Scribd
Upload
33 views

WebArchitectur Interview

This document provides a brief overview of SSL/TLS and cookies for managing state in HTTP. It explains that SSL was created to encrypt the transport layer and acts as a wrapper for HTTP, securing communication without changing the underlying request-response protocol. Cookies were introduced to address the stateless nature of HTTP, allowing servers to recognize users across multiple requests.

Uploaded by

api-3777069
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
33 views

WebArchitectur Interview

This document provides a brief overview of SSL/TLS and cookies for managing state in HTTP. It explains that SSL was created to encrypt the transport layer and acts as a wrapper for HTTP, securing communication without changing the underlying request-response protocol. Cookies were introduced to address the stateless nature of HTTP, allowing servers to recognize users across multiple requests.

Uploaded by

api-3777069
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬


‫ﺗﻬﻴﻪ ﻛﻨﻨﺪﻩ ‪ :‬ﺍﻣﻴﺮ ﺣﺴﻴﻦ ﺷﺮﻳﻔﻲ‬

‫‪SSL/TLS‬‬
‫ﺩﺭ ﺍﻳﻨﺠﺎ ﻓﺮﺽ ﺭﺍ ﺑﺮ ﺁﻥ ﮔﺬﺍﺷﺘﻴﻢ ﻛﻪ ﺧﻮﺍﻧﻨﺪﻩ ﻋﺰﻳﺰ ﺑﺎ ﭘﺮﻭﺗﻜﻞ ‪ HTTP‬ﻭ ‪ HTML‬ﺁﺷﻨﺎﻳﻲ ﺩﺍﺭﺩ ﻭ‬
‫ﻣﻲ ﺧﻮﺍﻫﻴﻢ ﻣﺨﺘﺼﺮ ﺑﺴﻴﺎﺭ ﻛﻮﺗﺎﻫﻲ ﺩﺭﺑﺎﺭﻩ ‪ SSL‬ﺑﻴﺎﻥ ﻛﻨﻴﻢ‪.‬‬
‫ﻳﻜﻲ ﺍﺯ ﺍﺳﺘﺜﻨﺎﻫﺎﻱ ﻭﺍﺿﺢ ﻭ ﺁﺷﻜﺎﺭﻱ ﻛﻪ ﺑﻴﺸﺘﺮ ﺑﺮﻧﺎﻣﻪ ﻫﺎﻱ ﻛﺎﺭﺑﺮﺩﻱ ﺗﺤﺖ ﻭﺏ ﺍﻣﺮﻭﺯﻩ ﺍﺳﺘﻔﺎﺩﻩ‬
‫ﻣﻲ ﻛﻨﻨﺪ ﭘﺮﻭﺗﻜﻞ ﻻﻳﻪ ﺳﻮﻛﺘﻬﺎﻱ ﺍﻣﻦ ) ‪ ( Secure Sockets Layer‬ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺩﺭ ﺑﺎﻻﻱ ‪HTTP‬‬
‫ﻗﺮﺍﺭ ﮔﺮﻓﺘﻪ ﺍﺳﺖ‪ SSL .‬ﺩﺭ ﺍﺻﻞ ﺑﺮﺍﻱ ﺭﻣﺰﮔﺬﺍﺭﻱ ﻻﻳﻪ ﺍﻧﺘﻘﺎﻝ ﺳﺎﺧﺘﻪ ﺷﺪﻩ ﺍﺳﺖ ﺑﻨﺎﺑﺮﺍﻳﻦ ﻳﻚ‬
‫ﻣﻴﺎﻧﺠﻲ ﺑﻴﻦ ﻣﺸﺘﺮﻱ ﻭ ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ﻧﻤﻲ ﺗﻮﺍﻧﺪ ﻣﺘﻦ ﺍﺻﻠﻲ ﺭﺩﻭ ﺑﺪﻝ ﺷﺪﻩ ﺭﺍ ﺑﻪ ﺭﺍﺣﺘﻲ ﺑﺨﻮﺍﻧﺪ‪.‬‬
‫ﻣﻲ ﺗﻮﺍﻥ ﮔﻔﺖ ﻛﻪ ‪ SSL‬ﺑﻪ ﺻﻮﺭﺕ ﻳﻚ ﻟﻔﺎﻓﻲ ﺑﺮﺍﻱ ‪ HTTP‬ﺳﺎﺧﺘﻪ ﺷﺪﻩ ﺍﺳﺖ‪ SSL .‬ﺑﻪ ﺻﻮﺭﺕ‬
‫ﺫﺍﺗﻲ ﭘﺎﻳﻪ ﻭ ﺍﺳﺎﺱ ﺩﺭﺧﻮﺍﺳﺖ‪-‬ﭘﺎﺳﺦ )‪ ( Request-Response‬ﭘﺮﻭﺗﻜﻞ ‪ HTTP‬ﺭﺍ ﺗﻐﻴﻴﺮ ﻧﺪﺍﺩﻩ‬
‫ﺍﺳﺖ‪ SSL .‬ﺑﺮﺍﻱ ﺍﻣﻨﻴﺖ ﺑﺮﻧﺎﻣﻪ ﻫﺎﻱ ﻛﺎﺭﺑﺮﺩﻱ ﻫﻴﭻ ﻛﺎﺭﻱ ﺍﻧﺠﺎﻡ ﻧﺪﺍﺩﻩ ﺍﺳﺖ ﺑﻠﻜﻪ ﻓﻘﻂ ﺍﺳﺘﺮﺍﻕ ﺳﻤﻊ‬
‫ﺑﻴﻦ ﻣﺸﺘﺮﻱ ﻭ ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ﺭﺍ ﻛﻤﻲ ﻣﺸﻜﻞ ﺗﺮ ﻛﺮﺩﻩ ﺍﺳﺖ‪ .‬ﮔﻮﺍﻫﻴﻨﺎﻣﻪ ﺳﻤﺖ ﻣﺸﺘﺮﻱ ﻳﻜﻲ ﺍﺯ‬
‫ﺧﺼﻮﺻﻴﺎﺕ ﺍﺧﺘﻴﺎﺭﻱ ﭘﺮﻭﺗﻜﻞ ‪ SSL‬ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﭘﻴﺎﺩﻩ ﺳﺎﺯﻱ ﺷﺪﻩ ﺍﺳﺖ‪ .‬ﻳﻌﻨﻲ ﻳﻚ ﺍﺣﺮﺍﺯ ﻫﻮﻳﺖ‬
‫ﺩﻭ ﻃﺮﻓﻪ ﻛﻪ ﺑﺎﻳﺪ ﺍﻧﺠﺎﻡ ﺷﻮﺩ‪).‬ﮔﻮﺍﻫﻴﻨﺎﻣﻪ ﻣﺸﺘﺮﻱ ﺑﺎﻳﺪ ﺑﻪ ﻋﻨﻮﺍﻥ ﻳﻚ ﻫﻮﻳﺖ ﻣﺤﺮﺯ ﺷﺪﻩ ﺗﻮﺳﻂ‬
‫ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ﺍﻣﻀﺎ ﺷﻮﺩ( ‪ .‬ﺍﮔﺮ ﭼﻪ ﺗﻌﺪﺍﺩ ﻛﻤﻲ ﺍﺯ ﺳﺎﻳﺘﻬﺎﻱ ﺭﻭﻱ ﺍﻳﻨﺘﺮﻧﺖ ﺍﻣﺮﻭﺯﻩ ﺍﻳﻦ ﻛﺎﺭ ﺭﺍ‬
‫ﺍﻧﺠﺎﻡ ﻣﻲ ﺩﻫﻨﺪ‪.‬‬
‫ﻧﺴﺨﻪ ﻗﺪﻳﻤﻲ ‪ ، SSL‬ﻻﻳﻪ ﺍﻣﻨﻴﺖ ﺍﻧﺘﻘﺎﻝ ) ‪ ( Transport Layer Security‬ﺑﻮﺩ‪ SSL/TSL .‬ﺍﺯ‬
‫ﻃﺮﻳﻖ ﭘﺮﻭﺕ ‪ 443‬ﻋﻤﻞ ﻣﻲ ﻛﻨﻨﺪ‪.‬‬

