HTTP: Hyper Text Transfer Protocol How HTTP Works Behind the Browser

Development
HTTP: Hyper Text Transfer Protocol How HTTP Works Behind the Browser

In this post you will understand what HTTP is examples of HTTP request and response and how it works behind your browser. This is an important foundation to understand how the web works which will be very useful for web hacking bug bounty and pentesting.

What Is HTTP?

HTTP Hypertext Transfer Protocol is the main protocol used to send data between client browser and server web server.

Every time we access a website the browser sends an HTTP request and the server responds with an HTTP response. This process is not directly visible in the browser and what we usually see is HTML rendered into a web page where the HTML is the result of the HTTP response sent by the server.

Basic HTTP Flow

  1. When we access https://example.com/login in the browser
  2. The browser sends an HTTP request to the server
  3. The server processes the request and sends an HTTP response
  4. The browser displays the login page

HTTP is defined in RFC 7230 to 7235 which are the official standards for HTTP communication.

Example HTTP Request

GET /login HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
Cookie: session=abc123

<body data if POST request>

HTTP request uses an empty line \r\n after the header to separate it from the body if present. Each line ends with \r\n according to the HTTP specification.

Important parts often used by attackers to exploit security vulnerabilities are:

Part Explanation Potential Security Issue
Method GET POST PUT DELETE Request method manipulation
URL or Path admin user?id=1 IDOR path traversal
Header Cookie Referer Host Session hijacking Host header injection
Body POST Form data JSON SQLi XSS command injection payload

For HTTP method details you can see HTTP Request Methods https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods.

Example HTTP Response

HTTP/1.1 200 OK  
Content Type: text/html  
Set-Cookie: session=abc123; HttpOnly  

<data HTML or JSON sent by the server>

Important headers:

  • Set Cookie can be abused if not properly secured such as in session hijacking attacks
  • Content Type can be used for XSS if not set correctly such as text/html for json data
  • Location is used for redirect and can be manipulated if not using secure redirect methods

For HTTP response details you can see HTTP Response Status Codes https://developer.mozilla.org/en-US/docs/Web/HTTP/Status.

HTTP vs HTTPS

  • HTTP without encryption easy to intercept MITM
  • HTTPS secure because it uses TLS or SSL

Encryption will automatically be used when you access sites with https:// and the browser will perform a TLS handshake to ensure a secure connection as well as verify the server certificate and decrypt data sent by the server if the TLS or SSL steps succeed.

But remember HTTPS does not prevent web hacking. HTTPS only protects data in transit from client to server and vice versa. This secures the transport layer not the application layer while web hacking generally occurs at the application layer because applications do not implement proper security and secure coding.

Read also:HTTPS is a Secure Website

HTTP Is Stateless

Stateless means each request does not know what happened before. Every request is a new request unrelated to the previous one. This means the server does not store information about user sessions between requests. Every time you access a page the server does not know whether you are logged in or not so how does the server know your login status?

To store login status websites use cookie and session which are used to determine whether a user is logged in. Cookie is small data stored in the user browser while session is data stored on the server.

If it were stateful then it would not be HTTP but another protocol such as WebSocket which allows two way and stateful communication between client and server.

By using cookie or session the server can remember user information between requests so users do not need to log in every time they access the same page but the browser must send the appropriate cookie on every request to the server.

Tools To View HTTP

  • Browser DevTools Tab Network can be used to view HTTP request and response but is less flexible
  • Burp Suite powerful proxy to intercept modify and replay requests very suitable for pentesters and bug hunters
  • Postman GUI tool for testing API and HTTP requests commonly used by developers for API testing
  • curl or httpie CLI tools for manual testing often used by system administrators and developers to send HTTP requests from the terminal or check server responses

Conclusion

HTTP is the main key of the web world and now you know how it works

You can use the following references to learn more about HTTP