This is the presentation from Null/OWASP/g4h December Bangalore MeetUp by Akash Mahajan.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Abstract:
This will cover the basics of Hyper Text Transfer Protocol. You will learn how to send HTTP requests like GET and POST by crafting them manually and by using a command-line tool like curl. You will also see, with the same tools, how session management using cookies happens on top of a stateless protocol.
To practice along please install curl (http://curl.haxx.se/download.html).
HTTP Basics Demo
December 13, 2014
Akash Mahajan

Introduction
This module will set the base for anyone interested in learning about Hyper Text Transfer Protocol (HTTP) basics with regards to Web Security.

About me
Akash Mahajan
10+ years of industry experience.
Director - The App Sec Lab
OWASP Bangalore Chapter Lead
Co-Founder and Community Manager at null - The Open Security Group
akashmahajan@gmail.com | +91 9980527182 | @makash

Information for Participants
Software Requirements
Curl

Participate!
I expect full participation from everyone

2 Kinds of audience here
You have no idea what I am talking about. Great, we will learn together.
You know more than me. Great, please correct my mistakes and cover any gaps.

Chances are I am going to be wrong about 2/10 things that I talk about
So for the greater good, please speak up

Objectives
Learn the fundamentals of HTTP (Language/Platform agnostic)
*Have fun and learn a lot*

Agenda
Basics of Hyper Text Transfer Protocol (HTTP)
*Hands-On* with Command Line Web Client
Basics of TLS/SSL (Time permitting)
Basics of HTTP

Hyper Text Transfer Protocol
From Wikipedia:
HTTP is a request/response standard of a client and a server. A client is the end-user, the server is the web site. The client making a HTTP request—using a web browser, spider, or other end-user tool—is referred to as the user agent.
The responding server—which stores or creates resources such as HTML files and images—is called the origin server. In between the user agent and origin server may be several intermediaries, such as proxies, gateways, and tunnels.

HTTP is client-server
Clients make requests and servers respond.
It cannot be the other way round: in HTTP, servers cannot initiate any communication on their own.

HTTP is stateless
HTTP has no notion of state. Each request is handled on its own, with no relationship to the requests before it, even when they travel over the same TCP connection.
Side-effects of being Stateless
How do the above affect building web applications?
Since the HTTP protocol has no idea about state, it is the application's responsibility to maintain state.

So how do web applications track users?
The server needs to identify each client uniquely.
It does this by storing a unique value on the client (a cookie).
Since HTTP is stateless, every request made needs to carry that unique value back to the server.
For all practical purposes this unique value is like a password: whoever presents it is treated as that user, so it must be unguessable and must not leak.

What does it look like? HTTP GET
We put this in the browser address line:
http://google.com/search?q=HTTP
What actually went to the google server:
GET /search?q=HTTP HTTP/1.1
Host: google.com

The request line carries the method, the path together with its query string, and the protocol version. The Host header carries the host name from the URL, which is how one server can serve many sites from one address.

HTTP Methods/Verbs
Safe Methods (expected only to read; a server that changes state on these breaks the assumptions of caches, crawlers and browsers)
GET, HEAD, OPTIONS
Not Safe Methods (change state on the server)
POST, PUT, DELETE
Other Methods
CONNECT

HTTP Response Status Codes
1xx – Informational Messages
2xx – Success
200 OK
3xx – Redirects
301 Moved Permanently, 302 Found
4xx – Client Errors
400 Bad Request, 403 Forbidden, 404 Not Found
5xx – Server Errors
500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 505 HTTP Version Not Supported
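To make the request line, headers, query string, body and status codes concrete, here is an added example (not from the original slides) that builds the raw bytes a client sends for a GET with a query string and for a form POST, and parses a raw response into status line, headers and body. The sample response is constructed here, not captured from google.com or akashm.com.

```python
# Added example (not from the original slides): what the bytes of an HTTP/1.1
# request and response look like, built and parsed by hand so the terms
# method, path, query string, header and body can be seen in place.
# The URLs and the sample response below are constructed for the demo; they
# are not captured traffic from google.com or akashm.com.
from urllib.parse import urlencode, urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # never expected to change server state


def is_safe(method):
    return method.upper() in SAFE_METHODS


def build_request(method, url, form=None):
    """Return the exact bytes a client sends for `method` on `url`.

    `form` is a dict of parameters. For GET it is appended to the path as the
    query string; for POST it is urlencoded into the body, which is what
    `curl -d "a=b&c=d"` does (an empty form gives Content-Length: 0, like -d "").
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    headers = [("Host", parts.netloc), ("User-Agent", "http-basics-demo/1.0")]
    body = b""
    if method == "POST":
        body = urlencode(form or {}).encode()
        headers.append(("Content-Type", "application/x-www-form-urlencoded"))
        headers.append(("Content-Length", str(len(body))))
    elif form:
        path += ("&" if "?" in path else "?") + urlencode(form)
    request_line = f"{method} {path} HTTP/1.1"
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers])
    # Headers end at the first blank line; anything after it is the body.
    return head.encode() + b"\r\n\r\n" + body


def parse_response(raw):
    """Split raw response bytes into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)
    version, code = status_parts[0], int(status_parts[1])
    reason = status_parts[2] if len(status_parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Content-Length says how many body bytes belong to this response.
    length = int(headers.get("content-length", len(body)))
    return {"version": version, "status": code, "reason": reason,
            "headers": headers, "body": body[:length]}


def status_class(code):
    return {1: "informational", 2: "success", 3: "redirect",
            4: "client error", 5: "server error"}[code // 100]


# Constructed sample: the kind of redirect http://google.com answers with.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.google.com/search?q=HTTP\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"moved"
)

if __name__ == "__main__":
    print(build_request("GET", "http://google.com/search", {"q": "HTTP"}).decode())
    print(build_request("POST", "http://akashm.com/box/post.php",
                        {"firstname": "Akash", "lastname": "Mahajan"}).decode())
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp["status"], resp["reason"], status_class(resp["status"]),
          resp["headers"]["location"])
```

Running it prints the two requests exactly as curl would put them on the wire (compare with `curl -v`), and shows the parsed 302 with its Location header, which is what a browser follows automatically and curl does not unless told to.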
Some terms to remember
Request: what the client sends; Response: what the server sends back
Request Header: the Name: value lines that follow the request line, up to the first blank line
Request Body: the data after that blank line (a form POST puts its fields here)
QueryString: the part of the URL after the ?, sent on the request line itself
Response Header: the Name: value lines after the status line
Response Body: the content after the blank line (HTML, JSON, an image, ...)

Hands-On HTTP with Curl
Open a terminal
Or Start | Run, then cmd
HTTP GET a Page
$ curl http://akashm.com/box/ip.php

HTTP GET a Page -- verbose (-v also prints the request and response headers)
$ curl http://akashm.com/box/ip.php -v

HTTP HEAD a Page (-I sends HEAD: headers only, no body)
$ curl http://akashm.com/box/ip.php -I

HTTP HEAD a Page -- verbose
$ curl http://akashm.com/box/ip.php -Iv

HTTP GET the POST page (without -d curl still sends a GET)
$ curl http://akashm.com/box/post.php

HTTP GET some query string (quote the URL, otherwise the shell treats & as a background operator and the request ends at name=Akash)
$ curl "http://akashm.com/box/post.php?name=Akash&lname=Mahajan"

HTTP POST a page with empty data (-d switches the method to POST)
$ curl http://akashm.com/box/post.php -d ""

HTTP POST a page with data (sent as application/x-www-form-urlencoded in the request body)
$ curl http://akashm.com/box/post.php -d "firstname=Akash&lastname=Mahajan"

Using curl to mimic a web browser

What a session id looks like (watch for Set-Cookie in the response headers)
$ curl -v http://akashm.com/box/sess.php

Let's save the cookie value (-c writes the cookies the server sets to cookie.jar)
$ curl -v http://akashm.com/box/sess.php -c cookie.jar

Let's use the cookie value (-b sends the cookies from cookie.jar as a Cookie header; the server now recognises the session)
$ curl -v http://akashm.com/box/sess.php -b cookie.jar
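The exchange behind the three sess.php commands, as an added example that is not part of the original slides: a small HTTP server on 127.0.0.1 that mints a random session id in Set-Cookie and recognises it on later requests, and a client that plays the part of curl with and without cookie.jar. The cookie name PHPSESSID and the /sess.php path are assumptions chosen to mirror the slides; this server is constructed here and is not the script running on akashm.com.

```python
# Added example (not from the original slides): how a session survives on top
# of stateless HTTP. A small server on 127.0.0.1 issues a random session id in
# Set-Cookie and recognises it on later requests; the client replays the cookie
# the way `curl -c cookie.jar` / `curl -b cookie.jar` do. The cookie name
# PHPSESSID and the /sess.php path are assumptions chosen to mirror the slides;
# this server is constructed here and is not the script running on akashm.com.
import secrets
import threading
from http.client import HTTPConnection
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # server-side state: session id -> number of requests seen


class SessionHandler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):  # keep the demo output quiet
        pass

    def do_GET(self):
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookie["PHPSESSID"].value if "PHPSESSID" in cookie else None
        if sid not in SESSIONS:
            # Missing or unknown id: HTTP itself gives no way to tell who this
            # is, so mint a fresh unguessable id and store it on the client.
            sid = secrets.token_hex(16)
            SESSIONS[sid] = 0
            self.send_response(200)
            self.send_header("Set-Cookie", f"PHPSESSID={sid}; HttpOnly; Path=/")
        else:
            self.send_response(200)
        SESSIONS[sid] += 1
        body = f"session={sid} visits={SESSIONS[sid]}\n".encode()
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    server = HTTPServer(("127.0.0.1", 0), SessionHandler)  # port chosen by the OS
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def request(port, cookie_jar):
    """One request on a fresh connection, like one curl invocation.

    `cookie_jar` plays the role of cookie.jar: cookies in it are sent back as a
    Cookie header (-b) and any Set-Cookie in the reply is stored into it (-c).
    """
    headers = {}
    if cookie_jar:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookie_jar.items())
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/sess.php", headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    for morsel in SimpleCookie(resp.getheader("Set-Cookie", "")).values():
        cookie_jar[morsel.key] = morsel.value
    conn.close()
    return body.strip()


def demo():
    server = start_server()
    port = server.server_address[1]
    try:
        jar = {}
        fresh = request(port, {})                        # curl -v sess.php
        first = request(port, jar)                       # curl -c cookie.jar
        second = request(port, jar)                      # curl -b cookie.jar
        forged = request(port, {"PHPSESSID": "0" * 32})  # a guessed id
        return {"fresh": fresh, "first": first, "second": second,
                "forged": forged, "jar": dict(jar)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two requests that replay the jar share one session id and the visit counter climbs; the request that sends no cookie and the one that sends a guessed id each get a brand-new session. The server has nothing but that cookie to tell clients apart, which is why the value must be random (secrets.token_hex here) and kept secret, and why the cookie is marked HttpOnly so page scripts cannot read it.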
Basics of TLS/SSL

SSL/TLS gives you two things:
Encrypted Communication – protection against eavesdropping and tampering
Secure Identification – are you talking to the right server?

How does the client verify the SSL certificate?
The server presents a certificate chain: it begins with the server's own public key certificate, continues through any intermediate Certificate Authority certificates, and is anchored by a CA root certificate that the client already holds in its trust store (the root itself is normally not sent by the server).
The client checks that each certificate in the chain is signed by the next one up, that the chain ends at a trusted root, that every certificate is within its validity dates and not revoked, and that the name in the server's certificate matches the host name it set out to connect to. If any of these checks fails, the connection is not to be trusted, however well it is encrypted.