
Matt Hale
Director, School of Interdisciplinary Informatics
Director, NebraskaCYBER
Associate Professor of Cybersecurity
Server-side Development
CYBR 8470: Secure Web Application Development
slides.com/matthale/cybr8470-serverside
Today’s topics:
Conceptual overview
Architecture
Attack Vectors: types and where they occur
Case Study: Django
Django Basics
MVC in Django
Django Admin Package
Django REST Framework: Building an API
Django in Docker
Server Client Architecture
[Diagram: a JS App (client) exchanges HTTP Requests (GET/POST/PUT/DELETE) and HTTP Responses with the Server; on the server side sit the Application, the Database Server and the FileSystem/OS, connected over the LAN via TCP or UDP.]
Server-client Attack Vectors
[Diagram: the same architecture (JS App, HTTP Request/Response, Server, Application, Database Server, FileSystem/OS, LAN over TCP or UDP) annotated with where attack vectors occur: Denial of Service (DoS/DDoS), Session Attacks, DB Injection, Privilege Escalation, Command Execution, File Disclosure, XSS Attacks.]
Server-client Attack Vectors
We will talk more about defending against these attacks moving forward, and you will mitigate them by hardening an API and an application server such as Apache or NGINX.
Case Study: Django
Django Server Client Architecture
[Diagram: the JS App sends a request to NGINX/APACHE, which passes it through mod_wsgi to the Django Application; the application checks for a matched URL pattern, whether data is needed (from the Database Server or the FileSystem/OS), and renders a response, which is sent back through mod_wsgi for the JS App to receive.]
Django Basics
A high-level web framework
Automates key web development patterns
Provides a framework so you can focus on keeping code clean and efficient
Model-View-Controller pattern, keep it separate!
Model (data abstraction, translatable to database objects)
Views (encapsulate business logic; bad name, these are actually the controllers in Django)
URLs (map a URL pattern to a particular view, acts as a top-down router)
Templates (specify presentation format; these are basically the ‘view’ layer)
Django: Models
Model → Database Table
Model Instance → Database Record
Database-abstraction API via object-relational mapping (ORM)
Helps avoid boilerplate database code, e.g. MySQLdb.connect(params=values)
See django model documentation: https://docs.djangoproject.com/en/4.2/topics/db/models/
Django: Views (remember these are controllers)
A simple View: An alternate view, utilizing the Django template system:
See django view documentation: https://docs.djangoproject.com/en/4.2/topics/http/views/
Django: Views and simple queries
Accessing an object and raising a 404 if it doesn’t exist
Uses some model named “Poll” with the “get” query, with primary key “pk” = poll_id
Note: “get” returns one item; use “filter” for sets of items
Where does poll_id come from? The URLs
See django view documentation: https://docs.djangoproject.com/en/4.2/topics/http/views/
Django: URLconf
The ‘Table of Contents’ of your web site
Mapping between URL patterns and the view functions that handle those URLs
Regular expressions are used to specify patterns (don’t be afraid if you don’t know regex though)
See django url documentation: https://docs.djangoproject.com/en/4.2/topics/http/urls/
Django: The poll detail example
A request comes in for URL /app_name/polls/detail/12
Search the URLconf for a matching pattern
Match the second pattern, send to the app_name.views.detail view function
Passes the HttpRequest object and poll_id, represented by one or more digits
The view performs business logic and returns an HttpResponse object
That’s great! But what does a template look like?
Templates
Placeholder variables
Basic logic (template tags)
Formatting variables (filters)
See django template documentation: https://docs.djangoproject.com/en/4.2/topics/templates/
Since the web user interfaces you build in this class will be client-side apps (Ember), you usually only need a server-side web app to host an API, so you probably won’t need Django templates.
Django: Bonus
Admin interface
Django Packages: reusable apps, tools and more
If you can think of something, it’s probably already been done
Use and re-use libraries; don’t reinvent the wheel if you don’t need to
Building a REST API in Django
Django REST Framework
Django REST Framework
Serializers
Views / class-based views / viewsets
Router, simple URLs
Multiple methods: GET/POST/PUT/DELETE
Auto-documenting browsable API in markdown
Clear separation of code
Django REST Framework
Serializer
Maps to a model or data type
Automagically serializes Python data to JSON
Specify which fields to use and any more advanced features
Can use pre-built components or write your own
More info: http://www.django-rest-framework.org/api-guide/serializers
Django REST Framework
Simple function-based views
Lowest-level way to dictate an API call
Highest amount of code
More prone to errors
Use only if you need to provide very specific functionality or for one-off use cases
Django REST Framework
Class-based views
Higher-level way to dictate an API call
Better way to group requests
Still requires effort to create each handler
More info: http://www.django-rest-framework.org/api-guide/views
Django REST Framework
Viewsets
Very high-level way of dictating API calls
DRF automagically generates multiple views that map to GET, POST, etc.
This is the “quick and easy” way to get an API up.
Benefits from convention, but you need to understand what you get out of the box in order to secure it.
Off-the-shelf methods can be overridden to your specification; a good way to introduce security features
Django REST Framework
More on Viewsets
queryset maps to a set of database models
creates views to handle GET/POST/ETC requests to /contentitems/ and /contentitems/
More info: http://www.django-rest-framework.org/api-guide/viewsets
Django REST Framework
Wiring the API with URLs
Viewsets can be customized
Use a router for connecting viewsets to URLs
Can use view mapping for class-based views
Can use basic URLs for function-based views
Django REST Framework
Wiring the API with URLs: Using the Router
prefix is specified in the .register call, e.g. router.register(r'contentitems', views.ContentItemViewSet)
methodname is a custom method detailed in the viewset
lookup is the primary key or other unique field that identifies one instance
More info: http://www.django-rest-framework.org/api-guide/routers
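A toy router, added here as an example (not code from the slides, Django or DRF), that ties together the poll-detail URLconf walkthrough above and the router.register(prefix, viewset) wiring: it shows the top-down pattern search, the get-or-404 view idiom, and why overriding an off-the-shelf viewset method (here get_queryset) is where a security control belongs. Http404, PollViewSet, OwnerPollViewSet, register and resolve are constructed stand-ins, and requests are plain dicts with a "user" key.

```python
import re
POLLS = {12: {"id": 12, "owner": "alice"}, 13: {"id": 13, "owner": "bob"}}  # constructed rows

class Http404(Exception):
    pass

def get_object_or_404(rows, pk):
    # The page's view idiom: 'get' returns exactly one item or raises a 404.
    try:
        return rows[int(pk)]
    except (KeyError, ValueError):
        raise Http404(f"no object with pk={pk}")

def detail(request, poll_id):  # function view; poll_id comes from the URLconf match
    return {"status": 200, "body": get_object_or_404(POLLS, poll_id)}

class PollViewSet:
    queryset = POLLS  # 'out of the box': every row is visible to every caller
    def get_queryset(self, request):
        return self.queryset
    def list(self, request):
        return {"status": 200, "body": list(self.get_queryset(request).values())}
    def retrieve(self, request, pk):
        return {"status": 200, "body": get_object_or_404(self.get_queryset(request), pk)}

class OwnerPollViewSet(PollViewSet):
    # Override the off-the-shelf method to add a control: scope rows to the caller.
    def get_queryset(self, request):
        return {k: v for k, v in self.queryset.items() if v["owner"] == request["user"]}

def register(prefix, viewset):
    # Router: one registration yields a list route and a detail (lookup) route.
    vs = viewset()
    return [(rf"^{prefix}/$", {"GET": vs.list}),
            (rf"^{prefix}/(?P<pk>[^/.]+)/$", {"GET": vs.retrieve})]

urlpatterns = [(r"^app_name/polls/detail/(?P<poll_id>\d+)$", {"GET": detail})]  # URLconf, top-down
urlpatterns += register("polls", PollViewSet) + register("mypolls", OwnerPollViewSet)

def resolve(method, path, request):
    for pattern, handlers in urlpatterns:
        match = re.match(pattern, path)
        if match and method not in handlers:
            return {"status": 405, "body": "method not allowed"}
        if match:
            try:
                return handlers[method](request, **match.groupdict())
            except Http404 as exc:
                return {"status": 404, "body": str(exc)}
    return {"status": 404, "body": "no URL pattern matched"}
```

Compare resolve("GET", "polls/12/", {"user": "bob"}) with resolve("GET", "mypolls/12/", {"user": "bob"}): the default viewset hands bob alice's row, while the overridden one answers 404.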
Django REST Framework
Auto-magical Documentation
Whatever pydoc comments you make are translated using markdown into HTML automagically
Django REST Framework
Self-documenting browsable API
Use detail_route() and list_route() for non-standard API functions (newer DRF releases replace both with the @action decorator)
Django app in Docker (live demo)
Questions?
Matt Hale, PhD
University of Nebraska at Omaha
Associate Professor of Cybersecurity
mlhale@unomaha.edu
X: @mlhale
© 2015-2023 Matthew L. Hale