‫ﻣﺪﻳﺮﻳﺖ ﻭﺿﻌﻴﺘﻬﺎ؛ ‪Cookies‬‬


‫ﻫﻤﺎﻥ ﻃﻮﺭ ﻛﻪ ﻣﻲ ﺩﺍﻧﻴﺪ ﺩﺭ ﺣﻘﻴﻘﺖ ‪ HTTP‬ﻳﻚ ﭘﺮﻭﺗﻜﻞ ‪ Stateless‬ﻣﻲ ﺑﺎﺷﺪ‪ .‬ﻳﻌﻨﻲ ﻫﻴﭻ ﻭﺿﻌﻴﺘﻲ‬
‫ﺍﺯ ﻧﺸﺴﺘﻬﺎ ﺑﻪ ﻭﺳﻴﻠﻪ ﺧﻮﺩ ﭘﺮﻭﺗﻜﻞ ﺣﻤﺎﻳﺖ ﻧﻤﻲ ﺷﻮﺩ‪ .‬ﺑﻪ ﻋﻨﻮﺍﻥ ﻣﺜﺎﻝ ﺍﮔﺮ ﺷﻤﺎ ﺑﺮﺍﻱ ﺩﺭﺧﻮﺍﺳﺖ‬
‫ﻣﻨﺒﻌﻲ ﻛﻪ ﻛﺮﺩﻩ ﺍﻳﺪ ﻳﻚ ﭘﺎﺳﺦ ﻧﺎﻣﻌﺘﺒﺮﻱ ﺩﺭﻳﺎﻓﺖ ﻛﻨﻴﺪ ﺩﻭﺑﺎﺭﻩ ﺍﻗﺪﺍﻡ ﺑﻪ ﺩﺭﺧﻮﺍﺳﺖ ﻓﻮﻕ ﻣﻲ ﻛﻨﻴﺪ ﺍﻣﺎ‬
‫ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ﺍﻳﻦ ﺩﺭﺧﻮﺍﺳﺖ ﺭﺍ ﺑﻪ ﺻﻮﺭﺕ ﻛﺎﻣﻼ ﺟﺪﺍﮔﺎﻧﻪ ﻭ ﻭﺍﺣﺪ ﻣﻼﺣﻈﻪ ﻣﻲ ﻛﻨﺪ‪ .‬ﺑﺮﺍﻱ ﺭﻓﻊ‬
‫ﺍﻳﻦ ﺿﻌﻒ ﻣﻜﺎﻧﻴﺰﻣﻬﺎﻳﻲ ﻭﺟﻮﺩ ﺩﺍﺭﺩ ﻛﻪ ﺑﺎﻋﺚ ﻣﻲ ﺷﻮﺩ ﺍﻳﻦ ﭘﺮﻭﺗﻜﻞ ﺑﻪ ﺻﻮﺭﺕ ﻳﻚ ﭘﺮﻭﺗﻜﻞ‬
‫‪ Stateful‬ﻋﻤﻞ ﻛﻨﺪ‪ .‬ﻳﻜﻲ ﺍﺯ ﻣﻜﺎﻧﻴﺴﻢ ﻫﺎﻳﻲ ﻛﻪ ﺍﻣﺮﻭﺯﻩ ﺑﻪ ﻃﻮﺭ ﮔﺴﺘﺮﺩﻩ ﺍﻱ ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﺷﻮﺩ‬
‫‪ Cookie‬ﻫﺎ ﻣﻲ ﺑﺎﺷﻨﺪ ﻛﻪ ﺑﻪ ﻋﻨﻮﺍﻥ ﺑﺨﺸﻲ ﺍﺯ ﺩﺭﺧﻮﺍﺳﺖ – ﭘﺎﺳﺦ ﻫﺎﻱ ‪ HTTP‬ﺑﻴﻦ ﺳﺮﻭﺭ ﻭ‬
‫ﻛﻼﻳﻨﺖ ﺭﺩﻭ ﺑﺪﻝ ﻣﻲ ﺷﻮﻧﺪ ﻭ ﺑﺎﻋﺚ ﻣﻲ ﺷﻮﺩ ﻛﻪ ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻭ ﻣﺸﺘﺮﻱ ﺍﻳﻨﮕﻮﻧﻪ ﻓﻜﺮ ﻛﻨﻨﺪ ﻛﻪ‬

‫‪1‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫ﺁﻧﻬﺎ ﺍﺯ ﻃﺮﻳﻖ ﻳﻚ ﺣﻮﺯﻩ ﻣﺠﺎﺯﻱ ﺑﻪ ﻫﻢ ﻣﺘﺼﻞ ﺷﺪﻩ ﺍﻧﺪ‪) .‬ﺍﻳﻦ ﻣﻜﺎﻧﻴﺴﻢ ﺑﻪ ﺻﻮﺭﺕ ﻛﺎﻣﻞ ﺗﺮﻱ ﺩﺭ‬
‫‪ RFC 2965‬ﺑﻴﺎﻥ ﺷﺪﻩ ﺍﺳﺖ (‪ .‬ﻛﻮﻛﻴﻬﺎ ﺑﻬﺘﺮﻳﻦ ﺭﻭﺷﻲ ﺍﺭﺗﺒﺎﻃﻲ ﺑﺮﺍﻱ ﺍﻳﻦ ﻣﻨﻈﻮﺭ ﻣﻲ ﺑﺎﺷﻨﺪ ﺑﺮﺍﻱ‬
‫ﺍﻳﻦ ﻛﻪ ﻫﺮ ﻛﺎﺭﺑﺮﻱ ﺑﻪ ﻭﺳﻴﻠﻪ ﻳﻚ ﻧﺸﺎﻧﻪ ﺑﺎ ﻳﻚ ﺳﺎﻳﺖ ﻭﺏ ﺍﺭﺗﺒﺎﻁ ﺑﺮﻗﺮﺍﺭ ﻛﻨﺪ ﻭ ﺗﺎ ﻫﺮ ﺯﻣﺎﻧﻲ ﻛﻪ ﺍﻳﻦ‬
‫ﻧﺸﺎﻧﻪ ﺑﻪ ﻫﻤﺮﺍﻩ ﺩﺭﺧﻮﺍﺳﺖ ﻛﺎﺭﺑﺮ ﻓﺮﺳﺘﺎﺩﻩ ﻣﻲ ﺷﻮﺩ ‪ ،‬ﺁﻥ ﻛﺎﺭﺑﺮ ﻣﺠﺎﺯ ﺑﻪ ﺍﺳﺘﻔﺎﺩﻩ ﺍﺯ ﺳﺎﻳﺖ ﻣﻮﺭﺩ‬
‫ﻧﻈﺮ ﻣﻲ ﺑﺎﺷﺪ‪.‬ﺁﻧﻬﺎ ﻣﻲ ﺗﻮﺍﻧﻨﺪ ﻫﻢ ﺩﺭ ﺣﺎﻓﻈﻪ ﺫﺧﻴﺮﻩ ﺷﻮﻧﺪ ﻭ ﻫﻢ ﻣﻲ ﺗﻮﺍﻧﻨﺪ ﺑﻪ ﺻﻮﺭﺕ ﭘﺎﻳﺪﺍﺭﺗﺮﻱ ﺩﺭ‬
‫ﺩﻳﺴﻚ ﺳﺨﺖ ﻣﺎﻧﺪﮔﺎﺭ ﺑﺎﺷﻨﺪ‪ .‬ﻛﻮﻛﻴﻬﺎ ﻫﺮﮔﺰ ﺑﺪﻭﻥ ﻋﻴﺐ ﻭ ﻧﻘﺺ ﻧﻤﻲ ﺑﺎﺷﻨﺪ ) ﺑﻪ ﺧﺼﻮﺹ ﻫﻨﮕﺎﻣﻲ‬
‫ﻛﻪ ﺑﻪ ﺻﻮﺭﺕ ﺿﻌﻴﻔﻲ ﺳﺎﺧﺘﻪ ﻣﻲ ﺷﻮﻧﺪ ( ﻭ ﺍﺳﺘﻔﺎﺩﻩ ﺍﺯ ﺁﻧﻬﺎ ﭘﻴﺎﻣﺪﻫﺎﻱ ﺯﻳﺎﺩﻱ ﺭﺍ ﺑﺮﺍﻱ ﺍﻣﻨﻴﺖ‬
‫ﺑﺮﻧﺎﻣﻪ ﻫﺎﻱ ﻛﺎﺭﺑﺮﺩﻱ ﺩﺍﺭﺩ ‪ .‬ﻭﻟﻲ ﺩﺭ ﺣﺎﻝ ﺣﺎﺿﺮ ﻫﻴﭻ ﻣﻜﺎﻧﻴﺰﻡ ﺑﻬﺘﺮ ﺩﻳﮕﺮﻱ ﺑﺮﺍﻱ ﺍﻳﻦ ﻣﺸﻜﻞ ﻭﺟﻮﺩ‬
‫ﻧﺪﺍﺭﺩ‪.‬‬

