5.1.1 HTTP/S Protocol

Web and HTTP Protocol

🗒️ HTTP (HyperText Transfer Protocol) is a protocol used for communication between web servers and clients, such as web browsers. HTTP key features are:

  • Client-Server Architecture

  • Stateless Protocol

  • Request Methods

  • Status Codes (200,404,500, etc)

  • Headers (additional information about the request/response)

  • Cookies (store info on the client-side)

  • Encryption (HTTPS)

📌 RFC 9110 - HTTP Semantics

HTTP defines a set of request to indicate the desired action and data to be performed for a given resource, in details:

  1. Request Line:

    • Method: Indicates the HTTP method being used (e.g., GET, POST).

    • URI (Uniform Resource Identifier): Specifies the resource being requested.

    • HTTP Version: Specifies the version of HTTP being used (e.g., HTTP/1.1).

    Example:

    bashCopy codeGET /example/resource HTTP/1.1
  2. Headers:

    • Host: Indicates the domain name of the server (e.g., www.example.com).

    • User-Agent: Identifies the user agent (e.g., browser or application) making the request.

    • Accept: Specifies the media types that are acceptable for the response.

    • Accept-Econding: is similar to Accept, but it restricts the content coding that are acceptable int he response (e.g., gzip, deflate).

    • Content-Type: Indicates the media type of the resource sent in the request (for POST and PUT requests).

    • Connection: (e.g., keep-alive) indicates that it keep connection to the remote web server open for an unspecified amount of time and without initiating a new connection every time (as in HTTP 1.0 vs).

    • Authorization: Provides credentials for authenticating the client with the server.

    Example:

    bashCopy codeHost: www.example.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
  3. Body (for POST and PUT requests):

    • Contains the data being sent to the server, typically in JSON, XML, or form-urlencoded format.

    Example:

    bashCopy codePOST /example/resource HTTP/1.1
    Host: www.example.com
    Content-Type: application/json
    
    {"key": "value"}

    So, in summary, an HTTP request is composed of a request line, headers, and an optional body. The request line specifies the method, URI, and HTTP version. Headers provide additional information about the request, and the body contains data when needed, such as in POST and PUT requests.

Request Method

Focusing on method HTTP requests there are:

  1. GET:

    • Purpose: Retrieve data from the specified resource.

    • Characteristics: The GET method is idempotent, meaning that making the same request multiple times should produce the same result. It is also safe, indicating that it should not have the side effect of modifying the resource.

  2. POST:

    • Purpose: Submit data to be processed to a specified resource.

    • Characteristics: POST requests are not idempotent and may have side effects on the server (e.g., updating a database or creating a new resource).

  3. PUT:

    • Purpose: Update a resource or create a new resource if it does not exist.

    • Characteristics: The PUT method is idempotent. When using PUT, the client specifies the resource's URI, and the data sent in the request typically represents the updated or new state of the resource.

  4. DELETE:

    • Purpose: Request that a resource be removed.

    • Characteristics: The DELETE method is idempotent. It is used to delete the resource identified by the URI.

  5. PATCH:

    • Purpose: Apply partial modifications to a resource.

    • Characteristics: The PATCH method is not idempotent and is used to apply partial modifications to a resource. It is often used when only a small part of the resource needs to be updated.

  6. HEAD:

    • Purpose: Retrieve the headers for a resource, similar to a GET request, but without the actual data.

    • Characteristics: The HEAD method is considered idempotent and safe. It is often used to check for the existence of a resource or to retrieve metadata.

  7. OPTIONS:

    • Purpose: Retrieve information about the communication options for the target resource.

    • Characteristics: The OPTIONS method is typically used to describe the communication options for the target resource. It allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action.

  8. TRACE:

    • Purpose: Perform a message loop-back test along the path to the target resource.

    • Characteristics: The TRACE method is used for diagnostic purposes. It echoes the received request, which can be useful for debugging or testing proxy servers.

An HTTP response also consists of several components, providing information about the server's response to a client's request. Here are the key components of an HTTP response:

  1. Status Line:

    • HTTP Version: Specifies the version of HTTP being used (e.g., HTTP/1.1).

    • Status Code: A three-digit code indicating the result of the request (e.g., 200 for OK, 404 for Not Found).

    • Reason Phrase: A brief, human-readable explanation of the status code.

    Example:

    Copy codeHTTP/1.1 200 OK
  2. Headers:

    • Content-Type: Specifies the media type of the resource sent in the response.

    • Content-Length: Indicates the size of the response body in bytes.

    • Content-Ecoding: Specifies the encoding transformations applied to the response body in order to safely transport it.

