{%hackmd theme-dark %}
# Stanford Web Security
:::info
grok course: [web security](https://groklearning.com/learn/cyber-hs-websec)
[python](https://groklearning.com/learn/intro-python-1/intro-to-programming/1/)
:::
### HTML
### Lists
`ol` ordered list
`ul` unordered list
`li` list item (child of an `ol` or `ul`)
### URL: Uniform Resource Locator (URL)
https://example.com:81/a/b.html?user=Who&year=2019#p2
```text
https:              scheme (protocol)
example.com:        hostname
81:                 port
/a/b.html:          path, points to a file on the server
user=Who&year=2019: query, parameters for a dynamically generated resource
p2:                 fragment, a position inside the page (never sent to the server)
```
Full URL : `<a href='http://stanford.edu/news'> News</a>`
Gives: <a href='http://stanford.edu/news'> news</a>
Relative URL: `<a href='2019/september'>News</a>` is resolved against the URL of the current page, so on `http://stanford.edu/news/` it points to `http://stanford.edu/news/2019/september`
Absolute-path URL: `<a href='/published'>Published</a>` keeps the current scheme and host and replaces the whole path
Published course: <a href='/@SZid34XfRLeFQVAqsg7WZw/SyA1M4wLU'> published</a>
Fragment: ``<a href='#mentions'>scrolls to mentions</a>``
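Added example (not from the course notes): the URL above parsed with the WHATWG `URL` API that browsers and Node.js both provide, and the relative, absolute-path and fragment `href` forms resolved the way a browser resolves a link. The base page `http://stanford.edu/news/` is an assumption chosen for the examples.

```javascript
// Added example (not from the course notes): parse the URL from the notes with the
// WHATWG URL API that browsers and Node.js both provide, and resolve the
// relative / absolute-path / fragment href forms against a base page.
// The base page http://stanford.edu/news/ is an assumption for the examples.

function parseUrl(text) {
  const u = new URL(text);  // throws TypeError("Invalid URL") on relative input
  return {
    scheme: u.protocol.replace(/:$/, ""),
    hostname: u.hostname,
    port: u.port,                              // "" when it is the scheme's default
    path: u.pathname,
    query: Object.fromEntries(u.searchParams),
    fragment: u.hash.replace(/^#/, ""),        // never sent to the server
  };
}

// Resolve an <a href=...> value the way the browser does for a link on pageUrl.
function resolveHref(href, pageUrl) {
  return new URL(href, pageUrl).href;
}

const sample = "https://example.com:81/a/b.html?user=Who&year=2019#p2";
const page = "http://stanford.edu/news/";

console.log(parseUrl(sample));
// { scheme: 'https', hostname: 'example.com', port: '81', path: '/a/b.html',
//   query: { user: 'Who', year: '2019' }, fragment: 'p2' }

console.log(resolveHref("2019/september", page));  // http://stanford.edu/news/2019/september
console.log(resolveHref("/published", page));      // http://stanford.edu/published
console.log(resolveHref("#mentions", page));       // http://stanford.edu/news/#mentions

// Two pitfalls worth checking in any code that builds or validates links:
// 1. Without the trailing slash the last path segment is replaced, not appended.
console.log(resolveHref("2019/september", "http://stanford.edu/news"));  // http://stanford.edu/2019/september
// 2. A value starting with "//" is scheme-relative, not a path: it changes the host.
//    A redirect target validated only with startsWith("/") would follow it off-site.
console.log(resolveHref("//evil.example/login", page));  // http://evil.example/login
```

The second pitfall is the one to remember when a web app accepts a "next" or "redirect" parameter: resolve it with `new URL(value, base)` and compare the resulting `origin` with your own, rather than inspecting the string.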
### Javascript
> Fun, Flexible, Immediate Feedback
### Nodejs
- JS on the command line
- Adds built-in modules for the filesystem, HTTP, DNS and sockets (scripting-language features the browser does not expose)
- Also adds module system, binary data support
### Javascript API
- APIs for JS come from language specifications
- Document Object Model specification (browser)
- Node.js built-ins
Examples
```javascript
Array                   // ECMAScript language specification (everywhere)
document.createElement  // DOM specification (browser only)
fs.readFile             // Node.js built-in module (Node only)
```
### Crusty browser APIs
```
window.open()     : opens a pop-up window
window.moveTo()   : moves the window
window.resizeTo() : resizes the window
```
# DNS, HTTP, Cookies
### What happens when you type a URL and press enter?

1. Client asks a **DNS Recursive Resolver** to look up a hostname (stanford.edu)
DNS translates user-friendly domain names into IP addresses

2. **DNS Recursive Resolver** sends a DNS query to a **Root Nameserver**
- Root Nameserver responds with the IP address of the TLD Nameserver (the one for `.edu`)
3.
## TLS
Plain DNS queries and answers are sent unencrypted (UDP port 53), so anyone on the network path can read which hosts you look up, and an on-path attacker can spoof the answer.
DNS-over-HTTPS (DoH) sends the same queries inside an HTTPS connection to the resolver instead. Cloudflare's public resolver (1.1.1.1) supports it.
#### Encrypted DNS-over-HTTPS on Mozilla
Firefox can be configured to send its DNS queries over DoH to a resolver such as 1.1.1.1 rather than in plaintext to the resolver the OS provides.
#### HTTP Request
```
GET / HTTP/1.1
```
`GET` is the ==Method==, `/` the ==Path==, `HTTP/1.1` the ==Protocol-Version==
#### HTTP Response
```
HTTP/1.1 200 OK
```
`200` is the ==Status Code==, `OK` the ==Status Message==
The server only sends a response in reply to a request
:::info HTTP
- **Client-server model** client asks server for resource, server replies
- **Simple** Human readable text protocol
- **Extensible** just add HTTP headers
- **Stateless** two requests have no relation to each other
- **Transport protocol agnostic**, is implemented as a layer
:::
#### HTTP success Codes
**200 OK** - request succeeded
**206 Partial Content** - request for a specific byte range succeeded
#### HTTP Redirection Codes
**301 Moved Permanently** - resource has a new permanent URL
**302 Found** - resource temporarily resides at a different URL
**304 Not Modified** - resource hasn't been modified since last cached
#### HTTP Server Error Codes
**500 Internal Server Error** - generic server error
**502 Bad Gateway** - server is a proxy and the backend server is unreachable or gave an invalid reply
**503 Service Unavailable** - server is overloaded or down for maintenance
**504 Gateway Timeout** - server is a proxy and the backend server did not answer in time
#### HTTP Headers
A map of keys and values

- Host - domain name of the server (required in HTTP/1.1, since one IP address can serve many domains)
- User-Agent - name of your browser and OS
- Referer - the web page which led you here
- Cookie - the cookie the server gave you earlier, e.g. the session that keeps you logged in
- Range - specifies a subset of bytes to fetch
```bash
curl https://twitter.com --header "Accept-Language: es"
```
:::info HTTP response header (caching)
- **Cache-Control** whether and for how long the response may be cached (a client can also send it to say whether a cached copy is acceptable)
- **Date** when the response was sent
- **Last-Modified** when the resource last changed
- **Expires** discard the response from the cache after this date
- **Vary** list of request headers which affect the response, so a cache must key on them
:::
:::danger HTTP response header
- **Location** URL to redirect the client to (sent with a 3xx status)
- **Connection** control of the TCP socket (`keep-alive` or `close`)
- **Content-Type** media type of the body (`text/html`)
- **Content-Encoding** compression applied to the body (`gzip`)
- **Content-Language** language of the response, `ar` for Arabic
:::
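Added example (not from the course notes) covering the request and status lines above and the header lists: a minimal parser for raw HTTP/1.1 messages that splits the start line into its parts and turns the header lines into a map, plus the reverse direction with the check a client library needs. The sample request and response strings are constructed for this example; `stanford.edu` is used only as the host name.

```javascript
// Added example (not from the course notes): a minimal parser for raw HTTP/1.1
// messages. It shows the request line (Method Path Version), the status line
// (Version Status-Code Status-Message) and headers as a key/value map.
// The sample request and response strings are constructed for this example.

const CRLF = "\r\n";

// Header names are case-insensitive, so they are lower-cased for lookup.
// A header that repeats (e.g. several Set-Cookie lines) becomes an array
// instead of silently overwriting the earlier value. The null-prototype object
// keeps a header literally named "constructor" or "__proto__" from colliding
// with Object.prototype.
function parseHeaders(lines) {
  const headers = Object.create(null);
  for (const line of lines) {
    const colon = line.indexOf(":");
    if (colon <= 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = name in headers ? [].concat(headers[name], value) : value;
  }
  return headers;
}

// Start line, header lines and body are separated by the first blank line.
function splitMessage(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end < 0) throw new Error("headers are not terminated by a blank line");
  const [startLine, ...headerLines] = raw.slice(0, end).split(CRLF);
  return { startLine, headerLines, body: raw.slice(end + 4) };
}

function parseRequest(raw) {
  const { startLine, headerLines, body } = splitMessage(raw);
  const m = /^([A-Z]+) (\S+) HTTP\/(\d\.\d)$/.exec(startLine);
  if (!m) throw new Error(`bad request line: ${startLine}`);
  const headers = parseHeaders(headerLines);
  // HTTP/1.1 requires Host: it is how one server IP serves many domain names.
  if (m[3] === "1.1" && !("host" in headers)) throw new Error("HTTP/1.1 request without Host");
  return { method: m[1], path: m[2], version: m[3], headers, body };
}

function parseResponse(raw) {
  const { startLine, headerLines, body } = splitMessage(raw);
  const m = /^HTTP\/(\d\.\d) (\d{3}) ?(.*)$/.exec(startLine);
  if (!m) throw new Error(`bad status line: ${startLine}`);
  return { version: m[1], status: Number(m[2]), reason: m[3], headers: parseHeaders(headerLines), body };
}

// The other direction. A CR or LF inside a header value would let whoever
// controls that value smuggle extra header lines (header injection), so refuse it.
function formatRequest(method, path, headers) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [name, value] of Object.entries(headers)) {
    if (/[\r\n]/.test(name + value)) throw new Error(`CR/LF in header ${name}`);
    lines.push(`${name}: ${value}`);
  }
  return lines.join(CRLF) + CRLF + CRLF;
}

// Constructed sample: roughly what a client sends for the curl command above,
// and a redirect reply with a repeated Set-Cookie header.
const sampleRequest = formatRequest("GET", "/news", {
  Host: "stanford.edu",
  "User-Agent": "example-client/1.0",
  "Accept-Language": "es",
  Cookie: "theme=dark",
});

const sampleResponse = [
  "HTTP/1.1 302 Found",
  "Location: https://stanford.edu/news/",
  "Content-Type: text/html",
  "Set-Cookie: theme=dark; Path=/",
  "Set-Cookie: sid=abc123; Secure; HttpOnly",
  "",
  "<html>moved</html>",
].join(CRLF);

const req = parseRequest(sampleRequest);
const res = parseResponse(sampleResponse);
console.log(req.method, req.path, req.headers.host);        // GET /news stanford.edu
console.log(res.status, res.reason, res.headers.location);  // 302 Found https://stanford.edu/news/
```

Everything the parser returns from a request (Host, User-Agent, Referer, Cookie) is chosen by the client, so a server must treat each of these values as untrusted input, not as a fact about the user.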
## Cookies
The server sets a cookie with a response header:
`Set-Cookie: theme=dark;`
The browser stores it and sends it back in the `Cookie` request header on every later request to that site, which is how a stateless protocol can remember who you are (e.g. a session ID that keeps you logged in)
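Added example (not from the course notes): the `Set-Cookie` / `Cookie` round trip simulated in a small cookie jar, including the two attributes a practitioner checks first on a session cookie. All `Set-Cookie` values are constructed for this example, and the default path handling is simplified.

```javascript
// Added example (not from the course notes): the Set-Cookie / Cookie round trip
// that gives stateless HTTP a memory. A tiny cookie jar parses Set-Cookie
// response headers and builds the Cookie request header for the next request.
// All Set-Cookie values below are constructed for this example.

function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error(`bad cookie pair: ${JSON.stringify(pair)}`);
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    path: "/",          // default scope when no Path attribute is given (simplified)
    secure: false,      // Secure: only sent over https
    httpOnly: false,    // HttpOnly: hidden from document.cookie, so XSS cannot read it
    maxAge: undefined,  // Max-Age: lifetime in seconds; 0 deletes the cookie
  };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    switch (key.toLowerCase()) {
      case "path": cookie.path = val || "/"; break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "max-age": cookie.maxAge = Number(val); break;
      default: break;  // Domain, Expires and SameSite are not modelled here
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }  // name -> cookie

  // Called with the Set-Cookie header(s) of a response.
  store(setCookieHeaders) {
    for (const h of [].concat(setCookieHeaders)) {
      const c = parseSetCookie(h);
      if (c.maxAge !== undefined && c.maxAge <= 0) this.cookies.delete(c.name);
      else this.cookies.set(c.name, c);
    }
  }

  // Value of the Cookie request header for a request to scheme://<same host>/path.
  cookieHeader(scheme, path) {
    const sent = [];
    for (const c of this.cookies.values()) {
      if (c.secure && scheme !== "https") continue;
      const prefix = c.path.endsWith("/") ? c.path : c.path + "/";
      if (path !== c.path && !path.startsWith(prefix)) continue;
      sent.push(`${c.name}=${c.value}`);
    }
    return sent.join("; ");
  }

  // What page JavaScript would see in document.cookie: HttpOnly cookies are excluded.
  scriptVisible() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Simulated exchange: the first response sets a preference cookie and a session cookie.
const jar = new CookieJar();
jar.store(["theme=dark; Path=/", "sid=s3cr3t; Path=/; Secure; HttpOnly"]);
console.log(jar.cookieHeader("https", "/news"));  // theme=dark; sid=s3cr3t
console.log(jar.cookieHeader("http", "/news"));   // theme=dark   (Secure cookie withheld)
console.log(jar.scriptVisible());                  // theme=dark   (HttpOnly hidden from scripts)
```

The session cookie is the thing that "keeps you logged in", so it is the one to mark `Secure` (never sent in the clear) and `HttpOnly` (not readable by injected script); the theme preference needs neither.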
###### tags: `Templates` `Book`