Tag - HTTP - Synopse

2011, Friday December 30

Hash collision attack

By A.Bouchez on 2011, Friday December 30, 10:49 - mORMot Framework

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.

Source: #2011-003 multiple implementations denial-of-service via hash algorithm collision

2011, Wednesday August 10

Framework documentation updated for revision 1.15

By A.Bouchez on 2011, Wednesday August 10, 20:52 - mORMot Framework

The framework documentation was just updated.

The general organization of the SAD document (which is the one to be read in all cases) has been refreshed, and is now separated in smaller chapters.

The new official name has been changed into "Synopse SQLite3/mORMot framework"...

2011, Monday July 4

WinINet vs WinHTTP

By A.Bouchez on 2011, Monday July 4, 06:09 - SQLite3 Framework

If you want to implement an HTTP client access in your application, you may consider several choices:

Use the provided Indy components;
Use third-party components like Synapse, ICS or your own WinSock-based wrapper;
Use WinINet;
Use WinHTTP.

For our ORM, we tried to avoid external dependencies, and did not have the need of all Indy's features and overhead.
We fist wrote our own WinSock wrapper, then tried out WinInet.

When used on our testing benchmark, we found out that WinINet was dead slow.
Then we tried WinHTTP, the new API provided by Microsoft, and we found out this was blazing fast. As fast as direct WinSock access, without the need of writing all the wrapper code.

2011, Tuesday May 24

How to implement RESTful authentication

By A.Bouchez on 2011, Tuesday May 24, 22:58 - SQLite3 Framework

How to handle authentication in a RESTful Client-Server architecture is a matter of debate.

Commonly, it can be achieved, in the SOA over HTTP world via:
- HTTP basic auth over HTTPS;
- Cookies and session management;
- Query Authentication with additional signature parameters.

We'll have to adapt, or even better mix those techniques, to match our framework architecture at best.

Each authentication scheme has its own PROs and CONs, depending on the purpose of your security policy and software architecture.

2011, Friday March 11

HTTP server using fast http.sys kernel-mode server

By A.Bouchez on 2011, Friday March 11, 22:06 - SQLite3 Framework

Since Windows XP SP2 and Windows Server 2003, the Operating System provides a kernel stack to handle HTTP requests. This http.sys driver is in fact a full featured HTTP server, running in kernel mode. It is part of the networking subsystem of the Windows operating system, as a core component.

The SynCrtSock unit can now implement a HTTP server based on this component. Of course, our SQLite3 framework will use it. If it's not available, it will launch our pure Delphi optimized HTTP server, using I/O completion ports and a Thread Pool.

2010, Tuesday August 24

Synopse SQLite3 Framework 1.9.1

By A.Bouchez on 2010, Tuesday August 24, 11:16 - SQLite3 Framework

The Synopse SQLite3 Database Framework was just released under version 1.9.1:
- internal SQLite3 database engine is updated to version 3.7.2;
- new TSQLRecordFTS3 record, for using FTS3 virtual tables, i.e. implementing full-text search;
- new SQLite3UIEdit unit, to edit table content with a dialog created from RTTI;
- new dedicated BLOB methods and JSON array serialization;
- a lot of fixes and speed enhancements (including our HTTP/1.1 RESTful server now using Thread Pool).

The new 3.7.2 version of the SQLite3 engine, which is mandatory according to SQLite3's authors, is included.

2010, Thursday August 19

How to implement multi-tier architecture in our SQLite3 Framework

By A.Bouchez on 2010, Thursday August 19, 10:48 - SQLite3 Framework

In software engineering, multi-tier architecture (often referred to as n-tier architecture) is a client–server architecture in which the presentation, the application processing, and the data management are logically separate processes. For example, an application that uses middleware to service data requests between a user and a database employs multi-tier architecture. The most widespread use of multi-tier architecture is the three-tier architecture.

Both ORM and RESTful aspects of our framework makes it easy to develop using such a three-tier architecture.

2010, Monday May 24

SQLite3 Framework version 1.7

By A.Bouchez on 2010, Monday May 24, 10:34 - SQLite3 Framework

Our SQLite3 Framework has been updated into the 1.7 version. For Delphi 7 to Delphi 2010.

Mostly User-Interface (reporting) enhancements, and some bug fixes.

15 comments

2010, Monday February 8

SQLite3 Framework version 1.4

By A.Bouchez on 2010, Monday February 8, 14:29 - SQLite3 Framework

The framework has been updated, and is released now under the LGPL license (public domain license was found to be confusing).

32 comments

Synopse

Tag - HTTP

Hash collision attack

Framework documentation updated for revision 1.15

WinINet vs WinHTTP

How to implement RESTful authentication

HTTP server using fast http.sys kernel-mode server

Synopse SQLite3 Framework 1.9.1

How to implement multi-tier architecture in our SQLite3 Framework

SQLite3 Framework version 1.7

SQLite3 Framework version 1.4

Search

Main dishes

Tags

Categories

RSS