HyperText Transfer Protocol (HTTP)

Most internet communications are made with web requests through the HTTP protocol. HTTP is an application-level protocol used to access World Wide Web resources. The term 'hypertext' stands for text containing links to other resources and text that readers can easily interpret.
HTTP communication consists of a client and a server, where the client requests a resource from the server. The server processes the request and returns the requested resource. The default port for HTTP communication is port 80, though this can be changed to any other port, depending on the web server configuration.

Uniform Resource Locator (URL)

[Figure: URL structure]

| Structure-Element | Example | Description |
|---|---|---|
| Scheme | http:// https:// | identifies the protocol being accessed by the client |
| User Info | admin:password@ | optional component that contains the credentials used to authenticate to the host, and is separated from the host with an '@' sign |
| Host | inlanefreight.com | signifies the resource location; can be a hostname or an IP address |
| Port | :80 | is separated from the host by a colon; if no port is specified, http schemes default to port 80 and https to port 443 |
| Path | /dashboard.php | points to the resource being accessed, which can be a file or a folder; if there is no path specified, the server returns the default index |
| Query String | ?login=true | starts with a question mark, and consists of a parameter and a value; multiple parameters can be separated by an ampersand |
| Fragments | #status | are processed by the browser on the client side to locate sections within the primary resource |
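
The table above, applied to one URL. This is an added example, not part of the original notes; the function names `dissect_url` and `request_target` and the warning texts are assumptions made for illustration. It splits a URL into the listed components, applies the default-port rule, flags embedded credentials, and shows that the fragment never reaches the server.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample assembled from the example values in the table.
SAMPLE_URL = "http://admin:password@inlanefreight.com:80/dashboard.php?login=true#status"


def dissect_url(url):
    """Split a URL into the components listed in the table."""
    parts = urlsplit(url)
    info = {
        "scheme": parts.scheme,
        "user": parts.username,
        "password": parts.password,
        "host": parts.hostname,
        # No explicit port: fall back to the scheme default (80 / 443).
        "port": parts.port or DEFAULT_PORTS.get(parts.scheme),
        # No path: the server is asked for "/", i.e. its default index.
        "path": parts.path or "/",
        # parse_qs splits on '&' and groups values per parameter name.
        "query": parse_qs(parts.query),
        "fragment": parts.fragment,
        "warnings": [],
    }
    if parts.username is not None:
        info["warnings"].append("credentials embedded in URL")
        if parts.scheme == "http":
            info["warnings"].append("credentials sent over clear-text HTTP")
    return info


def request_target(url):
    """Path plus query string as sent on the request line.

    The fragment is handled by the browser and is not sent to the server.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


if __name__ == "__main__":
    for key, value in dissect_url(SAMPLE_URL).items():
        print(f"{key:9} {value}")
    print("target   ", request_target(SAMPLE_URL))
```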

HTTP Flow

[Figure: HTTP flow]

cURL

cURL is a command-line tool and library that primarily supports HTTP along with many other protocols. This makes it a good candidate for scripts and automation, and essential for sending various types of web requests from the command line.

Example:

d41y@htb[/htb]$ curl inlanefreight.com

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
...SNIP...

HyperText Transfer Protocol Secure (HTTPs)

One significant drawback of HTTP is that all data is transferred in clear-text. This means that anyone between the source and destination can perform a Man-in-the-Middle (MiTM) attack to view the transferred data.
To counter this issue, HTTPs was created, in which all communications are transferred in an encrypted format, so even if a third party does intercept the request, they would not be able to extract the data from it.

HTTPs Flow

[Figure: HTTPs flow]

cURL with HTTPs

cURL automatically handles the HTTPs communication standards: it performs the secure handshake and then encrypts and decrypts the data. However, if you contact a website with an invalid or outdated SSL certificate, cURL by default does not proceed with the communication, to protect against MiTM attacks.
To ignore certificate checks, you can set -k. The connection is still encrypted, but cURL no longer verifies who it is talking to, so the MiTM protection is lost for that request.

d41y@htb[/htb]$ curl https://inlanefreight.com

curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
...SNIP...

d41y@htb[/htb]$ curl -k https://inlanefreight.com

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
...SNIP...

HTTP Requests and Responses

Request

HTTP communication mainly consists of an HTTP request and an HTTP response. An HTTP request is made by the client and is processed by the server. The request contains all of the details we require from the server, including the resource and many other options.

[Figure: HTTP request]

| Field | Example | Description |
|---|---|---|
| Method | GET | HTTP method or verb, which specifies the type of action to perform |
| Path | /users/login.html | path to the resource being accessed; can also be suffixed with a query string |
| Version | HTTP/1.1 | third and final field is used to denote the HTTP version |

Response

[Figure: HTTP response]

| Field | Example | Description |
|---|---|---|
| Response Code | 200 OK | are used to determine the request's status |
| Response Body | [HTML code] | usually defined as HTML code; can also be JSON or website resources |

cURL

cURL can also show the full HTTP request and response when you add -v.

d41y@htb[/htb]$ curl inlanefreight.com -v

*   Trying SERVER_IP:80...
* TCP_NODELAY set
* Connected to inlanefreight.com (SERVER_IP) port 80 (#0)
> GET / HTTP/1.1
> Host: inlanefreight.com
> User-Agent: curl/7.65.3
> Accept: */*
> Connection: close
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 21 Jul 2020 05:20:15 GMT
< Server: Apache/X.Y.ZZ (Ubuntu)
< WWW-Authenticate: Basic realm="Restricted Content"
< Content-Length: 464
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>

...SNIP...

HTTP Headers

General Headers

General headers are used in both HTTP requests and responses. They are contextual and are used to describe the message rather than its contents.

| Header | Example | Description |
|---|---|---|
| Date | Date: Wed, 16 Feb 2022 10:38:44 GMT | holds the date and time at which the message originated; preferred to convert the time to the standard UTC time zone |
| Connection | Connection: close | dictates if the current network connection should stay alive after the request finishes |

Entity Headers

| Header | Example | Description |
|---|---|---|
| Content-Type | Content-Type: text/html | used to describe the type of resource being transferred |
| Media-Type | Media-Type: application/pdf | describes the data being transferred |
| Boundary | boundary="b4e4fbd93540" | acts as a marker to separate content when there is more than one in the same message |
| Content-Length | Content-Length: 385 | holds the size of the entity being passed |
| Content-Encoding | Content-Encoding: gzip | specifies the type of encoding used |

Request Headers

| Header | Example | Description |
|---|---|---|
| Host | Host: www.inlanefreight.com | used to specify the host being queried for the resource |
| User-Agent | User-Agent: curl/7.77.0 | is used to describe the client requesting resources; can reveal a lot about the client, such as the browser, its version, and the OS |
| Referer | Referer: http://www.inlanefreight.com/ | denotes where the current request is coming from |
| Accept | `Accept: */*` | describes which media types the client can understand |
| Cookie | Cookie: PHPSESSID=b4e4fbd93540 | contains cookie-value pairs in format 'name=value' |
| Authorization | Authorization: BASIC cGFzc3dvcmQK | another method for the server to identify clients |

Response Headers

| Header | Example | Description |
|---|---|---|
| Server | Server: Apache/2.2.14 (Win32) | contains information about the HTTP server, which processed the request |
| Set-Cookie | Set-Cookie: PHPSESSID=b4e4fbd93540 | contains the cookie needed for client identification |
| WWW-Authenticate | WWW-Authenticate: BASIC realm="localhost" | notifies the client about the type of authentication required to access the requested resource |

Security Headers

| Header | Example | Description |
|---|---|---|
| Content-Security-Policy | Content-Security-Policy: script-src 'self' | dictates the website's policy towards externally injected resources |
| Strict-Transport-Security | Strict-Transport-Security: max-age=31536000 | prevents the browser from accessing the website over the plaintext HTTP protocol, and forces all communication to be carried over the secure HTTPs protocol |
| Referrer-Policy | Referrer-Policy: origin | dictates whether the browser should include the value specified via the Referer header or not |
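
The response structure and the header tables above, combined into one check. This is an added example, not part of the original notes; `parse_response`, `audit_response` and the finding texts are assumed names, and the version-disclosure check on the Server header is an added hardening check. It parses a raw HTTP/1.x response into status line, headers and body, then reports which of the three security headers from the table are missing.

```python
import re

# Security headers from the table above (header names are case-insensitive).
SECURITY_HEADERS = ("content-security-policy",
                    "strict-transport-security",
                    "referrer-policy")

# Constructed sample response built from the example values on this page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 16 Feb 2022 10:38:44 GMT\r\n"
    "Server: Apache/2.2.14 (Win32)\r\n"
    "Set-Cookie: PHPSESSID=b4e4fbd93540\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into status line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")  # blank line ends the headers
    status_line, *header_lines = head.split("\r\n")
    # The reason phrase is optional, so pad before unpacking.
    version, code, reason = (status_line.split(" ", 2) + [""])[:3]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            # A header may repeat (e.g. Set-Cookie), so keep a list per name.
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"version": version, "code": int(code), "reason": reason,
            "headers": headers, "body": body}


def audit_response(raw):
    """Return findings: missing security headers and Server version disclosure."""
    headers = parse_response(raw)["headers"]
    findings = [f"missing {name}" for name in SECURITY_HEADERS
                if name not in headers]
    for value in headers.get("server", []):
        if re.search(r"/\d", value):  # product/version token such as Apache/2.2.14
            findings.append(f"server version disclosed: {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```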

HTTP Methods and Codes

Request Methods

| Method | Description |
|---|---|
| GET | requests a specific resource; additional data can be passed to the server via query in the URL (?param=value) |
| POST | sends data to the server; data is appended in the request body present after the headers |
| HEAD | requests the headers that would be returned if a GET request was made to the server |
| PUT | creates new resources on the server; allowing this method can lead to uploading malicious resources |
| DELETE | deletes an existing resource on the webserver |
| OPTIONS | returns information about the server, such as the methods accepted by it |
| PATCH | applies partial modifications to the resource at the specific location |

Response Codes

| Type | Description |
|---|---|
| 1xx | provides information and does not affect the processing of the request |
| 2xx | returned when a request succeeds |
| 3xx | returned when the server redirects the client |
| 4xx | signifies improper requests from the client |
| 5xx | returned when there is some problem with the HTTP server itself |