Refine
Departments, institutes and facilities
Document Type
- Conference Object (13)
- Article (5)
- Lecture (2)
- Book (monograph, edited volume) (1)
- Part of a Book (1)
- Contribution to a Periodical (1)
- Doctoral Thesis (1)
Keywords
- HTTP (5)
- REST (4)
- security (4)
- web caching (3)
- SOA (2)
- Web (2)
- Authentication (1)
- Cache Poisoning (1)
- Cloud (1)
- CoAP (1)
WebSocket - WS^2 2.0
(2015)
Das Websocket-Protokoll hat sich derzeit zu einer wichtigen Technologie für die Entwicklung moderner Webanwendungen durchgesetzt. Mit der Möglichkeit eine dauerhafte bidirektionale Verbindung zwischen Client und Server aufzubauen, ergeben sich neue Anwendungsszenarien, die vorher mit dem reinen HTTP nicht realisierbar waren. Die Einsatzgebiete reichen hier von einfachen Chats bis hin zu komplexen Systemen wie das kollaborative Arbeiten an Dokumenten in Echtzeit. Mittlerweile hat sogar der Instant Messaging-Dienst WhatsApp die Vorteile der WebSocket-Technologie für sich entdeckt und erlaubt Benutzern ihre Nachrichten nun auch über den Webbrowser auszutauschen.
Dieser Workshop soll den Teilnehmern zeigen wie sie die oben genannten oder andere Echzeitwebanwendungen mit der WebSocket-Technologie implementieren können. Nach einer kurzen Einführung wird gezeigt wie es in einfachen Schritten möglich ist, mehr als nur simple Chat-Anwendungen mit den WebSocket-Protokoll zu realisieren. Zudem stellt der Workshop nach Möglichkeit auch die Verwendung von Subprotokollen vor, wodurch auch RPC- sowie Publish and Subscribe-Anwendungen mit WebSockets umgesetzt werden können.
With the digital transformation, software systems have become an integral part of our society and economy. In every part of our life, software systems are increasingly utilized to, e.g., simplify housework or to optimize business processes. All these applications are connected to the Internet, which already includes millions of software services consumed by billions of people. Applications which process such a magnitude of users and data traffic requires to be highly scalable and are therefore denoted as Ultra Large Scale (ULS) systems. Roy Fielding has defined one of the first approaches which allows designing modern ULS software systems. In his doctoral thesis, Fielding introduced the architectural style Representational State Transfer (REST) which builds the theoretical foundation of the web. At present, the web is considered as the world's largest ULS system. Due to a large number of users and the significance of software for society and the economy, the security of ULS systems is another crucial quality factor besides high scalability.
In education, finding the appropriate learning pace that fits to the members of a large group is a challenging task. This becomes especially evident when teaching multidisciplinary subjects such as epidemiology in medicine or computer science in most study programs, since lecturers have to face a very heterogeneous state of previous knowledge. Approaching this issue requires an individual supervision of each and every student, which is obviously bounded by the available resources. Moreover, when referring back to the second example, writing computer programs requires a complex installation and configuration of development tools. Many beginning programmers already become stuck at this entry stage. This paper introduces WHELP, a Web-based Holistic E-Learning Platform, which provides an integrated environment enabling the learning and teaching of computer science topics without the need to install any software. Moreover, WHELP includes an interactive feedback system for each programming exercise, where lecturers or tutors can supply comments, improvements, code assistance or tips helping the students to accomplish their tasks. Furthermore, WHELP offers a statistical analysis module as well as a real-time classroom polling system both promoting an overview of the state of knowledge of a course. In addition to that, WHELP enables collaborative working including code-sharing and peer-to-peer learning. This feature enables students to work on exercises simultaneously at distinct places. WHELP has been successfully deployed in the winter term 2013 at the Cologne University of Applied Sciences supporting the 120 students and 3 lecturers to learn and teach basic topics of computer science in an engineering study program.
Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems
(2021)
The web is the most wide-spread digital system in the world and is used for many crucial applications. This makes web application security extremely important and, although there are already many security measures, new vulnerabilities are constantly being discovered. One reason for some of the recent discoveries lies in the presence of intermediate systems—e.g. caches, message routers, and load balancers—on the way between a client and a web application server. The implementations of such intermediaries may interpret HTTP messages differently, which leads to a semantically different understanding of the same message. This so-called semantic gap can cause weaknesses in the entire HTTP message processing chain.
