SOC - Web Basics (Lesson)
Web Basics
Introduction
In this lesson, you will learn how websites work and how website design, session management, and interactive features provide vectors for attacks. You will also learn that websites use a client/server model and the steps to deliver web data from the server to the client's computer.
Client Server Relationship Video
Basic Web Terminology
- HTML (HyperText Markup Language) – code to create webpages.
- HTTP (HyperText Transport Protocol) – protocol for network delivery of webpages.
- HTTPS (HyperText Transport Protocol Secure) – protocol that encrypts data to securely deliver webpages.
- Browser – software application with a graphical user interface for displaying and navigating between web pages. A web browser will fetch content from the Internet or the local storage and display it on a user’s screen.
Note: Cybersecurity professionals know that network packets can be captured and read by adversaries unless their contents are encrypted. HTTPS is quickly replacing HTTP to provide this encryption protection!
Open Systems Interconnection (OSI) Model
The OSI Model is a conceptual framework used to understand network interactions in seven layers:
- Layer 1 (Physical Layer): The physical equipment (like cables, switches, and routers) that transfers raw bits from one device to another.
- Layer 2 (Data Link Layer): A frame is added around the bits; MAC addresses ensure the data reaches the right device on the local network.
- Layer 3 (Network Layer): The frame is encapsulated within a packet that carries the source and destination IP addresses used to navigate the global network (the Internet).
- Layer 4 (Transport Layer): The packet is wrapped in a segment (TCP, reliable communication) or a datagram (UDP, connectionless communication), adding ports and error checking.
- Layer 5 (Session Layer): Sessions are established, maintained, and terminated.
- Layer 6 (Presentation Layer): Data is translated, for example by encryption and decryption or by compression.
- Layer 7 (Application Layer): The user data generated by an application, like a web browser request.
How Websites Work: The Client-Server Model
When cybersecurity professionals are talking about web vulnerabilities, they will often use terms like “client side” or “server side.” Here is a summary of the basic relationship between client and server and the steps for website code to move between server and client (your computer):
- Server computer – stores the web pages and waits for client computers to send requests.
- Client computer – sends requests through a browser to the website, asking for the data from one of its pages.
- When the server gets a request, the code for the web page is returned to the client. Servers can respond to many different clients at the same time.
- The client browser translates the HTML code to display it on the user’s screen.
Client Server Model Activity
Client-to-Server Journey Illustration
- User enters a URL in a web browser (Application Layer).
- User data is prepared for transmission (Presentation and Session Layers).
- Data packet is constructed, including headers for source and destination ports (Transport Layer).
- Packet is put into an IP packet with source and destination IP addresses (Network Layer).
- Packet is framed with MAC addresses for the local network traversal (Data Link Layer).
- Physical transmission via media like ethernet cables or wireless signals (Physical Layer).
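The journey above, carried out on bytes: this is an added example, not code from the lesson, that wraps an HTTP GET in a TCP header, an IPv4 header and an Ethernet frame (Layers 7 down to 2) and then peels the headers off again. The MAC and IP addresses are constructed sample values, and the TCP checksum is left at zero because the frame never touches a real network.

```python
import socket
import struct

# Constructed sample addresses for the illustration (not from any real capture)
SRC_MAC = bytes.fromhex("0242ac110002")
DST_MAC = bytes.fromhex("0242ac110001")
SRC_IP, DST_IP = "10.0.0.2", "10.0.0.1"

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a valid IPv4 header it yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(host: str, path: str, src_port: int = 40000, dst_port: int = 80) -> bytes:
    """Layer 7 down to Layer 2: wrap an HTTP GET in TCP, then IPv4, then Ethernet."""
    http = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()  # Layer 7 data
    # Layer 4: 20-byte TCP header carrying the ports; seq/ack 0, PSH+ACK flags,
    # TCP checksum left 0 because this frame never reaches a real network
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    # Layer 3: 20-byte IPv4 header; TTL 64, protocol 6 = TCP, checksum filled in below
    total_len = 20 + len(tcp) + len(http)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Layer 2: Ethernet header with the MAC addresses; EtherType 0x0800 = IPv4
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)
    return eth + ip + tcp + http  # Layer 1 would carry these bytes as raw bits

def unwrap_frame(frame: bytes) -> dict:
    """Layer 2 back up to Layer 7: peel each header off and report what it carried."""
    ether_type = struct.unpack("!H", frame[12:14])[0]
    ip_hdr = frame[14:34]
    ihl = (ip_hdr[0] & 0x0F) * 4  # IPv4 header length in bytes
    tcp_start = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_offset = (frame[tcp_start + 12] >> 4) * 4  # TCP header length in bytes
    payload = frame[tcp_start + data_offset:]
    return {
        "ether_type": ether_type,
        "src_ip": socket.inet_ntoa(ip_hdr[12:16]),
        "dst_ip": socket.inet_ntoa(ip_hdr[16:20]),
        "protocol": ip_hdr[9],
        "src_port": src_port,
        "dst_port": dst_port,
        "request_line": payload.split(b"\r\n")[0].decode(),
    }
```

Reading the returned dictionary top to bottom is the same walk a packet analyzer makes when it decodes a captured frame: Ethernet, then IP, then TCP, then the HTTP request line.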
Application Programming Interface (API)
Web APIs were developed so that data could be shared and updated dynamically across many organizations without the need for special arrangements. For example, a meteorology server offers weather data APIs and a GPS server offers location data APIs. The web server regularly makes API calls to those servers so that when you go to the website, it already has the forecast for your specific location.
How APIs Can Increase Security
- Encapsulation: APIs can encapsulate the internal workings of an application, revealing only what is necessary to the client and hiding everything else. This reduces the attack surface.
- Access Control: APIs can enforce strict access control, ensuring that users can only perform actions that their privileges allow.
- Consistent Interface: A consistent API interface for services can simplify the implementation of security measures since the same security protocols can be applied across various endpoints.
- Security Standards: APIs can be designed to support robust security standards like OAuth, JWT (JSON Web Tokens), and HTTPS, which help in maintaining data integrity and confidentiality.
- Rate Limiting: APIs can limit how often a user can send requests within a certain period, reducing the risk of DDoS attacks and brute-force attacks.
- Monitoring and Logging: APIs can be closely monitored, and detailed logs can be maintained. This can help detect and respond to potential security threats quickly.
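Rate limiting and monitoring from the list above, as an added example that is not part of the lesson: a per-client sliding-window limiter for an API endpoint, plus a helper that turns the rejections it records into a list of clients worth alerting on. The client keys, limit and timestamps are constructed values.

```python
from collections import deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = {}      # client key (API key, account, IP) -> request timestamps
        self.rejected = []   # (key, time) pairs, the raw material for monitoring

    def allow(self, key: str, now: float) -> bool:
        """Record the request if the client is under its limit; otherwise reject it."""
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # forget hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.rejected.append((key, now))
            return False
        q.append(now)
        return True

def simulate(limiter: SlidingWindowLimiter, requests: list) -> list:
    """Run a constructed sequence of (key, time) requests; return the allow/deny flags."""
    return [limiter.allow(key, t) for key, t in requests]

def clients_over_limit(limiter: SlidingWindowLimiter, threshold: int) -> set:
    """Clients rejected at least `threshold` times: candidates for an alert or lockout review."""
    counts = {}
    for key, _ in limiter.rejected:
        counts[key] = counts.get(key, 0) + 1
    return {key for key, n in counts.items() if n >= threshold}
```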
Command Line Interface (CLI) Commands to Interact with Websites
Did you know you can interact with a website without using a browser? Yep, you sure can – using Command Line Interface (CLI) commands.
Two CLI commands, curl and wget, can request data from or send data to a web server straight from the terminal. Advantages include:
- Have options to fine-tune the request – download an entire website or just a file, or upload one file or multiple files.
- Can be included in scripts to automate moving lots of data.
- Can be used to make API calls.
- Both send results to the screen, but wget also saves them to a file.
GET and POST Methods
GET and POST are the HTTP methods most frequently used to transfer data from client to server.
- The GET method is used to request data from a specified resource. Requests are saved to browser history and data may show in the URL. Important to note – it is NOT good for sensitive data!
- The POST method is used to send data to a server to create/update a resource. Data sent is stored in the request body of the HTTP request.
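Where the data ends up for each method, as an added example that is not part of the lesson: the same login form is sent once as GET and once as POST, a small parser splits the raw request, and a helper shows which parameters an access log or browser history entry (which records only the request line) would capture. The host, path, credentials and the list of sensitive parameter names are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameter names a reviewer would not want to see in a URL (constructed list)
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "ssn", "card"}

def build_get(host: str, path: str, params: dict) -> bytes:
    """GET carries its data in the query string, i.e. inside the request line."""
    return f"GET {path}?{urlencode(params)} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def build_post(host: str, path: str, params: dict) -> bytes:
    """POST carries its data in the body, after the blank line that ends the headers."""
    body = urlencode(params).encode()
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode()}

def access_log_line(raw: bytes, status: int = 200) -> str:
    """What a typical web server access log (or a browser history entry) records:
    the request line, never the body."""
    req = parse_request(raw)
    return f'{req["headers"]["Host"]} "{req["method"]} {req["target"]} {req["version"]}" {status}'

def params_visible_in_url(raw: bytes) -> dict:
    """Parameters recoverable from the URL alone, as a proxy or log reader sees them."""
    query = urlsplit(parse_request(raw)["target"]).query
    return {k: v[0] for k, v in parse_qs(query).items()}

def sensitive_keys_exposed(raw: bytes) -> set:
    """Sensitive-looking parameter names this request leaks through its URL."""
    return {k for k in params_visible_in_url(raw) if k.lower() in SENSITIVE_KEYS}
```

The same check run over real access logs is a quick way to find forms on your own site that still submit credentials with GET.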
Investigating Websites with Developer Tools
Web programmers use Developer Tools to perform tasks like checking collaborative work, troubleshooting issues, or experimenting with new code. These tools can also be useful to forensic investigators or threat actors to gather information about web activities on the specific device.
Every browser includes a set of tools to inspect the code and actions of a website. These are generally known as Developer Tools, but each browser is slightly different. The easiest way to find them is to right-click on the web page and select View Page Source or Inspect.
Of course, IT administrators may disable Developer Tools. For example, many school IT departments lock down student devices so that these tools are not available to students. While Developer Tools don’t have hacking uses, giving students this capability makes IT staff nervous because some of the possible actions may alarm uninformed adults!
Here are some Developer Tools:
- View Page Source – allows you to see behind the scenes. It is not interactive but programmers often leave code comments which can be very informative and sometimes even include passwords!
- Inspect – has several tabs; these are the most commonly used:
- Elements – you can temporarily change page information, but it only affects the copy on your local device, so it changes back when the page is refreshed.
- Network – shows data as it goes in and out of the webpage, including GET and POST requests.
- Application/Storage – most useful for viewing cookies and local storage, which is data added to your device by the websites you visit.
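The View Page Source point above, that developers leave comments which sometimes contain passwords, turned into a pre-publication check. This is an added example, not code from the lesson: it collects every HTML comment with its line number and flags those that match secret-like or leftover-note patterns, so a site owner can catch them before the page goes live. The sample page source and the pattern list are constructed.

```python
import re
from html.parser import HTMLParser

# Patterns that suggest a comment holds something that should never ship (constructed list)
SECRET_PATTERNS = [
    re.compile(r"\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]", re.I),
    re.compile(r"\b(todo|fixme|remove before (prod|release))\b", re.I),
]

class CommentCollector(HTMLParser):
    """Collect every <!-- ... --> comment, with its line number, from page source."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _ = self.getpos()  # position where the comment starts
        self.comments.append((line, data.strip()))

def extract_comments(html: str) -> list:
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments

def find_risky_comments(html: str) -> list:
    """Return (line, comment) pairs that match a secret or leftover-note pattern."""
    return [(line, text) for line, text in extract_comments(html)
            if any(p.search(text) for p in SECRET_PATTERNS)]

# Constructed sample page source, as View Page Source would show it
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Grade Portal</title>
<!-- layout by the web team, 2023 -->
</head><body>
<!-- TODO remove before release: test login admin / password=ChangeMe123 -->
<form method="post" action="/login">...</form>
</body></html>"""
```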
Now you know about tools to investigate a website! However, please be aware that making any unauthorized changes is against the Information Technology Ethics Agreement enforced by most, if not all, schools.
Some students have used the Elements tool to make changes to the school webpage and then take photos of the modified webpage to post on social media. Others have accessed the online grade portal and changed grades, to show their parents. While neither of these pranks resulted in permanent changes and cannot be classified as hacking (there was no real intrusion into someone else’s device or data), students have faced serious disciplinary consequences.
Reflection and Wrap-up
In this lesson, we have learned that understanding the client-server model and basic web terminology is crucial for identifying potential security risks and investigating websites. By recognizing that HTML, HTTP, and HTTPS form the foundation of web content delivery and that browsers play a key role in displaying this content, we can better comprehend how data travels from server to client computers.
We have also explored the role of APIs in enhancing security through encapsulation, access control, and standardized protocols, and we have delved into the world of CLI commands like curl and wget, which allow direct interaction with web servers and can be powerful tools for automating data transfers. Furthermore, we have touched on the significance of HTTP methods, particularly GET and POST, in the data transmission process.
The lesson highlighted the use of Developer Tools in browsers, which serve as an essential resource for programmers, forensic investigators, or even malicious actors to scrutinize and interact with website code and activity. Finally, it's important to always act within ethical boundaries and to respect the rules set by organizations regarding the use of these investigative tools.
CC BY-NC-SA 4.0 UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON. Video courtesy of LTN Labs, CC-BY