
# Web 101

### Request types:

| Method             | Description |
| ------------------ | ----------- |
| GET & POST         | These are the only request methods a browser will make on its own. |
| PUT, PATCH, DELETE | These are issued by JavaScript making requests. Typically PUT replaces an entire data point, while PATCH updates a specific part of it or adds to it. |
| HEAD               | Same as a GET request, but the response lacks a body. This is really only useful if you are trying to save bandwidth or perhaps bypass poorly configured detection rules. |
| CONNECT            | Sets up two-way communication for use in proxy scenarios. |
| OPTIONS            | Lets a user agent ask which methods are allowed. Not always accurate, and the answer can be based on your request history. |
| TRACE              | This will become your favorite method in time. It reflects your HTTP request back from the server so you can see exactly what the server receives. This shows whether anything was modified by intermediate nodes. |

{% hint style="danger" %}
Developers should turn off **TRACE**, as it is a security hole. For example, this method can allow malicious JS injected into a page to read cookies that carry the HttpOnly flag, which is meant to prevent JS reads.
{% endhint %}

### Authentication:

After you authenticate to a site, the app stores your authentication in the browser so that you don't have to re-authenticate manually every time you request a new page. This is typically stored in a cookie or carried using the HTTP Basic authentication scheme.

**Basic authentication:** \
Looks like `Authorization: Basic JIKsJiWEchipDVGU2v`. This HTTP header field is the base64 encoding of `user:pass`, with a colon separating the two. If you see this type of authentication in use, look into [CSRF](/web-application-hacking/web-techniques/csrf.md) attacks.

**Cookie authentication:** \
Since HTTP is stateless, cookies are used to hold sessions and, these days, much more. Typically a single site is allowed to store 50-150 cookies at a maximum of 4KB each. Cookie key:value pairs are for the most part non-standard and are left to the developer to name at will. There are some standard cookie flags to know.

| Cookie field | Description |
| ------------ | ----------- |
| secure       | Tells the browser to only send the cookie to HTTPS sites. |
| httponly     | Tells the browser to only let HTTP(S) requests read/send the cookie, meaning that no cross-site attacks using scripting languages can read this cookie. |
| max-age      | Sets the expiry of the cookie, either in seconds or as a fixed date and time. This matters because if we want to use a victim's cookie we are limited to this time frame. Also, if the user clicks to log out of a site rather than just closing the tab, the site will tell the browser to expire the cookies, which also limits our attack time frame. |

{% hint style="info" %}
It's important to understand the Same-Origin and cookie policies that govern when site data or browser-stored data is passed to sites. [Further reading](/web-application-hacking/web-techniques/sop.md)
{% endhint %}

### HTTP Headers:

The **Content-Type** header tells the browser what the media type is so it knows how to render the data returned. Responses do not always include this header. Because of this, most browsers implement *MIME sniffing*.

**MIME sniffing** is where the browser reads the first few bytes of the response body to determine the content type. The application can turn this off by sending the header **X-Content-Type-Options**: *nosniff*.

The **Location** header is used with 3XX response codes to tell the browser what URL to request for the redirect.
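The cookie flags, the TRACE hint and the `nosniff` header above all boil down to checks a defender can run against a server's response headers. The following audit script is an added example written for this page, not code from the original; the response it inspects is constructed inline, and the `Allow` header is assumed to come from an OPTIONS response.

```python
"""Audit a raw HTTP response header block for the hardening points covered here:
Set-Cookie flags (Secure, HttpOnly, Max-Age/Expires), X-Content-Type-Options: nosniff,
and whether TRACE is advertised in an Allow header (as returned to OPTIONS)."""


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (name, value) pairs with lower-cased names.
    Repeated headers (Set-Cookie in particular) are kept as separate entries."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:  # skips the status line and blank lines
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_findings(set_cookie: str) -> list[str]:
    """Return findings for one Set-Cookie value; an empty list means all flags are present."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (will be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by script)")
    if not attrs & {"max-age", "expires"}:
        findings.append(f"cookie {name}: no Max-Age/Expires (lives until the browser closes)")
    return findings


def audit(raw: str) -> list[str]:
    """Collect all findings for a response header block, in header order."""
    pairs = parse_headers(raw)
    findings = []
    for name, value in pairs:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
        elif name == "allow" and "trace" in [m.strip().lower() for m in value.split(",")]:
            findings.append("TRACE is advertised in Allow; disable it on the server")
    xcto = [v for n, v in pairs if n == "x-content-type-options"]
    if not any(v.lower() == "nosniff" for v in xcto):
        findings.append("X-Content-Type-Options: nosniff is absent; browsers may MIME-sniff")
    return findings


# Constructed sample response (not captured from any real site).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Allow: GET, POST, OPTIONS, TRACE
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; Max-Age=3600
"""
```

Running `audit(SAMPLE)` reports the advertised TRACE method, the session cookie's missing Secure flag and expiry, and the absent `nosniff` header, while the fully flagged `theme` cookie produces nothing.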

