Hacking Knowledge
  • 🏠​ Homepage
    • Welcome
    • About Me
    • Disclaimer
    • Conventions
  • 🔑Cybersecurity Basics
    • Introduction
    • Vulnerabilities
    • Cyberattacks
      • Cyber Kill Chain
      • Malware
    • Security Models
      • Methodologies
    • Legal Support
    • Career Paths
    • Certifications
    • Related Concepts
  • 🐧Linux
    • Introduction
    • Functional Structure
      • File Permissions
      • Environment Variables
      • Crontabs
    • Commands
      • Operators
    • Useful Shell Resources
    • Related Concepts
  • ⊞ Windows
    • Introduction
    • Functional Structure
      • File Permissions
      • Environment Variables and System Tools
      • System Events
    • Commands
    • Related Concepts
  • 🌐Networks
    • Introduction
    • Networking Frameworks
      • OSI Model
      • TCP/IP Model
    • Protocols
      • ARP
      • TCP
      • NetBIOS
      • SNMP
      • DNS
      • HTTP
      • Telnet
      • FTP
      • TFTP
      • SMB
      • RDP
      • SSH
      • SMTP
      • POP 3
      • IMAP
      • Oracle TNS
      • IPMI
    • Hypervisors
    • Related Concepts
    • Tools and Utilities
  • 🔐Cryptography
    • Introduction
    • Encoding (WIP)
    • Encryption (WIP)
      • Types of encryption (WIP)
      • Methods of Encryption (WIP)
    • Hashing
      • Well-known Hashes (WIP)
    • Related Concepts
    • Tools and Utilities
    • Useful Tips
  • 👣Digital Forensics
    • Introduction
    • Basic Plan
    • Related Concepts
    • Tools and Utilities
    • Useful Tips
  • 🎯Penetration Testing
    • Introduction
    • Categorization
    • Process Stages
      • Pre-engagement
      • Information Gathering
        • OSINT
          • Dorking
          • Searching breach data dumps
        • Enumeration
          • Get information from SSL certificates
          • Retrieve information from IMAP/POP3 servers
          • Redirect HTTP traffic using Feroxbuster and ZAP
          • Mount accesible NFS Shares
          • Bruteforce subdomains
        • Tools and Utilities
        • Useful Tips
      • Vulnerability Assessment
      • Exploitation
        • Tools and Utilities
        • Useful Tips
      • Post-Exploitation
        • Techniques (WIP)
        • Privilege Escalation
          • Linux Privilege Escalation
          • Windows Privilege Escalation
        • Tools and Utilities
        • Useful Tips
      • Lateral Movement
      • Proof-of-Concept
      • Post-engagement
        • Sample Report (WIP)
    • Related Concepts
  • 📡Web Exploitation
    • Introduction
    • OWASP Top 10
      • Broken Access Control
      • Cryptographic Failures
      • Injection
      • Insecure Design
      • Security Misconfiguration
      • Vulnerable and Outdated Components
      • Identification and Authentication Failures
      • Software and Data Integrity Failures
      • Security Logging and Monitoring Failures
      • Server-side Request Forgery
    • Attack Techniques
      • Local File Inclusion
      • Remote File Inclusion
      • Cross-Site Scripting
      • Command injection
      • XXE Injection
      • Abuse File Upload
      • Cross-Site Request Forgery
      • Header Poisoning
      • HTTP Parameter Pollution
      • Content Security Policy Bypass
      • Exposed .htaccess and .htpasswd files
      • Server-Side Request Forgery
      • Server-Side Template Injection
      • Cookie Hijacking
      • Null Byte Poisoning
      • PHP - Abuse PHP Type Juggling
      • PHP - Bypass using filters
      • WordPress - Abuse Theme Configuration on templates
      • WordPress - Getting credentials from configuration files
      • CVE - Log4Shell
    • Related Concepts
    • Tools and Utilities
    • Useful Tips
  • 🗄️Database Attacks
    • Introduction
    • SQL
      • MySQL
      • MSSQL
      • SQLite3
    • Attack Techniques
      • SQL Injection
        • Authentication Bypass
      • NoSQL Injection
      • MS SQL - xp_cmdshell Abuse
      • MongoDB - Impersonation via credentials change
    • Related Concepts
    • Tools and Utilities
    • Useful Tips
  • 👥Active Directory
    • Introduction
    • Related Concepts (WIP)
    • Tools and Utilities (WIP)
    • Useful Tips (WIP)
  • ☁️CLOUD HACKING
    • Introduction
    • Related Concepts
    • Tools and Utilities (WIP)
    • Useful Tips (WIP)
  • 📜Scripting
    • Introduction
    • Reverse Shell
    • Bind shell
    • Web Shell
  • 🚩Practical Skill Development
    • Learning Platforms
      • Hack The Box
      • TryHackMe
      • picoCTF
    • Featured Labs
    • CTF Competitions
  • 📝Write-Ups
    • Introduction
    • HTB Starting Point
      • Meow (Tier 0)
      • Fawn (Tier 0)
      • Dancing (Tier 0)
      • Redeemer (Tier 0)
      • Explosion (Tier 0)
      • Preignition (Tier 0)
      • Mongod (Tier 0)
      • Synced (Tier 0)
      • Appointment (Tier 1)
      • Sequel (Tier 1)
      • Crocodile (Tier 1)
      • Responder (Tier 1)
      • Three (Tier 1)
      • Ignition (Tier 1)
      • Bike (Tier 1)
      • Funnel (Tier 1)
      • Pennyworth (Tier 1)
      • Tactics (Tier 1)
      • Archetype (Tier 2)
      • Oopsie (Tier 2)
      • Vaccine (Tier 2)
      • Unified (Tier 2)
      • Included (Tier 2)
      • Markup (Tier 2)
      • Base (Tier 2)
    • HTB Machines
      • Nibbles (Easy)
      • BountyHunter (Easy)
      • Crafty (Easy)
      • Chemistry (Easy)
    • HTB Challenges
    • HTB Advanced labs
  • Group 1
Powered by GitBook
On this page
  • Request-Response Model
  • Client Request
  • Server Response

Was this helpful?

