Web Exploitation Intro

HTTP Background

URLs

When you visit a website like Google, you usually type “google.com”. Your browser converts this to a “Uniform Resource Locator” (URL); for example, google.com becomes https://google.com.

The standard URL format is protocol://host/path?query, made up of the following parts:

  • The Protocol is typically HTTP or HTTPS; however, it can also be FTP, SMB, or many more.

  • The Host is the DNS name the request is going to. A DNS lookup is performed to get an IP address for the given host.

  • The Path is the reference to what you want to request from the server.

  • The Query is a way of providing data to the website. This data can be read by JavaScript, PHP, etc.

    • Such data is also often sent in the body of a POST request.
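To see how the parts above map onto real URLs, here is an added example (not part of the original page) that splits a URL into its protocol, host, path and query with Python's standard library. The sample URLs are constructed; note that the query is decoded into lists because the same key may appear more than once, and that percent-encoded characters are decoded, which is why user-supplied query values should never be trusted as-is by server code.

```python
# Added example (not from the original page): split a URL into the parts
# named above and decode its query string. All URLs here are constructed.
from urllib.parse import urlsplit, parse_qs, unquote


def split_url(url: str) -> dict:
    """Return the protocol, host, port, path and decoded query of a URL."""
    parts = urlsplit(url)
    return {
        "protocol": parts.scheme,
        # hostname lowercases the host and strips any :port and userinfo
        "host": parts.hostname,
        "port": parts.port,
        # an empty path means the site root
        "path": unquote(parts.path) or "/",
        # parse_qs returns lists because a key may repeat (?item=42&item=7);
        # keep_blank_values keeps "coupon=" as an empty string
        "query": parse_qs(parts.query, keep_blank_values=True),
    }


# Constructed sample URLs: a bare host, a port plus repeated key, an FTP
# path with percent-encoding, and a percent-encoded space in the query.
SAMPLES = [
    "https://google.com",
    "http://shop.example.test:8080/cart/view?item=42&item=7&coupon=",
    "ftp://files.example.test/pub/%7Eguest/readme.txt",
    "https://example.test/search?q=hello%20world&lang=en",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url)
        for key, value in split_url(url).items():
            print(f"  {key:8} {value!r}")
```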

HTTP(s) Requests & Responses

HTTP(s) Requests

To actually request the data at the URL, the browser sends an HTTP(s) request to the server. HTTP(s) is a text-based protocol, which makes it easy to read and interpret.

HTTP(s) requests are split into 2 parts:

  1. The Header

  2. The Body

(More often than not, requests only have a header section.)

The Header:

The Header is where the client tells the server what data it wants.

  • The first line specifies the request method, the path, and the protocol used.

  • The Host header names the server the request is actually being sent to.

  • Following these, each line contains a different header.

    • User-Agent tells the website which browser is requesting the data; this can affect how the website is displayed (e.g. mobile view).

    • Cookies are how websites store data across sessions. They can be used to record whether a user is logged in, or the contents of your shopping cart on Amazon.

    • Note that the above does not list all possible headers, just a few basic ones.

HTTP(s) Request Methods

Request methods tell the web server what kind of action the client wants performed. This ranges from GETting information to POSTing data to the server. A full list of methods and an explanation of each can be found here.

HTTP(s) Responses

After a request has been received, the server will provide the client with a response.

Just like the request, the response contains both a header and a body.

The Header:

The header is very similar to the request’s header, with a few key differences. Instead of a request method, the response provides the client with a status code, which tells the client how the request was handled. A list of codes and their meanings can be found here.

The Body:

The Body contains the data requested from the server. For a GET request, this is usually the HTML/CSS/JS that allows the browser to display the webpage. A POST request might return a JSON document or simply a status code.
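Because HTTP is text, the request and response structure described in the sections above can be parsed with a few string operations. The following added example (not code from the original page) splits a raw request into method, path, headers, cookies and body, and a raw response into status code, reason, headers and body. Both messages are constructed samples, not captured traffic; the blank line that ends the header block is the only separator needed, and a request with no body simply yields an empty string.

```python
# Added example (not from the original page): parse a raw HTTP/1.1 request
# and response into their parts. The request and response text below are
# constructed samples, not captured traffic.
from http.cookies import SimpleCookie


def parse_headers(lines):
    """Turn 'Name: value' lines into a dict with lower-cased header names."""
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_message(raw: str) -> dict:
    """Split an HTTP message into start line, headers and body.

    The header block ends at the first blank line; everything after it is
    the body, which is empty for most requests.
    """
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    return {"start_line": start_line, "headers": parse_headers(header_lines), "body": body}


def parse_request(raw: str) -> dict:
    """Request line is 'METHOD PATH VERSION'; Cookie header holds name=value pairs."""
    msg = parse_message(raw)
    method, path, version = msg["start_line"].split(" ", 2)
    cookie = SimpleCookie()
    cookie.load(msg["headers"].get("cookie", ""))
    return {
        "method": method,
        "path": path,
        "version": version,
        "host": msg["headers"].get("host"),
        "user_agent": msg["headers"].get("user-agent"),
        "cookies": {name: morsel.value for name, morsel in cookie.items()},
        "headers": msg["headers"],
        "body": msg["body"],
    }


def parse_response(raw: str) -> dict:
    """Status line is 'VERSION CODE REASON'; the reason phrase may be absent."""
    msg = parse_message(raw)
    parts = msg["start_line"].split(" ", 2)
    version, code = parts[0], parts[1]
    reason = parts[2] if len(parts) > 2 else ""
    return {
        "version": version,
        "status": int(code),
        "reason": reason,
        "headers": msg["headers"],
        "body": msg["body"],
    }


# Constructed request: a GET with Host, User-Agent and Cookie headers, no body.
RAW_REQUEST = (
    "GET /cart/view?item=42 HTTP/1.1\r\n"
    "Host: shop.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
)

# Constructed response: a status line, two headers and a short HTML body.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "\r\n"
    "<html><body>Cart: 1 item</body></html>"
)

if __name__ == "__main__":
    print(parse_request(RAW_REQUEST))
    print(parse_response(RAW_RESPONSE))
```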

Cookies

HTTP(s) is a stateless protocol; this means nothing in the protocol itself lets the server recognize that two different requests came from the same person.

Cookies were developed to solve this problem. Cookies are small pieces of information that are stored locally in your browser. These cookies can store information about your login session, items in your cart, etc.

A common implementation of session cookies generates a unique identifier that references a login session with the website. This lets the server recognize that a user is still logged in after reloading the page or navigating to a different page.

Cookies have some security concerns, however. Since cookies are stored locally, you can edit them directly from the browser, or by intercepting a request. This means that if an attacker captures the session id of a different user, they can log in as that user.

Editing Cookies from the Browser

By right-clicking on a webpage and opening Inspect Element, you can edit cookies directly from your browser.

You can then click on “Storage”, which provides a dropdown list of all the cookies set for the website. Using this editor, you can change the values of a cookie and trick the website.
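The server side of the session-cookie scheme described above, as an added example (not code from the original page): a minimal session store that issues random session ids, resolves the Cookie header back to a user, and revokes sessions on logout. The user names and cookie values are constructed. It shows why editing the cookie value in the browser only works against sites that put guessable or meaningful data (such as a user name) in the cookie: a random id from the OS CSPRNG cannot be guessed, and the HttpOnly, Secure and SameSite attributes plus a short Max-Age limit what a captured id can still be used for.

```python
# Added example (not from the original page): a minimal server-side session
# store showing why session identifiers must be random and unguessable, and
# which Set-Cookie attributes limit what a stolen or edited cookie can do.
# The user names and cookie values are constructed.
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# session id -> (user, expiry timestamp); a real app would persist this.
SESSIONS = {}
SESSION_TTL = 15 * 60  # seconds


def create_session(user: str, now: Optional[float] = None) -> str:
    """Log a user in and return the Set-Cookie header value for the browser.

    The id is 32 random bytes from the OS CSPRNG, so editing the cookie in
    the browser cannot produce another user's valid id by guessing.
    """
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = (user, now + SESSION_TTL)
    # HttpOnly: page scripts cannot read it; Secure: only sent over HTTPS;
    # SameSite=Strict: not attached to cross-site requests.
    return (
        f"session={session_id}; Path=/; Max-Age={SESSION_TTL}; "
        "HttpOnly; Secure; SameSite=Strict"
    )


def resolve_session(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Return the logged-in user for a request's Cookie header, or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "session" not in cookie:
        return None
    session_id = cookie["session"].value
    entry = SESSIONS.get(session_id)
    if entry is None:
        return None  # unknown or edited id: no session matches it
    user, expiry = entry
    if now >= expiry:
        SESSIONS.pop(session_id, None)  # expired: a captured id stops working
        return None
    return user


def revoke_session(cookie_header: str) -> None:
    """Log out: delete the server-side entry so the id is useless if replayed."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "session" in cookie:
        SESSIONS.pop(cookie["session"].value, None)


def session_id_from_set_cookie(set_cookie: str) -> str:
    """Extract the id a browser would store from a Set-Cookie header value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


if __name__ == "__main__":
    set_cookie = create_session("alice")
    sid = session_id_from_set_cookie(set_cookie)
    print("server set:", set_cookie)
    print("genuine cookie ->", resolve_session(f"session={sid}"))
    print("edited cookie  ->", resolve_session("session=admin"))
    revoke_session(f"session={sid}")
    print("after logout   ->", resolve_session(f"session={sid}"))
```

The store is keyed only by the random id, so nothing the browser can change in the cookie maps to a different user; the remaining risk is the one the text describes, a genuine id being captured, which is why the id is marked HttpOnly and Secure and expires after a short time.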
