13 How to Return Errors 69 3.14 How to Treat Errors in Clients 73 4. Designing URIs . 75 4.1 How to Design URIs 75 4.2 How to Use URIs As Opaque Identifiers 79 4.3 How to Let Clients Treat URIs As Opaque Identifiers 81 4.4 How to Keep URIs Cool 83 5. Web Linking . 87 5.1 How to Use Links in XML Representations 88 5.2 How to Use Links in JSON Representations 90 5.3 When and How to Use Link Headers 91 5.4 How to Assign Link Relation Types 93 5.5 How to Use Links to Manage Application Flow 95 5.6 How to Deal with Ephemeral URIs 99 5.7 When and How to Use URI Templates 101 5.8 How to Use Links in Clients 103 6. Atom and AtomPub . 107 6.1 How to Model Resources Using Atom 108 6.2 When to Use Atom 111 6.3 How to Use AtomPub Service and Category Documents 116 6.4 How to Use AtomPub for Feed and Entry Resources 118 6.5 How to Use Media Resources 119 7. Content Negotiation . 123 7.1 How to Indicate Client Preferences 124 7.2 How to Implement Media Type Negotiation 126 7.3 How to Implement Language Negotiation 127 7.4 How to Implement Character Encoding Negotiation 129 7.5 How to Support Compression 130 7.6 When and How to Send the Vary Header 131 7.7 How to Handle Negotiation Failures 132 7.8 How to Use Agent-Driven Content Negotiation 133 7.9 When to Support Server-Driven Negotiation 135 vi | Table of Contents www.allitebooks.com 8. Queries . 137 8.1 How to Design URIs for Queries 138 8.2 How to Design Query Responses 140 8.3 How to Support Query Requests with Large Inputs 142 8.4 How to Store Queries 144 9. Web Caching . 147 9.1 How to Set Expiration Caching Headers 148 9.2 When to Set Expiration Caching Headers 151 9.3 When and How to Use Expiration Headers in Clients 153 9.4 How to Support Caching for Composite Resources 154 9.5 How to Keep Caches Fresh and Warm 156 10. Conditional Requests . 159 10.1 How to Generate Last-Modified and ETag Headers 161 10.2 How to Implement Conditional GET Requests in Servers 162 10.3 How to Submit Conditional GET and HEAD Requests from Clients 165 10.4 How to Implement Conditional PUT Requests in Servers 167 10.5 How to Implement Conditional DELETE Requests in Servers 171 10.6 How to Make Unconditional GET Requests from Clients 172 10.7 How to Submit Conditional PUT and DELETE Requests from Clients 174 10.8 How to Make POST Requests Conditional 176 10.9 How to Generate One-Time URIs 179 11. Miscellaneous Writes . 183 11.1 How to Copy a Resource 184 11.2 How to Merge Resources 186 11.3 How to Move a Resource 188 11.4 When to Use WebDAV Methods 189 11.5 How to Support Operations Across Servers 191 11.6 How to Take Snapshots of Resources 193 11.7 How to Undo Resource Updates 196 11.8 How to Refine Resources for Partial Updates 198 11.9 How to Use the PATCH Method 201 11.10 How to Process Similar Resources in Bulk 203 11.11 How to Trigger Bulk Operations 206 11.12 When to Tunnel Multiple Requests Using POST 208 11.13 How to Support Batch Requests 211 11.14 How to Support Transactions 213 Table of Contents | vii www.allitebooks.com 12. Security . 217 12.1 How to Use Basic Authentication to Authenticate Clients 218 12.2 How to Use Digest Authentication to Authenticate Clients 221 12.3 How to Use Three-Legged OAuth 223 12.4 How to Use Two-Legged OAuth 228 12.5 How to Deal with Sensitive Information in URIs 231 12.6 How to Maintain the Confidentiality and Integrity of Representations 233 13. Extensibility and Versioning . 235 13.1 How to Maintain URI Compatibility 236 13.2 How to Maintain Compatibility of XML and JSON Representations 237 13.3 How to Extend Atom 241 13.4 How to Maintain Compatibility of Links 244 13.5 How to Implement Clients to Support Extensibility 246 13.6 When to Version 247 13.7 How to Version RESTful Web Services 248 14. Enabling Discovery . 251 14.1 How to Document RESTful Web Services 251 14.2 How to Use OPTIONS 254 A. Additional Reading . 257 B. Overview of REST . 261 C. HTTP Methods . 265 D. Atom Syndication Format . 271 E. Link Relation Registry . 277 Index . 