Continuing in the series of TryHackMe walkthroughs - here is the HTTP in Detail room from the How the Web Works module.
Some good info in this free room, and the practical at the end is a nice hands-on exercise.
In two of the sections we touch on some OWASP mapping.
Enjoy! Transcript below the video if you would rather read =)
More fun strategy content out soon
Audio Transcript
Hey, today we're gonna walk through the seven tasks in the HTTP in Detail room on TryHackMe, part of the Web Fundamentals learning path. Stay tuned during the video and we'll find out which of the seven tasks maps to two OWASP techniques, and we'll cover those in detail and give you some information.
Now, if there's a learning path, task or module you would like to see me cover, please feel free to drop a comment in the section below and just let us know. And after the video, please feel free to also listen to the audio transcript of this entire room. It is there for your taking so you can listen while you hack.
All right, so we're gonna cover the Web Fundamentals learning path, the How the Web Works module, and we're gonna do HTTP in Detail. Now, TryHackMe has done a good job. They provided a YouTube video here to kind of give some of the lectures. They've also provided, you know, an example site right here in your web browser on the.
So as we go down here, we'll see it's gonna walk through what is HTTP and what is HTTPS. You know, one of the big differences between the two is that they're the exact same thing. They're the exact same protocol. The only difference is that one uses secure encryption and the other does not, and that is where the S comes from.
Okay. Task two is gonna talk about requests and responses, and kind of breaks down what a URL is: the scheme, user, port. This is a really good graphic that they provide. And we start to kind of dip into some of the URLs. And here towards the bottom, we actually start talking about making your request. Now this is our first real introduction into the kind of things that we would see in a web application proxy, like Burp or ZAP.
So you're gonna see GET, you know, the page being requested, and the protocol version down here. This is an example of something that you might see in something like Burp, you know, where you would be able to kind of go through and configure and mess around with these different settings.
Okay, task three, we're gonna talk about HTTP methods: GET, POST, PUT and DELETE. If you are pen testing, uh, APIs, a lot of times you may be doing POST requests. There's also GET requests. This is what a standard browser uses. You know, anytime you load a page, you're getting that. And then down here at the bottom, the questions below give you some actual kind of specific, practical examples of how you would use each of those: GET, PUT, POST and DELETE.
Okay. Task four, HTTP status codes. Anytime you interact with a web object, it's gonna send back some sort of status code for it. One thing that I learned when I was going through this for the first time many years ago was that a 400 error is gonna be "I messed up" and a 500 error is gonna be "you messed up".
So if you submit a request and you get a 400 error back, that means that I did something wrong. If you submit a request and you get a 500 error back, it means that the server messed up. So down here at the bottom we have the common HTTP status codes. You're gonna see 301 and 302. Those are the redirects.
Like if you're hosting your own website and you want to put in some rules. These 400 responses, you're gonna, you know, this is, you have put in the wrong information. 404 is kind of a common status code that people have seen, you know, throughout the internet. 404, that is, you tried to request a page that doesn't exist, but a 500 is: maybe you did request a page that existed, but the server could not present it to you.
Task five, we're gonna talk about headers, and this is where web application proxies start making sense. Things like Host, User-Agent, cookies, Accept-Encoding. So we have common response headers here.
We're gonna have Set-Cookie, Cache-Control. Now, at the beginning of the video, I did mention there was one task that had a couple mappings to OWASP, and this is that task. So let's go, let's, uh, look into the OWASP stuff real quick. When we're talking about cookies, there are two main OWASP categories that make the most sense.
One is Software and Data Integrity Failures. Down here at the bottom you see a CWE for cookies without validation and integrity. You can see down here in the list of the mapped CWEs, you have two, CWE-565 and CWE-784. They both talk about cookies, uh, without validating who sent it. And OWASP category number five, Security Misconfiguration.
In this list of CWEs, one that really stands out to me is CWE-315, Cleartext Storage of Sensitive Information in a Cookie. So if we were going through a web browser and we were looking at those cookies, and let's say that one of the responses back had like a password or something, or like an API token in the cookie, it would be, you know, you could steal that and do something.
Task six. We're talking about cookies more. This is all about cookies, this section. So it's pretty important to pay attention to, and you're gonna see some additional examples of what these requests look like. Uh, you can see some more information about cookies, like name=Adam. One of the CWEs that was mentioned just a minute ago was being able to modify a cookie without the server validating that you were allowed to.
So in this example, let's say name=Adam; we could change that to name=admin instead. And if the server didn't validate that request, then you would be the admin from that point forward.
Task seven is basically the practical for this room and you can go through and look at the site. They built a cool little application for you here that you can go through and kind of do GET, POST, PUT and DELETE.
As you walk through the practical here, you know, the first one is make a GET request to /room. Put room in here and we hit Go. And it's gonna come back with, you know, your flag is right here. But this is also what the response would look like in a web application proxy as well.
So as you receive that response back, you'd be able to go into Burp, look at it and say, okay, I want to do something different. I wanna change maybe a cookie down here, or maybe I wanna change the content that's expected because I'm about to enter a payload. You could do all sorts of things. So that was just a quick walkthrough of the HTTP in Detail room.
Uh, pretty good practical examples in there. And this is part of the, you know, the foundational path to getting into that Junior Penetration Tester route where we will have some more kind of hands-on. Let's take a look at these techniques and map them to things like the MITRE ATT&CK matrix, or maybe let's look at some of these OWASP techniques in actual detail.
Thanks for watching, and if you would like to see a task or learning path or anything like that, drop a comment below. Let us know what you wanna see next. And if you found this video helpful or you liked it, please consider giving a thumbs up or subscribing. It really does help the channel.
Task one. What is HTTP? HTTP is what's used whenever you view a website. Developed by Tim Berners-Lee and his team between 1989 and 1991, HTTP is the set of rules used for communicating with web servers for the transmitting of webpage data, whether that is HTML, images, videos, etc. What is HTTPS? HTTPS is the secure version of HTTP. HTTPS data is encrypted, so it not only stops people from seeing the data you are receiving and sending, but it also gives you assurances that you're talking to the correct web server and not something impersonating it.
Task two. Requests and responses. When we access a website, your browser will need to make requests to a web server for assets such as HTML and images, and download the responses.
Before that, you need to tell the browser specifically how and where to access these resources. This is where URLs will help. What is a URL? If you've used the internet, you've used a URL before. A URL is predominantly an instruction on how to access a resource on the internet. The below image shows what a URL looks like with all of its features. Scheme: this instructs on what protocol to use for accessing the resource, such as HTTP, HTTPS, FTP. User: some services require authentication to log in; you can put a username and password into the URL to log in. Host: the domain name or IP address of the server you wish to access. Port: the port that you are going to connect to, usually 80 for HTTP and 443 for HTTPS, but this can be hosted on any port between 1 and 65535. Path: the file name or location of the resource you are trying to access. Query string: extra bits of information that can be sent to the requested path. For example, /blog?id=1 would tell the blog path that you wish to receive the blog article with the id of 1. Fragment: this is a reference to a location on the actual page requested. This is commonly used for pages with long content and can have a certain part of the page directly linked to it, so it is viewable to the user as soon as they access the page. Making a request. It's possible to make a request to a web server with just one line, GET / HTTP/1.1, but for a much richer web experience, you'll need to send other data as well.
This other data is sent in what are called headers, where headers contain extra information to give to the web server you're communicating with. But we'll go more into this in the headers task. Example request. See the task for specific examples to break down each line of this request. Line one: this request is sending the GET method, requesting the homepage with /, and telling the web server we are using HTTP protocol version 1.1. Line two: we tell the web server we want the website tryhackme.com. Line three: we tell the web server we are using the Firefox version 87 browser. Line four: we are telling the web server that the webpage that referred us to this one is https://tryhackme.com. Line five: HTTP requests always end with a blank line to inform the web server that the request has finished. Example response. See the task for specific examples to break down each line of the response. Line one: HTTP/1.1 is the version of the HTTP protocol the server is using, followed by the HTTP status code, in this case 200 OK, which tells us the request completed successfully. Line two: this tells us the web server software and version number. Line three: the current time and time zone of the web server. Line four: the Content-Type header tells the client what sort of information is going to be sent, such as HTML, images, videos, PDF, XML. Line five: Content-Length tells the client how long the response is. This way we can confirm no data is missing. Line six: the HTTP response contains a blank line to confirm the end of the HTTP response. Line seven: the information that has been requested, in this instance the homepage.
Task three. HTTP methods. HTTP methods are a way for the client to show their intended action when making an HTTP request.
There are a lot of HTTP methods, but we'll cover the most common ones, although mostly you'll deal with the GET and POST methods. GET requests: this is used for getting information from a web server. POST requests: this is used for submitting data to the web server and potentially creating new records. PUT requests: this is used for submitting data to a web server to update information. DELETE requests: this is used for deleting information or records from a web server.
Task four. HTTP status codes. In the previous task, you learned that when an HTTP server responds, the first line always contains a status code informing the client of the outcome of their request and also potentially how to handle it. These status codes can be broken down into five different ranges. 100 through 199, informational response: these are sent to tell the client the first part of their request has been accepted and they should continue sending the rest of their request. These codes are no longer very common. 200 through 299, success: this range of status codes is used to tell the client their request was successful. 300 through 399, redirection: these are used to redirect the client's request to another resource. This can be either to a different webpage or a different website altogether. 400 through 499, client errors: used to inform the client that there was an error with their request. 500 through 599, server errors: this is reserved for errors happening on the server side and usually indicates quite a major problem with the server handling the request. Common HTTP status codes. There are a lot of different HTTP status codes, and that's not including the fact that applications can even define their own.
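To make the request and response layout from Task two concrete, here is an added example (my code, not TryHackMe's or the room's site) that splits a URL into the parts the room lists, builds a raw request with any of the Task three methods, and parses a raw response, refusing it when the body does not match Content-Length, which is exactly the "confirm no data is missing" check the room describes. The sample response bytes, the Server value and the date are constructed for the example; nothing is fetched from the network.

```python
"""Added example (not TryHackMe's code): break a URL into the parts from
Task two, build a raw request line plus headers, and parse a raw response,
checking Content-Length the way Task two's "line five" describes."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Default ports for the schemes the room names (FTP's 21 added as an assumption).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def breakdown_url(url: str) -> dict:
    """Return scheme, user, host, port, path, query string and fragment of a URL."""
    parts = urlsplit(url)
    # urlsplit already rejects ports above 65535; the room's range is 1-65535,
    # so reject port 0 as well.
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    return {
        "scheme": parts.scheme,
        "user": parts.username,
        "password": parts.password,
        "host": parts.hostname,
        "port": port,
        "path": parts.path or "/",
        "query_string": parts.query,
        "query": parse_qs(parts.query),  # "id=1" -> {"id": ["1"]}
        "fragment": parts.fragment,      # client-side only, never sent to the server
    }


def build_request(method: str, url: str, headers: Optional[dict] = None, body: bytes = b"") -> bytes:
    """Serialise a request: request line, Host, extra headers, blank line, body."""
    u = breakdown_url(url)
    target = u["path"] + (f"?{u['query_string']}" if u["query_string"] else "")
    host = u["host"] if u["port"] == DEFAULT_PORTS.get(u["scheme"]) else f"{u['host']}:{u['port']}"
    lines = [f"{method.upper()} {target} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        # Content-Length tells the server how much body to read (Task five).
        lines.append(f"Content-Length: {len(body)}")
    # The blank line (CRLF CRLF) marks the end of the headers.
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


@dataclass
class Response:
    version: str
    status: int
    reason: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_response(raw: bytes) -> Response:
    """Split a raw response into status line, headers and body (Task two, lines 1-7)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the headers")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {status_line!r}")
    reason = fields[2] if len(fields) > 2 else ""
    resp = Response(version=fields[0], status=int(fields[1]), reason=reason)
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        resp.headers[name.strip().lower()] = value.strip()
    declared = resp.headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError("body length does not match Content-Length; data is missing or extra")
    resp.body = body
    return resp


# Constructed sample response, not captured from TryHackMe's site.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: ExampleServer/1.0\r\n"
    b"Date: Fri, 09 Apr 2021 13:34:03 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 18\r\n"
    b"\r\n"
    b"<html>Hello</html>"
)

if __name__ == "__main__":
    print(breakdown_url("http://user:pass@tryhackme.com:8080/blog?id=1#task3"))
    print(build_request("GET", "http://tryhackme.com/", {"User-Agent": "Demo/1.0"}).decode())
    print(parse_response(SAMPLE_RESPONSE))
```

Cutting even three bytes off the end of the sample makes parse_response raise, which is the behaviour you want from anything that sits in front of a parser: a truncated body should be an error, not silently accepted as a shorter page.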
We'll go over the most common HTTP responses you are likely to come across. 200 OK: the request was completed successfully. 201 Created: a resource has been created. 301 Permanent Redirect: this redirects the client's browser to a new webpage or tells search engines that the page has moved somewhere else and to look there instead. 302 Temporary Redirect: similar to the above permanent redirect, but as the name suggests, this is only a temporary change and it may change again in the near future. 400 Bad Request: this tells the browser that something was either wrong or missing in their request. This could sometimes be used if the web server resource that is being requested expected a certain parameter that the client didn't send. 401 Not Authorized: you are not currently allowed to view this resource until you have authorized with the web application, most commonly with a username and password. 403 Forbidden: you do not have permission to view this resource whether you are logged in or not. 405 Method Not Allowed: the resource does not allow this method request. For example, you send a GET request to the resource create account when it was expecting a POST request instead. 404 Page Not Found: the page or resource you requested does not exist. 500 Internal Service Error: the server has encountered some kind of error with your request that it doesn't know how to handle properly. 503 Service Unavailable: this server cannot handle your request as it's either overloaded or down for maintenance. Click the view site button on the right to see what some of these HTTP status messages look like in a browser.
Task five. Headers. Headers are additional bits of data you can send to the web server when making requests.
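The "400 is I messed up, 500 is you messed up" split from Task four is also what you lean on when reading a web server's logs. This added example (my code, not TryHackMe's) maps a status code to the five ranges the room lists and then goes a step beyond the room by applying that mapping to a few constructed Common Log Format lines: a run of 4xx from a single address is a client sending bad or unauthorised requests, while a 5xx is the server failing on a request that may have been perfectly valid. The addresses, timestamps and paths in SAMPLE_LOG are made up.

```python
"""Added example (not TryHackMe's code): classify status codes into the five
ranges from Task four and apply that classification to constructed access-log
lines to separate client-side errors (4xx) from server-side errors (5xx)."""
import re
from collections import Counter, defaultdict

STATUS_CLASSES = {
    1: "informational",
    2: "success",
    3: "redirection",
    4: "client error",  # "I messed up": the request was wrong or missing something
    5: "server error",  # "you messed up": the server could not handle the request
}


def status_class(code: int) -> str:
    """Map a status code to its range; anything outside 100-599 is not a valid code."""
    if not 100 <= code <= 599:
        raise ValueError(f"{code} is not an HTTP status code")
    return STATUS_CLASSES[code // 100]


# Common Log Format-style line: ip ident user [time] "METHOD path HTTP/x.y" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_access_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["class"] = status_class(e["status"])
            entries.append(e)
    return entries


def error_summary(entries: list, client_error_threshold: int = 3) -> dict:
    """Count responses per client by class and flag clients with many 4xx answers.

    A burst of 4xx from one address means that client keeps sending malformed,
    unauthorised or non-existent-page requests; 5xx responses point at a problem
    on the server no matter which client triggered them."""
    per_client = defaultdict(Counter)
    for e in entries:
        per_client[e["ip"]][e["class"]] += 1
    noisy_clients = sorted(
        ip for ip, counts in per_client.items()
        if counts["client error"] >= client_error_threshold
    )
    server_errors = [(e["ip"], e["path"], e["status"]) for e in entries if e["class"] == "server error"]
    return {
        "per_client": {ip: dict(c) for ip, c in per_client.items()},
        "noisy_clients": noisy_clients,
        "server_errors": server_errors,
    }


# Constructed sample log; the addresses, times and paths are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2021:13:34:03 +0000] "GET / HTTP/1.1" 200 1043
10.0.0.5 - - [09/Apr/2021:13:34:04 +0000] "GET /old-page HTTP/1.1" 301 0
10.0.0.5 - - [09/Apr/2021:13:34:05 +0000] "GET /new-page HTTP/1.1" 200 2210
10.0.0.9 - - [09/Apr/2021:13:35:00 +0000] "GET /old HTTP/1.1" 404 153
10.0.0.9 - - [09/Apr/2021:13:35:00 +0000] "GET /backup HTTP/1.1" 404 153
10.0.0.9 - - [09/Apr/2021:13:35:01 +0000] "GET /config HTTP/1.1" 404 153
10.0.0.9 - - [09/Apr/2021:13:35:01 +0000] "POST /login HTTP/1.1" 401 87
10.0.0.5 - - [09/Apr/2021:13:36:10 +0000] "POST /create-account HTTP/1.1" 500 0
this line is not in the expected format
"""

if __name__ == "__main__":
    summary = error_summary(parse_access_log(SAMPLE_LOG))
    for ip, counts in summary["per_client"].items():
        print(ip, counts)
    print("clients with repeated 4xx:", summary["noisy_clients"])
    print("server-side failures:", summary["server_errors"])
```

The threshold is deliberately a parameter: on a busy site three 404s from one address is nothing, while on a small internal application it is worth a look, so tune it to the baseline of the site you are reading logs for rather than to the sample here.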
Although no headers are strictly required when making an HTTP request, you'll find it difficult to view a website properly. Common request headers. These are headers that are sent from the client to the server. Host: some web servers host multiple websites, so by providing the Host header you can tell it which one you require. Otherwise, you'll just receive the default website for the server. User-Agent: this is your browser software and version. Telling the web server your browser software helps it format the website properly for your browser, and also some elements of HTML, JavaScript and CSS are only available in certain browsers. Content-Length: when sending data to a web server, such as in a form, the Content-Length tells the web server how much data to expect in the web request. This way, the server can ensure it isn't missing any data. Accept-Encoding: tells the web server what types of compression methods the browser supports, so the data can be made smaller for transmitting over the internet. Cookie: data sent to the server to help remember your information. Common response headers. These are the headers that are returned to the client from the server after a request. Set-Cookie: information to store, which gets sent back to the web server on each request. Cache-Control: how long to store the content of the response in the browser's cache before it is requested again. Content-Type: this tells the client what type of data is being returned, i.e. HTML, CSS, JavaScript, images, PDF, video, etc. Using the Content-Type header, the browser then knows how to process the data. Content-Encoding: what method has been used to compress the data to make it smaller when sending it over the internet.
Task six. Cookies. You've probably heard of cookies before. They're just a small piece of data that is stored on your computer. Cookies are saved when you receive a Set-Cookie header from a web server. Then on every further request you make, you'll send the cookie data back to the web server. Because HTTP is stateless, cookies can be used to remind the web server who you are, some personal settings for the website, or whether you've been to the website before. Let's take a look at this as an example HTTP request. Cookies can be used for many purposes but are most commonly used for website authentication. The cookie value won't usually be a clear text string where you can see the password, but a token. Viewing your cookies: you can easily view what cookies your browser is sending to a website by using the developer tools in your browser. If you're not sure how to get to the developer tools in your browser, click on the view site button at the top of this task for a how-to guide. Once you have developer tools open, click on the Network tab. This tab will show you a list of all the resources your browser has requested. You can click on each one to receive a detailed breakdown of the request and response. If your browser sent a cookie, you will see these on the Cookies tab of the request.
Task seven. Making requests. Click the view site button on the right. This is an emulator for making demo HTTP requests using what you've learned from the above tasks. You can use it to complete the below questions.
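The name=Adam to name=admin edit from the video's Task six discussion, and the CWE-565 / CWE-784 mapping it was tied to, come down to one server-side decision: does the server believe a cookie value just because the client sent it? This added example (my code, not TryHackMe's or the room's demo site) shows the trusting version beside a version that signs the value with an HMAC so an edited cookie is detected and rejected; it also builds the Set-Cookie header with HttpOnly, Secure and SameSite set. SERVER_KEY, the session cookie name and the helper names are all made up for the example.

```python
"""Added example (not TryHackMe's code): the cookie-trusting pattern from Task
six (name=Adam edited to name=admin) beside a version that lets the server
detect tampering with an HMAC tag, which is the fix CWE-565 and CWE-784
point at. Key and cookie names are constructed for the example."""
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server-side secret; a real deployment generates and stores this separately.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def parse_cookie_header(header: str) -> dict:
    """Turn a raw 'Cookie:' header value into {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_insecure(cookie_header: str) -> bool:
    """Vulnerable pattern: the server believes whatever the client put in the cookie."""
    return parse_cookie_header(cookie_header).get("name") == "admin"


def sign_value(value: str) -> str:
    """Append an HMAC-SHA256 tag so the server can later tell the value is its own."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(signed: str) -> Optional[str]:
    """Return the value if its tag is valid, else None (edited, forged or malformed)."""
    value, dot, tag = signed.rpartition(".")
    if not dot or not value:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag byte by byte.
    return value if hmac.compare_digest(tag, expected) else None


def is_admin_secure(cookie_header: str) -> bool:
    """Hardened pattern: only a value the server signed can name the user."""
    return verify_value(parse_cookie_header(cookie_header).get("session", "")) == "admin"


def set_cookie_header(user: str) -> str:
    """Build the Set-Cookie response header for a signed session cookie.

    HttpOnly keeps page scripts away from it, Secure keeps it off plain HTTP and
    SameSite limits cross-site sending; none of these replace the signature,
    which is what stops the client from editing the value."""
    jar = SimpleCookie()
    jar["session"] = sign_value(user)
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Strict"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("insecure check, name=admin ->", is_admin_insecure("name=admin"))
    edited = sign_value("Adam").replace("Adam", "admin")
    print("secure check, edited cookie ->", is_admin_secure(f"session={edited}"))
    print(set_cookie_header("Adam"))
```

Note what the signature does and does not cover: it proves the value came from this server, so the edited cookie fails; it does not hide the value, so a password or API token placed in it would still be readable in the developer tools' Cookies tab, which is the CWE-315 point from the video. Keep secrets out of the cookie and sign an opaque identifier or a plain username instead.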