‫ﻣﺸﺘﺮﻱ ﻫﺎﻱ )‪ ( Clients‬ﻭﺏ‬


‫ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﺍﺳﺘﺎﻧﺪﺍﺭﺩ ﺑﺮﺍﻱ ﻣﺸﺘﺮﻱ ‪ ،‬ﻣﺮﻭﺭﮔﺮ ﻭﺏ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺍﺯ ﻣﻴﺎﻥ ﭘﺮﻭﺗﻜﻞ ‪HTTP‬‬
‫ﺍﺭﺗﺒﺎﻁ ﺑﺮﻗﺮﺍﺭ ﻣﻲ ﻛﻨﺪ ﻭ ﻣﺘﻮﻥ ‪ HTML‬ﺍﻱ ﻛﻪ ﺩﺭﻳﺎﻓﺖ ﻣﻲ ﻛﻨﺪ ﺭﺍ ﺗﺮﺟﻤﻪ ﻛﺮﺩﻩ ﻭ ﻧﻤﺎﻳﺶ ﻣﻲ ﺩﻫﺪ‪.‬‬
‫ﺑﻪ ﺻﻮﺭﺕ ﻛﻠﻲ ‪ HTML‬ﻭ ‪ HTTP‬ﻣﺎﻣﻮﺭ ﺷﺪﻩ ﺍﻧﺪ ﻛﻪ ﺩﺍﺩﻩ ﻫﺎﻳﻲ ﻛﻪ ﺑﻪ ﻭﺳﻴﻠﻪ ﺳﺮﻭﺭ ﭘﺮﺩﺍﺯﺵ‬
‫ﺷﺪﻩ ﺍﻧﺪ ﺑﺮﺍﻱ ﻣﺸﺘﺮﻱ ﻭﺏ ﻧﻤﺎﻳﺶ ﺩﺍﺩﻩ ﺷﻮﺩ ‪.‬‬
‫ﻣﺎﻧﻨﺪ ‪ ، HTTP‬ﻣﺮﻭﺭﮔﺮ ﻭﺏ ﻧﻴﺰ ﺧﻴﻠﻲ ﺳﺎﺩﻩ ﺑﻪ ﻧﻈﺮ ﻣﻲ ﺭﺳﺪ‪ .‬ﺗﻮﺳﻌﻪ ﭘﺬﻳﺮﻱ ‪ HTML‬ﺍﻳﻦ ﺍﻣﻜﺎﻥ‬
‫ﺭﺍ ﺑﺮﺍﻱ ﻣﺎ ﻓﺮﺍﻫﻢ ﻣﻲ ﻛﻨﺪ ﻛﻪ ﺑﺘﻮﺍﻧﻴﻢ ﻣﺘﻮﻥ ﺍﺳﺘﺎﺗﻴﻚ ﻭ ﺩﻳﻨﺎﻣﻴﻚ ﺭﺍ ﺩﺭ ﺁﻥ ﺑﻴﺎﻣﻴﺰﻳﻢ‪ .‬ﺍﺯ ﻣﺤﺘﻮﺍﻫﺎﻱ‬
‫ﻓﻌﺎﻝ ﺑﻪ ﻛﺎﺭ ﺭﻓﺘﻪ ﻣﻲ ﺗﻮﺍﻥ ‪ ActiveX‬ﻫﺎ ﻭ ‪ Java‬ﺭﺍ ﻧﺎﻡ ﺑﺮﺩ‪ .‬ﮔﻨﺠﺎﻧﺪﻥ ﻳﻚ ‪ ActivX‬ﺩﺭ ‪HTML‬‬
‫ﺭﺍ ﻣﻲ ﺗﻮﺍﻧﻴﺪ ﺩﺭ ﺫﻳﻞ ﻣﺸﺎﻫﺪﻩ ﻛﻨﻴﺪ‪:‬‬
‫”‪<object id=”scr‬‬
‫>”‪classid=”clsid:09243BD5-48AA-11D2-092267C3FBC‬‬
‫>‪</object‬‬

