
HTTP

HTTP powers the web
Every web application penetration test revolves around understanding HTTP request/response structures, methods, headers, status codes, and state management mechanisms.

HTTP Request Structure

GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html
Cookie: sessionid=abc123

HTTP Methods

  • GET - Retrieve resource (parameters in URL)
  • POST - Submit data (parameters in body)
  • PUT - Create/replace resource
  • PATCH - Partial update
  • DELETE - Remove resource
  • OPTIONS - List supported methods
  • HEAD - Headers only (no body)
  • TRACE - Diagnostic echo (XST attacks)

HTTP Status Codes

1xx - Informational (101 = Switching Protocols)
2xx - Success (200 = OK, 201 = Created, 204 = No Content)
3xx - Redirection (301 = Moved Permanently, 302 = Found, 307 = Temporary Redirect)
4xx - Client Error (400 = Bad Request, 401 = Unauthorized, 403 = Forbidden, 404 = Not Found, 405 = Method Not Allowed, 429 = Too Many Requests, i.e. rate limited)
5xx - Server Error (500 = Internal Server Error, 502 = Bad Gateway, 503 = Service Unavailable)

HTTP Headers - Security Critical

Request Headers:

  • Cookie - Session tokens
  • Authorization - Credentials (Bearer, Basic)
  • X-Forwarded-For - Original client IP (often spoofable)
  • Referer - Previous page (information leakage)
  • Origin - Request origin (CORS)

Response Headers:

  • Set-Cookie - Session token assignment
  • Location - Redirect target (open redirect check)
  • Access-Control-Allow-Origin - CORS policy
  • Content-Security-Policy - XSS mitigation
  • Strict-Transport-Security - HSTS enforcement
  • X-Frame-Options - Clickjacking prevention
  • X-Content-Type-Options - MIME sniffing prevention
  • Referrer-Policy - Referrer leakage control
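As an added example (not part of the original page), a small Python audit that parses a raw HTTP/1.1 response and grades the security-critical response headers above as missing, weak or ok, rejecting present-but-weak values such as a short HSTS max-age or a non-restrictive X-Frame-Options. The one-year HSTS threshold and the sample response are assumptions constructed for illustration.

```python
import re

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed threshold for a strong HSTS policy

def hsts_is_strong(value: str) -> bool:
    """HSTS only protects if browsers are told to remember it long enough."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(match) and int(match.group(1)) >= MIN_HSTS_MAX_AGE

# Response headers the page calls security-critical, each with a predicate that
# rejects present-but-weak values instead of only checking presence.
SECURITY_HEADERS = {
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "strict-transport-security": hsts_is_strong,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() not in ("", "unsafe-url"),
}

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers). Names are
    lower-cased (header names are case-insensitive); repeated headers such as
    several Set-Cookie lines are kept as a list."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort the audit
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit_headers(headers: dict) -> dict:
    """Map each security header to 'missing', 'weak' or 'ok'."""
    findings = {}
    for name, is_strong in SECURITY_HEADERS.items():
        if name not in headers:
            findings[name] = "missing"
        else:  # every occurrence must be strong; one weak duplicate is a finding
            findings[name] = "ok" if all(map(is_strong, headers[name])) else "weak"
    return findings

# Constructed sample response; not captured from any real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\nStrict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\nX-Frame-Options: ALLOWALL\r\n\r\n<html></html>"
)
```

Running `audit_headers(parse_response(SAMPLE_RESPONSE)[1])` flags CSP and Referrer-Policy as missing and HSTS and X-Frame-Options as weak, with only X-Content-Type-Options passing.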

HTTPS / TLS

HTTP + TLS encryption = HTTPS (port 443). The TLS handshake establishes the encrypted tunnel before any HTTP traffic flows.

Key Attacks

  • HTTP Request Smuggling - Desync between proxy and backend parsing
  • Host Header Injection - Cache poisoning and password reset poisoning
  • CRLF Injection - Response splitting via newline injection
  • Path Traversal - ../ in URL paths to access restricted files
  • Open Redirect - Unvalidated redirect parameters for phishing

HTTP/2 and HTTP/3

  • HTTP/2 - Multiplexed streams, header compression, server push
  • HTTP/3 - Uses QUIC (UDP-based) instead of TCP, faster handshake
  • Both maintain same semantics (methods, headers, status codes)