Application Layer

A layer that provides an interface for the end user to interact with the network services (The application accesses the network services and shows the user the information they have received)

Hypertext Transfer Protocol (HTTP)

A TCP/IP based communication protocol for transporting data between a client and a web server

Some HTTP Headers

• Host
  • Target virtual host to use (HOST:PORT)
• Server
  • Target server that handled the request
• User-Agent
  • Software/Browser that is making the request

Some HTTP request methods

• GET
  • Read data
• POST
  • Insert data
• HEAD
  • Return metadata about the target

Some HTTP Response Status Codes

• 200
  • Request has succeeded
• 404
  • Server cannot find the requested resource
• 500
  • Internal server error

If you want to get a file named test.html from qeeqbox.com, your HTTP request will be something like this

GET /test.html HTTP/1.1
Host: www.qeeqboox.com

If the server does have the requested file, the HTTP response will be

HTTP/1.1 200 OK
Content-Length: 12
Content-Type: text/plain; charset=utf-8

Hello World!

If the file does not exist, the HTTP response will be

HTTP/1.1 404
Content-Length: 0

Uniform Resource Locator (URL)

A unique identifier used to locate a resource

• Protocol
  • A set of rules that define how content is transferred between the web server and browser
• Sub Domain
  • An extension to a domain name to separate a website section
• Root Domain
  • A website's main or primary domain
• Top Level Domain
  • An identifier that's used to categorize the domain
• Sub Directory
  • A directory that exists inside another directory
• Path
  • A location on the website

        Top Level Domain
               |
      Sub-Domain      |           Path
         |            |            |
        ---          ---     --------------
https://www.qeeqboox.com:80/files/test.html
-----       --------     |  ----- ---------
   |           |         |    |       |
Protocol       |        Port  |      File
           Root Domain        |
                         Sub Directory

Process

An instance of the application that's currently running (An application can have more than one process running)

• Foreground
  • Requires user to interact with it
• Background
  • Does not require users to interact with it

Services

A process that does not terminate (E.g., web server service)

Application

A program that performs different function or functions for users or objects

Web Application

A web client program that performs different functions for users or over the network (They are similar to websites where they need internet or network)

Cyberattacks

• Cross-Site Scripting
  • A threat actor aims to execute malicious actions on the victim's website (It's a client-side code injection attack)

• • • Reflected Cross-Site Scripting
      • A threat actor injects malicious content into web pages or web applications. The content will be reflected in the response and executed in the victim's browser
    • Dom-Based Cross-Site Scripting
      • A threat actor injects malicious content into web pages or web applications. The content is not reflected in the response and is executed in the victim's browser
    • Stored Cross-Site Scripting
      • A threat actor injects malicious content into a vulnerable server. The content is retrieved by users and then executed
• Cross-site request forgery
  • A threat actor may trick an authenticated or trusted victim into transmitting unauthorized actions on their behalf

• • • A threat actor crafts an exploit URL for a fund transfer and sends it to an authenticated user
• Denial-of-service (DoS)
  • A threat actor makes a target device\resource unavailable by overloading it using a device
    • A threat actor uses one device to overload XYZ LLC's website (This was common in the old days, but nowadays it often does not work )
• Distributed Denial of Service (DDoS)
  • A threat actor makes a target device\resource unavailable by flooding using multiple devices
    • A threat actor uses hundreds of infected devices to flood XYZ LLC's website

PCAP Example

The client requested web content from the server over an insecure protocol called HTTP, the server responded with the web content, the client received the web content and got rendered by the client's web browser. Insecure protocols can be intercepted, and the data carried in them can be modified

Client Sends Data

The client requests specific web content over HTTP using the GET method

Server Receives Data

The server receives the client's HTTP GET request

from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from io import BytesIO
from gzip import GzipFile
from datetime import datetime
from contextlib import suppress

with suppress(Exception):
  from netifaces import gateways, ifaddresses, AF_INET, AF_LINK
  print("The default network interface is: ",gateways()['default'][AF_INET][1])
  print("The default network interface mac address is: ",ifaddresses(gateways()['default'][AF_INET][1])[AF_LINK])

class Server(SimpleHTTPRequestHandler):
  def do_GET(self):
    compressed = False
    content = b'<HTML><h1>Hello World!</h1></HTML>'
    if len(content) > 0:
      if 'accept-encoding' in self.headers:
        if 'gzip' in self.headers['accept-encoding']:
          bytes_ = BytesIO()
          with GzipFile(fileobj=bytes_, mode='w', compresslevel=5) as f:
            f.write(content)
            f.close()
            content = bytes_.getvalue()
            compressed = True
    self.send_response(200)
    if compressed:
      self.send_header('content-encoding', 'gzip')
    self.send_header('content-length', len(content))
    self.end_headers()
    self.wfile.write(content)

  def log_message(self, format, *args):
    print("[{}] - {}:{} - {} {}".format(datetime.now().strftime("%m/%d/%Y %H:%M:%S"), self.client_address[0],self.client_address[1],args[0],args[1]))

TCPServer(('0.0.0.0', 80), Server).serve_forever()

Server Sends Data

The server sends the client the requested web content over HTTP

from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from io import BytesIO
from gzip import GzipFile
from datetime import datetime
from contextlib import suppress

with suppress(Exception):
  from netifaces import gateways, ifaddresses, AF_INET, AF_LINK
  print("The default network interface is: ",gateways()['default'][AF_INET][1])
  print("The default network interface mac address is: ",ifaddresses(gateways()['default'][AF_INET][1])[AF_LINK])

class Server(SimpleHTTPRequestHandler):
  def do_GET(self):
    compressed = False
    content = b'<HTML><h1>Hello World!</h1></HTML>'
    if len(content) > 0:
      if 'accept-encoding' in self.headers:
        if 'gzip' in self.headers['accept-encoding']:
          bytes_ = BytesIO()
          with GzipFile(fileobj=bytes_, mode='w', compresslevel=5) as f:
            f.write(content)
            f.close()
            content = bytes_.getvalue()
            compressed = True
    self.send_response(200)
    if compressed:
      self.send_header('content-encoding', 'gzip')
    self.send_header('content-length', len(content))
    self.end_headers()
    self.wfile.write(content)

  def log_message(self, format, *args):
    print("[{}] - {}:{} - {} {}".format(datetime.now().strftime("%m/%d/%Y %H:%M:%S"), self.client_address[0],self.client_address[1],args[0],args[1]))

TCPServer(('0.0.0.0', 80), Server).serve_forever()

Client Receives Data

The client receives the specific web content over HTTP and the web browser renders the HTML content