285 viii | Table of Contents www.allitebooks.com Preface In 2000, Roy Fielding, one of the key contributors to HTTP and URI, codified the architecture of the Web in his doctoral thesis titled “Architectural Styles and the Design of Network-Based Software Architectures.” In this thesis, he introduced an architecture style known as Representational State Transfer (REST). This style, in abstract terms, describes the foundation of the World Wide Web. The technologies that make up this foundation include the Hypertext Transfer Protocol (HTTP), Uniform Resource Iden- tifier (URI), markup languages such as HTML and XML, and web-friendly formats such as JSON. REST is an architectural style for networked applications. It consists of several con- straints to address separation of concerns, visibility, reliability, scalability, perform- ance, etc. See Appendix B for a brief overview of these constraints. What makes REST attractive to build distributed and decentralized client/server applications is the infra- structure of the Web. Deploying web services on this infrastructure lets you take advantage of a wide range of existing infrastructure that includes web servers, client libraries, proxy servers, caches, firewalls, and so on. Although, in theory, it is possible to build RESTful applications without relying on HTTP, attempting to do so can be an expensive proposition. In this book, RESTful web services means web services built using HTTP, URIs, XML, JSON, Atom, etc.
Recommended publications
  • A Novel Approach of MIME Sniffing Using
    ISSN: 2277-3754 ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 4, Issue 11, May 2015 A Novel Approach of MIME Sniffing using AES Ankita Singh, Amit Saxena, Dr.Manish Manoria TRUBA Institute of Engineering and Information Technology (TIEIT), Bhopal (M.P) We discuss some web application attacks which can be Abstract— In today’s scenario communication is rely on possible over browser also discuss security concern can be web, users can access these information from web with the use applied in future for security on web application of browsers, as the usage of web increases the security of data is required. If browser renders malicious html contents or environment. JavaScript code block, the content sniffing attack may occur. The contents are divided in different sections. In section In this paper we provide a framework with AES algorithm to 2 we mention different types of attacks. Related work is secure the content sniffing for the web browsers with text, discussed in section 3. Proposed work is discussed in image and PDF files. In this work the data files having section 4. Result analysis in section 5. Conclusion and encryption then partition in multiple parts for reducing the future direction in Section 6, and then references are duration of file transmission and transferring with parity bit checking to identify the attack. mention. II. ATTACKS Index Terms— Cross-Site Scripting, Web Application We discuss about some attacks, associated with this Security, Content Sniffing, MIME, AES. work. ClickJacking[11] - The purpose of this attack is to open I.
    [Show full text]
  • Hands-On Laboratory on Web Content Injection Attacks
    TALLINN UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Computer Science TUT Centre for Digital Forensics and Cyber Security Hands-on laboratory on web content injection attacks Master’s thesis ITC70LT Anti Räis 121973IVCMM Supervisors Elar Lang, MSc Rain Ottis, PhD Tallinn 2015 Declaration I declare that this thesis is the result of my own research except as cited in the refer- ences. The thesis has not been accepted for any degree and is not concurrently submitted in candidature of any other degree. Anti Räis May 22, 2015 ........................ (Signature) Abstract This thesis focuses on explaining web application injection attacks in a practical hands-on laboratory. It is an improvement on Lang’s [1] master’s thesis about web appli- cation security. One of the main contributions of this thesis is gathering and structuring information about Cross Site Scripting (XSS) attacks and defenses and then presenting them in a practical learning environment. This is done to better explain the nuances and details that are involved in attacks against web applications. A thorough and clear under- standing of how these attacks work is the foundation for defense. The thesis is in English and contains 95 pages of text, 6 chapters, 4 figures, 27 tables. Annotatsioon Magistritöö eesmärk on selgitada kuidas töötavad erinevad kaitsemeetmed veebi- rakenduste rünnete vastu. Töö täiendab osaliselt Langi [1] magistritööd veebirakenduse rünnete kohta. Põhiline panus antud töös on koguda, täiendada ja struktureerida teavet XSS rünnete kohta ning luua õppelabor, kus on võimalik antud teadmisi praktikas rak- endada. See aitab kinnistada ja paremini mõista teemat. Selge ning täpne arusaamine, kuidas ründed toimuvad, on korrektse kaitse aluseks.
