
Chapter 7 HTTP Hacks

Abstract
Hyper Text Transfer Protocol, or HTTP for short, is probably the best-known protocol of the Internet. Today it is so dominant that plenty of people even think HTTP (or the WWW) is the Internet.

There are not only information sites, shopping portals, search engines, e-mail and forum services, but also office software, wikis, blogs, calendars, social networks, chat software, e-government applications and so on. The list could be extended as desired. Google even built a whole operating system that consists completely of web applications and data stored in the cloud (whether you like that or not is up to you).

It should not be surprising that most attacks nowadays are aimed at web applications and that the web browser is the favorite attack tool. Enough reasons to have a deeper look at the security of the web.

7.1 Protocol Overview

HTTP is a stateless plaintext protocol. That means every request is sent as plain text and is independent of the previous one. Therefore it's quite easy to play “web browser” yourself. Use the good old program telnet or the famous netcat tool to connect to a web server on port 80 and send it the following request:

telnet <host> 80
GET / HTTP/1.0

You're done. That's all you need for a valid HTTP 1.0 request. Close the input with an empty line by pressing return and the server will send back a response as if the request had come from a normal browser. Let's look in detail at what happened here.

GET is the so-called HTTP method; there are more, as you can see in Table 7.1. GET should be used to request a resource, POST to send data; a POST request is guaranteed to be sent only once, otherwise the user is asked whether he or she wants to resend it. Additionally, HTTP 1.0 defines a HEAD method, which implements a GET without the content body (the HTML page, image or whatever): the server just sends the HTTP headers back. HTTP 1.1 defines five more methods: PUT to create a new resource or update an existing one, DELETE to delete a resource, OPTIONS to request the available methods and other properties such as supported content encodings, TRACE for debugging purposes and CONNECT to make the web server open a connection to another web server or proxy.

Table 7.1 HTTP methods

Method    Description
GET       Request a resource
POST      Send data to store or update it on the server
HEAD      Receive just the header of a request
PUT       Create or update a resource
DELETE    Delete a resource
OPTIONS   List all methods, content types and encodings supported by the web server
TRACE     Send the input back as output
CONNECT   Connect this server/proxy to another HTTP server/proxy

Fig. 7.1 HTTP-request-header

The TRACE method should always be disabled on your web servers, because attackers are able to abuse it for a so-called cross-site scripting attack (see Sect. 7.11).

Additionally, HTTP 1.1 requests are required to have a Host header.

telnet <host> 80
GET / HTTP/1.1
Host: <host>
All other header options you can use (see Fig. 7.1) are optional. By sending the option Connection we can tell the web server that we will send further requests and that it should not close the connection after this one. Content-Length defines the length of the content body in bytes, Content-Type its MIME type. Other important request options are Referer, which includes the URL that generated this request, Authorization, which is used by HTTP-Auth to implement login functionality, and Cookie, which includes all cookies.

Fig. 7.2 HTTP-response-header

Cookies are name/value pairs that the server asks the client to save and resend with every request. You can read more about cookies in Sect. 7.6 about cookie manipulation.

Basic mode HTTP auth just uses Base64 to encode, but not encrypt, the username/password combination. For real security one should use Digest Access Authentication! Otherwise an attacker could just grab the credentials, as demonstrated in Sect. 7.7.

Figure 7.2 shows a typical HTTP response. The only fixed part beside the HTTP version is the status code together with the status message.

HTTP status codes can be classified into five groups. If the code begins with a 1, the server asks for the next request to be different (e.g. with a newer HTTP version). If it starts with a 2, the request was successful and free of errors. A 3 indicates a successful but redirected request. A 4 signals a failure; the most commonly known are 404, which means that the requested resource could not be found, and 403, which says that the access attempt is not authorized. If you get a 5 at the beginning, your request produced a serious failure such as the 500 Internal Server Error message. A list of the most important status codes and their descriptions can be found in Table 7.2.

Other important HTTP response headers beside Content-Length, Content-Type and Content-Encoding are Location, which includes the requested URL, and Set-Cookie to set a cookie on the client.
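As an added illustration (not code from the book), the following Python script builds an HTTP/1.1 request with the mandatory Host header the way the telnet sessions in Sect. 7.1 do, parses a response into status line and headers, classifies the status code into the five groups just described, and decodes a Basic auth header to show that Base64 is encoding, not encryption. The sample response and credentials are constructed for the example.

```python
import base64

# Added example (not from the book): build an HTTP/1.1 request with the
# mandatory Host header, parse a response and classify its status code into
# the five groups described in the text, and decode a Basic auth header.
STATUS_GROUPS = {1: "informational", 2: "success", 3: "redirect",
                 4: "client error", 5: "server error"}

def build_request(method, path, host, headers=None, body=b""):
    """Return the raw bytes of an HTTP/1.1 request; Host is always sent."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    # Headers end with an empty line, like pressing return twice in telnet.
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body

def parse_response(raw):
    """Split a raw response into (version, status code, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return version, code, reason, headers, body

def status_group(code):
    """Map e.g. 404 to 'client error' using the first digit, as the text does."""
    return STATUS_GROUPS.get(code // 100, "unknown")

def decode_basic_auth(header_value):
    """Basic auth is only Base64-encoded, not encrypted: anyone who can read
    the request can recover the credentials. Returns (username, password)."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user, password

# Constructed sample response (not captured traffic), as a server might send it.
SAMPLE_RESPONSE = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 9\r\nSet-Cookie: sid=abc123\r\n\r\nNot found")
```

Feeding `build_request("GET", "/", "www.example.com")` to a socket on port 80 reproduces the telnet session, and `parse_response` applied to whatever comes back gives you the status code and the Set-Cookie and Location headers discussed above.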

Table 7.2 Most important HTTP status codes

Code   Description
200    Successful request
201    Resource was newly created
301    Resource moved permanently
302    Resource moved temporarily
400    Invalid request
401    Authorization required
403    Access denied
404    Resource could not be found
405    Method not allowed
500    Internal server error

A description of the complete HTTP protocol including all status codes can be found in RFC 2616 under
