Web 101

Request types:

Method

GET & POST

These are the only request methods a browser will make on its own.

PUT, PATCH, DELETE

These are sent by JavaScript invoking requests. Typically PUT will update an entire data point, and PATCH will update a specific part of it or add to it.

HEAD

Same as a GET request but the response has no body. This would only really be useful if you are trying to save bandwidth or maybe bypass poorly set up detection rules.

CONNECT

This sets up two-way communication for use in proxy scenarios.

OPTIONS

Lets a User-Agent ask what methods are allowed. The answer is not always accurate and can be based on your request history.

TRACE

This will become your favorite method in time. It allows you to reflect your HTTP request back off the server so you can see exactly what the server is going to see. This can show if anything has been modified by intermediate nodes.

Authentication:

After you authenticate to a site, the app will store your authentication in the browser so that you don't have to manually reauthenticate every time you request a new page. This is typically stored with a cookie or using the HTTP Basic authentication protocol.

Basic authentication: Will look like Authorization: Basic JIKsJiWEchipDVGU2v. This HTTP field is a base64-encoded user:pass with a colon separating the two. If you see this type of authentication being used, then look into CSRF attacks.

Cookie authentication: Since HTTP is not stateful, cookies are used to hold sessions and, these days, much more. Typically, single sites are allowed to store 50-150 cookies at a max of 4KB each. Cookie key:value pairs are for the most part non-standard and are left to the developer to name at will. There are some standard cookie flags to know.

Cookie field

secure

This attribute tells the browser to only send the cookie to HTTPS sites.

httponly

Tells the browser to only let HTTP(S) requests read/send the cookie, meaning that no cross-site attacks that utilize scripting languages can read this cookie.

max-age

This is used to set the expiry of the cookie in either seconds or a finite date and time. This is important because if we want to use a victim's cookie we are limited by this time frame. Also, if the user clicks to log out of a site rather than just closing the tab, the site will send an HTTP request to the user to tell the browser to expire the cookies, which will also limit our attack time frame.

It's important to understand Same-Origin and Cookie Policies for when site data or browser-stored data is passed to sites.

HTTP Headers:

The Content-Type header tells the browser what the media type is so it knows how to render the data returned. Response headers do not always populate this field. Because of this, most browsers implement MIME sniffing. MIME sniffing is where the browser reads the first few bytes of the data returned in the response to determine the content type. This can be turned off by the application by setting the X-Content-Type-Options: nosniff header.

The Location header is used in 3XX response codes to tell the browser what to request for the redirect.
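The cookie flags and the nosniff header described above can be checked mechanically when reviewing a response. The following is an added example, not part of the original notes: the function names, the MAX_LIFETIME policy value and the sample headers are assumptions constructed for illustration.

```python
MAX_LIFETIME = 86400  # assumed policy: flag cookies that live longer than one day


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(headers):
    """Return findings for a list of (header name, value) pairs."""
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly")
        age = attrs.get("max-age", "")
        if age.isdigit() and int(age) > MAX_LIFETIME:
            findings.append(f"{cookie}: Max-Age {age}s exceeds {MAX_LIFETIME}s")
    # Header names are case-insensitive, so compare on lowercased names.
    lowered = {h.lower(): v.strip().lower() for h, v in headers}
    if "content-type" not in lowered:
        findings.append("response: no Content-Type, browser may MIME-sniff")
    if lowered.get("x-content-type-options") != "nosniff":
        findings.append("response: X-Content-Type-Options: nosniff not set")
    return findings


# Constructed sample response headers (not captured from a real site).
SAMPLE = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Max-Age=604800"),
    ("Set-Cookie", "prefs=dark; Secure; HttpOnly; Max-Age=3600"),
    ("Location", "/home"),
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE):
        print(finding)
```

On the sample, only the session cookie is flagged (no Secure flag, one-week lifetime), along with the missing Content-Type and nosniff headers.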
