Web Services and Security

Internet and TCP/IP

  • Background lecture time
  • But the teacher didn't even turn on the subtitles, so it turned into a listening test QQ

HTTP:

  • Persistent but Stateless
  • not a whole conversation
  • just a line of message/request
  • Request and Response messages

  • [HTTPie](https://httpie.org): command-line tool designed for painless debugging of and interaction with HTTP servers, RESTful APIs, and web services

HTTP methods

  • Safety: the method never changes the resource
  • Idempotence: the method can be called many times without a different outcome

| HTTP method | Safety | Idempotence |
|-------------|--------|-------------|
| GET         | Y      | Y           |
| POST        | N      | N           |
| PUT         | N      | Y           |
| DELETE      | N      | Y           |
  • usage example:
    Google search uses the GET method.
    GET parameters are saved in the URL, so you can bookmark the search result.

HTTP status code

  • DON'T be lazy, look up the table

Before Happy (Coding) time ~ we first need

Introducing the cast 👏👏👏

Sinatra

  • Web Application Framework
  • Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort
    (The introduction really is that short; the official site's front page shows nothing but sample code)

run server

  • Execute a Rack-based web application as per config.ru

```ruby
rackup
```

Bundler

  • provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions that are needed.

install

```ruby
gem install bundler
```

execution

```ruby
bundle install
```
  • Gemfile.lock stores which version of each gem should be installed

execution(suggestion)

```ruby
bundle exec rake
```
  • ensures the following command is only run with the gems specified in Gemfile.lock

rake

  • Ruby make

simple example

task simple

```ruby
# Rakefile: `rake` with no arguments runs the :test task
task default: %w[test]

task :test do
  ruby "test/unittest.rb"
end
```

The real coding time~

I'll skip the Ruby syntax part.

model

  • An ordinary class
  • This time the spec requires implementing the following methods
    • initialize
    • save
    • find
    • all
    • to_json

controller

  • Must inherit from Sinatra::Base, otherwise Rack won't recognize it
  • requirements
    • get /resource : return an index of all resources
    • get /resource/id : return details of a specific resource
    • post : create a new resource
```ruby
require 'sinatra/base'

class ShareConfigurationsAPI < Sinatra::Base
  configure do
    # Configure Sinatra settings
  end

  get '/?' do
    # root route for anything
  end

  post '/api/v1/configurations/?' do
    # a post route
  end
end
```

Security Threats

Of course the current service is very simple and has many vulnerabilities.
Some are listed below; we will fix them one by one later.

  • Threat: Confidentiality

    • Stored resources could be stolen if the server is compromised
    • Vulnerability: User resources are not being encrypted
    • Vector: Attacker with access to server can read whole data store
  • Threat: Authorization, Authentication

    • Information about resources is not private
    • Vulnerability: App does not check if user is authorized to see resource
    • Vector: Anyone can access any data by knowing its public URL
  • Threat: Integrity, Bug

    • The random :id key generator could produce collisions
    • Vulnerability: the random key generator produces the same key for requests within a given second
    • Vector: send multiple POST '/resource' requests within the same second
  • Threat: Integrity

    • A user could destroy earlier resources
    • Vulnerability: the app does not check whether an :id key is being sent along with the POST request
    • Vector: send an :id along with the POST request to see if the app overwrites an earlier resource
  • Threat: All dimensions

    • Dependencies (gems) could have vulnerabilities
    • Vulnerability: gems could allow attacks (denial of service, remote code execution, etc.)
    • Vector: send a payload to a route that will likely invoke a particular dependency (gem)
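As an added example (not the course's or the post's own code), here is a minimal pure-Ruby model with the spec's initialize/save/find/all/to_json that fixes the two integrity issues above: the weak time-based id generator is shown beside a CSPRNG one, and save drops any client-supplied :id and refuses to overwrite an existing key. The class name Configuration, the helper names and the in-memory STORE are assumptions standing in for the real data store.

```ruby
require 'json'
require 'securerandom'

# Weak generator from the threat list: a wall-clock id repeats for every
# request in the same second, so two POSTs can collide.
def weak_id(now = Time.now)
  now.to_i.to_s
end

# Hardened generator: 128 random bits from the CSPRNG.
def strong_id
  SecureRandom.hex(16)
end

# Returns the ids that the generator produced more than once in n calls.
def duplicate_ids(generator, n)
  ids = Array.new(n) { generator.call }
  ids.group_by(&:itself).select { |_, v| v.size > 1 }.keys
end

class Configuration
  STORE = {} # constructed in-memory store standing in for the data directory

  attr_reader :id, :data

  # The server assigns the id; an :id sent in the request body is dropped so a
  # client cannot choose a key and overwrite an earlier resource.
  def initialize(data, id_generator: method(:strong_id))
    @data = data.reject { |k, _| k.to_s == 'id' }
    @id = id_generator.call
  end

  # Refuse to clobber an existing resource even if the generator collides.
  def save
    raise ArgumentError, "id collision: #{@id}" if STORE.key?(@id)
    STORE[@id] = self
  end

  def self.find(id)
    STORE[id]
  end

  def self.all
    STORE.values
  end

  def to_json(*args)
    { id: @id, data: @data }.to_json(*args)
  end
end
```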