    [Show full text]
  • Der Security-Leitfaden Für Webentwickler
    Tangled Web - Der Security-Leitfaden für Webentwickler Deutsche Ausgabe – Aktualisiert und erweitert von Mario Heiderich von Michal Zalewski, Mario Heiderich 1. Auflage Tangled Web - Der Security-Leitfaden für Webentwickler – Zalewski / Heiderich schnell und portofrei erhältlich bei beck-shop.de DIE FACHBUCHHANDLUNG Thematische Gliederung: Netzwerksicherheit – Netzwerksicherheit dpunkt.verlag 2012 Verlag C.H. Beck im Internet: www.beck.de ISBN 978 3 86490 002 0 Inhaltsverzeichnis: Tangled Web - Der Security-Leitfaden für Webentwickler – Zalewski / Heiderich 245 13 Mechanismen zur Inhaltserkennung Bis jetzt haben wir einige gutgemeinte Browsermerkmale betrachtet, die sich im Laufe der Entwicklung der Technologie als kurzsichtig und geradezu gefährlich erwiesen haben. In der Geschichte des Web hat sich jedoch nichts als so fehlgelei- tet herausgestellt wie das sogenannte Content-Sniffing. Ursprünglich lag dem Content-Sniffing folgende simple Annahme zugrunde: Browseranbieter gingen davon aus, dass es in manchen Fällen angemessen – und sogar wünschenswert – sei, die normalerweise vom Server stammenden verbind- lichen Metadaten eines geladenen Dokuments zu ignorieren, so etwa den Header Content-Type. Anstatt die erklärte Absicht des Entwicklers zu akzeptieren, versu- chen viele existierende Browser stattdessen den Inhaltstyp zu erraten, indem sie proprietäre Heuristiken auf die vom Server zurückgegebenen Daten anwenden. Das Ziel dieses Vorgehens ist es, eventuelle Unstimmigkeiten zwischen Typ und Inhalt zu »korrigieren«. (Erinnern Sie sich
    [Show full text]
  • OBIX Version 1.1 Committee Specification 01 14 September 2015
    OBIX Version 1.1 Committee Specification 01 14 September 2015 Specification URIs This version: http://docs.oasis-open.org/obix/obix/v1.1/cs01/obix-v1.1-cs01.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/cs01/obix-v1.1-cs01.html http://docs.oasis-open.org/obix/obix/v1.1/cs01/obix-v1.1-cs01.doc Previous version: http://docs.oasis-open.org/obix/obix/v1.1/csprd03/obix-v1.1-csprd03.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/csprd03/obix-v1.1-csprd03.html http://docs.oasis-open.org/obix/obix/v1.1/csprd03/obix-v1.1-csprd03.doc Latest version: http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.html http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.doc Technical Committee: OASIS Open Building Information Exchange (oBIX) TC Chair: Toby Considine ([email protected]), University of North Carolina at Chapel Hill Editor: Craig Gemmill ([email protected]), Tridium Additional artifacts: This prose specification is one component of a Work Product that also includes: XML schema: http://docs.oasis-open.org/obix/obix/v1.1/cs01/schemas/obix-v1.1.xsd Core contract library: http://docs.oasis-open.org/obix/obix/v1.1/cs01/schemas/stdlib.obix Related work: This specification replaces or supersedes: oBIX 1.0. Edited by Brian Frank. 05 December 2006. Committee Specification 01. https://www.oasis-open.org/committees/download.php/21812/obix-1.0-cs-01.pdf.
