Web Applications
PA 165, Lecture 7
Martin Kuba
PA165 - Web Applications 2
Outline
● Architecture of web applications
● Servlet API
● JSP, JSP EL, JSP tags, tag libs, JSTL
● Security (authentication, authorization, main
attacks)
PA165 - Web Applications 3
Layers in multi-tier application
PA165 - Web Applications 4
SaaS Cloud
● web applications are Software-as-a-Service type of
cloud service
● provide on-demand access to software
● device independence – PC, notebook, tablet,
smartphone, smart TV, …
● web mail, messaging, office suites, media libraries,
communication tools, business sw …
● Gmail, Facebook, Google Drive, Dropbox, Spotify,
Flickr, YouTube, WebEx, NetSuite ...
PA165 - Web Applications 5
Deployment
● SaaS services can be deployed
– into Platform-as-a-Service (PaaS) cloud
● Google App Engine, Amazon Elastic Beanstalk, Microsoft Azure
Websites, RedHat OpenShift, Heroku, ...
– into Infrastructure-as-a-Service (IaaS) cloud
● Google Computing Engine, Amazon Elastic Compute Cloud, Microsoft
Azure, ...
– locally
● software is provided as
– downloadable executable code (i.e. JavaScript, Android app)
– callable API on provider's servers (e.g. Google Calendar API)
PA165 - Web Applications 6
Client side technologies
● HTML, links, forms, CSS
● cookies
● JavaScript, Document Object Model, AJAX
● HTML 5 features - <canvas>, <video>, web storage, web
sockets, file API, geolocation API, device orientation,
media capture
● WebGL (Web Graphics Library)
● SVG (Scalable Vectr Graphics)
● dead technologies – Java applets, Flash
PA165 - Web Applications 7
http://caniuse.com/
PA165 - Web Applications 8
Google Analytics
PA165 - Web Applications 9
Client side libraries and frameworks
● area of rapid changes
● jQuery – JavaScript library
– HTML document traversal and manipulation, event
handling, animation, and Ajax
– unified API on multiple browsers
● AngularJS – framework for declarative
programming of user interfaces
– extends HTML vocabulary for applications
– suited for single-page applications
PA165 - Web Applications 10
Server side technologies
● PHP, Python, Perl, Ruby on Rails, NodeJS, …
● Java web containers (Apache Tomcat, Jetty,
JBoss, IBM WebSphere, …)
● basic Servlet API for handling HTTP
● Java Server Pages (JSP) for page templates
● frameworks on top of Servlet API
PA165 - Web Applications 11
Java server side frameworks
● page templates
– JSP, tag libraries, JSTL
– Velocity
– Freemarker
● Model-View-Controller
– Spring MVC
– Stripes
– Apache Struts
– …
PA165 - Web Applications 12
Web frameworks history
PA165 - Web Applications 13
Servlet API
● Servlets for managing HTTP requests
● Filters for modifying requests and responses
● Listeners for handling events (e.g. app start)
● HttpSession for maintaining state
● RequestDispatcher and attributes for
cooperation among multiple servlets
PA165 - Web Applications 14
Servlet
PA165 - Web Applications 15
Filter
PA165 - Web Applications 16
Listeners
● ServletContextListener,
ServletRequestListener,HttpSessionListener, ...
PA165 - Web Applications 17
HttpSession
● keeps a Map<String,Object> on server
● assigned to a particular browser
● maintained using cookie or URL rewriting
● timeout after 30 minutes since last request
PA165 - Web Applications 18
Attributes (Scoped variables)
● setAttribute(String name,Object value) on
– ServletContext (shared by all browsers)
– HttpSession (shared by all requests from a
browser)
– HttpServletRequest (shared by filters and servlets
during a request)
– JspContext (shared in a single JSP page)
● easily accessed in JSPs as ${name}
PA165 - Web Applications 19
WAR – Web ARchive
● a servlet container can have multiple web applications
running, mapped by different context path (first part of
URL)
● each web app is deployed in a *.war file
● a ZIP archive containing
– WEB-INF/classes/**/*.class … classes
– WEB-INF/lib/*.jar … libraries
– WEB-INF/web.xml … deployment descriptor
– WEB-INF/tags/*.tag … custom JSP tags
– directly accessible files like *.jsp, *.png, *.css, *.js
PA165 - Web Applications 20
Java Server Pages
● an HTML file with special directives, converted
to a servlet on each change
● scriptlets, EL language, tags, tag libraries
PA165 - Web Applications 21
JSP Expression Language (EL)
● expressions inside of ${ }
● value expressions
– ${attribute.property}
– ${attribute['property']}
● operators: + - * / div % mod and or not == != < >
<= >= empty
● functions defined by tag libraries
– ${fn:length(orderitems)}
PA165 - Web Applications 22
Own JSP tags
● defined in *.tag files with syntax similar to *.jsp
● can be used for common page layout
● attributes can be: simple, dynamic, fragment
PA165 - Web Applications 23
Java Standard Tag Library (JSTL)
PA165 - Web Applications 24
Security
● authentication – validation of identity
● authorization - access rights specification
PA165 - Web Applications 25
Authentication in web apps
● form based
● HTTP BASIC - name and password
● SSL client certificate
● federated identity (SAML, OpenID)
● OAuth
● other (HTTP DIGEST, Kerberos, etc.)
