Download as PDF, PPTX
More Related Content
Similar to HTTP Request and Response Structure
HTTP Request and Response Structure
- 1. HyperText Transfer Protocol REQUEST& RESPONSE STRUCTURE @_ShreeGajera 19/04/2020
- 2.
- 3. Agenda ● What isHTTP? ● HTTP Methods ● Directory and File name ● Parameters and it’s value ● HTTP Version ● HTTP Request Header ● CR&LF Character ● Status Code ● HTTP Response Header
- 4. What is HTTP? Hypertext Transfer Protocol (HTTP) is an application-layer protocol for transmitting hypermedia documents, such as HTML. It was designed for communication between web browsers and web servers.
- 5. Evolution of HTTP HTTP/0.9Extremely simple: requests consist of a single line. GET /mypage.html HTTP/1.0 Added HTTP Version in request and HTTP headers has been introduced. A status code line is also sent at the beginning of the response. HTTP/1.1 Allowing to send a second request before the answer for the first one. Additional cache control, including language, encoding, or type, has been introduced. Host header, the ability to host different domains at the same IP address. HTTP/2.0 Binary protocol rather than text.It can no longer be read and created manually HTTP/3.0 Still in draft mode.
- 6. HTTP/1.1 https://tools.ietf.org/html/rfc2616HTTP Methods Directory& File Name Parameters & it’s value HTTP version CR & LF character HTTP Request headers Status code Response body Response headers
- 7.
- 8. HTTP request methodsare the assets that indicate the specific desired action to be performed on a given resource These method names are case sensitive and they must be used in uppercase.
- 9. Most Common HTTPMethods GET : used to request data from a specified resource. POST : used to send data to a server to create/update a resource. HEAD : almost identical to GET, but without the response body. OPTIONS : Describes the communication options for the target resource. DELETE : deletes the specified resource. PUT : used to send data to a server to create/update a resource. … … ...
- 10. HTTP METHODS OPTIONS GETHEAD POST PUT DELETE TRACE CONNECT PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK VERSION-CONTROL REPORT CHECKOUT CHECKIN UNCHECKOUT MKWORKSPACE UPDATE LABEL MERGE BASELINE-CONTROL MKACTIVITY ORDERPATCH ACL PATCH SEARCH ARBITRAR TRACK
- 11. Exploit of PUTmethod https://medium.com/@asfiyashaikh10/exploiting-put-method-d2d0cd7ba662
- 12. HTTP/1.1 https://tools.ietf.org/html/rfc2616HTTP Methods Directory& File Name Parameters & it’s value HTTP version CR & LF character HTTP Request headers Status code Response body Response headers
- 13. DIRECTORY & FILENAME
- 14. URL Path andfile. Path start with application root directory e.g. /var/www/html, which is not appear in user side and manage by application server. Directory path : /var/www/html/blog/2020/03/10/upcoming_meets/ File : meet.php
- 15.
- 16. HTTP/1.1 https://tools.ietf.org/html/rfc2616HTTP Methods Directory& File Name Parameters & it’s value HTTP version CR & LF character HTTP Request headers Status code Response body Response headers
- 17. PARAMETERS & ITSVALUES
- 18. Parameters are inthe form of attribute/value pairs. In GET URL Path and parameter is separated through ? symbole. Two parameters are separated through & symbol.
- 19. REST request URL GET/API/v1/data/getdata/account/123/id/1337 POST /API/v1/data/putdata/account/123/id/1337/name/bhagyashree http://infosecgirls.in/index.php?page=foo http://infosecgirls.in/products?category=2&pid=25 http://infosecgirls.in/index.php?mod=profiles&id=193 http://infosecgirls.in/kb/index.php?cat=8&id=41 http://infosecgirls.in/foo http://infosecgirls.in/products/2/25 http://infosecgirls.in/profiles/193 http://infosecgirls.in/kb/8/41 = = = =
- 20. HTTP/1.1 https://tools.ietf.org/html/rfc2616HTTP Methods Directory& File Name Parameters & it’s value HTTP version CR & LF character HTTP Request headers Status code Response body Response headers
- 21.
- 22.
- 23.