    [Show full text]
  • Compendium 2 A4 Printing Advice
    Compendium 2 A4 printing advice Print page 1-444 with Page setup = 96%, Acrobat = Not Shrink to fit Print pages 444-end with Page setup = 100%, Acrobat = Shrink to fit *:96 Internet application layer protocols and standards Compendium 2: Allowed during the exam Last revision: 1 Apr 2003 FTP RFC 959: File Transfer Protocol (FTP) .................................................................................. 253-287 Cookies RFC 2109: HTTP State Management Mechanism .............................................................. 288-298 Usenet News Message Format RFC 1036: Standard for Interchange of USENET Messages............................................ 299-308 HTTP RFC 2068: Hypertext Transfer Protocol HTTP 1.1 ............................................................ 309-389 NNTP RFC 977: Network News Transfer Protocol (NNTP).......................................................... 390-403 URL RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax................................... 425-444 Port Numbers IANA Register of Port Numbers............................................................................................... 445-460 Media Types IANA Register of Media Types................................................................................................. 461-468 The documents are not ordered in a suitable order for reading them, see compendium 0 page14-17 RFC 959 October 1985 File Transfer Protocol Network Working Group J. Postel Request for Comments: 959 J. Reynolds ISI 2.1. HISTORY Obsoletes RFC: 765 (IEN 149) October 1985 FTP has had a long evolution over the years. Appendix III is a FILE TRANSFER PROTOCOL (FTP) chronological compilation of Request for Comments documents relating to FTP. These include the first proposed file transfer mechanisms in 1971 that were developed for implementation on hosts Status of this Memo at M.I.T. (RFC 114), plus comments and discussion in RFC 141. This memo is the official specification of the File Transfer RFC 172 provided a user-level oriented protocol for file transfer Protocol (FTP).
    [Show full text]
  • The Scent of a Newsgroup: Providing Personalized Access to Usenet Sites Through Web Mining?
    The Scent of a Newsgroup: Providing Personalized Access to Usenet Sites through Web Mining? Giuseppe Manco1, Riccardo Ortale2, and Andrea Tagarelli2 1 ICAR-CNR – Institute of Italian National Research Council Via Bucci 41c, 87036 Rende (CS), Italy e-mail: [email protected] 2 DEIS, University of Calabria Via Bucci 41c, 87036 Rende (CS), Italy e-mail: {ortale, tagarelli}@si.deis.unical.it Abstract. We investigate Web mining techniques focusing on a specific application scenario: the pro- blem of providing personalized access to Usenet sites accessible through a Web server. We analyze the data available from a Web-based Usenet server, and describe how traditional techniques for pattern discovery on the Web can be adapted to solve the problem of restructuring the access to news articles. In our framework, a personalized access tailored to the needs of each single user, can be devised according to both the content and the structure of the available data, and the past usage experience over such data. 1 Introduction The wide exploitation of new techniques and systems for generating and storing data has made available a huge amount of information, which can be profitably used in the decision processes. Such volumes of data highlight the need for analysis methodologies and tools. The term “Knowledge Discovery in Databases” is usually devoted to the (iterative and interactive) process of extracting valuable patterns from the data by exploiting Data Mining algorithms. In general, data mining algorithms find hidden structures, tendencies, associations and correlations among data, and mark significant information. An example of data mining application involving huge volumes of data is the detection of behavioral models on the Web.
