Thinking about Web Application security (i)


In my Thinking about Web Application Security (preface) I mentioned that the security of web applications should not depend on information supplied in the client's request.

It is well known that the HTTP protocol is open: anyone can send a request for a URL (Uniform Resource Locator) to any Web server that is exposed on the network.

The so-called request is just a string that conforms to the HTTP protocol (that is, to the HTTP request syntax):

The following is an example of an ASPX request:

GET /FrameWorkService/TestRequest.aspx HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-tw
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
UA-CPU: x86

The following is an example of a request for a Web service:

POST /testwssecurity/service2.asmx HTTP/1.1
Content-Length: 288
Content-Type: text/xml; charset=utf-8
Expect: 100-continue
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.42)
SOAPAction: "http://tempuri.org/HelloWorld"
  
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><HelloWorld xmlns="http://tempuri.org/" /></soap:Body></soap:Envelope>

I believe you can basically understand the meaning of the strings above. This means that if we assemble similar strings ourselves and send them to the appropriate Web server, we can request a URL; in other words, a Web request does not depend on the browser (the Web does not rely on the server or the client software, it relies only on the HTTP protocol).
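The point above can be shown directly: a server that reads identity out of the request string is trusting bytes that anyone can compose, whereas a lookup into server-side state is not. The following Python example is added here and is not part of the original post or its C# code; the session table, the two identity functions and the second request are constructed for illustration (only the URL and the session ID are taken from the page's own request).

```python
from urllib.parse import urlsplit, parse_qs

def parse_request(raw):
    """Split a raw HTTP/1.1 request string into its parts.
    Every value comes straight off the wire, chosen by whoever sent it."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"method": method, "path": url.path, "query": query,
            "headers": headers, "body": body}

def parse_cookies(cookie_header):
    # "a=1; b=2" -> {"a": "1", "b": "2"}
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies

# Constructed server-side session table: the only state the server controls.
SESSIONS = {"g5vz3k55q4dhgy3dvmm3dj4x": {"user": "zkw"}}

def identity_from_request_fields(req):
    """Weak: believes the client's own claim (the name= query parameter)."""
    return req["query"].get("name")

def identity_from_server_state(req):
    """Sound: the cookie is only a lookup key; identity comes from SESSIONS."""
    cookies = parse_cookies(req["headers"].get("cookie", ""))
    session = SESSIONS.get(cookies.get("ASP.NET_SessionId"))
    return session["user"] if session else None

def build_request(name, session_id):
    """Constructed GET modelled on the page's example; any program can emit it."""
    return ("GET /FrameWorkService/TestRequest.aspx?name=%s&age=24 HTTP/1.1\r\n"
            "Host: localhost\r\n"
            "Cookie: ASP.NET_SessionId=%s\r\n"
            "Connection: close\r\n\r\n" % (name, session_id))

# A request from a client holding a session the server really issued ...
GENUINE = parse_request(build_request("zkw", "g5vz3k55q4dhgy3dvmm3dj4x"))
# ... and one with identical syntax but values the server never issued.
UNKNOWN = parse_request(build_request("someone-else", "id-the-server-never-issued"))
```

The weak check accepts whatever name the second request carries; the server-state check returns no identity for it because the session ID is not in the table.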

The following is an example written in C# that sends an HTTP request directly to the Web server through a socket:

using System;
using System.Text;
using System.IO;
using System.Net;
using System.Net.Sockets;

public class Server
{
    // Establish a socket connected to the given server and port
    private static Socket ConnectSocket(string server, int port)
    {
        Socket s = null;
        IPHostEntry hostEntry = Dns.GetHostEntry(server);
        // Try each resolved address until one connects
        foreach (IPAddress address in hostEntry.AddressList)
        {
            IPEndPoint ipe = new IPEndPoint(address, port);
            Socket tempSocket = new Socket(ipe.AddressFamily, SocketType.Stream, ProtocolType.Tcp);
            try { tempSocket.Connect(ipe); }
            catch (SocketException) { tempSocket.Close(); continue; }   // try the next address
            if (tempSocket.Connected) { s = tempSocket; break; }
        }
        Console.WriteLine(s == null ? "" : "Connection established successfully!");
        return s;
    }

    // Send the request and return the response as a string
    private static string SocketSendReceive(string request, string server, int port)
    {
        byte[] bytesSent = Encoding.ASCII.GetBytes(request);
        byte[] bytesReceived = new byte[256];
        Socket s = ConnectSocket(server, port);
        if (s == null) return "Connection failed!";
        Console.WriteLine("Sending the request");
        s.Send(bytesSent, bytesSent.Length, 0);
        Console.WriteLine("Receiving the response from the Web server");
        // Collect the raw bytes first and decode once at the end, so a multi-byte
        // UTF-8 character split across two 256-byte reads is not corrupted
        MemoryStream response = new MemoryStream();
        int bytes;
        do
        {
            bytes = s.Receive(bytesReceived, bytesReceived.Length, 0);
            response.Write(bytesReceived, 0, bytes);
        } while (bytes > 0);   // 0 bytes means the server closed the connection
        s.Close();
        return Encoding.UTF8.GetString(response.ToArray());
    }

    // Build the raw request string (the same headers a browser would send)
    private static string GetRequestStr()
    {
        StringBuilder sb = new StringBuilder();
        sb.Append("GET /FrameWorkService/TestRequest.aspx?name=zkw&age=24 HTTP/1.1\r\n");
        sb.Append("Host: localhost\r\n");
        sb.Append("Accept: */*\r\n");
        sb.Append("Accept-Encoding: gzip, deflate\r\n");
        sb.Append("Accept-Language: zh-tw\r\n");
        sb.Append("User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n");
        sb.Append("UA-CPU: x86\r\n");
        sb.Append("Cookie: ASP.NET_SessionId=g5vz3k55q4dhgy3dvmm3dj4x\r\n");
        sb.Append("Connection: close\r\n\r\n");   // the blank line ends the header block
        return sb.ToString();
    }

    public static void Main(string[] args)
    {
        string requestStr = GetRequestStr();
        Console.WriteLine("The request string is as follows:\n{0}", requestStr);
        string result = SocketSendReceive(requestStr, "localhost", 80);
        Console.WriteLine(result);
        Console.ReadLine();
    }
}
