1.3 HTTP/HTTPS

HTTP (Hypertext Transfer Protocol):

  • HTTP is an application layer protocol used for transmitting hypermedia documents, such as HTML files, over the internet. It follows a client-server model, where clients (e.g., web browsers) send requests to servers (e.g., web servers) to retrieve or manipulate resources.

  • HTTP operates over TCP/IP (Transmission Control Protocol/Internet Protocol), typically using port 80 for unencrypted communication and port 443 for encrypted communication (HTTPS).

  • It is stateless, meaning each request from a client is independent and not related to previous requests. However, mechanisms like cookies and session management can be used to maintain state across multiple requests.

  • HTTP/1.1, the widely used version of the HTTP protocol, introduced features like persistent connections, pipelining, and chunked transfer encoding to enhance performance and efficiency. It standardized the Host header for distinguishing between virtual hosts on a server, supported range requests for fetching specific segments of resources, and implemented cache control mechanisms for optimizing resource delivery.

HTTP Request

  • An HTTP request is composed of several components:

    • Request Line: Includes the HTTP method (e.g., GET, POST), the requested URI (Uniform Resource Identifier), and the HTTP version (e.g., HTTP/1.1).

    • Request Headers: Additional metadata sent along with the request, such as user-agent (identifying the client software), accept (supported content types), content-type (type of data in the request body), and cookies.

    • Request Body: Optional data sent with the request, typically used in POST, PUT, or PATCH requests to transmit form data, JSON, XML, or binary payloads.

  • Example HTTP request:

    GET /index.html HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8

HTTP Response

  • An HTTP response consists of the following components:

    • Status Line: Contains the HTTP version, a status code indicating the outcome of the request (e.g., 200 OK, 404 Not Found), and a status message.

    • Response Headers: Additional metadata about the response, such as content type, content length, caching directives, and cookies.

    • Response Body: The actual content sent back to the client, such as HTML, JSON, XML, or binary data.

  • Example HTTP response:

    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 1234
    
    <!DOCTYPE html>
    <html>
    <head>
    <title>Example</title>
    </head>
    <body>
    <h1>Hello, World!</h1>
    </body>
    </html>
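
The request and response layouts described above (start line, headers, blank line, optional body) can be checked mechanically. The following parser is an added example, not part of the original page; the names `HTTPMessage` and `parse_http_message` and the sample messages are assumptions made for illustration. It rejects input a server or proxy should not guess about: a missing Host header on HTTP/1.1, repeated Host or Content-Length headers, and a Content-Length that disagrees with the body.

```python
from typing import NamedTuple

class HTTPMessage(NamedTuple):
    is_request: bool
    start_line: tuple  # (method, uri, version) or (version, status code, status text)
    headers: dict      # header name (lower-cased) -> value
    body: bytes

def parse_http_message(raw: bytes) -> HTTPMessage:
    """Parse one raw HTTP/1.1 request or response; raise ValueError if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the header section")
    # Strict choice for this example: the header section must be pure ASCII.
    lines = head.decode("ascii").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("start line must have three fields")
    is_request = not parts[0].startswith("HTTP/")
    if is_request and not parts[2].startswith("HTTP/"):
        raise ValueError("request line lacks an HTTP version")
    if not is_request:
        if not (len(parts[1]) == 3 and parts[1].isdigit()):
            raise ValueError("status code must be three digits")
        parts[1] = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # No colon, empty name, or whitespace around the name: refuse to guess.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()
        if key in ("host", "content-length") and key in headers:
            raise ValueError(f"duplicate {name} header")
        headers[key] = value.strip()  # simplification: last value wins otherwise
    if is_request and parts[2] == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without a Host header")
    length = headers.get("content-length")
    if length is not None and (not length.isdigit() or int(length) != len(body)):
        raise ValueError("Content-Length is invalid or does not match the body")
    return HTTPMessage(is_request, tuple(parts), headers, body)

# Constructed sample messages, modelled on the examples above.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.com\r\nAccept: text/html\r\n\r\n")
SAMPLE_BODY = b"<h1>Hello, World!</h1>"
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY
```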

Status codes

| Status Code | Status Text | Meaning |
| --- | --- | --- |
| 200 | OK | The request has succeeded. |
| 201 | Created | The request has been fulfilled and a new resource has been created. |
| 204 | No Content | The server successfully processed the request, but there is no content to return. |
| 301 | Moved Permanently | The requested resource has been permanently moved to a new location. |
| 302 | Found | The requested resource has been temporarily moved to a different location. |
| 400 | Bad Request | The server cannot process the request due to client error (e.g., malformed request syntax). |
| 401 | Unauthorized | The request requires authentication, but the client has not provided valid credentials. |
| 403 | Forbidden | The server understood the request, but refuses to authorize it. |
| 404 | Not Found | The requested resource could not be found on the server. |
| 405 | Method Not Allowed | The request method is not supported for the requested resource. |
| 500 | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request. |
| 502 | Bad Gateway | The server received an invalid response from an upstream server. |
| 503 | Service Unavailable | The server is currently unable to handle the request due to temporary overload or maintenance. |
| 504 | Gateway Timeout | The server did not receive a timely response from an upstream server while acting as a gateway or proxy. |

HTTPS (Hypertext Transfer Protocol Secure)

  • HTTPS is an extension of HTTP that adds encryption and secure communication protocols (SSL/TLS) to ensure the confidentiality, integrity, and authenticity of data exchanged between the client and server.

  • It encrypts the data transmitted over the network, preventing eavesdropping and man-in-the-middle attacks.

  • HTTPS uses SSL/TLS certificates to establish a secure connection between the client and server, providing authentication and encryption of data in transit.

  • URLs using HTTPS start with "https://" instead of "http://", and browsers display a padlock icon to indicate a secure connection.

  • HTTPS typically operates over port 443, and secure connections are established through a process called the SSL/TLS handshake, in which the client and server exchange cryptographic keys used to encrypt the data they transmit.

HTTP is a protocol used for communication between clients and servers, where clients send requests to servers and servers return the appropriate responses. HTTPS adds security to HTTP by encrypting data transmission with the SSL/TLS protocols, but neither is immune to threats: encryption can prevent man-in-the-middle attacks, but not the most common attacks such as SQLi, XSS and many others.