‫ﺩﺭ ﻛﻠﻤﺎﺕ ﻭﺏ ‪ ،‬ﻫﻤﻪ ﺣﺮﻭﻑ ﺩﺭ ﻛﺪ ‪ ASCII‬ﻣﻲ ﺑﺎﺷﺪ‪ .‬ﻭﻗﺘﻲ ﻳﻚ ﻣﺘﺮﺟﻢ ﻣﺮﻭﺭﮔﺮ ﻭﺏ ﺑﺎ ﻳﻚ‬
‫ﺑﺮﭼﺴﺐ ‪ object‬ﺑﺮﺧﻮﺭﺩ ﻛﺮﺩ ﻣﺘﻮﺟﻪ ﻣﻲ ﺷﻮﺩ ﻛﻪ ﺑﺎﻳﺪ ﺁﻥ ﺭﺍ ﺍﺯ ﻳﻚ ﺳﺎﻳﺖ ﺩﻭﺭ ﺩﺍﻧﻠﻮﺩ ﻛﻨﺪ ﻭ ﻳﺎ ﺍﺯ‬
‫ﺑﻪ ﺻﻮﺭﺕ ﻣﺴﺘﻘﻴﻢ ﺍﺯ ﻛﺎﻣﭙﻴﻮﺗﺮ ﻣﺤﻠﻲ ﺑﺎﺭﮔﺬﺍﺭﻱ ﻛﻨﺪ ﻭ ﺳﭙﺲ ﺁﻥ ﺭﺍ ﺍﺟﺮﺍ ﻛﻨﺪ‪ .‬ﺍﻟﺒﺘﻪ ﺍﻳﻦ ‪ActivX‬‬
‫ﺩﺭ ﺻﻮﺭﺗﻲ ﺍﺟﺮﺍ ﻣﻲ ﺷﻮﺩ ﻛﻪ ﻳﺎ ﻗﺒﻼ ﺩﺭ ﻛﺎﻣﭙﻴﻮﺗﺮ ﺷﻤﺎ ﻧﺼﺐ ﺷﺪﻩ ﺑﺎﺷﺪ ﻭ ﻳﺎ ﺍﺣﺮﺍﺯ ﻫﻮﻳﺖ ﺷﺪﻩ‬
‫ﺑﺎﺷﺪ ﻛﻪ ﺍﻳﻦ ﻛﺎﺭ ﺑﻪ ﻭﺳﻴﻠﻪ ‪ Microsoft Authenticode‬ﺍﻧﺠﺎﻡ ﻣﻲ ﺷﻮﺩ‪ .‬ﻳﻌﻨﻲ ﺩﺭ ﺣﻴﻦ ﺍﺟﺮﺍﻱ ﺁﻥ‬
‫ﻳﻚ ﺻﻔﺤﻪ ﺑﺎﺯ ﺷﺪﻩ ﻭ ﺍﻣﻀﺎﻱ ﺩﻳﺠﻴﺘﺎﻝ ﺷﺨﺺ ﺳﺎﺯﻧﺪﻩ ﻛﺪ ﺭﺍ ﻧﻤﺎﻳﺶ ﻣﻲ ﺩﻫﺪ ﻭ ﺍﺯ ﺷﻤﺎ ﺳﻮﺍﻝ‬
‫ﻣﻲ ﻛﻨﺪ ﻛﻪ ﺁﻳﺎ ﻓﺎﻳﻞ ﻣﻮﺭﺩ ﻧﻈﺮ ﺭﺍ ﺍﺟﺮﺍ ﻛﻨﺪ ﻳﺎ ﺧﻴﺮ ‪ .‬ﺍﮔﺮ ﻛﺎﺭﺑﺮ ﺟﻮﺍﺏ ﻣﺜﺒﺖ ﺩﻫﺪ ﻛﺪ ﺍﺟﺮﺍ ﻣﻲ ﺷﻮﺩ‪.‬‬
‫ﻻﺯﻡ ﺑﻪ ﺫﻛﺮ ﺍﺳﺖ ﻛﻪ ﺍﺟﺮﺍﻱ ﺑﺴﻴﺎﺭﻱ ﺍﺯ ‪ ActiveX‬ﻫﺎ ﻣﻲ ﺗﻮﺍﻥ ﺍﻣﻨﻴﺖ ﻳﻚ ﺳﻴﺴﺘﻢ ﺭﺍ ﺑﻪ ﺧﻄﺮ‬
‫ﺑﻴﺎﻧﺪﺍﺯﺩ‪ .‬ﭘﺲ ﻫﻴﭽﮕﺎﻩ ﺑﻪ ﺍﻳﻨﮕﻮﻧﻪ ﺑﺮﻧﺎﻣﻪ ﻫﺎﻳﻲ ﻛﻪ ﻧﺎﺁﺷﻨﺎ ﻭ ﻧﺎ ﻣﺸﺨﺺ ﻣﻲ ﺑﺎﺷﻨﺪ ﺍﺟﺎﺯﻩ ﺍﺟﺮﺍ ﺷﺪﻥ‬
‫ﻧﺪﻫﻴﺪ‪.‬‬

‫‪2‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫‪ HTML‬ﻳﻚ ﺯﺑﺎﻥ ﺗﻮﺍﻧﺎ ﻣﻲ ﺑﺎﺷﺪ ﺍﻣﺎ ﻣﺤﺪﻭﺩﻳﺖ ﻫﺎﻱ ﺯﻳﺎﺩﻱ ﺩﺍﺭﺩ‪ .‬ﺑﻌﺪ ﺍﺯ ﺳﺎﻟﻬﺎ ‪ ،‬ﺗﻜﻨﻮﻟﻮﮊﻳﻬﺎﻱ‬
‫ﺟﺪﻳﺪﻱ ﻣﺎﻧﻨﺪ ‪ HTML‬ﺩﻳﻨﺎﻣﻴﻚ ﻭ ‪ Style Sheet‬ﻫﺎ ﭘﺪﻳﺪﺍﺭ ﺷﺪﻧﺪ ﺗﺎ ﭼﺎﺷﻨﻲ ﺑﺮﺍﻱ ﻧﻤﺎﻳﺶ ﻣﺤﺘﻮﻳﺎﺕ‬
‫ﺻﻔﺤﺎﺕ ﻭﺏ ﺑﺎﺷﻨﺪ‪ .‬ﺍﻣﺎ ﺗﻐﻴﻴﺮﺍﻥ ﺑﻨﻴﺎﺩﻱ ﺗﺮﻱ ﻧﻴﺰ ﺩﺭ ﺣﺎﻝ ﻭﻗﻮﻉ ﺍﺳﺖ‪eXtensible ) XML .‬‬
‫‪ ( Markup Language‬ﺑﻪ ﺁﻫﺴﺘﮕﻲ ﺟﺎﻳﮕﺰﻳﻦ ‪ HTML‬ﻣﻲ ﺷﻮﺩ‪.‬‬
‫ﺑﺎﻻﺧﺮﻩ ﺍﻳﻨﻜﻪ ﻣﺮﻭﺭﮔﺮ ﻣﻲ ﺗﻮﺍﻧﺪ ﺑﺎ ﺩﻳﮕﺮ ﭘﺮﻭﺗﻜﻠﻬﺎ ﻧﻴﺰ ﺍﺭﺗﺒﺎﻁ ﺑﺮﻗﺮﺍ ﻛﻨﺪ‪ .‬ﺑﻪ ﻋﻨﻮﺍﻥ ﻣﺜﺎﻝ ﻣﻲ ﺗﻮﺍﻧﺪ ﺑﻪ‬
‫ﻭﺳﻴﻠﻪ ﭘﺮﻭﺗﻜﻞ ‪ SSL‬ﺑﺎ ﻳﻚ ﺳﺮﻭﺭ ﻭﺏ ﺍﺭﺗﺒﺎﻁ ﺩﺍﺷﺘﻪ ﺑﺎﺷﺪ‪ .‬ﻭ ﻫﻤﭽﻨﻴﻦ ﻣﻲ ﺗﻮﺍﻧﺪ ﺑﺎ ﺩﻳﮕﺮ ﭘﺮﻭﺗﻜﻠﻬﺎ‬
‫ﻣﺎﻧﻨﺪ ‪ FTP‬ﺍﺭﺗﺒﺎﻁ ﺑﺮﻗﺮﺍ ﻛﻨﺪ‪ .‬ﺑﻪ ﺩﺭﺳﺘﻲ ﻛﻪ ﻣﺮﻭﮔﺮ ﻭﺏ ﻳﻜﻲ ﺍﺯ ﺑﺰﺭﮔﺘﺮﻳﻦ ﺳﻼﺡ ﻫﺎﻱ ﻗﺎﺑﻞ‬
‫ﺩﺳﺘﺮﺱ ﺑﺮﺍﻱ ﻧﻔﻮﺫﮔﺮﺍﻥ ﻭﺏ ﻣﻲ ﺑﺎﺷﺪ‪.‬‬