    • Server: Provides information about the server software (web server banner: Apache, IIS, Google Web Server GWS).

    • Date: Specifies the date and time when the response was generated.

    • Set-Cookie: Sets cookies on the client for future requests.

    • Cache-Control: Controls caching behavior along the request/response chain (e.g., private, max-age=0)

    Example:

    yamlCopy codeContent-Type: text/html; charset=utf-8
    Content-Length: 1234
    Content-Encoding: gzip
    Server: Apache/2.4.18 (Ubuntu)
    Date: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache, max-age=0
  3. Body:

    • Contains the actual data being sent from the server to the client. The format and content depend on the request and server implementation.

    Example:

    phpCopy codeHTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Content-Length: 1234
    
    <!DOCTYPE html>
    <html>
    <head>
        <title>Example Page</title>
    </head>
    <body>
        <h1>Hello, World!</h1>
    </body>
    </html>

So, an HTTP response includes a status line, headers, and an optional body. The status line indicates the outcome of the request, headers provide additional information about the response, and the body contains the actual data sent from the server to the client.

Response Status

HTTP response status codes indicate whether a specific HTTP request has been successfully completed. They are grouped in five classes:

  • 100-199 - Informational responses

  • 200-299 - Successful responses

  • 300-399 - Redirection messages

  • 400-499 - Client error responses

  • 500-599 - Server error responses

Attack on HTTP

  • Man-in-the-Middle (MitM) Attacks:

    • Description: Attackers intercept and eavesdrop on the communication between the client and the server.

    • Risk: Sensitive information, such as login credentials, can be captured in plain text.

  • Packet Sniffing:

    • Description: Passive monitoring of unencrypted network traffic to capture sensitive data.

    • Risk: Attackers can analyze and extract sensitive information, including usernames, passwords, and other data.

  • Session Hijacking:

    • Description: Attackers steal session cookies or session IDs to impersonate a legitimate user.

    • Risk: Unauthorized access to a user's account, potentially leading to data theft or manipulation.

  • Cross-Site Scripting (XSS):

    • Description: Injecting malicious scripts into web pages viewed by other users.

    • Risk: Attackers can execute scripts in the context of other users' browsers, leading to theft of sensitive information.

  • Cross-Site Request Forgery (CSRF):

    • Description: Forcing users to perform unintended actions without their consent.

    • Risk: Attackers can trick users into performing actions on a website where they are authenticated.

HTTPS

🗒️ HTTPS (HTTP Secure) is the encrypted version of HTTP that uses a combination of Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocol and HTTP protocol to provide secure communication. When a client connects to an HTTPS-enabled website, the server sends its SSL/TLS certificate to the client. The client verifies the certificate to ensure that it is issued by a trusted certificate authority and that it is valid. If the certificate is valid, the client and the server establish a secure connection using a unique session key.

Attack on HTTPS

  • SSL/TLS Vulnerabilities:

    • Description: Exploiting vulnerabilities in the SSL/TLS protocol.

    • Risk: Potential for attacks such as POODLE, BEAST, or Heartbleed that target weaknesses in the encryption protocols.

  • Certificate Authorities (CA) Compromise:

    • Description: Compromising the integrity of the certificate authority system.

    • Risk: Fake SSL certificates could be issued, leading to potential man-in-the-middle attacks.

  • SSL Stripping:

    • Description: Downgrading an HTTPS connection to HTTP, intercepting the communication.

    • Risk: Allows attackers to exploit vulnerabilities in the unencrypted HTTP connection.

  • XSS (Cross-Site Scripting):

    • Description: XSS occurs when an attacker injects malicious scripts (typically JavaScript) into web pages that are viewed by other users. This injection often takes advantage of inadequate input validation or sanitization on the part of the web application.

    • Risk: Despite the use of HTTPS, which secures the transmission channel, XSS remains a threat. If an attacker successfully injects malicious scripts, they can execute in the context of other users' browsers. This can lead to stealing sensitive data, session hijacking, or defacing the website.

  • SQL Injection:

    • Description: SQL Injection is a vulnerability where an attacker manipulates or inserts SQL queries within input fields of a web application. This occurs when the application fails to properly validate or sanitize user input, allowing the injection of malicious SQL code.

    • Risk: HTTPS does not mitigate SQL Injection risks. If an attacker successfully exploits this vulnerability, they can manipulate database queries, potentially extracting, modifying, or deleting data from the database. The impact could include unauthorized access to sensitive information.

  • Mixed Content Attacks:

    • Description: Loading insecure (HTTP) resources on a secure (HTTPS) page.

    • Risk: Dilutes the security of the HTTPS connection, making it susceptible to certain types of attacks.

Last updated