Web applications are essential to the modern internet, providing the backbone for many services we use daily. Understanding the basics of web applications and the technologies involved is crucial for anyone interested in building them, working with them, or, in our case, performing security testing or penetration testing against them. This blog covers the main frameworks, libraries, and programming languages used in web development, the skills required, and the key concepts you need for a solid understanding of the topic.
1. Learning Web Applications
What’s a web application?
A web application is software that runs on a web server and is accessed through a web browser. Unlike traditional desktop applications, web apps don’t require installation on the user’s device and can be accessed from anywhere with an internet connection.
2. Web Development Core Components
Development of web applications can be divided into three main areas:
Front-End Development: This is the part of the application that users interact with directly, the user interface (UI). Key technologies include:
- HTML (Hypertext Markup Language): It structures content on the web.
- CSS (Cascading Style Sheets): Styles and layouts web pages.
- JavaScript: Adds interactivity and dynamic behavior to web pages. Popular frameworks include React, Angular and Vue.js.
Back-End Development: This covers server-side logic and database interactions. Common programming languages include:
- Node.js (JavaScript runtime)
- Python
- Ruby
- PHP
- Java
Application data is stored in databases such as MySQL, PostgreSQL and MongoDB.
Full-Stack Development: A combination of front-end and back-end skills, so that a developer can build an application from front to back.
3. Frameworks and Libraries
Frameworks and libraries make development easier by providing pre-written code for common tasks. Some of the commonly used frameworks and libraries for building web applications are:
Front-End Frameworks:
- React: A library for building User Interfaces in JavaScript.
- Angular: A platform for building mobile and desktop web applications.
- Vue.js: A progressive framework for building user interfaces.
Back-End Frameworks:
- Express.js (for Node.js): A minimal and flexible Node.js web application framework.
- Django (for Python): A high-level Python web framework that promotes rapid prototyping.
- Ruby on Rails: A Ruby-based server-side web application framework.
4. Programming Skills Required
To develop web applications effectively, one certainly needs some programming skills. The following outlines some of the knowledge required to build a web application. Take this list with a grain of salt; it is not a comprehensive or exhaustive list.
- Basic Knowledge of HTML, CSS, and JavaScript: A must-have for front-end development.
- Understanding of Server-Side Languages: The ability to work with at least one back-end language (e.g. reactorJS, Python).
- Database Management Skills: Familiarity with SQL or NoSQL databases.
- Version Control Systems: Knowledge of Git for tracking changes in code.
5. Key Concepts (Web APIs)
To get a better understanding of web application pentesting, we must understand two main concepts.
1. HTTP Protocol: The core of web data communication. Because HTTP governs the requests and responses between clients and servers, it’s important to understand how it works. We discussed this in detail in the first blog of this series.
2. APIs (Application Programming Interfaces): These allow multiple software components to communicate with each other. One common use case is RESTful APIs that let front-end and back-end systems interact.
Now that we understand what an API is, let’s look at the two main API styles most commonly used to build web applications.
REST vs. SOAP: A Closer Look
When discussing APIs, two prominent styles emerge: SOAP (Simple Object Access Protocol) and REST (Representational State Transfer). They are quite different, though, and have different use cases.
5.1 Representational State Transfer (REST)
REST is an architectural style that uses HTTP methods to perform operations on resources addressed by URIs (Uniform Resource Identifiers). Its popularity comes from being simple and flexible.
Key Features:
- Data Formats: REST supports a multitude of data formats, such as JSON, XML, HTML, and plain text; JSON is the most common because it is so lightweight.
- Stateless Operations: Each request from the client to the server must carry all the information necessary to understand and handle it; the server keeps no client state between requests. This statelessness simplifies server design.
- Caching: Responses from a RESTful API can be cached to boost performance and reduce load on the server.
When to Use REST:
It is a simple object access protocol (enjoy the irony if you wish).
Security Measures in REST APIs
REST APIs, unlike SOAP, have no built-in security mechanism of their own. Instead, they rely on external measures for securing communications:
- HTTPS: Encrypts data in transit, protecting it from eavesdropping and man-in-the-middle attacks.
- OAuth 2.0 and JWT (JSON Web Tokens): Commonly used for authentication and authorization.
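To make the REST side concrete, here is an added example (not code from the original post) of how a stateless REST endpoint validates a JWT bearer token before authorizing a request: it pins the signing algorithm, checks the HMAC signature in constant time, and enforces expiry and scope. It assumes a shared HS256 secret (the constructed DEMO_SECRET) and uses only the Python standard library; a production service would use a maintained JWT library and HTTPS in front of it.

```python
import base64
import hashlib
import hmac
import json
import time

# Shared HMAC secret: a constructed demo value, never hard-code one in real code.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT the way an authorization server would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now=None):
    """Return the claims if the token is well-formed, correctly signed and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: a token claiming "none" or any other alg is rejected outright.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so a wrong signature leaks no timing information.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def authorize_request(authorization_header, secret: bytes, required_scope: str, now=None) -> bool:
    """The check a stateless REST endpoint runs on every request's Authorization header."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False
    claims = verify_token(authorization_header[len("Bearer "):], secret, now)
    return claims is not None and required_scope in str(claims.get("scope", "")).split()
```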
5.2 SOAP (Simple Object Access Protocol)
SOAP is a protocol designed specifically for exchanging structured information between web services. It uses XML as its message format and is known for its strict standards.
Key Features:
- Protocol-Based: Unlike REST, SOAP is a protocol that defines rules for structuring messages, which makes it more rigid.
- WSDL (Web Services Description Language): SOAP services are often specified through WSDL, a machine-readable definition of how the service is accessed.
- Built-in Security: SOAP supports WS-Security, which provides message-level security.
When to Use SOAP:
- Best suited for enterprise-level applications with high security, high reliability and transactional requirements.
- Best suited for complex operations that require tight standards.
Security Measures in SOAP API
SOAP APIs have built-in security with the help of WS-Security. This specification provides a framework for securing SOAP messages by implementing:
- XML Encryption: Encrypts the XML data, protecting the confidentiality of the message.
- Digital Signatures: Provide authentication and message integrity by giving the sender a way to sign the message.
- SAML Tokens: Provide a standard way to carry user authentication and authorization information.
As a result, SOAP APIs are inherently more secure in environments with a large volume of sensitive data transactions, for example financial services or healthcare.
5.2.1 Understanding WSDL in SOAP
WSDL stands for Web Services Description Language. It is an XML-based language that describes the functionality offered by a SOAP web service. WSDL files serve as contracts between service providers and consumers, detailing how to communicate with the service.
5.2.1.1 Components of WSDL
A typical WSDL document includes several key elements:
- Types: Defines the data types used in the messages exchanged between client and server.
- Messages: Represents the abstract definition of the data being transmitted.
- Port Types: Defines a collection of operations supported by the service.
- Bindings: Specifies the protocols and data formats used for communication.
- Services: Groups together related ports, providing access points for clients.
5.2.1.2 Importance of WSDL
WSDL promotes interoperability by providing a standardized format that allows different software applications to communicate regardless of their underlying technology or programming language. This self-description capability simplifies integration efforts between disparate systems.
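As an added example, not from the original post, the following Python walks a constructed WSDL for a fictional order service and pulls out the messages, port types, bindings and service endpoints described above; the same walk is what a defender uses to inventory which operations and endpoints a published contract exposes. The WSDL sample, the example.invalid host and the summarize_wsdl function are all assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
SOAP = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed sample contract for a fictional order service (example.invalid is a reserved name).
SAMPLE_WSDL = """<definitions name="OrderService" targetNamespace="http://example.invalid/orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://example.invalid/orders" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="GetOrderRequest"><part name="orderId" type="xsd:string"/></message>
  <message name="GetOrderResponse"><part name="order" type="xsd:string"/></message>
  <portType name="OrderPortType">
    <operation name="GetOrder">
      <input message="tns:GetOrderRequest"/><output message="tns:GetOrderResponse"/>
    </operation>
  </portType>
  <binding name="OrderBinding" type="tns:OrderPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:GetOrder"/></operation>
  </binding>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="https://example.invalid/soap/orders"/>
    </port>
  </service>
</definitions>"""


def summarize_wsdl(wsdl_text):
    """Walk the message, portType, binding and service elements and return what the contract exposes."""
    # For a WSDL fetched from an untrusted source, parse it with defusedxml instead of ElementTree.
    root = ET.fromstring(wsdl_text)
    tag = lambda name: f"{{{WSDL}}}{name}"  # namespace-qualified WSDL element name
    messages = {m.get("name"): [p.get("name") for p in m.findall(tag("part"))]
                for m in root.findall(tag("message"))}
    port_types = {pt.get("name"): [op.get("name") for op in pt.findall(tag("operation"))]
                  for pt in root.findall(tag("portType"))}
    bindings = {b.get("name"): {"type": b.get("type"),
                                "soapActions": [o.get("soapAction") for o in b.iter(f"{{{SOAP}}}operation")]}
                for b in root.findall(tag("binding"))}
    endpoints = {}
    for svc in root.findall(tag("service")):
        for port in svc.findall(tag("port")):
            addr = port.find(f"{{{SOAP}}}address")
            endpoints[f"{svc.get('name')}/{port.get('name')}"] = {
                "binding": port.get("binding"),
                "location": None if addr is None else addr.get("location")}
    return {"messages": messages, "portTypes": port_types, "bindings": bindings, "endpoints": endpoints}
```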
5.3 Other API Alternatives
In addition to REST and SOAP, there are other alternatives like GraphQL and gRPC:
GraphQL: Lets clients request exactly the data they need, avoiding over-fetching and under-fetching. It is more flexible than REST, but has a steeper learning curve.
gRPC: A high-performance RPC framework that uses Protocol Buffers for serialization. It is a good fit for microservices, provided your team is comfortable with its specific syntax.
6. Conclusion
While people oftentimes think about the internet as a tool used for fun, web applications have revolutionized how we pay bills, stay in touch with friends and family, and in many ways, make the internet a fundamental part of everyday life. These apps are powered by APIs like REST and SOAP that allow continuous communication between systems.
REST is simple, flexible, and great for web and mobile apps, while SOAP offers strong security for enterprise needs. The tools and technologies you choose are what will help you build secure, scalable apps.
It’s true: the best way to predict the future is to make it. Learn the basics, go find new technologies, and start building something awesome today!