‫ﺳﺮﻭﺭ ﻭﺏ‬
‫ﺳﺮﻭﺭ ﻭﺏ ﺩﺭ ﺗﻌﺮﻳﻒ ﺑﻪ ﺻﻮﺭﺕ ﻳﻚ ﺳﺮﻭﻳﺲ ﺩﻫﻨﺪﻩ ‪ HTTP‬ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺩﺭﺧﻮﺍﺳﺖ ﻫﺎ ﺭﺍ ﺑﺮﺍﻱ‬
‫ﻣﻨﺎﺑﻊ ﺩﺭﻳﺎﻓﺖ ﻣﻲ ﻛﻨﺪ ﻭ ﺑﻌﻀﻲ ﺍﺯ ﺗﺠﺰﻳﻪ ﻫﺎ ﺭﺍ ﺭﻭﻱ ﺁﻥ ﺍﻧﺠﺎﻡ ﻣﻲ ﺩﻫﺪ ﺗﺎ ﻣﻄﻤﺌﻦ ﺷﻮﺩ ﻛﻪ ﺍﻳﻦ ﻣﻨﺒﻊ‬
‫ﻗﺎﺑﻞ ﺩﺳﺘﺮﺱ ﻣﻲ ﺑﺎﺷﺪ ﻳﺎ ﺧﻴﺮ ﻭ ﺳﭙﺲ ﺁﻥ ﺭﺍ ﺑﺮﺍﻱ ﭘﺮﺩﺍﺯﺵ ‪ ،‬ﺗﺤﻮﻳﻞ ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻣﻲ ﺩﻫﺪ ﻭ‬
‫ﻭﻗﺘﻲ ﻛﻪ ﺑﺮﻧﺎﻣﻪ ﭘﺎﺳﺦ ﺭﺍ ﺑﺮﮔﺮﺩﺍﻧﺪ ‪ ،‬ﺳﺮﻭﻳﺲ ‪ HTTP‬ﺁﻥ ﺭﺍ ﺑﻪ ﻣﺸﺘﺮﻱ ﺗﺤﻮﻳﻞ ﻣﻲ ﺩﻫﺪ‪.‬‬
‫ﺍﻣﺮﻭﺯﻩ ﺳﺮﻭﺭ ﻫﺎﻱ ﻣﺤﺒﻮﺏ ﻗﺎﺑﻞ ﺩﺳﺘﺮﺱ ﺯﻳﺎﺩﻱ ﻭﺟﻮﺩ ﺩﺍﺭﺩ ﻣﺎﻧﻨﺪ ‪Apache Software ِ IIS‬‬
‫ﺳﺮﻭﺭ ‪ ) Apache HTTP‬ﻛﻪ ﺑﻪ ﺍﺧﺘﺼﺎﺭ ‪ Apache‬ﮔﻔﺘﻪ ﻣﻲ ﺷﻮﺩ ( ‪،‬‬ ‫‪، Foundation‬‬
‫‪ AOL/Netscaps Enterprise‬ﻭ ‪. Sun iPlant‬‬
‫ﺍﮔﺮ ﭼﻪ ﺳﺮﻭﺭﻫﺎﻱ ﻭﺏ ﺧﻴﻠﻲ ﺳﺎﺩﻩ ﺑﻪ ﻧﻈﺮ ﻣﻲ ﺁﻳﺪ ‪ ،‬ﺍﻣﺎ ﻣﺎ ﺩﻭﺑﺎﺭﻩ ﺑﺎﻳﺪ ﺩﺭﺑﺎﺭﻩ ﺳﻮﺭﺍﺧﻬﺎﻱ ﺍﻣﻨﻴﺘﻲ‬
‫ﺯﻳﺎﺩﻱ ﻛﻪ ﺩﺭ ﺁﻧﻬﺎ ﻭﺟﻮﺩ ﺩﺍﺭﺩ ﻭ ﻃﻲ ﺳﺎﻟﻴﺎﻥ ﺩﺭﺍﺯ ﻛﺸﻒ ﺷﺪﻩ ﺍﻧﺪ ﺑﺤﺚ ﻛﻨﻴﻢ‪ .‬ﺑﻪ ﻃﻮﺭﻱ ﻛﻪ‬
‫ﺳﻮﺭﺍﺧﻬﺎﻱ ﺍﻣﻨﻴﺘﻲ ﺩﺭ ﺳﺮﻭﺭ ﻫﺎﻱ ﻭﺏ ﻳﻜﻲ ﺍﺯ ﺑﺮﺗﺮﻳﻦ ﻣﺴﺎﺋﻞ ﺍﻣﻨﻴﺘﻲ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺍﺯ ﺳﺎﻝ ‪١٩٩٠‬‬
‫ﺑﻪ ﺍﻳﻦ ﻃﺮﻑ ﺑﻴﺎﻥ ﺷﺪﻩ ﺍﺳﺖ‪.‬‬

‫ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻭﺏ‬


‫ﻫﺴﺘﻪ ﺍﺻﻠﻲ ﺳﺎﻳﺘﻬﺎﻱ ﻭﺏ ﻗﺴﻤﺖ ﻣﻨﻄﻘﻲ ﺳﻤﺖ ﺳﺮﻭﺭ ﻣﻲ ﺑﺎﺷﺪ‪ ) .‬ﺍﮔﺮ ﭼﻪ ﻣﻨﻄﻖ ﺳﻤﺖ ﻣﺸﺘﺮﻱ‬
‫ﻫﻨﻮﺯ ﺑﺎ ﻣﺮﻭﺭ ﮔﺮ ﻭﺏ ﺁﻣﻴﺨﺘﻪ ﻣﻲ ﺑﺎﺷﺪ (‪ .‬ﺍﻳﻦ ﻣﺪﻝ ﺑﻪ ‪ n-tire‬ﻣﺸﻬﻮﺭ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺑﻪ ﻃﻮﺭ ﻣﻌﻤﻮﻝ‬
‫ﺷﺒﻴﻪ ﻳﻚ ﺳﺮﻭﺭ ‪ HTTP‬ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺑﻪ ﺻﻮﺭﺕ ﺩﻳﻨﺎﻣﻴﻚ ﻃﺮﺍﺣﻲ ﺷﺪﻩ ﺍﺳﺖ ﻭ ﺗﻘﺮﻳﺒﺎ ﺑﻪ ﺻﻮﺭﺕ‬
‫ﻳﻚ ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻳﻜﭙﺎﺭﭼﻪ ﻭ ‪ Stateful‬ﻛﻪ ﺑﻪ ﻛﺎﺭﺑﺮﻫﺎ ﺍﺟﺎﺯﻩ ﻣﻲ ﺩﻫﺪ ﻛﻪ ﺑﺎ ﺁﻥ ﺗﻌﺎﻣﻞ ﺩﺍﺷﺘﻪ‬
‫ﺑﺎﺷﻨﺪ‪.‬‬
‫ﻣﻔﻬﻮﻡ ‪ n-tire‬ﻳﺎ ‪ n‬ﻻﻳﻪ ﺍﻱ ﺑﺮﺍﻱ ﻓﻬﻤﻴﺪﻥ ﻭ ﺩﺭﻙ ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻣﻬﻢ ﻣﻲ ﺑﺎﺷﺪ ﻻﻳﻪ ﺑﺮﻧﺎﻣﻪ‬
‫ﻛﺎﺭﺑﺮﺩﻱ ﻣﻲ ﺗﻮﺍﻧﺪ ﺧﻮﺩﺵ ﺷﺎﻣﻞ ﭼﻨﺪﻳﻦ ﻻﻳﻪ ﺩﻳﮕﺮ ﺑﺎﺷﺪ‪ .‬ﺍﻣﺎ ﻧﻤﺎﻳﺶ ﻋﻤﻮﻣﻲ ﺁﻥ ﺑﻪ ﺻﻮﺭﺕ‬
‫‪3‬‬
‫ﻣﻌﻤﺎﺭﻱ ‪ ٣‬ﻻﻳﻪ ﺍﻱ ﻧﻤﺎﻳﺶ ﺩﺍﺩﻩ ﻣﻲ ﺷﻮﺩ ﻛﻪ ﺑﻪ ﻧﺎﻣﻬﺎﻱ ﻻﻳﻪ ﻧﻤﺎﻳﺶ‪ ، ١‬ﻻﻳﻪ ﻣﻨﻄﻘﻲ‪ 2‬ﻭ ﻻﻳﻪ ﺩﺍﺩﻩ‬

