Hey guys, Rocky here! 👋
Welcome back to Day 1 of the Daily Web Hacking series on Hacklivly! Today, we’re dissecting HTTP Basics in extreme detail. By the end of this guide, you’ll understand HTTP like it’s your favorite meme template. Let’s roll!
—
HTTP: The Backbone of the Web
HTTP (HyperText Transfer Protocol) is the rulebook for how clients (like your browser) and servers (where websites live) communicate. Without HTTP, the web would be like a group chat where everyone speaks different languages. Let’s break it down:
Client-Server Model: The Coffee Shop Analogy
Imagine you’re at a coffee shop:
- You (Client): “Can I get a latte?” (This is an HTTP Request).
- Barista (Server): “Here’s your latte!” (This is an HTTP Response).
But instead of coffee, you’re exchanging data—HTML, images, login credentials, or cat videos.
—
The Anatomy of an HTTP Request
When you type hacklivly.com into your browser, here’s what actually happens:
1. The Request Line
Every HTTP request starts with a request line:
GET /daily-web-hacking HTTP/1.1
- HTTP Method:
GET (fetch data).
- Path:
/daily-web-hacking (the resource you’re asking for).
- HTTP Version:
HTTP/1.1 (the protocol version).
2. Headers: The Secret Notes
Headers add context to your request. Think of them as sticky notes for the server:
Host: hacklivly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html, */*
Cookie: session_id=1234abcd
- Host: Tells the server which website you’re targeting (important for servers hosting multiple sites).
- User-Agent: Your browser’s fingerprint (Chrome, Firefox, etc.).
- Accept: What data formats your browser can handle (HTML, images, etc.).
- Cookie: Your session ID (so the server remembers you’re logged in).
Hacker Tip: Changing the User-Agent to Googlebot sometimes tricks servers into showing hidden content!
3. Body (Optional)
Used for sending data to the server, like form submissions:
POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
username=rocky&password=Sup3rSecret!
—
The Anatomy of an HTTP Response
The server replies with a structured message:
1. Status Line
HTTP/1.1 200 OK
- HTTP Version:
HTTP/1.1 (matches the request).
- Status Code:
200 (success!).
- Status Message:
OK (human-friendly description).
2. Headers
Server headers tell your browser how to handle the response:
Content-Type: text/html
Set-Cookie: session_id=1234abcd; Secure; HttpOnly
Server: Apache/2.4.1 (Unix)
- Content-Type: The format of the data (HTML, JSON, etc.).
- Set-Cookie: Assigns you a session cookie.
Secure means it’s only sent over HTTPS; HttpOnly blocks JavaScript from accessing it.
- Server: Exposes the server software (Apache, Nginx). Hackers use this to find vulnerabilities!
3. Body
The actual content you requested:
<html>
<head><title>Web Hacking 101</title></head>
<body>Welcome to Hacklivly!</body>
</html>
—
HTTP Methods: The Hacker’s Toolkit
While GET and POST are the most common, HTTP has several methods (verbs) that hackers abuse:
| Method | Purpose | Hacker Angle |
|————|————-|——————-|
| GET | Retrieve data | Can expose sensitive data in URLs (e.g., /user?id=123). |
| POST | Submit data | Used for login forms. SQL injection often happens here. |
| PUT | Upload data | Misconfigured servers let attackers upload malicious files. |
| DELETE | Remove data | No auth checks? Delete the entire database. 😈 |
| HEAD | Get headers only | Reconnaissance—check if a page exists without downloading it. |
| OPTIONS | List allowed methods | Find misconfigured methods (e.g., PUT enabled). |
Example Attack: If a server allows DELETE /users/5 without authentication, an attacker can wipe user accounts.
—
Status Codes: The Server’s Secret Language
Status codes are grouped into five classes:
| Code | Meaning | Hacker Insight |
|———-|————-|———————|
| 200 OK | Success! | Look for sensitive data in the response body. |
| 301 Moved Permanently | Redirect | Find hidden endpoints by following redirects. |
| 401 Unauthorized | Login required | Test for weak default credentials (admin/admin). |
| 403 Forbidden | No access | Bypass with directory traversal (e.g., ../). |
| 404 Not Found | Page missing | Scan for common files (/admin, /backup). |
| 500 Internal Server Error | Server messed up | Often leaks debug info (database passwords!). |
Pro Tip: Use curl -I https://hacklivly.com to fetch only headers and status codes for recon!
