HackBook.io
  • Pentesting Pocket Book for hackers and developers.
Web 101


Last updated 2 years ago


Request types:

GET & POST

These are the only request methods a browser will make on its own.

PUT, PATCH, DELETE

These are the work of JavaScript invoking requests. Typically PUT will update an entire data point, and PATCH will update a specific point or add to it.

HEAD

Same as a GET request but without the response body. This is only really useful if you are trying to save bandwidth or maybe bypass poorly set-up detection rules.

CONNECT

This sets up two-way communication for use in proxy scenarios.

OPTIONS

Lets a User-Agent ask what methods are allowed. Not always accurate, and the answer can be based on your request history.

TRACE

This will become your favorite method in time. It reflects your HTTP request back from the server so you can see exactly what the server is going to see. This can show whether anything has been modified by intermediate nodes.

Developers should turn off TRACE as it is a security hole. For example, this method can allow malicious JS page injections to access cookies that carry the HttpOnly flag, which is meant to disallow JS reads.

Authentication:

After authenticating to a site, the app will store your authentication in the browser so that you don't have to manually re-authenticate every time you request a new page. This is typically stored in a cookie or sent using the HTTP Basic authentication protocol.

Basic authentication: Will look like Authorization: Basic JIKsJiWEchipDVGU2v. This HTTP field is a base64-encoded user:pass, with a colon separating the two. If you see this type of authentication being used, then look into attacks.

Cookie authentication: Since HTTP is not stateful, cookies are used to hold sessions and, these days, much more. Typically a single site is allowed to store 50-150 cookies of at most 4KB each. Cookie key:value pairs are for the most part non-standard and are left to the developer to name at will. There are some standard cookie flags to know.
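To make the point concrete that Basic is only encoding, here is an added example (not from the original page) that recovers the user and password from an Authorization: Basic header value; the header values used are constructed, and the split on the first colon follows RFC 7617, since passwords may themselves contain colons.

```python
import base64
import binascii


def decode_basic_auth(header_value):
    """Return (user, password) carried by an HTTP Basic Authorization value such
    as 'Basic dXNlcjpwYXNz', or None when it is not a usable Basic credential.
    Base64 is encoding, not encryption: anyone who sees this header sees the
    password, which is why it must only ever travel over TLS."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # another scheme (Bearer, Digest, ...) or an empty token
    token = token.strip()
    # Tolerate clients that omit base64 padding.
    token += "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64, or not text
    if ":" not in raw:
        return None  # RFC 7617 requires user:password
    # Split on the FIRST colon only: user names cannot contain ':' but
    # passwords can, so 'admin:p:ss' means user 'admin', password 'p:ss'.
    user, _, password = raw.partition(":")
    return user, password


def uses_basic_auth(header_value):
    """True when the Authorization value is a decodable Basic credential,
    i.e. cleartext-equivalent credentials are on the wire."""
    return decode_basic_auth(header_value) is not None
```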

secure

This attribute tells the browser to only send the cookie to HTTPS sites.

httponly

Tells the browser to let only HTTP(S) requests read/send the cookie, meaning that no cross-site attacks that use scripting languages can read this cookie.

max-age

This is used to set the expiry of the cookie, either in seconds or as a fixed date and time. This is important because if we want to use a victim's cookie we are limited to this time frame. Also, if the user clicks to log out of a site rather than just closing the tab, the site's response will tell the browser to expire the cookies, which also limits our attack time frame.

It's important to understand the Same-Origin and cookie policies for when site data or browser-stored data is passed to sites.

HTTP Headers:

The Content-Type header tells the browser what the media type is so it knows how to render the data returned. Response headers do not always populate this field. Because of this, most browsers implement MIME sniffing, where the browser reads the first few bytes of the data returned in the response to determine the content type. The application can turn this off by setting X-Content-Type-Options: nosniff.

The Location header is used with 3XX response codes to tell the browser what to request for the redirect.
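The checks spread over the TRACE, cookie-flag and header sections above can be run mechanically against a captured response. The following is an added example (not the page's or any project's code) that parses raw response headers and reports the weak settings this page describes: TRACE listed in Allow (the reply to OPTIONS), Set-Cookie without Secure or HttpOnly, a missing X-Content-Type-Options: nosniff, and where a 3xx redirects to. The sample response is constructed, not captured from a real server.

```python
def parse_response(raw):
    """Split raw HTTP response headers into (status_code, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_response(raw):
    """Flag the weak settings discussed above: TRACE allowed, cookies without
    Secure/HttpOnly, MIME sniffing not disabled, and where a 3xx redirects to."""
    status, headers = parse_response(raw)
    get = lambda name: [v for n, v in headers if n == name]
    findings = []
    # The Allow header (answer to an OPTIONS request) lists the enabled methods.
    for allow in get("allow"):
        if "TRACE" in {m.strip().upper() for m in allow.split(",")}:
            findings.append("TRACE enabled: disable it (cross-site tracing)")
    # Every Set-Cookie should carry Secure and HttpOnly.
    for cookie in get("set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
    # Without nosniff the browser may guess a type from the first bytes.
    if "nosniff" not in [v.lower() for v in get("x-content-type-options")]:
        findings.append("X-Content-Type-Options: nosniff not set")
    # A 3xx tells the browser where to go next via Location.
    if 300 <= status < 400:
        loc = get("location")
        findings.append(f"redirect to {loc[0]}" if loc else "3xx without Location")
    return findings

# Constructed sample response (not captured from any real server).
SAMPLE = (
    "HTTP/1.1 302 Found\r\n"
    "Allow: GET, POST, OPTIONS, TRACE\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    "Location: /home\r\n"
    "Content-Type: text/html\r\n\r\n"
)
```

Running `audit_response(SAMPLE)` reports four findings: TRACE enabled, the sid cookie missing Secure, nosniff absent, and the redirect target /home.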