‫‪1 - Presentation Layer‬‬

‫‪3‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫ﻣﻌﺮﻭﻑ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺩﺭ ﺷﻜﻞ ‪ ١‬ﻧﻤﺎﻳﺶ ﺩﺍﺩﻩ ﺷﺪﻩ ﺍﺳﺖ‪ .‬ﺍﺟﺎﺯﻩ ﺑﺪﻫﻴﺪ ﻛﻪ ﺁﻧﻬﺎ ﺭﺍ ﺑﻪ ﻃﻮﺭ ﺧﻼﺻﻪ‬
‫ﺑﻴﺎﻥ ﻛﻨﻴﻢ‪.‬‬
‫ﻻﻳﻪ ﻧﻤﺎﻳﺶ ﺗﺴﻬﻴﻼﺗﻲ ﺭﺍ ﺑﺮﺍﻱ ﮔﺮﻓﺘﻦ ﻭﺭﻭﺩﻱ ﻫﺎ ﻭ ﻧﻤﺎﻳﺶ ﻧﺘﻴﺠﻪ ﻓﺮﺍﻫﻢ ﻣﻲ ﻛﻨﺪ‪ .‬ﻻﻳﻪ ﻣﻨﻄﻘﻲ ‪ ،‬ﺩﺍﺩﻩ‬
‫ﻫﺎ ﺭﺍ ﺍﺯ ﻻﻳﻪ ﻧﻤﺎﻳﺶ ﺩﺭﻳﺎﻓﺖ ﻛﺮﺩﻩ ﻭ ﻛﺎﺭﻫﺎﻳﻲ ﺭﺍ ﺭﻭﻱ ﺁﻥ ﺍﻧﺠﺎﻡ ﻣﻲ ﺩﻫﺪ‪ .‬ﻫﺮ ﺯﻣﺎﻥ ﻛﻪ ﻧﻴﺎﺯ ﺑﻪ ﻛﻤﻚ‬
‫ﻻﻳﻪ ﺩﺍﺩﻩ ﺑﺎﺷﺪ‪ ،‬ﺩﺍﺩﻩ ﻫﺎ ﺑﻪ ﻻﻳﻪ ﻧﻤﺎﻳﺶ ﺑﻪ ﻋﻨﻮﺍﻥ ﻧﺘﻴﺠﻪ ﻛﺎﺭ ﺑﺮ ﮔﺮﺩﺍﻧﺪﻩ ﻣﻲ ﺷﻮﺩ‪ .‬ﺳﺮﺍﻧﺠﺎﻡ ﻻﻳﻪ‬
‫ﺩﺍﺩﻩ ﻳﻚ ﻣﻨﺒﻊ ﻣﺎﻧﺪﮔﺎﺭﻱ ﺍﺯ ﺩﺍﺩﻩ ﻫﺎ ﺭﺍ ﻓﺮﺍﻫﻢ ﻣﻲ ﻛﻨﺪ ﻛﻪ ﻣﻲ ﺗﻮﺍﻥ ﺭﻭﻱ ﺁﻧﻬﺎ ﺟﺴﺘﺠﻮ ﺍﻧﺠﺎﻡ ﺩﺍﺩ ﻭ‬
‫ﻫﺮ ﺩﻓﻌﻪ ﺑﻪ ﻭﺳﻴﻠﻪ ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺑﻪ ﺭﻭﺯ ﺭﺳﺎﻧﻲ ﻣﻲ ﺷﻮﺩ‪ .‬ﻻﻳﻪ ﺩﺍﺩﻩ ﺍﻳﻦ ﺍﻣﻜﺎﻥ ﺭﺍ ﻓﺮﺍﻫﻢ ﻣﻲ ﻛﻨﺪ ﻛﻪ‬
‫ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺑﺪﻭﻥ ﺍﻳﻨﻜﻪ ﻧﻴﺎﺯﻱ ﺑﻪ ﻛﺪﻫﺎﻱ ﻣﺸﻜﻞ ﺑﺮﻧﺎﻣﻪ ﻧﻮﻳﺴﻲ ﺩﺍﺷﺘﻪ ﺑﺎﺷﺪ ﺑﺘﻮﺍﻧﺪ ﺁﻥ ﺭﺍ ﺑﻪ ﺁﺳﺎﻧﻲ‬
‫ﺑﻪ ﺭﻭﺯ ﺭﺳﺎﻧﻲ ﻛﻨﺪ ﻭ ﺍﺯ ﺁﻥ ﺍﺳﺘﻔﺎﺩﻩ ﻧﻤﺎﻳﺪ‪.‬‬
‫ﺑﺮﺍﻱ ﺍﻳﻨﻜﻪ ﺑﻔﻬﻤﻴﺪ ﺍﻳﻨﻬﺎ ﭼﮕﻮﻧﻪ ﺑﺎ ﻫﻢ ﻛﺎﺭ ﻣﻲ ﻛﻨﻨﺪ ﺍﺟﺎﺯﻩ ﺑﺪﻫﻴﺪ ﻣﺜﺎﻟﻲ ﺭﺍ ﺑﻴﺎﻥ ﻛﻨﻴﻢ‪ .‬ﻳﻚ ﺑﺮﻧﺎﻣﻪ‬
‫ﻛﺎﺭﺑﺮﺩﻱ ﺗﺤﺖ ﻭﺏ ﺳﺎﺩﻩ ﺭﺍ ﻓﺮﺽ ﻛﻨﻴﺪ ﻛﻪ ﺗﻤﺎﻡ ﻓﺎﻳﻠﻬﺎﻱ ﻣﺤﻠﻲ ﺩﺭﻭﻥ ﻫﺎﺭﺩ ﺳﺮﻭﺭ ﺭﺍ ﺑﺮﺍﻱ ﻭﺟﻮﺩ‬
‫ﻣﺘﻨﻲ ﻛﻪ ﻛﺎﺭﺑﺮ ﺩﺭﺧﻮﺍﺳﺖ ﻛﺮﺩﻩ ﺍﺳﺖ ‪ ،‬ﺟﺴﺘﺠﻮ ﻣﻲ ﻛﻨﺪ ﻭ ﻧﺘﻴﺠﻪ ﺭﺍ ﻧﻤﺎﻳﺶ ﻣﻲ ﺩﻫﺪ‪ .‬ﻻﻳﻪ ﻧﻤﺎﻳﺶ‬
‫ﺷﺎﻣﻞ ﻳﻚ ﻓﺮﻡ ﺑﺎ ﻓﻴﻠﺪﻫﺎﻳﻲ ﺑﺮﺍﻱ ﺩﺭﻳﺎﻓﺖ ﻣﺘﻦ ﻭﺭﻭﺩﻱ ﺗﻮﺳﻂ ﻛﺎﺭﺑﺮ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺍﻳﻦ ﻣﺘﻦ ﺑﺎﻳﺪ‬
‫ﻣﻮﺭﺩ ﺟﺴﺘﺠﻮ ﻗﺮﺍﺭ ﮔﻴﺮﺩ‪ .‬ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﻳﻚ ﺑﺮﻧﺎﻣﻪ ﺍﺟﺮﺍﻳﻲ ﻣﻲ ﺑﺎﺷﺪ ﻛﻪ ﺭﺷﺘﻪ ﻭﺭﻭﺩﻱ ﺭﺍ ﺩﺭﻳﺎﻓﺖ‬
‫ﻛﺮﺩﻩ ﻭ ﭘﺲ ﺍﺯ ﺍﻳﻨﻜﻪ ﻣﻄﻤﺌﻦ ﺷﺪ ﻛﻪ ﺍﻳﻦ ﺭﺷﺘﻪ ﺣﺎﻭﻱ ﻛﺎﺭﺍﻛﺘﺮﻫﺎﻱ ﻣﺨﺮﺏ ﻧﻤﻲ ﺑﺎﺷﺪ ‪ ،‬ﺍﺭﺗﺒﺎﻁ‬