PA165 - Web Applications 26
Form based authentication
● own form, flag stored in HttpSession, Filter checking the flag
● Servlet API offers “HTTP FORM”, but very limited
customization
● how to not store passwords:
– plaintext (can be stolen)
– hashed (can be reversed using rainbow tables)
– hashed with salt (can compute specific rainbow table)
● recommended way how to store passwords:
– BCrypt or PBKDF2 (PBKDF2WithHmacSHA512 in JRE)
PA165 - Web Applications 27
HTTP BASIC
● server sends response
● client asks user for name and password
● browser sends name and password with every
request
● username:password encoded by base64
● communication must be encrypted using
SSL/TLS, otherwise can be easily stolen !
PA165 - Web Applications 28
Client X509 certificate
● SSL server must present a certificate
● SSL client may present a certificate
● get your certificate at https://tcs.cesnet.cz/
PA165 - Web Applications 29
Federated identity
● three parties
– user
– Identity Provider
– Service Provider
● SAML (Security Assertion
Markup Language)
standard
● Czech eduId.cz
federation
● worldwide eduGAIN
PA165 - Web Applications 30
OAuth
● “open authentication” standard
● used by Google, Facebook, LinkedIn, …
● tree parties
– user as resource owner
– resource server (e.g. Facebook)
– client application (e.g. some third party game)
● user authorizes the client to perform a specific set of
operations on resource server on his/her behalf
● can be used for authentication as authorization for reading
user's personal info
● user can revoke the authorization anytime
PA165 - Web Applications 31
Attacks
● SQL injection
● session hijacking
● session fixation
● XSS
● XSRF
● clickjacking
● phishing
PA165 - Web Applications 32
SQL injection attack
● attacker sends special strings as inputs
● for values, use PreparedStatement in JDBC
● for other (e.g. ORDER BY) check using regex
PA165 - Web Applications 33
Session hijacking
● attacker gets the cookie identifying someone
else's session and uses it
● defence – session cookies must have attribute
“secure”, so can be sent only over SSL/TLS
PA165 - Web Applications 34
Session fixation
● attacker sends a URL to the victim containing a
session identifier in a parameter
● defence – do not accept session identifiers from
URL parameters, use cookies, change session
identifier after each login
PA165 - Web Applications 35
XSS – Cross site scripting
● attacker injects client-side script (JavaScript)
into web pages viewed by other users
● defence
– replace special characters with HTML entities using
<c:out> tag
– check URLs coming from user for “javascript:”
– sanitize untrusted HTML input
PA165 - Web Applications 36
XSRF – Cross site request forgery
● passive attack, attacker prepares a URL that
causes an action on another server
● defence
– important actions (e.g. money transfers) need to be
confirmed
– web forms contain a hidded randomly generated
token
PA165 - Web Applications 37
Clickjacking (UI redressing)
● attacker shows a web page in IFRAME in
another web page
● tricks user into performing undesired actions by
clicking on a concealed link
● defence – X-Frame-Options HTTP header
PA165 - Web Applications 38
Phishing
● attacker masquerades as a trustworthy entity
● typically sends an email with link to fake web
pages asking user to log in
● defence
– train users to recognize phishing attempts
– use Extended Validation server certificates
PA165 - Web Applications 39
Penetration testing
● launching a software attack on a computer
system looking for security weaknesses
● testing frameworks
– Metasploit
– w3af
● automatically performs attacks (SQL injection,
XSS, …) on a web application
PA165 - Web Applications 40
Thank you for your attention