—
Headers: The Devil’s in the Details
Headers are a goldmine for attackers. Let’s explore critical ones:
1. Security Headers
- Content-Security-Policy (CSP): Defines allowed scripts. Bypass it if misconfigured.
- X-Frame-Options: Blocks clickjacking. If missing, exploit it!
- Strict-Transport-Security (HSTS): Forces HTTPS. No HSTS? Downgrade to HTTP and sniff traffic.
2. Recon Headers
- Server: Apache 2.4.1? Google exploits for that version.
- X-Powered-By: PHP 5.6? That’s outdated and vulnerable.
3. Authentication Headers
- WWW-Authenticate: Challenges you to log in. Test for weak authentication.
- Authorization: Contains
Basic or Bearer tokens. Steal them for access.
Hacker Move: Spoof the X-Forwarded-For header to bypass IP restrictions!
—
Cookies: Your Digital ID
Cookies let servers remember you. Here’s how hackers abuse them:
1. Session Hijacking
Steal cookies via:
- XSS Attacks: Inject malicious JavaScript to steal
document.cookie.
- Packet Sniffing: Intercept unencrypted (HTTP) traffic.
2. Cookie Attributes
- Secure: Only sends cookies over HTTPS.
- HttpOnly: Blocks JavaScript access.
- SameSite: Stops cross-site request forgery (CSRF).
Attack Scenario: If SameSite=Lax is missing, launch a CSRF attack to transfer funds from a logged-in user.
—
HTTP vs HTTPS: Encryption Matters
HTTPS adds TLS encryption to HTTP. Here’s why hackers care:
- Without HTTPS: Eavesdrop on passwords, cookies, and data.
- With HTTPS: Still vulnerable to misconfigurations (e.g., weak TLS versions).
Tool Alert: Use Wireshark to sniff HTTP traffic or sslstrip to downgrade HTTPS to HTTP.
—
Real-World Attack Walkthrough
Let’s tie this all together with a hypothetical attack:
- Recon: Use
curl -I to check headers. Find Server: Apache 2.2.8 (a known vulnerable version).
- Exploit: Google “Apache 2.2.8 exploit” and find a directory traversal bug.
- Craft Request: Send
GET /../../etc/passwd HTTP/1.1 to leak system files.
- Profit: Extract passwords or escalate access.
—
Homework: Play with HTTP
- Open Chrome DevTools (F12 → Network tab).
- Visit a site and inspect the HTTP requests/responses.
- Find cookies, headers, and status codes.
- Use curl to replicate a request:
curl -X POST -d "username=test&password=test" -v http://hacklivly.com/login
—
Why This Matters for Part 2: Reconnaissance
Tomorrow, we’ll dive into Part 2: Reconnaissance—the art of gathering intel before an attack. HTTP basics are your foundation:
- Find Hidden Endpoints: Analyze HTTP responses for clues.
- Fingerprint Servers: Use headers to identify software versions.
- Map Attack Surfaces: Discover APIs, forms, and misconfigured methods.
—
Final Thoughts
HTTP is the DNA of the web. Mastering it lets you:
- Hunt Vulnerabilities: Spot misconfigurations in headers, cookies, and methods.
- Automate Attacks: Write scripts to send malicious HTTP requests.
- Defend Better: Secure your apps by understanding the attacker’s lens.
Next Up: We’ll weaponize this knowledge in Part 2: Reconnaissance. We’ll use tools like Nmap, Burp Suite, and DirBuster to map targets and find weak spots.
Rocky signing off! ✌️
—
P.S. If you’re hyped for Part 2, share this with your squad! Let’s build a community of ethical hackers. 💪
Discussion Question: What’s the weirdest HTTP status code you’ve encountered? Mine’s 418 I’m a teapot (yes, it’s real). Drop your answers below! 👇