‫ﺩﻫﻨﺪﻩ ﻣﻨﺎﺳﺐ ﺑﻪ ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ﺭﺍ ﺑﺮﺍﻱ ﺍﻳﺠﺎﺩ ﻳﻚ ﺍﺭﺗﺒﺎﻁ ﺑﺎ ﻻﻳﻪ ﺩﺍﺩﻩ ‪ ،‬ﻓﺮﺍﺧﻮﺍﻧﻲ ﻣﻲ ﻛﻨﺪ‪ .‬ﺳﺮﺍﻧﺠﺎﻡ‬
‫ﻳﻚ ‪ Query‬ﺑﻪ ﻭﺳﻴﻠﻪ ﻭﺭﻭﺩﻱ ﺳﺎﺧﺘﻪ ﻣﻲ ﺷﻮﺩ‪ .‬ﻻﻳﻪ ﺩﺍﺩﻩ ﻣﻤﻜﻦ ﺍﺳﺖ ﺷﺎﻣﻞ ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ﺍﻱ ﺑﺎﺷﺪ‬
‫ﻛﻪ ﺷﺎﺧﺼﻲ ﺍﺯ ﻛﻠﻴﻪ ﻓﺎﻳﻠﻬﺎﻱ ﺩﺭﻭﻥ ﻣﺎﺷﻴﻦ ﻣﺤﻠﻲ ﺭﺍ ﺩﺭ ﺧﻮﺩ ﺫﺧﻴﺮﻩ ﻛﺮﺩﻩ ﺍﺳﺖ ﻭ ﺑﻪ ﺻﻮﺭﺕ‬
‫‪ Real-Time‬ﺑﻪ ﺭﻭﺯ ﺭﺳﺎﻧﻲ ﻣﻲ ﺷﻮﺩ‪ Query .‬ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ﻣﺠﻤﻮﻋﻪ ﺍﻱ ﺍﺯ ﺭﻛﻮﺭﺩﻫﺎ ﺭﺍ ﺍﻧﺘﺨﺎﺏ‬
‫ﻛﺮﺩﻩ ﻭ ﺁﻧﻬﺎ ﺭﺍ ﺑﻪ ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺑﺮ ﻣﻲ ﮔﺮﺩﺍﻧﺪ‪ .‬ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺭﻛﻮﺭﺩﻫﺎﻱ ﺑﺮﮔﺸﺘﻲ ﺭﺍ ﺗﺮﺟﻤﻪ ﻭ ﺗﺤﻠﻴﻞ‬
‫ﻣﻲ ﻛﻨﺪ ﻭ ﺭﻛﻮﺭﺩﻫﺎﻳﻲ ﻛﻪ ﻻﺯﻡ ﻧﺒﻮﺩﻩ ﺍﻧﺪ ﺭﺍ ﺣﺬﻑ ﻛﺮﺩﻩ ﻭ ﺭﻛﻮﺭﺩﻫﺎﻱ ﺩﺭﺧﻮﺍﺳﺖ ﺷﺪﻩ ﺭﺍ ﺑﻪ ﻻﻳﻪ‬
‫ﻧﻤﺎﻳﺶ ﺑﺮ ﻣﻲ ﮔﺮﺩﺍﻧﺪ‪ .‬ﺍﻳﻦ ﺭﻛﻮﺭﺩﻫﺎ ﻧﻴﺰ ﺩﺭ ‪ HTML‬ﺁﻣﻴﺨﺘﻪ ﺷﺪﻩ ﺗﺎ ﺑﻪ ﺻﻮﺭﺕ ﻣﻨﺎﺳﺒﻲ ﺑﺮﺍﻱ‬
‫ﻛﺎﺭﺑﺮ ﻧﻤﺎﻳﺶ ﺩﺍﺩﻩ ﺷﻮﺩ‪ .‬ﻭ ﺍﺯ ﺳﺮﻭﺭ ﻭﺏ ﺑﻪ ﺳﻤﺖ ﻣﺮﻭﺭﮔﺮ ﺑﺮﮔﺮﺩﺍﻧﺪﻩ ﻣﻲ ﺷﻮﺩ‪.‬‬
‫ﺧﻴﻠﻲ ﺍﺯ ﺗﻜﻨﻮﻟﻮﮊﻳﻬﺎﻱ ﺩﺭ ﺣﺎﻝ ﺣﺎﺿﺮ ‪ ،‬ﺑﻪ ﺻﻮﺭﺕ ﻭﺍﻗﻌﻲ ﻭ ﻋﻤﻠﻲ ﺍﺯ ﻳﻚ ﻳﺎ ﺑﻴﺸﺘﺮ ﺍﻳﻦ ﻻﻳﻪ ﻫﺎ‬
‫ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﻛﻨﻨﺪ ﺑﻨﺎﺑﺮﺍﻳﻦ ﺍﻏﻠﺐ ﺗﺸﺨﻴﺺ ﺩﺍﺩﻥ ﻻﻳﻪ ﻫﺎ ﺍﺯ ﻳﻜﺪﻳﮕﺮ ﻛﻤﻲ ﻣﺸﻜﻞ ﻣﻲ ﺑﺎﺷﺪ ﻭ ﺣﺘﻲ‬
‫ﺑﻌﻀﻲ ﻻﻳﻪ ﻫﺎ ﺩﺭﻭﻥ ﺑﻌﻀﻲ ﺩﻳﮕﺮ ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﺷﻮﺩ‪ .‬ﺑﻪ ﻋﻨﻮﺍﻥ ﻣﺜﺎﻝ ﺑﺮﻧﺎﻣﻪ ‪Active Server‬‬
‫‪ ( ASP ) Page‬ﺑﻪ ﺷﻤﺎ ﺍﺟﺎﺯﻩ ﻣﻲ ﺩﻫﺪ ﺩﺭﻭﻥ ﺻﻔﺤﺎﺕ ﻭﺏ ﺩﺭ ﻻﻳﻪ ﻧﻤﺎﻳﺶ ﺍﺯ ﻛﺪﻫﺎﻱ ﻻﻳﻪ ﻣﻨﻄﻘﻲ‬
‫ﺍﺳﺘﻔﺎﺩﻩ ﻛﻨﻴﺪ‪.‬ﺑﻨﺎﺑﺮﺍﻳﻦ ﻧﻴﺎﺯﻱ ﻧﻴﺴﺖ ﻛﻪ ﻳﻚ ﻛﺪ ﺍﺟﺮﺍﻳﻲ ﻣﺠﺰﺍ ﺑﺮﺍﻱ ﺩﺭﺧﻮﺍﺳﺘﻬﺎﻳﺘﺎﻥ ﺍﺯ ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ‪،‬‬
‫ﺩﺍﺷﺘﻪ ﺑﺎﺷﻴﺪ‪ ) .‬ﺍﮔﺮ ﭼﻪ ﺧﻴﻠﻲ ﺍﺯ ﺳﺎﻳﺘﻬﺎ ﺍﺯ ‪ COM object‬ﺑﺮﺍﻱ ﺩﺳﺘﺮﺳﻲ ﺑﻪ ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ ﺍﺳﺘﻔﺎﺩﻩ‬
‫ﻣﻲ ﻛﻨﻨﺪ ﻭ ﻣﻤﻜﻦ ﺍﺳﺖ ﻛﻪ ﺍﻳﻦ ﻛﺎﺭ ﺩﺭ ﺑﻌﻀﻲ ﻣﻮﺍﺭﺩ ﺍﻳﻤﻦ ﺗﺮ ﺑﺎﺷﺪ‪( .‬‬