In this paper we introduce the header whitelisting (HWL) approach to address the semantic gap in HTTP message processing pipelines. The basic idea is to normalize and reduce an HTTP request header to the minimum required fields using a whitelist before processing it in an intermediary or on the server, and then restore the original request for the next hop. Our results show that HWL can avoid misinterpretations of HTTP messages in the different components and thus prevent many attacks rooted in a semantic gap including request smuggling, cache poisoning, and authentication bypass.
Dieses Buch führt Sie umfassend in die WebSocket-Technik und die damit einhergehenden neuen Entwicklungsmöglichkeiten ein. Unter den zahlreichen exemplarischen Anwendungen finden sich Beispiele auf Basis von Node.js, Vert.x, und JSR 356, als Programmiersprachen werden Java und JavaScript eingesetzt.
SOA-Readiness of REST
(2014)
Service Security Revisited
(2014)
Despite the lack of standardisation for building REST-ful HTTP applications, the deployment of REST-based Web Services has attracted an increased interest. This gap causes, however, an ambiguous interpretation of REST and induces the design and implementation of REST-based systems following proprietary approaches instead of clear and agreed upon definitions. Issues arising from these shortcomings have an influence on service properties such as the loose coupling of REST-based services via a unitary service contract and the automatic generation of code. To overcome such limitations, at least two prerequisites are required: the availability of specifications for implementing REST-based services and auxiliaries for auditing the compliance of those services with such specifications. This paper introduces an approach for conformance testing of REST-based Web Services. This appears conflicting at the first glance, since there are no specifications available for implementing REST by, e.g., t he prevalent technology set HTTP/URI to test against. Still, by providing a conformance test tool and leaning it on the current practice, the exploration of service properties is enabled. Moreover, the real demand for standardisation gets explorable by such an approach. First investigations conducted with the developed conformance test system targeting major Cloud-based storage services expose inconsistencies in many respects which emphasizes the necessity for further research and standardisation.
Web of Services Security
(2015)
Contemporary software is inherently distributed. The principles guiding the design of such software have been mainly manifested by the service-oriented architecture (SOA) concept. In a SOA, applications are orchestrated by software services generally operated by distinct entities. Due to the latter fact, service security has been of importance in such systems ever since. A dominant protocol for implementing SOA-based systems is SOAP, which comes with a well-elaborated security framework. As an alternative to SOAP, the architectural style representational state transfer (REST) is gaining traction as a simple, lightweight and flexible guideline for designing distributed service systems that scale at large. This paper starts by introducing the basic constraints representing REST. Based on these foundations, the focus is afterwards drawn on the security needs of REST-based service systems. The limitations of transport-oriented protection means are emphasized and the demand for specific message-oriented safeguards is assessed. The paper then reviews the current activities in respect to REST-security and finds that the available schemes are mostly HTTP-centered and very heterogeneous. More importantly, all of the analyzed schemes contain vulnerabilities. The paper contributes a methodology on how to establish REST-security as a general security framework for protecting REST-based service systems of any kind by consistent and comprehensive protection means. First adoptions of the introduced approach are presented in relation to REST message authentication with instantiations for REST-ful HTTP (web/cloud services) and REST-ful constraint application protocol (CoAP) (internet of things (IoT) services).
Damit IT-gestützte Produkte und Systeme vor unbefugter oder missbräuchlicher Nutzung wirksam geschützt sind, müssen sie mit Sicherheitsfunktionen ausgestattet sein, die benutzerfreundlich sind. Hierfür sind seitens der Entwickler sowohl Security- als auch Usability-Kenntnisse erforderlich. Da insbesondere Entwickler in kleinen und mittleren Unternehmen (KMU) oft nicht über tiefer gehende Kenntnisse in beiden Bereichen verfügen, bedürfen sie einer Unterstützung, z. B. in Form geeigneter Methoden und Werkzeuge. In diesem Beitrag werden ein Lösungsweg und eine Werkzeugsammlung vorgestellt, die Entwicklern in KMU dabei helfen, auf systematische Weise digitale Produkte und Systeme mit dem Qualitätsmerkmal Usable Security herzustellen.