
5.3 HTTP CONTENT RENDERING

URL:

URL is an acronym for Uniform Resource Locator and is a reference (an address) to a
resource on the Internet.

Protocol identifier: For the URL http://example.com, the protocol identifier is http.

Resource name: For the URL "http://example.com", the resource name is example.com.

Http Request

An HTTP Request is a packet of information that one computer sends to another computer
to communicate something. At its core, an HTTP Request is a packet of binary data sent by
the client to the server. An HTTP Request contains the following parts:
1. Request Line
2. Headers, 0 or more headers in the request
3. An optional Body of the Request

Http Response

An HTTP Response is the packet of information sent by the server to the client in response to
an earlier request made by the client. The HTTP Response contains the information requested
by the client. For example, the response to the Weather Web Service request made in the HTTP
Request tutorial will contain the weather details of the location.
Just like the HTTP Request, the HTTP Response has the same structure:
1. Status Line
2. Headers, 0 or more headers in the response
3. An optional Body of the Response
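An added example, not from the original notes: a small parser that splits a raw HTTP request or response into the start line, headers and body described above, with a check that the body actually matches the declared Content-Length. Both sample messages are constructed here.

```javascript
// Added example, not from the original notes: split a raw HTTP message into
// the three parts described above: start line (request line or status line),
// headers and body. Both sample messages are constructed for illustration.
function parseHttpMessage(raw) {
  // The header section ends at the first empty line (CRLF CRLF).
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const [startLine, ...headerLines] = head.split("\r\n");
  const headers = {};
  for (const line of headerLines) {
    const colon = line.indexOf(":");
    if (colon === -1) throw new Error("malformed header line: " + line);
    // Header names are case-insensitive, so they are stored in lower case;
    // a repeated header is joined to the earlier value with a comma.
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { startLine, headers, body };
}

// A body shorter or longer than Content-Length means the message was
// truncated or badly framed; a server should reject it rather than guess.
function bodyMatchesContentLength(msg) {
  if (!("content-length" in msg.headers)) return true;
  const declared = Number(msg.headers["content-length"]);
  return Number.isInteger(declared) && Buffer.byteLength(msg.body, "utf8") === declared;
}

const sampleRequest =
  "GET /weather?city=Delhi HTTP/1.1\r\n" +
  "Host: example.com\r\n" +
  "Accept: application/json\r\n" +
  "\r\n";                                   // empty line, then no body

const sampleResponse =
  "HTTP/1.1 200 OK\r\n" +
  "Content-Type: application/json\r\n" +
  "Content-Length: 26\r\n" +
  "\r\n" +
  '{"city":"Delhi","temp":31}';             // 26 bytes, as declared

console.log(parseHttpMessage(sampleRequest));
console.log(bodyMatchesContentLength(parseHttpMessage(sampleResponse))); // true
```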

Html Content Rendering Engine or browser rendering engine

A browser rendering engine is software that renders HTML pages (web pages). It turns
the HTML layout tags in the page into the appropriate commands for the operating
system, which cause the formation of the text characters and images for screen and
printer.

<html>
<head>
<title> This is my Title </title>
<script>
</script>
</head>
<body>
<h1> This is my home page </h1>
<p> This is my paragraph </p>
</body>
</html>

Events of a web page:

1. onLoad: This event happens when a web page loads into the web browser
2. unload: This event happens when a web page unloads from the web browser

DOM: (Document object Model)

When a web page is loaded, the browser creates a Document Object Model of the page.

The HTML DOM model is constructed as a tree of Objects:

The HTML DOM Tree of Objects

BOM: (Browser Object Model)


The browser object model (BOM) is a hierarchy of browser objects that are used to
manipulate methods and properties associated with the Web browser itself

Reference                        Object
window                           The main browser window
window.navigator                 Information about the browser itself
window.screen                    The user's screen
window.history                   URLs visited by a user
window.location                  The current URL
window.document (document)       The document appearing in the main browser window
document.getElementById("id")    An HTML element appearing in a document and identified by its assigned id value.

Script Example:

JavaScript is an object-oriented programming language designed to make web
development easier and more attractive. In most cases, JavaScript is used to create
responsive, interactive elements for web pages, enhancing the user experience.

A JavaScript example is easy to code. JavaScript provides 3 places to put the JavaScript
code: within the body tag, within the head tag and in an external JavaScript file.

<script type="text/javascript">
document.write("JavaScript is a simple language for javatpoint learners");
</script>

Image tag:
If an image is not there at its place during the loading time of a webpage, then an error
handler should handle this situation by displaying a message like "The image is not there".
Otherwise an attacker can load his own code in place of the absent image.

Java script:

JavaScript is a very powerful client-side scripting language. JavaScript is used mainly
for enhancing the interaction of a user with the webpage. In other words, you can make
your webpage more lively and interactive, with the help of JavaScript. JavaScript is also
being used widely in game development and Mobile application development.

<html>
<head>
<title>My First JavaScript code!!!</title>
<script type="text/javascript">
alert("Hello World!");
</script>
</head>
<body>
</body>
</html>

Port scanning behind the firewall:

Each individual computer runs on multiple ports. For instance, when a person opens his
or her email, the computer's server will open a port through which new mail will be
downloaded through a connection to the email server. Certain ports on an individual's
personal computer are open continually, making them a target for any potential hacker
who is searching for individuals to victimize. This can lead to one's sensitive and
personal information falling into the hands of those who intend on using it for criminal
activity. Unfortunately, criminals and computer hackers are always looking for new
victims to exploit, and port scanning is one of the ways through which this can be
accomplished.

When a criminal targets a house for a burglary, typically the first thing he or she checks is
if there is an open window or door through which access to the home can be gained. A
Port scan is similar, only the windows and doors are the ports of the individual's personal
computer. While a hacker may not decide to "break in" at that moment, he or she will
have determined whether easy access is available. Many people feel this activity should be
illegal, but it is not: because the potential attacker is merely checking whether a
connection could be made, in most areas it is not considered a crime. However, if
repetitive port scans are made, a denial of service can be created.

Hackers typically utilize port scanning because it is an easy way in which they can
quickly discover services they can break into. In some cases, hackers can even open the
ports themselves in order to access the targeted computer. Hackers also use port scanners
to conduct tests for open ports on personal computers that are connected to the web.

Port Number   Usage
20            File Transfer Protocol (FTP) Data Transfer
21            File Transfer Protocol (FTP) Command Control
22            Secure Shell (SSH)
23            Telnet - Remote login service, unencrypted text messages
25            Simple Mail Transfer Protocol (SMTP) E-mail Routing
53            Domain Name System (DNS) service
80            Hypertext Transfer Protocol (HTTP) used in World Wide Web
110           Post Office Protocol (POP3) used by e-mail clients to retrieve e-mail from a server
119           Network News Transfer Protocol (NNTP)
123           Network Time Protocol (NTP)
143           Internet Message Access Protocol (IMAP) Management of Digital Mail
161           Simple Network Management Protocol (SNMP)
194           Internet Relay Chat (IRC)
443           HTTP Secure (HTTPS) HTTP over TLS/SSL

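From the defender's side, the scan described above shows up in firewall logs as one source being refused on many different ports of the same host. The following detection is an added example, not part of the original notes: it runs over constructed firewall log lines (the "action= src= dst= dport=" field layout is assumed, not taken from any product) and labels the probed ports with the service names from the table above.

```javascript
// Added example, not from the original notes: spot a port scan in firewall
// logs. The log lines and the "action= src= dst= dport=" layout are
// constructed for illustration and do not follow any particular product.
const SERVICE_NAMES = { 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
  53: "DNS", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS" };

const sampleLog = [
  "2024-03-01T10:00:01Z action=DROP src=203.0.113.7 dst=192.0.2.10 dport=21",
  "2024-03-01T10:00:01Z action=DROP src=203.0.113.7 dst=192.0.2.10 dport=22",
  "2024-03-01T10:00:02Z action=DROP src=203.0.113.7 dst=192.0.2.10 dport=23",
  "2024-03-01T10:00:02Z action=DROP src=203.0.113.7 dst=192.0.2.10 dport=25",
  "2024-03-01T10:00:03Z action=DROP src=203.0.113.7 dst=192.0.2.10 dport=80",
  "2024-03-01T10:00:03Z action=DROP src=203.0.113.7 dst=192.0.2.10 dport=110",
  "2024-03-01T10:00:04Z action=DROP src=203.0.113.7 dst=192.0.2.10 dport=143",
  "2024-03-01T10:00:04Z action=ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443",
  "2024-03-01T10:00:05Z action=ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443",
  "2024-03-01T10:00:06Z action=DROP src=198.51.100.4 dst=192.0.2.10 dport=8080",
];

// Pull the fields out of one log line; null if the line is not in our format.
function parseLine(line) {
  const m = /action=(\w+) src=([\d.]+) dst=([\d.]+) dport=(\d+)/.exec(line);
  return m ? { action: m[1], src: m[2], dst: m[3], dport: Number(m[4]) } : null;
}

// A scan shows up as one source being dropped on many distinct ports of one
// host. Anything above `threshold` distinct ports is reported. A production
// detector would also bound this by a time window; that is left out here.
function findScanners(lines, threshold = 5) {
  const portsByPair = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.action !== "DROP") continue;
    const key = `${ev.src}->${ev.dst}`;
    if (!portsByPair.has(key)) portsByPair.set(key, new Set());
    portsByPair.get(key).add(ev.dport);
  }
  const alerts = [];
  for (const [key, ports] of portsByPair) {
    if (ports.size <= threshold) continue;
    const [src, dst] = key.split("->");
    const labelled = [...ports].sort((a, b) => a - b)
      .map(p => (p in SERVICE_NAMES ? `${p}/${SERVICE_NAMES[p]}` : String(p)));
    alerts.push({ src, dst, ports: labelled });
  }
  return alerts;
}

console.log(JSON.stringify(findScanners(sampleLog), null, 2));
```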
Remote scripting (Applet, XML RPC, hidden iframe):

Applet: An applet (little application) is a small software program that supports a larger
application program. In the past, the term applet was often associated with the Java
programming language. This program is downloaded from server to client computer then
run at client machine.

XML RPC:

The XML-RPC protocol was created in 1998 by Dave Winer of UserLand
Software and Microsoft, with Microsoft seeing the protocol as an essential part of scaling
up its efforts in business-to-business e-commerce. As new functionality was introduced,
the standard evolved into what is now SOAP.
XML-RPC's idea of a human-readable-and-writable, script-parsable standard for HTTP-
based requests and responses has also been implemented in competing specifications.

Hidden iframe:

The <iframe> tag specifies an inline frame.

An inline frame is used to embed another document within the current HTML document.

Example

An inline frame is marked up as follows:

<iframe src="https://www.w3schools.com"></iframe>

5.5 SECURITY USER INTERFACE

Safe Type password: You can keep your password safe by using the following practices

1. Don't pick a weak password.
2. Use multifactor authentication.
3. If biometrics is an option, take it.
4. Different accounts need different passwords.
5. Consider a password manager.
6. Don't share your password.
7. Don't fall for phishing.
8. Always update software.

Role of CA (Certificate Authority):

In order to be a trusted Certificate Authority, you have to follow guidelines set forth by
the CA/B Forum that govern issuance and authentication practices.

Then, the CA has to start actually issuing certificates. We won't drill all the way down into
roots and intermediates, etc. We'll just touch on the process of actually authenticating
and issuing a digital certificate. After the certificate is ordered, depending on the
level of validation required, the CA goes to work verifying the identity of the applicant.

If it's simply a Domain Validation certificate, the CA just checks ownership of the
domain, and then, once this is satisfied, issues the certificate. For Organization Validation
and Extended Validation, also known as business validation, the Certificate Authority
will use business registration records. This can take between 3-5 days and is typically a fairly
extensive process. Once it is complete, the certificate can then be issued and will contain
critical details about the business itself.

All of this is essential, especially for a PKI (Public Key Infrastructure), as it allows the
true owner of the keys being managed to be verified and makes the entire endeavor safer
and more reliable.

SSL:

SSL stands for Secure Sockets Layer and, in short, it's the standard technology for
keeping an internet connection secure and safeguarding any sensitive data that is being
sent between two systems, preventing criminals from reading and modifying any
information transferred, including potential personal details. The two systems can be a
server and a client (for example, a shopping website and browser) or server to server (for
example, an application with personal identifiable information or with payroll
information).

It does this by making sure that any data transferred between users and sites, or between
two systems remain impossible to read. It uses encryption algorithms to scramble data in
transit, preventing hackers from reading it as it is sent over the connection. This
information could be anything sensitive or personal which can include credit card
numbers and other financial information, names and addresses.

TLS (Transport Layer Security) is just an updated, more secure, version of SSL. We still
refer to our security certificates as SSL because it is a more commonly used term, but
when you are buying SSL from Symantec you are actually buying the most up to date
TLS certificates with the option of ECC, RSA or DSA encryption.

Figure 1. Overview of the SSL or TLS handshake

Https:

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext
Transfer Protocol (HTTP). It is used for secure communication over a computer network,
and is widely used on the Internet.[1][2] In HTTPS, the communication protocol is
encrypted using Transport Layer Security (TLS) or, formerly, its predecessor, Secure
Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over
TLS,[3] or HTTP over SSL.

Site Switching:

While browsing HTML pages we can switch from an http page to an https page and
vice versa. During this switching there could be a possibility of switching to some unsecured
page or script that can harm the user. Following are examples of browsers and the
warning given by the browser:

1. IE: Flash file over http gives no warning
2. Firefox: no sign of unlock with red slash sign in URL
3. Safari: does not detect mixed content

A link to malicious scripting code during the switch from one site to another can lead to
session hijacking by the attacker.

Extended Validation (EV) Concept:

An Extended Validation SSL Certificate (also known as EV SSL for short) is the highest
form of SSL Certificate on the market. While all levels of SSL – Extended Validation
(EV), Organization Validated (OV), and Domain Validated (DV) – provide encryption
and data integrity, they vary in terms of how much identity verification is involved and
how the certificates display in browsers.

Extended Validation Certificate Verification:


During verification of an EV SSL Certificate, the owner of the website passes a thorough
and globally standardized identity verification process (a set of vetting principles and
policies ratified by the CA/Browser forum) to prove exclusive rights to use a domain,
confirm its legal, operational and physical existence, and prove the entity has authorized
the issuance of the certificate. This verified identity information is included within the
certificate, with some pieces, including business name and country, presented directly in
the browser window.

5.6 COOKIES, FRAMES AND FRAME BURSTING

HTTP PROTOCOL: This is a stateless transport protocol in communication between
client and server. It means no state is stored during the period of communication. To
maintain a session between client and server we use client-side cookies.

Client side cookies (Header, cookies and request):

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or
simply cookie) is a small piece of data sent from a website and stored on the user's
computer by the user's web browser while the user is browsing. Cookies were designed to
be a reliable mechanism for websites to remember stateful information (such as items
added in the shopping cart in an online store) or to record the user's browsing activity
(including clicking particular buttons, logging in, or recording which pages were visited
in the past). They can also be used to remember arbitrary pieces of information that the
user previously entered into form fields such as names, addresses, passwords, and credit-
card numbers.

Cookie authentication: A server and client can be recognized with the help of cookies
sent through an authentication server.

Cookies Security Policy:

Some policies should be enforced for cookies:
1. Policies for user authentication
2. Policies for personalization details of both client and server
3. Policies for tracking users while maintaining the session
4. A browser will store 20 cookies per site and 3 KB per cookie

Secure cookies with https: In this case the cookie can be read and written only through
the https protocol.
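The policies above are enforced in practice through cookie attributes. As an added example (not from these notes), the following builds a session cookie with the Secure, HttpOnly and SameSite attributes and audits any Set-Cookie header for them; the cookie name and value are made up.

```javascript
// Added example, not from the original notes: a session cookie built with the
// attributes that keep it on https and away from page scripts, plus an audit
// of any Set-Cookie header for those attributes. Names and values are made up.
const VALID_NAME = /^[A-Za-z0-9_-]+$/;   // conservative cookie-name charset
const BAD_VALUE = /[\s;,"\\]/;           // characters that would break the header

// Build a Set-Cookie header value for a session identifier.
function buildSetCookie(name, value, { maxAge = 3600, sameSite = "Lax" } = {}) {
  if (!VALID_NAME.test(name)) throw new Error("invalid cookie name");
  if (BAD_VALUE.test(value)) throw new Error("invalid cookie value");
  if (!["Strict", "Lax"].includes(sameSite)) throw new Error("SameSite must be Strict or Lax");
  return [
    `${name}=${value}`,
    "Path=/",
    `Max-Age=${maxAge}`,
    "Secure",               // browser sends it only over https
    "HttpOnly",             // document.cookie cannot read it
    `SameSite=${sameSite}`, // not attached to cross-site requests
  ].join("; ");
}

// Check a Set-Cookie header and list the protections it lacks.
function auditSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map(s => s.trim());
  const name = nameValue.split("=")[0];
  const attrMap = new Map(attrs.map(a => {
    const [k, v = ""] = a.split("=");
    return [k.toLowerCase(), v];
  }));
  const findings = [];
  if (!attrMap.has("secure")) findings.push("missing Secure: sent over plain http too");
  if (!attrMap.has("httponly")) findings.push("missing HttpOnly: readable by injected scripts");
  const ss = (attrMap.get("samesite") || "").toLowerCase();
  if (ss !== "strict" && ss !== "lax") findings.push("SameSite not Strict/Lax: sent on cross-site requests");
  // The __Host- prefix makes the browser itself enforce Secure, Path=/ and no Domain.
  if (name.startsWith("__Host-") && (attrMap.has("domain") || attrMap.get("path") !== "/")) {
    findings.push("__Host- prefix requires Path=/ and no Domain attribute");
  }
  return { name, findings };
}

console.log(auditSetCookie(buildSetCookie("sid", "8f3a1c")));   // no findings
console.log(auditSetCookie("sid=8f3a1c; Path=/"));              // three findings
```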

Frames: A frame is a subpart of the whole HTML page which can contain a separate,
independent HTML page for display.

<frameset cols="25%,*,25%">
<frame src="frame_a.htm">
<frame src="frame_b.htm">
<frame src="frame_c.htm">
</frameset>

Frame Bursting code:

Clickjacking allows an attacker to trick your users into clicking parts of your interface
without their consent. A simple way to describe this is: an attacker will embed
your application in their site as an iframe. On top of the iframe they can show a
completely different interface. You think you are clicking buttons on your own
interface, while in fact you are hitting the 'Delete my account' button in, for example,
GMail.

Because this technique operates entirely with frames, it can be circumvented by using
a 'Frame busting' technique. As a bonus, this will also disallow, for example, Digg from
stealing and monetizing your content.
Frame busting can be achieved with a simple JavaScript technique:

<script type="text/javascript">

// If this page is not the top-level window, replace the framing page with this one.
if (top !== self) top.location.replace(self.location.href);

</script>
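The script above only runs once the framed page has loaded, and a framing page can keep it from running at all (an iframe sandbox without allow-scripts disables it). The following is an added example, not from these notes, showing the response headers that make the browser refuse to render the page in a frame before any script runs, next to a small model of how a browser evaluates them; origins such as https://app.example are made up.

```javascript
// Added example, not from the original notes: the header-based defence that
// browsers apply before any page script runs, next to a model of how a browser
// decides whether to render the frame. Origins are constructed for illustration.
const ORIGIN = /^https:\/\/[A-Za-z0-9.-]+(:\d+)?$/;

// Headers that stop other origins from framing the response. An empty list
// forbids all framing; otherwise only the listed origins may embed the page.
function antiFramingHeaders(allowedOrigins = []) {
  for (const o of allowedOrigins) if (!ORIGIN.test(o)) throw new Error("bad origin: " + o);
  const list = allowedOrigins.length ? allowedOrigins.join(" ") : "'none'";
  const headers = { "Content-Security-Policy": `frame-ancestors ${list}` };
  // X-Frame-Options has no usable allow-list (ALLOW-FROM is obsolete), so it is
  // only emitted for the deny-all case, as a fallback for browsers without CSP.
  if (!allowedOrigins.length) headers["X-Frame-Options"] = "DENY";
  return headers;
}

// Simplified model of the browser's decision: is a page served with `headers`
// from `ownOrigin` rendered inside a frame on `parentOrigin`? Real CSP source
// matching also handles wildcards and scheme-less hosts; those are omitted.
function browserAllowsFraming(headers, ownOrigin, parentOrigin) {
  const csp = headers["Content-Security-Policy"] || "";
  const m = /frame-ancestors\s+([^;]+)/.exec(csp);
  if (m) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    const sources = m[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    return sources.some(s => (s === "'self'" ? ownOrigin : s) === parentOrigin);
  }
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return ownOrigin === parentOrigin;
  return true; // no header at all: the page can be framed by anyone
}

const app = "https://app.example";
console.log(browserAllowsFraming(antiFramingHeaders(), app, "https://attacker.example")); // false
console.log(browserAllowsFraming(antiFramingHeaders([app]), app, app));                    // true
console.log(browserAllowsFraming({}, app, "https://attacker.example"));                    // true
```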
