Scope of a Web Application
Depending on its architecture and size, a production web application can reside on a single server or span many different servers and tiers, as shown in Figure 6-1. Ideally, a production web application's source is grouped logically into presentation, business, and data layers and is separated physically across tiers. Anyone with experience testing web application security knows this is rarely the case: presentation, business-logic, and data-access code frequently end up mixed on the same tier, so the scope of a review has to cover every tier rather than the frontend alone. Table 6-1 provides a brief description of the types of code commonly found at each tier.
Table 6-1. Typical web application architecture

| Tier | Code description | Example code |
|---|---|---|
| Client | Client-side/mobile code. | JavaScript, VBScript, ActiveX, Java applets |
| Frontend | Hosts the user interface (UI)/presentation code. Can also contain business logic and data access code. | ASP (VBScript), ASPX (C#/VB.NET), Java/JSP, PHP, Perl |
| Middle tier | Hosts code implementing a company's business logic and data access code. | C, C++, C#, VB.NET, Java |
| Backend | Hosts code for the retrieval and storage of application data. Code can also implement business logic rules. | T-SQL, PL/SQL, MySQL dialect |
Figure 6-1. Typical web application architecture