Web applications are usually built with a three-tier model: a Presentation tier, an Application tier, and a Data tier. Building applications in a modular way such as this allows each tier to be modified, updated, or replaced independently as requirements change.
Presentation Tier
The Presentation Tier provides the user interface through which an individual interacts with the application. This tier typically runs in a web browser and utilises languages such as HTML, CSS, and JavaScript.
Application Tier
The Application Tier contains the logic of the application and provides its functionality by performing detailed processing based on user input. It acts as an intermediary between the user and the underlying database, processing requests and returning the data the user has asked for.
Data Tier
The Data Tier provides a method for the Application Tier to access persistent data stored in a database or on a file server. This data is stored independently of the Application and Presentation tiers and is accessible only through the Application Tier; the browser never talks to the database directly.
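As an added illustration of the three tiers (not code from the original page), here is a minimal one-file layout in Python. An in-memory SQLite database stands in for the data tier; the table, the product rows and the function names are all assumed for the example. The point to notice is where the security-relevant work sits: the application tier validates the user-supplied id before the data tier ever sees it and passes it to the query as a bound parameter, and the presentation tier escapes whatever the database returns before rendering it. The browser's only route to the data is through get_product.

```python
"""Minimal three-tier layout in one file (added example; names and data are assumed)."""
import html
import sqlite3
from typing import Optional

# ---- Data tier: owns the database and exposes only fixed, parameterised queries. ----
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_pence INTEGER)")
_db.executemany(
    "INSERT INTO products VALUES (?, ?, ?)",
    [(15, "Blue widget", 1299), (16, "Red <b>widget</b>", 1499)],  # constructed sample rows
)


def fetch_product(product_id: int) -> Optional[dict]:
    # The id is bound as a value, never spliced into the SQL text.
    row = _db.execute(
        "SELECT id, name, price_pence FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    if row is None:
        return None
    return {"id": row[0], "name": row[1], "price_pence": row[2]}


# ---- Application tier: validates the user's input, then calls the data tier. ----
def get_product(raw_id: str) -> dict:
    # raw_id arrives as text from the query string (product.asp?id=15 in the text above).
    if not raw_id.isdecimal():
        raise ValueError(f"product id must be a positive integer, got {raw_id!r}")
    product = fetch_product(int(raw_id))
    if product is None:
        raise LookupError(f"no product with id {raw_id}")
    return product


# ---- Presentation tier: turns the application tier's answer into HTML. ----
def render_product(product: dict) -> str:
    # Escape on output so a product name containing markup is displayed, not interpreted.
    price = f"{product['price_pence'] / 100:.2f}"
    return f"<h1>{html.escape(product['name'])}</h1><p>Price: {price}</p>"


def handle_product_page(raw_id: str) -> str:
    # The browser's only path to the database runs through get_product.
    try:
        return render_product(get_product(raw_id))
    except (ValueError, LookupError) as exc:
        return f"<p>Error: {html.escape(str(exc))}</p>"


if __name__ == "__main__":
    print(handle_product_page("15"))
    print(handle_product_page("16"))
    print(handle_product_page("15 OR 1=1"))
```

handle_product_page("15") returns the rendered page for product 15, while handle_product_page("15 OR 1=1") is rejected in the application tier before any query runs; the data tier has no code path that accepts SQL text from a caller.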
Client/server communication is the process of the web browser (the client) interacting with the web application (the server). Web applications use HTTP (Hypertext Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Secure), which is HTTP carried over an encrypted TLS connection.
HTTP allows users to request information from a web server and process the response, which is then rendered by the browser. As such, the words “Request” and “Response” are key terminology when discussing web application communication.
When interacting with a web application, a user can make a range of requests. The most common are GET and POST requests: actions triggered by the user and sent to the server to process. The two structure the data sent to the server slightly differently, as a GET request is used to retrieve a resource from the server whereas a POST request is used to submit data that the server will then process.
GET is the default HTTP method and is what a browser uses to retrieve data from an application. GET request parameters are visible in the URL (and therefore also end up in browser history, proxy logs and server logs), e.g.
www.e-shop.com/product.asp?id=15
As can be seen in the URL, a user of the e-shop website is requesting the page for the product with ID 15. The underlying request would look something like the following:
GET /product.asp?id=15 HTTP/1.1
Host: www.e-shop.com
POST requests are sent when the user is creating or updating a resource. These requests carry data in the “body” of the request rather than in the URL, with headers telling the server how the body is encoded and how long it is. The underlying request to add product 15 at e-shop to a shopping basket may look like the following:
POST /cart/listing.asp HTTP/1.1
Host: www.e-shop.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

productID=15&quantity=1&BasketID=12
This would add 1 copy of product 15 to the user’s basket (in this instance their BasketID is 12). Although the body is not shown in the URL, it is just as much under the user's control as a GET parameter and can be edited with an intercepting proxy before it reaches the server, so neither location makes the data trustworthy.
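The two requests above, run through a small hand-rolled HTTP/1.1 request parser. This is an added example, not code from the original page; the sample requests are constructed to match the e-shop ones in the text (with the Content-Type and Content-Length headers a browser sends on a form POST). It shows the one difference that matters here: GET parameters are read from the query string in the request line, POST form parameters from the body bounded by Content-Length. Both end up in the same kind of dictionary, because to the server they are the same thing, user-controlled input.

```python
"""Minimal raw HTTP/1.1 request parser (added example; sample requests are constructed)."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests mirroring the e-shop examples in the text.
GET_REQUEST = (
    "GET /product.asp?id=15 HTTP/1.1\r\n"
    "Host: www.e-shop.com\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /cart/listing.asp HTTP/1.1\r\n"
    "Host: www.e-shop.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 35\r\n"
    "\r\n"
    "productID=15&quantity=1&BasketID=12"
)


@dataclass
class Request:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)  # parameters taken from the URL
    form: dict = field(default_factory=dict)   # parameters taken from the body


def parse_request(raw: str) -> Request:
    # Headers end at the first blank line; everything after it is the body.
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end-of-headers marker")
    lines = head.split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError(f"malformed request line: {lines[0]!r}") from None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    parts = urlsplit(target)
    req = Request(method=method, path=parts.path, version=version, headers=headers)
    # GET parameters live in the query string of the request line.
    req.query = parse_qs(parts.query, keep_blank_values=True)
    # POST form parameters live in the body; Content-Length says how much body to read.
    if method == "POST":
        length = int(headers.get("content-length", len(body)))
        if length > len(body):
            raise ValueError("truncated body: Content-Length exceeds data received")
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            req.form = parse_qs(body[:length], keep_blank_values=True)
    return req


if __name__ == "__main__":
    print(parse_request(GET_REQUEST))
    print(parse_request(POST_REQUEST))
```

Run stand-alone it prints both parsed requests. The Content-Length check is there because a body shorter than the header claims is a truncated or malformed request, and a server must fail it rather than guess at the missing bytes.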
Web vulnerabilities can be divided into client-side and server-side attacks, defined by whether the target of the attack is the end user (the client) or the server itself. Either can be used as a route to compromising a website, but the techniques differ.