    [Show full text]
  • OBIX Version 1.1 Committee Specification Draft 02 / Public Review Draft 02 19 December 2013
    OBIX Version 1.1 Committee Specification Draft 02 / Public Review Draft 02 19 December 2013 Specification URIs This version: http://docs.oasis-open.org/obix/obix/v1.1/csprd02/obix-v1.1-csprd02.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/csprd02/obix-v1.1-csprd02.html http://docs.oasis-open.org/obix/obix/v1.1/csprd02/obix-v1.1-csprd02.doc Previous version: http://docs.oasis-open.org/obix/obix/v1.1/csprd01/obix-v1.1-csprd01.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/csprd01/obix-v1.1-csprd01.html http://docs.oasis-open.org/obix/obix/v1.1/csprd01/obix-v1.1-csprd01.doc Latest version: http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.html http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.doc Technical Committee: OASIS Open Building Information Exchange (oBIX) TC Chair: Toby Considine ([email protected]), University of North Carolina at Chapel Hill Editor: Craig Gemmill ([email protected]), Tridium, Inc. Additional artifacts: This prose specification is one component of a Work Product that also includes: XML schemas: http://docs.oasis-open.org/obix/obix/v1.1/csprd02/schemas/ Related work: This specification replaces or supersedes: oBIX 1.0. 5 December 2006. OASIS Committee Specification 01. https://www.oasis- open.org/committees/download.php/21812/obix-1.0-cs-01.pdf. This specification is related to: Bindings for OBIX: REST Bindings Version 1.0.
    [Show full text]
  • Mitigation of Web-Based Program Security Vulnerability Exploitations
    MITIGATION OF WEB-BASED PROGRAM SECURITY VULNERABILITY EXPLOITATIONS by Hossain Shahriar A thesis submitted to the School of Computing in conformity with the requirements for the degree of Doctor of Philosophy Queen’s University Kingston, Ontario, Canada November 2011 Copyright ©Hossain Shahriar, 2011 Abstract Over the last few years, web-based attacks have caused significant harm to users. Many of these attacks occur through the exploitations of common security vulnerabilities in web-based programs. Given that, mitigation of these attacks is extremely crucial to reduce some of the harmful consequences. Web-based applications contain vulnerabilities that can be exploited by attackers at a client-side (browser) without the victim’s (browser user’s) knowledge. This thesis is intended to mitigate some exploitations due to the presence of security vulnerabilities in web applications while performing seemingly benign functionalities at the client-side. For example, visiting a webpage might result in JavaScript code execution (cross-site scripting), downloading a file might lead to the execution of JavaScript code (content sniffing), clicking on a hyperlink might result in sending unwanted legitimate requests to a trusted website (cross-site request forgery), and filling out a seemingly legitimate form may eventually lead to stealing of credential information (phishing). Existing web-based attack detection approaches suffer from several limitations such as (i) modification of both server and client-side environments, (ii) exchange of sensitive information between the server and client, and (iii) lack of detection of some attack types. This thesis addresses these limitations by mitigating four security vulnerabilities in web applications: cross-site scripting, content sniffing, cross- site request forgery, and phishing.
    [Show full text]
  • Filter Failure: One-Pass Delete Filter Failure: UTF-7
    Outline Cross-site scripting, cont’d CSci 5271 More cross-site risks Introduction to Computer Security Announcements intermission Web security and crypto failure combined Confidentiality and privacy lecture Stephen McCamant Even more web risks University of Minnesota, Computer Science & Engineering More crypto protocols More causes of crypto failure Filter failure: one-pass delete Filter failure: UTF-7 You may have heard of UTF-8 Encode Unicode as 8-bit bytes Simple idea: remove all occurrences of <script> UTF-7 is similar but uses only ASCII Encoding can be specified in a <meta> What happens to <scr<script>ipt>? tag, or some browsers will guess +ADw-script+AD4- Filter failure: event handlers Use good libraries <IMG onmouseover="alert('xss')"> Coding your own defenses will never work Put this on something the user will be Take advantage of known good tempted to click on implementations There are more than 100 handlers like Best case: already built into your this recognized by various browsers framework Disappointingly rare Content Security Policy Outline Cross-site scripting, cont’d New HTTP header, W3C candidate recommendation More cross-site risks Lets site opt-in to stricter treatment of Announcements intermission embedded content, such as: Confidentiality and privacy No inline JS, only loaded from separate URLs Even more web risks Disable JS eval et al. More crypto protocols Has an interesting violation-reporting mode More causes of crypto failure HTTP header injection Content sniffing Browsers determine file type from headers, extension,
    [Show full text]
  • Cure53 Browser Security White Paper
