The Application Layer Flashcards

1
Q

What is the application layer?

A

The application layer is not the application itself, but rather a set of protocols which provide communication services to applications.

2
Q

What do application layer protocols focus on?

A

Application layer protocols rely on the protocols at the layers below them to ensure that a message gets to where it is supposed to, and focus instead on the structure of that message and the data that it should contain.

3
Q

What are the protocols used at the application layer?

A

There are many different application layer protocols for different use cases, including HTTP, SMTP, FTP, etc.

4
Q

What is a URI?

A

A Uniform Resource Identifier (URI) is a string of characters which identifies a particular resource.

5
Q

What is HTTP?

A

Hypertext Transfer Protocol (HTTP) is the set of rules which provide uniformity to the way resources on the web are transferred between applications.

6
Q

What model of communication does HTTP use?

A

HTTP follows a simple model where a client makes a request to a server and waits for a response. Hence, it’s referred to as a request-response protocol.

7
Q

What is DNS?

A

The Domain Name System provides a way to look up unknown server IP addresses.

8
Q

What steps does DNS use?

A
  1. Enter a URL like http://www.google.com into your web browser’s address bar.
  2. The browser creates an HTTP request, which is packaged up and sent to your device’s network interface.
  3. If your device already has a record of the IP address for the domain name in its DNS cache, it will use this cached address. If the IP address isn’t cached, a DNS request will be made to the Domain Name System to obtain the IP address for the domain.
  4. The packaged-up HTTP request then goes over the Internet where it is directed to the server with the matching IP address.
  5. The remote server accepts the request and sends a response over the Internet back to your network interface which hands it to your browser.
  6. Finally, the browser displays the response in the form of a web page.
9
Q

What does it mean for a protocol to be stateless?

A

A protocol is said to be stateless when it’s designed in such a way that each request/response pair is completely independent of the previous one. HTTP is a stateless protocol.

10
Q

What effect is caused by HTTP being stateless?

A

Because of HTTP’s statelessness, it is challenging to build stateful web applications.

11
Q

What is a URL?

A

A Uniform Resource Locator, or URL, is the most frequently used part of the general concept of a Uniform Resource Identifier, or URI, and specifies how resources are located.

12
Q

What are the components of the URL:
HTTP://www.example.com:88/home?item=book

A
  • http: The scheme. It always comes before the colon and two forward slashes and tells the web client how to access the resource. In this case it tells the web client to use HTTP to make a request.
  • www.example.com: The host. It tells the client where the resource is hosted or located.
  • :88: The port or port number. It is only required if you want to use a port other than the default.
  • /home: The path. It shows what local resource is being requested. This part of the URL is optional.
  • ?item=book: The query string, which is made up of query parameters. It is used to send data to the server. This part of the URL is also optional.
13
Q

What are query strings?

A

A query string is used to send data to the server as part of the URL.

14
Q

What is URL encoding?

A

URLs are designed to accept only certain characters in the standard 128-character ASCII character set. Reserved or unsafe ASCII characters have to be encoded.

URL encoding replaces these non-conforming characters with a % symbol followed by two hexadecimal digits that represent the equivalent UTF-8 character.

15
Q

What are the limitations of query strings?

A
  • Query strings have a maximum length. Therefore, if you have a lot of data to pass on, you will not be able to do so with query strings.
  • The name/value pairs used in query strings are visible in the URL. For this reason, passing sensitive information like username or password to the server in this manner is not recommended.
  • Space and special characters like & cannot be used with query strings. They must be URL encoded, which we’ll talk about next.
16
Q

When must characters be URL encoded?

A
  1. They have no corresponding character within the standard ASCII character set. Note that this means all extended ASCII characters as well as 2-, 3-, and 4-byte UTF-8 characters.
  2. The use of the character is unsafe since it may be misinterpreted or modified by some systems. For example, % is unsafe since it is used to encode other characters. Other unsafe characters include spaces, quotation marks, the # character, < and >, { and }, [ and ], and ~, among others.
  3. The character is reserved for special use within the URL scheme. Some characters are reserved for a special meaning; their presence in a URL serves a specific purpose. Characters such as /, ?, :, @, and & are all reserved and must be encoded. For example, & is reserved for use as a query string delimiter. : is also reserved to delimit host/port components and user/password.
17
Q

What are the 2 main HTTP request methods?

A

GET & POST

18
Q

What is a GET request used for?

A
  • GET requests are used to retrieve a resource, and most links are GETs.
  • The response from a GET request can be anything, but if it’s HTML and that HTML references other resources, your browser will automatically request those referenced resources. A pure HTTP tool will not.
19
Q

What is an HTTP POST request used for?

