HTTP Basics Demo


Transcript of HTTP Basics Demo

December 13, 2014

Akash Mahajan

#

This module will set the base for anyone interested in learning about Hyper Text Transfer Protocol (HTTP) basics with regards to Web Security.

10+ years of industry experience.

Director - The App Sec Lab

OWASP Bangalore Chapter Lead

Co-Founder and Community Manager at null - The Open Security Group

[email protected] | +91 9980527182 | @makash

HTTP Basics

Introduction

About me

Akash Mahajan

Curl

So for the greater good, please speak up

You have no idea what I am talking about. Great, we will learn together

You know more than me. Great, please correct my mistakes and cover any gaps

I expect full participation from everyone

Learn the fundamentals of HTTP (Language/Platform agnostic)

*Have fun and learn a lot*

#

Information for Participants

Software Requirements

Chances are I am going to be wrong about 2/10 things that I talk about

2 Kinds of audience here

Participate!

Objectives

Agenda

Basics of Hyper Text Transfer Protocol (HTTP)

*Hands-On* with Command Line Web Client

Basics of TLS/SSL (Time permitting)

#

Hyper Text Transfer Protocol

From Wikipedia

HTTP is a request/response standard of a client and a server. A client is the end-user, the server is the web site. The client making a HTTP request—using a web browser, spider, or other end-user tool—is referred to as the user agent.

The responding server—which stores or creates resources such as HTML files and images—is called the origin server. In between the user agent and origin server may be several intermediaries, such as proxies, gateways, and tunnels.

Clients make requests and servers respond

It can't be the other way around.

Servers cannot initiate any communication on their own in HTTP

HTTP has no notion of state. One connection has no relationship to another.

HTTP

Basics of HTTP

Basics of HTTP cont...

HTTP is client-server

HTTP is stateless

So since the HTTP protocol has no idea about state, it is the application's responsibility to maintain state.

How do the above affect building web applications?

Servers need to identify each client uniquely

They do this by storing a unique value on the client

Since HTTP is stateless, each request made needs to contain that unique value. For all practical purposes this unique value is like a password

We put this in the browser address line

http://google.com/search?q=HTTP

What actually went to the google server (the request line, then the Host header on its own line)

GET /search?q=HTTP
Host: www.google.com

Safe Methods

GET, HEAD, OPTIONS

Not Safe Methods

POST, PUT, DELETE

Other Methods

CONNECT

So how do web applications track users?

Side-effects of being Stateless

What does it look like? HTTP GET

HTTP Methods/Verbs

HTTP Response Status Codes

1xx – Informational Messages

2xx – Success

200 OK

3xx – Redirects

301, 302

4xx – Client Errors

404, 403, 400

5xx – Server Errors

500, 502, 503, 505

Request

Response

Request Header

Request Body

QueryString

Response Header

Response Body
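To make the terms above concrete, here is an added example (not code from the deck) that builds the raw bytes behind "What actually went to the google server" and takes apart a request or response into start line, headers, query string and body. It assumes HTTP/1.1, which is why a Host header is emitted; the sample response is constructed for the example, as is the session cookie value in it.

```python
from urllib.parse import urlsplit, parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # from the slides
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirect",
                  4: "Client Error", 5: "Server Error"}


def build_request(url, method="GET", body=None, extra_headers=None):
    """Serialise what a client actually sends for a URL (assumes HTTP/1.1)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:                       # the query string rides on the request line
        target += "?" + parts.query
    lines = [f"{method} {target} HTTP/1.1", f"Host: {parts.netloc}"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    if body is not None:                  # what `curl -d` adds for a POST
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body.encode())}")
    lines.append("")                      # blank line ends the header section
    raw = "\r\n".join(lines) + "\r\n"
    if body is not None:
        raw += body
    return raw


def parse_message(raw):
    """Split any HTTP message into (start line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return lines[0], headers, body


def parse_request(raw):
    start, headers, body = parse_message(raw)
    method, target, version = start.split(" ", 2)
    path, _, query = target.partition("?")
    return {"method": method, "path": path,
            "query": {k: v[0] for k, v in parse_qs(query).items()},
            "version": version, "headers": headers, "body": body}


def parse_response(raw):
    start, headers, body = parse_message(raw)
    version, code, reason = start.split(" ", 2)
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}


def status_class(code):
    """Map a status code to the 1xx..5xx class used on the slides."""
    return STATUS_CLASSES.get(code // 100, "Unknown")


def is_safe(method):
    return method.upper() in SAFE_METHODS


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=constructed-example-id; path=/\r\n"
    "Content-Length: 24\r\n"
    "\r\n"
    "<html>hello world</html>"
)

if __name__ == "__main__":
    print(build_request("http://google.com/search?q=HTTP"))
    print(parse_response(SAMPLE_RESPONSE))
```

Run it and compare the printed request with the output of `curl -v`: the request line, the Host header and the blank line are exactly the bytes curl shows prefixed with `>`.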

terminal (or Start | Run, then cmd on Windows)

Some terms to remember

Hands-On HTTP with Curl

Open a terminal

#

$ curl http://akashm.com/box/ip.php

$ curl http://akashm.com/box/ip.php -v

$ curl http://akashm.com/box/ip.php -I

$ curl http://akashm.com/box/ip.php -Iv

$ curl http://akashm.com/box/post.php

HTTP GET a Page

HTTP GET a Page -- verbose

HTTP HEAD a Page

HTTP HEAD a Page -- verbose

HTTP POST a page

HTTP GET some query string

$ curl "http://akashm.com/box/post.php?name=Akash&lname=Mahajan"

$ curl http://akashm.com/box/post.php -d ""

$ curl http://akashm.com/box/post.php -d "firstname=Akash&lastname=Mahajan"

$ curl -v http://akashm.com/box/sess.php

$ curl -v http://akashm.com/box/sess.php -c cookie.jar

$ curl -v http://akashm.com/box/sess.php -b cookie.jar

#

HTTP POST a page with empty data

HTTP POST a page with data

Using curl to mimic a web browser

What a session id looks like

Let's save the cookie value

Let's use the cookie value
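The sess.php / cookie.jar sequence above is easier to reason about with both sides visible, so here is an added simulation (not code from the deck or from sess.php) of a stateless server and two curl-like clients, one that throws cookies away like plain `curl` and one that keeps a jar like `curl -c cookie.jar -b cookie.jar`. The cookie name PHPSESSID is an assumption about what the demo page sets; everything else is constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "PHPSESSID"   # assumption: the name the demo's sess.php would use


class StatelessServer:
    """The server remembers nothing between requests except what it can look
    up by the session id the client chooses to send back."""

    def __init__(self):
        self.sessions = {}   # session id -> visit counter for that client

    def handle(self, request_headers):
        jar = SimpleCookie(request_headers.get("Cookie", ""))
        sid = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
        response_headers = {}
        if sid not in self.sessions:
            # Missing or unknown id: mint a fresh one from a CSPRNG. The id is
            # this client's credential from now on ("like a password"), so it
            # must be unguessable, sent only over TLS (Secure) and kept away
            # from page scripts (HttpOnly).
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = 0
            response_headers["Set-Cookie"] = f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure"
        self.sessions[sid] += 1
        return response_headers, f"visit {self.sessions[sid]} of session {sid[:8]}"


class CurlLikeClient:
    """use_jar=False behaves like plain curl; True like curl -c jar -b jar."""

    def __init__(self, use_jar):
        self.use_jar = use_jar
        self.jar = {}        # cookie name -> value, i.e. cookie.jar

    def get(self, server):
        headers = {}
        if self.use_jar and self.jar:           # -b cookie.jar: send what we saved
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.jar.items())
        response_headers, body = server.handle(headers)
        if self.use_jar and "Set-Cookie" in response_headers:   # -c cookie.jar: save it
            for name, morsel in SimpleCookie(response_headers["Set-Cookie"]).items():
                self.jar[name] = morsel.value
        return body


def run_demo():
    """Three requests without a jar and three with one; returns
    (number of sessions the server created, bodies without jar, bodies with jar)."""
    server = StatelessServer()
    anonymous = CurlLikeClient(use_jar=False)
    returning = CurlLikeClient(use_jar=True)
    without_jar = [anonymous.get(server) for _ in range(3)]
    with_jar = [returning.get(server) for _ in range(3)]
    return len(server.sessions), without_jar, with_jar


if __name__ == "__main__":
    count, a, b = run_demo()
    print(count, "sessions created on the server")
    print("no jar:  ", a)
    print("with jar:", b)
```

Without a jar every request starts a new session and the server cannot tell the three visits apart; with the jar the same id comes back each time and the counter climbs. That is the whole trick behind "tracking users" over a stateless protocol, and also why the id has to be treated as a secret.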

Basics of TLS/SSL

Encrypted Communication – protects against eavesdropping and tampering

Secure Identification of a Network peer – are you talking to the right server?

SSL/TLS

An SSL certificate is presented with a certificate chain which begins with the server's public key certificate and ends with a Certificate Authority's root certificate

How does the client verify an SSL cert?
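As an added illustration of the verification question (not part of the deck), the following walks a chain in the order the slide describes, server certificate first and CA root last, and applies the checks a client performs: the name matches the host, nothing has expired, each certificate's issuer is the next certificate up, the last one is a root in the local trust store, and every signature verifies under the issuer's key. The certificates are a toy model, not X.509: "key" stands in for the subject's public key and the signature is an HMAC-SHA256 under the issuer's key (an assumption made so the code runs without a crypto library; real PKI uses asymmetric signatures and the verifier holds only public keys). Names, dates and keys in the demo chain are constructed.

```python
import hashlib
import hmac


def cert_body(cert):
    """The bytes the issuer signs: subject, issuer, expiry and the subject's key."""
    return "|".join([cert["subject"], cert["issuer"], cert["not_after"], cert["key"]]).encode()


def make_cert(subject, issuer, not_after, key, issuer_key):
    """Toy issuance: HMAC stands in for the CA's signature (assumption)."""
    cert = {"subject": subject, "issuer": issuer, "not_after": not_after, "key": key}
    cert["signature"] = hmac.new(issuer_key.encode(), cert_body(cert), hashlib.sha256).hexdigest()
    return cert


def signature_ok(cert, issuer_key):
    expected = hmac.new(issuer_key.encode(), cert_body(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["signature"])


def verify_chain(chain, hostname, trust_store, today):
    """chain[0] is the server cert, chain[-1] the CA root (the order on the slide).
    trust_store maps trusted root names to their keys, like a browser or OS store.
    Dates are ISO strings so they compare lexicographically. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    if chain[0]["subject"] != hostname:
        return False, f"certificate is for {chain[0]['subject']}, not {hostname}"
    for i, cert in enumerate(chain):
        if cert["not_after"] < today:
            return False, f"{cert['subject']} expired on {cert['not_after']}"
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if issuer["subject"] != cert["issuer"]:
                return False, (f"{cert['subject']} names issuer {cert['issuer']} "
                               f"but is followed by {issuer['subject']}")
            issuer_key = issuer["key"]
        else:
            # The chain must end at a root the client already trusts, and the
            # key used to check it comes from the trust store, never from the
            # untrusted chain itself.
            if cert["issuer"] != cert["subject"] or cert["subject"] not in trust_store:
                return False, f"chain ends at {cert['subject']}, which is not a trusted root"
            issuer_key = trust_store[cert["subject"]]
        if not signature_ok(cert, issuer_key):
            return False, f"bad signature on {cert['subject']}"
    return True, "chain verified"


def build_demo_chain():
    """Constructed three-level chain: leaf for akashm.com <- intermediate <- root."""
    root_key, inter_key, leaf_key = "root-toy-key", "inter-toy-key", "leaf-toy-key"
    root = make_cert("Example Root CA", "Example Root CA", "2030-01-01", root_key, root_key)
    inter = make_cert("Example Intermediate CA", "Example Root CA", "2025-01-01", inter_key, root_key)
    leaf = make_cert("akashm.com", "Example Intermediate CA", "2016-01-01", leaf_key, inter_key)
    return [leaf, inter, root], {"Example Root CA": root_key}


if __name__ == "__main__":
    chain, store = build_demo_chain()
    print(verify_chain(chain, "akashm.com", store, "2014-12-13"))
    print(verify_chain(chain, "google.com", store, "2014-12-13"))
    print(verify_chain(chain, "akashm.com", {}, "2014-12-13"))
```

The order of the checks matters less than the fact that every one of them must pass: a chain that links up perfectly but ends at a root the client does not trust, or a valid chain for a different hostname, is rejected just as firmly as a bad signature.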

Live Demo

Certificate Hierarchy

QnA