    Dr.-Ing. Mario Heiderich, Cure53 Bielefelder Str. 14 D 10709 Berlin cure53.de · [email protected] Cure53 Browser Security White Paper Dr.-Ing. Mario Heiderich Alex Inführ, MSc. Fabian Fäßler, BSc. Nikolai Krein, MSc. Masato Kinugawa Tsang-Chi "Filedescriptor" Hong, BSc. Dario Weißer, BSc. Dr. Paula Pustułka Cure53, Berlin · 29.11.17 1/330 Dr.-Ing. Mario Heiderich, Cure53 Bielefelder Str. 14 D 10709 Berlin cure53.de · [email protected] List of Tables .............................................................................................................................. 3 List of Figures ............................................................................................................................ 5 Chapter 1. Introducing Cure53 BS White Paper ......................................................................... 7 Browser Security Landscape: An Overview ............................................................................ 9 The Authors .......................................................................................................................13 The Sponsor ......................................................................................................................15 Earlier Projects & Related Work .........................................................................................15 Research Scope ................................................................................................................16 Version Details ...................................................................................................................19
    [Show full text]
  • Survey and Analysis of Client Side Detection of Content Sniffing Attack
    ISSN (Print) : 2319-5940 ISSN (Online) : 2278-1021 International Journal of Advanced Research in Computer and Communication Engineering Vol. 2, Issue 3, March 2013 Survey and Analysis of Client Side Detection of Content Sniffing Attack Animesh Dubey1, Ravindra Gupta2, Gajendra Singh3 M.Tech Scholar, CSE, SSSIST, Sehore, Bhopal, India1 Assistant Professor (CSE/IT), SSSIST, Sehore, Bhopal, India 2 HOD (CSE/IT), SSSIST, Sehore, Bhopal, India 3 Abstract: From the last few years, the attacks based on web portals have caused significant harm to users. Many of these attacks occur through the exploitations of common security vulnerabilities in web-based programs. Given that, mitigation of these attacks is extremely crucial to reduce some of the harmful consequences. Web-based applications contain vulnerabilities that can be exploited by attackers at client-side (browser) without the victim‟s (browser user‟s) knowledge. Our work is intended to some exploitation due to the presence of security vulnerabilities in web applications while performing seemingly benign functionalities at the client-side. In this paper we survey the aspects of content sniffing attack mainly on client side and analyses how the control should be monitor from the server side after attack. Keywords: Content sniffing, Security Measures, Web Based Attack, HTML Rendering 1. INTRODUCTION If we analyze our daily routine, then we surprise to observe the number of web-based attacks has increased in recent that we are relying on Internet. It is our need. For example years [7][8], existing research has addressed a subset of email, e-shopping, trading, game etc. In the meantime we security vulnerabilities in web applications for example SQL share our crucial and confidential data by HTML browser.
    [Show full text]
  • WAF Virtual Patching Challenge
    Reflected File Download a New Web Attack Vector Oren Hafif Security Researcher Trustwave’s SpiderLabs Twitter: @orenhafif [email protected] [email protected] Revision 1 (October 27, 2014) Abstract Attackers would LOVE having the ability to upload executable files to domains like Google.com and Bing.com. How cool would it be for them if their files are downloaded without ever being uploaded! Yes, download without upload! RFD is a new web based attack that extends reflected attacks beyond the context of the web browser. Attackers can build malicious URLs which once accessed, download files, and store them with any desired extension, giving a new malicious meaning to reflected input, even if it is properly escaped. Moreover, this attack allows running shell commands on the victim's computer. How bad is it? By using this attack on Google.com, Bing.com and others, I created the first cross-social-network worm that is downloadable from trusted sites like Google.com, completely disables same-origin-policy, steals all browser cookies, and spreads itself throughout all social networks such as Facebook, Twitter, Google+, and LinkedIn. - 1 - Table of Content 1. Introduction ......................................................................................................... - 3 - 1.1. RFD Attack Flow ............................................................................................ - 3 - 1.2. Implications ................................................................................................... - 3 - 1.3. RFD Requirements
    [Show full text]