A

POST is used when you want to initiate some action on the server, or send data to a server.

The HTTP body contains the data that is being transmitted in an HTTP message and is optional. You can think of the body as the letter enclosed in an envelope, to be posted.

20
Q

What are HTTP headers?

A

HTTP headers allow the client and the server to send additional information during the HTTP request/response cycle. Headers are colon-separated name-value pairs that are sent in plain text. For example, when you click a button to submit a form, your browser issues an initial POST request, gets a response with a Location header, then issues another request without any action from you, then displays the response from that second request.

21
Q

What is a response status code?

A

The status code is a three-digit number that the server sends back after receiving a request, signifying the status of the request.

22
Q

What is response code 302?

A

This happens when the resource has been moved.

23
Q

What is response code 404?

A

Resource not found.

24
Q

What is response code 500?

A

Internal server error

25
Q

What are response headers?

A

Response headers offer more information about the resource being sent back. Common headers include location, server, and content-encoding.

26
Q

What is a cookie?

A

Cookies, or HTTP cookies, are small files stored in the browser that contain the session information. The actual session data is stored on the server, but the client-side cookie is compared with the server-side session data on each request to identify the current session.

27
Q

How are cookies established?

A

When you first access a website, the response will include a Set-Cookie header. This sets the cookie, which will be sent back with each subsequent GET request.

28
Q

Where is session data stored?

A

Session data is generated and stored on the server side, and the session ID is sent to the client in the form of a cookie. That cookie is sent back and used as a “key” to the session data stored server side.

29
Q

What is AJAX? why is it useful?

A

Asynchronous JavaScript and XML. When AJAX is used, all requests sent from the client are performed asynchronously. Instead of the browser refreshing and processing the response, the response is processed by a callback function, which is usually some client-side JavaScript code.

30
Q

What is HTTPS?

A

HTTPS sends messages through a cryptographic protocol called TLS for encryption. These cryptographic protocols use certificates to communicate with remote servers and exchange security keys before data encryption happens.

31
Q

What is the Same-Origin Policy?

A

Same-origin policy permits unrestricted interaction between resources originating from the same origin, but restricts certain interactions between resources originating from different origins. By origin, we mean the combination of the scheme, host, and port.

What is typically restricted are cross-origin requests where resources are being accessed programmatically using APIs such as XMLHttpRequest or fetch.

This is an important defense against session hijacking.

32
Q

What is Session Hijacking?

A

Session hijacking takes place when an attacker gets hold of a session ID, allowing them to access the web application as that user.

33
Q

How can we defend against session hijacking?

A
  • resetting sessions. With authentication systems, this means a successful login must render an old session id invalid and create a new one. With this in place, on the next request, the victim will be required to authenticate. At this point, the altered session id will change, and the attacker will not be able to have access. Most websites implement this technique by making sure users authenticate when entering any potentially sensitive area, such as charging a credit card or deleting the account.
  • setting an expiration time on sessions. Expiring sessions after, say, 30 minutes gives the attacker a far narrower window to access the app.
  • using HTTPS across the entire app to minimize the chance that an attacker can get to the session id.
34
Q

What is Cross-Site Scripting?

A

XSS happens when you allow users to input HTML or JavaScript that ends up being displayed by the site directly. If not sanitized or escaped, user input will be injected into the page contents, and the browser will interpret the HTML and JavaScript and execute it.

35
Q

How can we defend against cross-site scripting?

A
  • sanitizing user input. This is done by eliminating problematic input, such as <script> tags, or by disallowing HTML and JavaScript input altogether.
  • Escaping all user input data when displaying it. If you do need to allow users to input HTML and JavaScript, then when you print it out, make sure to escape it so that the browser does not interpret it as code.
36
Q

What is the difference between HTTP and TCP/IP?

A

HTTP is actually relying on a TCP/IP connection. HTTP operates at the application layer and is concerned with structuring the messages that are exchanged between applications; it’s actually TCP/IP that’s doing all the heavy lifting and ensuring that the request/response cycle gets completed between your browser and the server.

37
Q

What are the 3 primary pieces of server side infrastructure?

A
  • web server: typically a server that responds to requests for static assets: files, images, CSS, JavaScript, etc. These requests don’t require any data processing, so they can be handled by a simple web server.
  • application server: typically where application or business logic resides, and where more complicated requests are handled. This is where your server-side code lives when deployed.
  • data store: like a relational database, used to retrieve or create data. Data stores can also be simple files, key/value stores, document stores, etc., and are used to persist our data between stateless request/response cycles.