- 24. HTTP/1.1 https://tools.ietf.org/html/rfc2616HTTP Methods Directory& File Name Parameters & it’s value HTTP version CR & LF character HTTP Request headers Status code Response body Response headers
- 25.
- 26. CRLF Character CR andLF are control characters or bytecode that used to mark a line break in a text file. CR = Carriage Return (r, 0x0D in hexadecimal, 13 in decimal) LF = Line Feed (n, 0x0A in hexadecimal, 10 in decimal)   
- 27. CRLF Injection A CRLFinjection vulnerability exists if an attacker can inject the CRLF characters into a web application. 
- 28. HTTP/1.1 https://tools.ietf.org/html/rfc2616HTTP Methods Directory& File Name Parameters & it’s value HTTP version CR & LF character HTTP Request headers Status code Response body Response headers
- 29.
- 30. HTTP Request Headers Theclient and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon (:), then by its value. Whitespace before the value is ignored. Cookie, User-Agent, or Referer precise the context so that the server can build the answer.
- 31. HTTP Request Headers ShellShockExploitation CVE-2014-6271
- 32. HTTP Request Headers CVE-2019-5418- File Content Disclosure on Rails
- 33. HTTP Request Headers Accept Accept-Charset Accept-Encoding Accept-Language Accept-Ranges Access-Control-Request-Method, Access-Control-Request-Headers Authorization Cache-Control Vai Range Max-Forwards Pragma Proxy-Authorization Referer TE Transfer-Encoding X-Forwarded-For X-Requested-With X-Forwarded-Host Proxy-Connection Save-Data …..….. ….. Connection Content-Encoding Content-Length Content-MD5 Content-Range Content-Type Date Warning Upgrade Origin Trailer User-Agent If-Unmodified-Since Expect From Host If-Match If-Modified-Since If-None-Match If-Range If-Unmodified-Since Cookie
- 34. HTTP/1.1 https://tools.ietf.org/html/rfc2616HTTP Methods Directory& File Name Parameters & it’s value HTTP version CR & LF character HTTP Request headers Status code Response body Response headers
- 35.
- 36. Status Code andReason Phrase 1xx: Informational - Request received, continuing process 2xx: Success - The action was successfully received, understood, and accepted 3xx: Redirection - Further action must be taken in order to complete the request 4xx: Client Error - The request contains bad syntax or cannot be fulfilled 5xx: Server Error - The server failed to fulfill an apparently valid request
- 37. Status Code 100 :Continue 101 : Switching Protocols 200 : OK 201 : Created 202 : Accepted 203 : Non-Authoritative Info 204 : No Content 205 : Reset Content 206 : Partial Content 300 : Multiple Choices 301 : Moved Permanently 302 : Found 303 : See Other 304 : Not Modified 305 : Use Proxy 307 : Temporary Redirect 414 : Request-URI Too Large 415 : Unsupported Media Type 416 : Requested range not satisfiable 417 : Expectation Failed 500 : Internal Server Error 501 : Not Implemented 502 : Bad Gateway 503 : Service Unavailable 504 : Gateway Time-out 505 :HTTP Version not supported 400 : Bad Request 401 : Unauthorized 402 : Payment Required 403 : Forbidden 404 : Not Found 405 : Method Not Allowed 406 : Not Acceptable 407 : Proxy Authentication Required 408 : Request Time-out 409 : Conflict 410 : Gone 411 : Length Required 412 : Precondition Failed 413 : Request Entity Too Large
- 38.
- 39. HTTP/1.1 https://tools.ietf.org/html/rfc2616HTTP Methods Directory& File Name Parameters & it’s value HTTP version CR & LF character HTTP Request headers Status code Response body Response headers
- 40.
- 41. HTTP Response Headers Theresponse-header fields allow the server to pass additional information about the response which cannot be placed in the Status- Line. These header fields give information about the server and about further access to the resource identified by the Request-URI. Response headers, like Age, Location or Server are used to give a more detailed context of the response.
- 42. HTTP Response Headersdisclose server information
- 43.
- 44. HTTP/1.1 https://tools.ietf.org/html/rfc2616HTTP Methods Directory& File Name Parameters & it’s value HTTP version CR & LF character HTTP Request headers Status code Response body Response headers
- 45.
- 46.