Application Security Testing: An Integral Part of DevOps
Environment: VC6 SP4, NT4 SP3, Win 2000
- Introduction of networking programming
- The Chat Room Application ( for the impatient, click here!)
The most popular networking architecture is the client_ server model. The Client and the Server are software Applications: The server provides the services while the Client forwards the request for the user and get the services (response) from the Server.
The most important concept is properly the "Socket". Socket is like some point attached to both Client and Server side. Through the socket on the Server, the Client sends a request to the server and receives responses from the server. Through the socket on the client, the server gets the request from the client and sends the responds to the client.
The Socket plays like an agency. So, what is inside a socket? Socket is a data structure. Obviously, taking the connect oriented network as an example, we need to know at least the IP address and Port* of the remote machine that we want to connect .
(NOTE: We cant say most networking programs use the TCP/IP protocol sets, but many do. When TCP/IP is employed, we must have it in mind that TCP/IP transportation layer use PORT to interact with applications. Actually, many well known applications have default ports:
- DAYTIME (13)
- FTP (21)
- TELNET (23)
- SMTP (25)
- TIMESERVER (37)
- NAMESERVER (42)
- WHOIS (43)
- FINGER (77)
- WEBSERVER (80)
They are called well_known ports . If you are developing a FTP server/Client, youd better use 21 as your applications port.)
When Socket was developed in Berkerly by Bill Joy or Winsock developed in Microsoft by some other big shots, the details of communication between socket and TCP/IP were hided. Developers use socket to communicate with a remote computer , as a matter of fact, they are using the TCP/IP protocol sets without necessarily knowing them. One can only find some trial from the parameters like "AF_INET", "PF_INET", IP address.
Simple steps of using socket:
- WSAstartup; //that is the initial work to launch a socket programming;
- Socket_Handle = socket(protocol family, socket type,
protocol family : PF_INET; socket type: SOCK_STREAM (connect oriented) SOCK_DATAGRAM (connectless oriented) Protocol: IPPROTO_TCP
NOTE: We have allocated some space for the socket in the memory now, but its still empty.
- Construct a socket address data structure (SocketAddr)
, its members are including the IP address, ports and protocol type.
(For the client application ,for example, try to find out the local machines IP; If your client application is a web browser, the port would be 80, protocol is AF_INET).
- Bind. Use the function bind to combine step 2 and step 3 together, then the socket is no longer empty, it has something meaningful inside.
From here, Server and Client begin to differ in the following procedure: Take an example of connect oriented communication , things go like this:
We can see the on the client side, the "bind" is unnecessary. Once it's connected to a Server, it's socket address information can be thrived from the server.
Multithread is crucial in the networking programming.
For the client, while it's attempting to connect the server, surely you don't wait for the time idle by, but in a single thread application, you'll find it's "dead" in responding your action.( By the way, the TELNET program for Win98/NT is a bad example, which is obviously a single thread application, you can try moving it while it's performing the connection) .
While it's still workable for a single thread client, the Server must be a multithread one. Each secession with the client, each single connection, is a thread. They are all the worker threads attached to the server application. There would be conflict among the clients' connection if they don't have their own thread.
I have to say that there would be some other better technology stuff about the internet programming, actually you can also see an article about the chat room on http://www.codeguru.com/internet/UniTalk2.html with ATL. But I think this intuitive MFC implementation would suit most readers.
But not totally from ground up. I read David J. Kruglinski'sclassical "Inside visual C++" and used the thin_wrapped classes of raw internet API from his book. I'm not sure if it's better than the ones provided by MFC as declared , but it works well.
There are actually two applications: Server and Client. You have to launch the server first, then distribute your client copies to other machines.
NOTE: You have to modify the client's code manually : change the server's IP address string to your own server's address ( in the beginning of "Utility.cpp" of Client project, see the comment there) before compiling it.
If you don't know what your server's IP address is, select server's menu : Connection/Local IP Address .
Several things have to be attended when you are playing the "Chat room":
- The server must be launched first, select the menu "connection/start server", then goes the Client;
- As soon as the Client is launched, it's attempting to connect the server;
- Login with an user name;
- Begin to talk, you can use the RETURN key instead of the "Go!" button, it's more efficient.
This application is far from perfect, for example, you can see it's not robust enough to prevent the simultaneously access of the global variables. I made it as simple as possible to be understood. Only the necessary implementations are preserved. I am improving it on my site from time to time. You are welcome to stop by www.geocities.com/sawyhandyee to see my progress.
Code (Just flowchart)
- Server loop: Listening->Get request ->Parse request->Form response->Send back;
- Client loop: Get response->Parse response->Send it to the appropriate controls to interact with the user.
Read the comments in the code for more details.