‫‪2 - Logic Layer‬‬


‫‪3 - Data Layer‬‬

‫‪4‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

‫ﺗﻜﻨﻴﻜﻬﺎﻱ ﻣﺘﻨﻮﻉ ﺯﻳﺎﺩﻱ ﺑﺮﺍﻱ ﺍﻳﺠﺎﺩ ﺳﺎﻳﺘﻬﺎﻱ ﻭﺏ ﭼﻨﺪ ﻻﻳﻪ ﻭﺟﻮﺩ ﺩﺍﺭﺩ‪ .‬ﺑﻌﻀﻲ ﺍﺯ ﺍﻳﻦ ﺗﻜﻨﻴﻜﻬﺎ ﺩﺭ‬
‫ﺟﺪﻭﻝ ﺷﻤﺎﺭﻩ ‪ ١‬ﺁﻣﺪﻩ ﺍﺳﺖ‪.‬‬
‫ﺁﻧﭽﻪ ﻛﻪ ﻻﺯﻡ ﺍﺳﺖ ﺩﺭﺑﺎﺭﻩ ﺍﻳﻦ ﺗﻜﻨﻴﻜﻬﺎ ﺑﺪﺍﻧﻴﺪ ﺍﻳﻦ ﺍﺳﺖ ﻛﻪ ﺁﻧﻬﺎ ﺷﺒﻴﻪ ﻳﻚ ﻓﺎﻳﻞ ﺍﺟﺮﺍﻳﻲ ﺗﺮﺟﻴﺤﺎ‬
‫ﺍﻳﺴﺘﺎ ﻛﺎﺭ ﻣﻲ ﻛﻨﻨﺪ‪ .‬ﺑﺮﺍﻱ ﻣﺜﺎﻝ ﻳﻚ ﺩﺭﺧﻮﺍﺳﺖ ﺑﺮﺍﻱ ﻳﻚ ﺍﺳﻜﺮﻳﭙﺖ ‪ PHP‬ﻣﻤﻜﻦ ﺍﺳﺖ ﺑﻪ ﺻﻮﺭﺕ‬
‫ﺯﻳﺮ ﺑﺎﺷﺪ‪:‬‬
‫‪http://www.somestie.net/article.php?id=425&format=html‬‬
‫ﻫﻤﺎﻧﻄﻮﺭ ﻛﻪ ﻣﺸﺎﻫﺪﻩ ﻣﻲ ﻛﻨﻴﺪ ‪ ،‬ﻓﺎﻳﻞ ‪ article.php‬ﺷﺒﻴﻪ ﻳﻚ ﻓﺎﻳﻞ ﺍﺟﺮﺍﻳﻲ ﻋﻤﻞ ﻣﻲ ﻛﻨﺪ ﻭ ﭘﺎﺭﺍﻣﺘﺮﻫﺎﻳﻲ‬
‫ﻛﻪ ﻫﻤﺮﺍﻩ ﺑﺎ ﺁﻥ ﺍﺭﺟﺎﻉ ﺩﺍﺩﻩ ﺷﺪﻩ ﺍﻧﺪ ﻣﺎﻧﻨﺪ ﻭﺭﻭﺩﻱ ﻫﺎ ﻭ ﻳﺎ ﺁﺭﮔﻮﻣﺎﻧﻬﺎﻱ ﺍﻳﻦ ﻓﺎﻳﻞ ﺍﺟﺮﺍﻳﻲ ﻣﻲ ﺑﺎﺷﻨﺪ‪.‬‬

‫ﭘﺎﻳﮕﺎﻩ ﺩﺍﺩﻩ‬
‫ﻻﻳﻪ ﺩﺍﺩﻩ ﻣﻌﻤﻮﻻ ﺑﻪ ﻋﻨﻮﺍﻥ ﺁﺧﺮﻳﻦ ﻻﻳﻪ ﻳﻚ ﺑﺮﻧﺎﻣﻪ ﻛﺎﺭﺑﺮﺩﻱ ﻭﺏ ﺩﺭ ﻳﻚ ﻣﻌﻤﺎﺭﻱ ﭼﻨﺪﻻﻳﻪ ﺍﻱ ﻣﻲ ﺑﺎﺷﺪ‪.‬‬
‫ﺷﺎﻳﺪ ﺧﻴﻠﻲ ﺑﻴﺸﺘﺮ ﺍﺯ ﭼﻴﺰﻫﺎﻱ ﺩﻳﮕﺮ‪ ،‬ﭘﺎﻳﮕﺎﻫﻬﺎﻱ ﺩﺍﺩﻩ ﻣﺴﻮﻭﻝ ﺗﺤﻮﻝ ﻳﻚ ﻓﺮﻡ ﺍﺳﺘﺎﺗﻴﻚ ﺑﺮ ﭘﺎﻳﻪ ‪ HTML‬ﺑﻪ‬
‫ﻓﺮﻣﻬﺎﻱ ﺩﻳﻨﺎﻣﻴﻚ ‪ ،‬ﺑﺎﺯﻳﺎﺑﻲ ﺍﻃﻼﻋﺎﺕ ﺳﻴﺎﻝ ﻭ ﺭﻭﺍﻥ ﻭ ﺗﺠﺎﺭﺕ ﺍﻟﻜﺘﺮﻭﻧﻴﻚ ﺷﺪﻩ ﺑﺎﺷﻨﺪ‪.‬‬
‫ﺑﻴﺸﺘﺮﻳﻦ ﺯﻣﻴﻨﻪ ﻛﺎﺭﻱ ﭘﺎﻳﮕﺎﻫﻬﺎﻱ ﺩﺍﺩﻩ ﺩﺭ ﻭﺏ ﺭﻭﻱ ﺩﻭ ﻋﻨﻮﺍﻥ ﻣﻲ ﭼﺮﺧﺪ‪ SQL :‬ﻭ ‪ .Oracle‬ﻣﻮﻟﻔﻪ ﻫﺎﻱ‬
‫ﻻﻳﻪ ﻣﻨﻄﻘﻲ ﺍﺯ ﺍﺭﺗﺒﺎﻁ ﺩﻫﻨﺪﻩ ﻫﺎﻱ ﻣﻌﺮﻭﻑ ﺑﺮﺍﻱ ﺑﺮﻗﺮﺍﺭﻱ ﺍﺭﺗﺒﺎﻁ ﺑﺎ ﭘﺎﻳﮕﺎﻫﻬﺎﻱ ‪ ،‬ﺳﺎﺧﺘﻦ ‪ query‬ﻫﺎ ‪ ،‬ﺑﻪ‬
‫ﺭﻭﺯ ﺭﺳﺎﻧﻲ ﺭﻛﻮﺭﺩﻫﺎ ﻭ ‪ ...‬ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﻛﻨﺪ‪ .‬ﻳﻜﻲ ﺍﺯ ﻋﻤﻮﻣﻲ ﺗﺮﻳﻦ ﺭﺍﺑﻄﻬﺎﻳﻲ ﻛﻪ ﺍﻣﺮﻭﺯﻩ ﺍﺳﺘﻔﺎﺩﻩ ﻣﻲ ﺷﻮﺩ‬
‫‪ Open Database Connectivity‬ﻭ ﻳﺎ ‪ ODBS‬ﻣﻲ ﺑﺎﺷﺪ‪.‬‬
‫ﺩﺭ ﺯﻳﺮ ﺷﻤﺎﻱ ﻛﻠﻲ ﻳﻚ ﺩﺭﺧﻮﺍﺳﺖ ﻭ ﭘﺎﺳﺦ ﻭ ﻣﻌﻤﺎﺭﻱ ﺑﺮﻧﺎﻣﻪ ﻫﺎﻱ ﻛﺎﺭﺑﺮﺩﻱ ﺭﺍ ﻣﺸﺎﻫﺪﻩ ﻣﻲ ﻛﻨﻴﺪ‪.‬‬

‫‪5‬‬ ‫‪www.WebSecurityMgz.com‬‬
‫ﻣﺮﻭﺭﻱ ﺑﺮ ﻣﻌﻤﺎﺭﻱ ﻭﺏ‬

Web
App
Database
WEB Web
Web Internet Conector
Server App
client Database
Web
App

Search for:
Search.php Fname.db
Search.html

Result.html

Presentaion Layer Logic Layer Data Layer

‫ﺷﺮﻛﺖ ﻫﺎ‬ ‫ﺗﻜﻨﻮﻟﻮﮊﻳﻬﺎ‬


Microsoft Actice Server Page (ASP)
ASP .NET
ASAPI
Common Object Model (COM)
JavaScript

Sun Microsystem Java 2 Enterprise Edition (J2EE), including


IBM Websphere Java Servlets
BEA Weblogic Java Server Pages (JSP)
CORBA

Apache Software Foundation PHP (Hypertext Perprocessor)


Jakarta (server – side Java)

(none) HTML
CGI (including Perl)

6 www.WebSecurityMgz.com

You might also like