  1. Networks
  2. Protocols

HTTP

The HyperText Transfer Protocol is used for communication on the web, defining how messages are formatted and transmitted between a client and a server. It is based on a request-response model. Operates in the Application layer typically on port 80

Request-Response Model

Is the core communication pattern used in the HTTP protocol, where a client such as a web browser, sends a request to a server, and the server processes that request and sends back a response such as a web page or a resource. In HTTP this is implemented as follows:

Client Request

The client initiates communication by sending an HTTP request to the server. This request contains various details, including:

  • Method: Specifies the type of action, such as retrieving, sending, or deleting data, among others. The most common HTTP methods are:

    • GET: Used for getting content from a web server

    • POST: Used for submitting data to the web server and potentially creating records

    • PUT: Used for submitting data to a web server to update information

    • DELETE: Used for deleting information/records from a web server

    • HEAD: The only difference between HEAD and GET requests is that for HTTP HEAD, the server only returns headers without a body

    • OPTIONS: Returns the HTTP methods that the server supports

    • CONNECT: Converts the request connection to a transparent TCP/IP tunnel

    • TRACE: Does a message loopback test along the path to the target resource

  • URL: Uniform Resource Locator, provides a resource's location and the protocol to retrieve it. Have the structure: scheme://user:password@host:port/path?query#fragment. This can be broken down as follows:

    • Scheme: The protocol to use for accessing the resource

    • User-Password: For services that require authentication to log in, a username and password can be put into the URL

    • Host: The domain name or IP address of the server you wish to access

    • Port: The Port that you are going to connect to

    • Path: The file name or location of the resource you are trying to access

    • Query String: Extra bits of information that can be sent to the requested path, receive values that are passed are parameters to the service

    • Fragment: Reference to a location on the actual page requested. This is commonly used for pages with long content and can have a certain part of the page directly linked to it

  • Headers: Contain information about the client such as browser type, and accepted data formats, among others. Here are some of the most common:

    • Host: Tell it which website you require, otherwise you'll just receive the default website for the server

    • User-Agent: Tell your browser software and version number

    • Content-Length: Tells the web server how much data to expect in the web request. This way the server can ensure it isn't missing any data

    • Accept-Encoding: Tells the web server what types of compression methods the browser supports so the data can be made smaller for transmitting over the internet

    • Cookie: Data sent to the server to help remember the information of the client

  • Body: Optional data sent with certain requests, usually when submitting a form

Server Response

The server processes the request and sends an HTTP response back to the client. This response includes:

  • Status Code: Indicates whether the request was successful or if there was an issue. These are categorized based on the type of information they provide as follows:

    Type
    Description

    100-199 - Information Response

    These are sent to tell the client the first part of their request has been accepted and they should continue sending the rest of their request. These codes are no longer very common

    200-299 - Success

    This range of status codes is used to tell the client their request was successful

    300-399 - Redirection

    These are used to redirect the client's request to another resource. This can be either to a different webpage or a different website altogether

    400-499 - Client Errors

    Used to inform the client that there was an error with their request

    500-599 - Server Errors

    This is reserved for errors happening on the server side and usually indicates quite a major problem with the server handling the request

    Also, some of the most common status codes are:

Code
Description

200 - OK

The request was completed successfully

201 - Created

A resource has been created, for example, a new user or post

301 - Permanent Redirect

This redirects the client's browser to a new webpage or tells search engines that the page has moved somewhere else and to look there instead

302 - Temporary Redirect

Similar to the above permanent redirect, but as the name suggests, this is only a temporary change and it may change again soon

400 - Bad Request

This tells the browser that something was either wrong or missing in their request. This could sometimes be used if the web server resource that is being requested expects a certain parameter that the client didn't send

401 - Not Authorized

You are not currently allowed to view this resource until you have been authorized by the web application, most commonly with a username and password

403 - Forbidden

You do not have permission to view this resource whether you are logged in or not

405 - Method Not Allowed

The resource does not allow this method request, for example, you send a GET request to the resource /create-account when it was expecting a POST request instead

404 - Page Not Found

The page/resource requested doesn't exist

500 - Internal Service Error

The server has encountered some kind of error with your request that it doesn't know how to handle properly

503 - Service Unavailable

The server cannot handle your request as it's either overloaded or down for maintenance

  • Headers: Additional information about the server or the response. Some of the most common are:

    • Set-Cookie: Information to store which gets sent back to the web server on each request

    • Cache-Control: How long to store the content of the response in the browser's cache before it requests it again

    • Content-Type: This tells the client what type of data is being returned to know how to process the data

    • Content-Encoding: The method that has been used to compress the data to make it smaller when sending it over the internet

  • Body: The actual content requested by the client, such as an HTML page, JSON data, or an image, among others

PreviousDNSNextTelnet

Last updated 2 months ago

Was this helpful?

🌐