Understanding Network Hacks
Chapter 7 HTTP Hacks

Abstract: The Hypertext Transfer Protocol, HTTP for short, is probably the best-known protocol of the Internet. Today it is so dominant that plenty of people think HTTP (or the WWW) is the Internet.

There are not only information sites, shopping portals, search engines, e-mail and forum services, but also office software, wikis, blogs, calendars, social networks, chat software, e-government applications and so on. The list could be extended at will. Google even built a whole operating system that consists entirely of web applications, with all data stored in the cloud (whether you like that or not is up to you).

It should not be surprising that most attacks nowadays are aimed at web applications and that the web browser is the attacker's favorite tool. Reason enough to have a deeper look at the security of the web.

7.1 Protocol Overview

HTTP is a stateless plaintext protocol: every request is sent as plain text and is independent of the previous one. That makes it quite easy to play "web browser" yourself. Use the good old telnet program or the famous netcat tool to connect to a web server on port 80 and type the following request:

telnet datenterrorist.de 80
GET / HTTP/1.0

That's all you need for a valid HTTP/1.0 request. Terminate it with an empty line (press return twice) and the server sends back a response just as if a normal browser had issued the request. Let's look in detail at what happened here.

GET is the so-called HTTP method; there are more, as Table 7.1 shows. GET should be used to request a resource, POST to send data. Because a POST may change state on the server, browsers send it only once and ask the user before resending it (for example on reload), whereas a GET can be repeated freely. HTTP/1.0 additionally defines the HEAD method, which behaves like GET but without the content body (the HTML page, image or whatever): the server sends only the HTTP headers back. HTTP/1.1 defines five more methods: PUT to create a new resource or update an existing one, DELETE to delete a resource, OPTIONS to request the available methods and other properties such as the supported content encodings, TRACE for debugging purposes and CONNECT to make the web server (usually a proxy) open a tunnel to another HTTP server or proxy.

Table 7.1 HTTP methods

Method    Description
GET       Request a resource
POST      Send data to store or update it on the server
HEAD      Receive just the headers of a response, without the body
PUT       Create or update a resource
DELETE    Delete a resource
OPTIONS   List the methods, content types and encodings supported by the web server
TRACE     Send the received request back as the response body
CONNECT   Ask this server/proxy to open a tunnel to another HTTP server/proxy

Fig. 7.1 HTTP request header

The TRACE method should always be disabled on your web servers, because attackers can abuse it for so-called cross-site tracing, a variant of cross-site scripting (see Sect. 7.11): script running in the victim's browser issues a TRACE request and reads the reflected request headers, including Cookie and Authorization values it could not access otherwise. In Apache this is done with the directive TraceEnable off; a hardened server then answers TRACE with 405 Method Not Allowed.
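To check your own servers for this, here is an added example in Python (not code from the book): it sends a TRACE request carrying a random marker header plus a dummy cookie and reports whether the server echoes them back in a 200 response. The host name and the two sample responses are constructed for illustration.

```python
import os
import socket
import sys

# Added example, not code from the book: probe a web server for an enabled
# TRACE method, the precondition for cross-site tracing. The host name and
# the two sample responses below are constructed for illustration.


def build_trace_probe(host, marker):
    """A TRACE request with a header value the server can only return by echoing it.

    The dummy Cookie shows what an attacker is after: a TRACE response
    contains the request verbatim, cookies and Authorization included.
    """
    return (
        "TRACE / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"X-Probe: {marker}\r\n"
        "Cookie: session=not-a-real-session\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def trace_reflected(response, marker):
    """True if the server answered 200 and our marker came back in the body.

    A hardened server answers 405 Method Not Allowed (Apache: TraceEnable off)
    or 501 Not Implemented; a 200 that does not echo the marker (some proxies
    answer with a generic page) is not counted either.
    """
    head, _, body = response.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != b"200":
        return False
    return marker.encode("ascii") in body


def probe_trace(host, port=80):
    """Send the probe over a raw socket and report whether TRACE is enabled."""
    marker = os.urandom(8).hex()
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_trace_probe(host, marker))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_reflected(b"".join(chunks), marker)


# Constructed responses: a server with TRACE on, and one with it off.
MARKER = "deadbeefcafef00d"
REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
) + build_trace_probe("www.example.com", MARKER)
REFUSED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("TRACE enabled" if probe_trace(sys.argv[1]) else "TRACE disabled")
    else:
        print(trace_reflected(REFLECTED, MARKER), trace_reflected(REFUSED, MARKER))
```

Run it with a host name as argument to probe a live server; without one it only evaluates the two constructed responses. The random marker matters: a server that returns a cached or generic page for any method would otherwise produce a false positive.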

HTTP/1.1 requests are additionally required to carry a Host header, because one server (one IP address) may serve many virtual hosts:

telnet codekid.net 80
GET / HTTP/1.1
Host: codekid.net
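The same exchange, written as an added Python example (not code from the book): build_request produces exactly the bytes typed into telnet above (HTTP/1.0 without, HTTP/1.1 with the mandatory Host header), fetch sends them over a raw socket, and parse_response splits the answer into status line, headers and body. The host names are the ones used above; the sample response is constructed.

```python
import socket

# Added example, not code from the book: the request typed into telnet above,
# built and parsed in Python. Host names are the book's own examples; the
# sample response below is constructed for illustration.

CRLF = "\r\n"


def build_request(method, path, host, version="1.1", headers=None, body=b""):
    """Serialize one HTTP request exactly as it goes over the wire.

    HTTP/1.1 makes the Host header mandatory (many sites share one IP
    address); HTTP/1.0 does not know it. Both end the header block with an
    empty line, which is what the second press of return in telnet sends.
    """
    lines = [f"{method} {path} HTTP/{version}"]
    if version == "1.1":
        lines.append(f"Host: {host}")
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii") + body


def parse_response(raw):
    """Split a raw response into status line, headers and body.

    Header names are case-insensitive and are lower-cased here; every
    header is kept as a list because some (Set-Cookie) may repeat.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split(CRLF)
    parts = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if "content-length" in headers:
        # Trust the announced length, not whatever else arrived on the socket.
        body = body[: int(headers["content-length"][0])]
    return {
        "version": parts[0],
        "status": int(parts[1]),
        "reason": parts[2] if len(parts) > 2 else "",
        "headers": headers,
        "body": body,
    }


def status_class(status):
    """Map a status code to the class its first digit denotes."""
    return {1: "informational", 2: "success", 3: "redirection",
            4: "client error", 5: "server error"}[status // 100]


def fetch(host, path="/", port=80, version="1.1"):
    """Do what the telnet session does: connect, send, read until the server closes."""
    request = build_request("GET", path, host, version, {"Connection": "close"})
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample: the kind of answer a server gives to the request above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: Apache\r\n"
    b"Location: http://codekid.net/index.html\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"Set-Cookie: lang=en\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"moved"
)

if __name__ == "__main__":
    answer = parse_response(SAMPLE_RESPONSE)
    print(answer["status"], answer["reason"], status_class(answer["status"]))
    print(answer["headers"]["location"], answer["headers"]["set-cookie"])
```

fetch("codekid.net") performs the live request; Connection: close is sent so that reading until the server hangs up yields the whole response without having to handle chunked encoding.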

All other header fields you can send (see Fig. 7.1) are optional. With Connection: keep-alive we tell an HTTP/1.0 server that further requests will follow and it should not close the connection after this one; in HTTP/1.1 connections are persistent by default and Connection: close announces the opposite. Content-Length gives the length of the content body in bytes and Content-Type its MIME type. Other important request headers are Referer, which carries the URL of the page that generated this request, Authorization, which HTTP authentication uses to implement logins, and Cookie, which carries all cookies set for this site.

Fig. 7.2 HTTP response header

Cookies are name/value pairs that the server asks the client to store and send back with every subsequent request. You can read more about cookies in Sect. 7.6 about cookie manipulation.

HTTP Basic authentication merely Base64-encodes the username/password combination; it does not encrypt it, so anyone who can sniff the connection can read the credentials, as demonstrated in Sect. 7.7. Digest Access Authentication at least sends a hash over the password and a server nonce instead of the password itself. It still relies on MD5 and protects nothing but the credentials, though, so either scheme should only be used over HTTPS.
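An added Python example (not from the book) that shows both sides of this: decoding a sniffed Basic header, and computing the Digest response a client sends instead of the password. The Basic token and the Digest parameters are the worked examples from RFC 2617; the server-side check assumes the server stores HA1 rather than the password, as the RFC allows.

```python
import base64
import hashlib
import hmac

# Added example, not code from the book: what a sniffer gets out of Basic
# authentication, and what a Digest client sends instead. The Basic token
# and the Digest parameters are the worked examples from RFC 2617.


def decode_basic(authorization):
    """Recover username and password from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: there is no key, so anyone holding
    the header holds the password.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5_hex(text):
    """Digest authentication is specified with MD5; a weakness of the scheme, not a choice here."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Compute the 'response' field of a Digest Authorization header.

    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri). With qop=auth the
    final hash also covers the request counter and a client nonce, so a
    captured header cannot be replayed once the server nonce expires. The
    password itself never goes on the wire.
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, response,
                  qop=None, nc=None, cnonce=None):
    """Server side: only HA1 is needed to check the client, not the password.

    The comparison is constant-time so the check itself leaks nothing.
    """
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    else:
        expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


# RFC 2617 section 3.5 example parameters (not a real account).
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_URI = "/dir/index.html"

if __name__ == "__main__":
    # RFC 2617 section 2 example header, as a sniffer would see it on the wire.
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    resp = digest_response(RFC_USER, RFC_REALM, RFC_PASSWORD, "GET", RFC_URI,
                           RFC_NONCE, qop="auth", nc="00000001", cnonce="0a4f113b")
    print(resp)
```

Note what the sniffer still learns from a Digest exchange: the username, the realm and a hash that can be brute-forced offline against a password list, which is why the HTTPS advice above applies to both schemes.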

Figure 7.2 shows a typical HTTP response. The only fixed part is the status line: the HTTP version, the status code and the status message.

HTTP status codes fall into five classes. A code beginning with 1 is informational (for example 100 Continue, or 101 Switching Protocols when the client asked to upgrade the connection). A 2 means the request was successful. A 3 indicates a redirection: the client has to make a further request, usually to the URL given in the Location header. A 4 signals a client error; the best known are 404, the requested resource could not be found, and 403, access to it is forbidden (401, in contrast, means that authentication is required). A 5 means the server failed to process an otherwise valid request, as in 500 Internal Server Error. The most important status codes are listed in Table 7.2.

Important response headers besides Content-Length, Content-Type and Content-Encoding are Location, which carries the target URL of a redirect (or of a newly created resource), and Set-Cookie, which asks the client to store a cookie.

Table 7.2 Most important HTTP status codes

Code   Description
200    OK: successful request
201    Created: resource was newly created
301    Moved Permanently
307    Temporary Redirect: resource moved temporarily, repeat the request with the same method at the new URL
400    Bad Request: invalid request
401    Unauthorized: authentication required
403    Forbidden: access denied
404    Not Found: resource could not be found
405    Method Not Allowed
500    Internal Server Error

A description of the complete HTTP/1.1 protocol including all status codes can be found in RFC 2616 at w3.org/Protocols/rfc2616/rfc2616.html. RFC 2616 has since been superseded by RFC 7230 to 7235 and later by RFC 9110 to 9112, which keep the same methods and status codes.

 