
Understanding HTTP and HTTPS Fundamentals

Sep 18, 2024

TryHackMe HTTP Room Lecture Notes

Introduction

  • Presenter: John
  • Platform: TryHackMe
  • Topic: Understanding HTTP and HTTPS
  • Objective: Detailed exploration of HTTP protocol, requests, responses, methods, status codes, headers, and cookies.

Task 1: Understanding HTTP and HTTPS

  • HTTP: Hypertext Transfer Protocol
    • Developed by Tim Berners-Lee (1989-1991).
    • Protocol for communicating with web servers.
    • Transmits data such as HTML, images, videos.
    • Travels in plaintext, so anyone on the network path can read or alter it.
  • HTTPS: Secure version of HTTP
    • The same requests and responses, carried inside a TLS connection.
    • Encrypts data so it cannot be read or modified in transit.
    • The server presents a certificate, so the client can verify it is talking to the authentic server and not an impostor.
  • Challenge: Identify security issues in a mock webpage.
    • Issue: Website not secure (insecure HTTP).
    • Flag found: THM invalid HTTP cert.

Task 2: Requests and Responses

  • URL (Uniform Resource Locator): Instructions for locating and accessing a resource online.
    • Components:
      • Scheme: Protocol used to access the resource (e.g., HTTP, HTTPS, FTP).
      • User: Username for services needing login (rarely used; credentials placed in URLs end up in logs and browser history).
      • Host: Domain name or IP of the server.
      • Port: Communication port; 80 is assumed for HTTP and 443 for HTTPS when omitted, 8080 is another common choice.
      • Path: File name or resource location on the server.
      • Query String: Extra parameters appended after ? (e.g., ?ID=1); sent to the server and usually logged there.
      • Fragment: Reference to a location within the page, after #; handled by the browser and never sent to the server.
  • HTTP Request Example:
    • Request line: method, path (with any query string) and protocol version, e.g. GET / HTTP/1.1.
    • Headers: Provide extra information (Host, User-Agent, ...), one per line.
    • A blank line ends the headers; a body follows only for methods that send data.
  • HTTP Response Example:
    • Status line: protocol version, status code and reason phrase, e.g. HTTP/1.1 200 OK.
    • Headers include server software version, date/time, content type, and length.
    • A blank line, then the body (the HTML, image, etc.).
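The two halves of the exchange above, as an added example that is not part of the room or the lecture notes: a URL is split into its components and turned into the exact bytes a client would put on the wire (note that the fragment and any credentials are dropped), and a constructed response is parsed back into status code, headers and body. The client name, the URLs and the sample response are all assumptions.

```python
"""Build a raw HTTP/1.1 request from a URL and parse a raw HTTP response.

Added example for these notes, not code from the TryHackMe room. The URLs,
the client name and the captured response are constructed for illustration.
"""
from urllib.parse import urlsplit


def build_request(url: str, method: str = "GET", body: bytes = b"") -> bytes:
    """Return the bytes a client sends over the socket for this URL.

    Each URL component ends up in the request line (path + query string) or in
    the Host header. The fragment never leaves the browser and the user
    component is not part of the request line, so both are dropped here.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname or ""
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"  # non-default ports are explicit in Host
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = [
        f"{method} {target} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: notes-client/0.1",  # hypothetical client name
    ]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    # A blank line separates the headers from the (optional) body.
    head = "\r\n".join(lines) + "\r\n\r\n"
    return head.encode("ascii") + body


def parse_response(raw: bytes) -> dict:
    """Split a raw response into version, status, reason, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    version, code, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    # Content-Length says how many body bytes belong to this response.
    length = int(headers.get("content-length", len(body)))
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body[:length]}


# Constructed response, in the shape the notes describe (server version,
# date/time, content type and length, then the HTML body).
BODY = b"<html><body>Hello, world!</body></html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.15.8\r\n"
    b"Date: Wed, 18 Sep 2024 10:00:00 GMT\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)

if __name__ == "__main__":
    print(build_request("http://tryhackme.com/view?id=1#top").decode())
    print(parse_response(SAMPLE_RESPONSE))
```

Running the block prints the request for a URL with a fragment, which shows the #top part missing from the request line, followed by the parsed fields of the sample response.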

Task 3: HTTP Methods

  • GET: Retrieve information; should not change anything on the server.
  • POST: Submit data, typically to create a new record.
  • PUT: Submit data to update (replace) an existing record (situational: the application has to implement it).
  • DELETE: Remove information/records (situational, as with PUT).
  • Questions:
    • Create account: POST
    • Update email: PUT
    • Remove picture: DELETE
    • View article: GET

Task 4: HTTP Status Codes

  • Status codes inform the client about request outcomes; the first digit gives the category.
  • Categories:
    • 100s: Informational
    • 200s: Success
    • 300s: Redirection
    • 400s: Client Error
    • 500s: Server Error
  • Common Codes:
    • 200: OK
    • 201: Created (a new record was made, typically after a POST)
    • 301: Moved Permanently (permanent redirect; browsers may cache it)
    • 302: Found (temporary redirect)
    • 400: Bad Request (malformed request)
    • 401: Unauthorized (authentication is required or failed)
    • 403: Forbidden (access denied regardless of authentication)
    • 404: Not Found
    • 405: Method Not Allowed (resource exists, but not for this method)
    • 500: Internal Server Error
    • 503: Service Unavailable (server overloaded or down for maintenance)
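The method-to-action mapping of Task 3 and the status codes of Task 4 in one piece of working code, added here as an example and not taken from the room: a small handler keeps an in-memory store of "pictures" and answers GET, POST, PUT and DELETE with the codes a well-behaved server would use, including 405 with an Allow header for methods it does not support and 400 for a body that is not valid JSON. The resource name, the paths and the JSON body format are assumptions; 204 No Content for a successful DELETE is a common choice beyond the codes listed above.

```python
"""Dispatch HTTP methods against an in-memory resource and pick status codes.

Added example for these notes, not code from the TryHackMe room. The
'/pictures' resource, the JSON bodies and the store are constructed.
"""
import json

ALLOWED = ("GET", "POST", "PUT", "DELETE")


def _json(status, payload, extra=None):
    """Helper: JSON body plus Content-Type and any extra headers."""
    headers = {"Content-Type": "application/json"}
    headers.update(extra or {})
    return status, headers, json.dumps(payload).encode()


def handle(method, path, body, store):
    """Return (status, headers, body) for a request to /pictures[/<id>].

    `store` maps id -> record and is mutated in place, so the caller can see
    what POST, PUT and DELETE actually did.
    """
    if method not in ALLOWED:
        # 405: tell the client which methods would have worked.
        return 405, {"Allow": ", ".join(ALLOWED)}, b""
    segments = [s for s in path.split("/") if s]
    if not segments or segments[0] != "pictures" or len(segments) > 2:
        return 404, {}, b""
    item_id = segments[1] if len(segments) == 2 else None

    if method == "GET":  # read only, never changes the store
        if item_id is None:
            return _json(200, list(store.values()))
        if item_id not in store:
            return 404, {}, b""
        return _json(200, store[item_id])

    if method == "DELETE":
        if item_id is None or item_id not in store:
            return 404, {}, b""
        del store[item_id]
        return 204, {}, b""  # success, nothing to send back

    # POST and PUT carry a body; reject anything that is not a JSON object.
    try:
        record = json.loads(body or b"")
        if not isinstance(record, dict):
            raise ValueError("body must be a JSON object")
    except ValueError:
        return 400, {}, b""

    if method == "POST":
        if item_id is not None:
            return 405, {"Allow": "GET, PUT, DELETE"}, b""
        new_id = str(max((int(k) for k in store), default=0) + 1)
        store[new_id] = record
        # 201 plus Location: where the new record now lives.
        return _json(201, record, {"Location": f"/pictures/{new_id}"})

    # PUT replaces an existing record; this handler refuses to create via PUT.
    if item_id is None or item_id not in store:
        return 404, {}, b""
    store[item_id] = record
    return _json(200, record)


if __name__ == "__main__":
    pictures = {}
    for req in [("POST", "/pictures", b'{"name": "cat.png"}'),
                ("PUT", "/pictures/1", b'{"name": "dog.png"}'),
                ("PATCH", "/pictures/1", b"{}"),
                ("DELETE", "/pictures/1", b""),
                ("GET", "/pictures/1", b"")]:
        status, headers, _ = handle(*req, pictures)
        print(req[0], req[1], "->", status, headers)
```

The `__main__` walk-through mirrors the quiz in Task 3: create with POST (201), update with PUT (200), remove with DELETE (204), and a GET for the removed record lands on 404.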

Task 5: Headers

  • Request Headers:
    • Host: Specifies which website is requested; one server or IP can host many sites, and this header picks the right one.
    • User-Agent: Browser and version (supplied by the client, so easily spoofed).
    • Content-Length: Size of the request body in bytes.
    • Accept-Encoding: Compression methods the client supports (e.g., gzip).
    • Cookie: Sends back previously stored cookies, e.g. the session token used for authentication.
  • Response Headers:
    • Set-Cookie: Stores data on the client so the server can recognize it on later requests.
    • Cache-Control: Whether and for how long the browser may cache the response.
    • Content-Type: Type of data returned (MIME type, e.g. text/html; charset=utf-8).
    • Content-Encoding: Compression method actually applied to the body.

Task 6: Cookies

  • Cookies are small data pieces set by the server (Set-Cookie header), stored by the browser, and sent back automatically on later requests to that site (Cookie header).
  • Used for authentication (session tokens) and personalization; a session cookie stands in for the login, so anyone who obtains it can act as that user.
  • Viewing Cookies: Use developer tools in the browser (Storage/Application tab).
  • Set-Cookie: Saves cookies to the client's system; attributes such as Secure, HttpOnly and SameSite limit where the browser will send them.
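The Cookie/Set-Cookie pair from Task 5 and the cookie attributes from Task 6, as an added example that is not code from the room: a parser splits a Set-Cookie header into name, value and attributes, an audit flags a session cookie that lacks Secure, HttpOnly or a SameSite setting, and a builder produces the Cookie header the browser would send back (only name=value, never the attributes). The header values are constructed.

```python
"""Parse Set-Cookie, audit its hardening attributes, build the Cookie header.

Added example for these notes, not code from the TryHackMe room. All header
values used here are constructed.
"""
from typing import Dict, List, Tuple

FLAGS = {"secure", "httponly"}  # attributes that carry no value


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, attributes).

    Attribute names are case-insensitive, so they are stored lower-cased.
    Splitting on ';' first keeps commas inside an Expires date intact.
    """
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs: Dict[str, str] = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        key = key.strip().lower()
        attrs[key] = "true" if key in FLAGS else val.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str) -> List[str]:
    """Return findings for a session cookie that is missing protections."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, browser will send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by page JavaScript")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict, sent on cross-site requests")
    return findings


def cookie_header(set_cookie_headers: List[str]) -> str:
    """Build the Cookie request header from the Set-Cookie headers received.

    Only name=value goes back to the server; the attributes stay in the browser.
    """
    pairs = []
    for h in set_cookie_headers:
        name, value, _ = parse_set_cookie(h)
        pairs.append(f"{name}={value}")
    return "; ".join(pairs)


if __name__ == "__main__":
    weak = "session=abc123; Path=/; Expires=Wed, 18 Sep 2024 10:00:00 GMT"
    strong = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"
    for h in (weak, strong):
        print(h, "->", audit_cookie(h) or "no findings")
    print("Cookie:", cookie_header([strong, "theme=dark; Path=/"]))
```

The audit is the check worth running against any Set-Cookie header seen in the developer tools: the weak header above draws three findings, the hardened one none.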

Task 7: Making Requests

  • HTTP Request Simulation:
    • Perform GET, POST, PUT, DELETE requests using the provided emulator.
  • Key Actions:
    • Modify request methods, paths and parameters.
    • Observe the status code, headers and body of each response, and the flags returned.
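Outside the emulator, the same exercise can be repeated against a throwaway server on the local machine. This is an added example, not the room's emulator: a loopback echo server is started on a free port, one request per method is sent with the standard-library client, and the status code, reason phrase, Server and Content-Type headers and the echoed body are collected. The paths, the client name and the JSON bodies are assumptions; nothing leaves 127.0.0.1.

```python
"""Send GET/POST/PUT/DELETE to a local echo server and read the responses.

Added example for these notes, not the TryHackMe emulator. The echo server,
paths and request bodies are constructed; all traffic stays on loopback.
"""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class EchoHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive: one connection serves all requests

    def _echo(self):
        # Read exactly Content-Length bytes of body, if any, then reply with JSON
        # describing what arrived: method, path (incl. query string), client.
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        payload = json.dumps({
            "method": self.command,
            "path": self.path,
            "user_agent": self.headers.get("User-Agent"),
            "body_length": len(body),
        }).encode()
        self.send_response(200)  # also adds the Server and Date headers
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = _echo

    def log_message(self, *args):  # keep the example quiet
        pass


REQUESTS = [  # constructed, mirroring the Task 3 quiz
    ("GET", "/article?id=1", None),
    ("POST", "/account", b'{"user": "john"}'),
    ("PUT", "/account/1", b'{"email": "john@example.com"}'),
    ("DELETE", "/picture/1", None),
]


def run_exchange():
    """Start the server, issue one request per method, return the results."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    results = []
    try:
        for method, path, body in REQUESTS:
            conn.request(method, path, body=body,
                         headers={"User-Agent": "notes-client/0.1",  # hypothetical
                                  "Content-Type": "application/json"})
            resp = conn.getresponse()
            results.append({
                "status": resp.status,
                "reason": resp.reason,
                "server": resp.getheader("Server"),
                "content_type": resp.getheader("Content-Type"),
                "echo": json.loads(resp.read()),
            })
    finally:
        conn.close()
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for r in run_exchange():
        print(r["echo"]["method"], r["echo"]["path"], "->",
              r["status"], r["reason"], r["server"], r["content_type"])
```

The Server header printed for each response is the one the handler adds by default; on a real target this is the "server software version" header the notes mention in Task 2, and the first thing to read when fingerprinting a web server.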

Conclusion

  • Resources: TryHackMe Discord and subreddit for questions.
  • Encouragement: Continue learning and exploring web hacking.