Vulnarex | Elite Cybersecurity Learning Platform

#Mastering the HTTP Protocol#link

In the previous lesson, we traced the lifecycle of a web request. Now we're going to zoom in on the HTTP protocol itself — the language that browsers and servers use to communicate. As a security professional, HTTP is the protocol you'll interact with more than any other. Every vulnerability you test, every exploit you craft, and every defense you implement will involve HTTP in some way.

HTTP Request Structure

An HTTP request consists of a request line, headers, an optional blank line, and an optional body. Let's examine a real request:

http

POST /api/login HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: application/json
Content-Length: 42
Accept: application/json
Cookie: session_id=abc123def456

{"username": "admin", "password": "s3cret!"}

Component	Example	Purpose
Request Line	POST /api/login HTTP/1.1	Method, path, and protocol version
Host	www.example.com	Target server (required in HTTP/1.1)
User-Agent	Mozilla/5.0...	Identifies the client software
Content-Type	application/json	Format of the request body
Cookie	session_id=abc123...	Session identifier sent automatically
Body	{"username": "admin"}	Data sent to the server

HTTP Methods

HTTP defines a set of request methods that indicate the desired action to be performed on a resource. Understanding these methods is essential for both building and testing web applications.

Method	Purpose	Idempotent?	Has Body?
GET	Retrieve a resource	Yes	No
POST	Submit data / create resource	No	Yes
PUT	Replace/update a resource entirely	Yes	Yes
PATCH	Partially update a resource	No	Yes
DELETE	Remove a resource	Yes	Rarely
HEAD	Get headers only (no body)	Yes	No
OPTIONS	List allowed methods for a resource	Yes	No

info

💡 An idempotent method means making the same request multiple times produces the same result. GET, PUT, and DELETE are idempotent — deleting a resource twice has the same effect as deleting it once. POST is NOT idempotent — submitting an order twice creates two orders.

STRICT SECURE AUDIT RULE

⚠️ Many web applications don't properly enforce HTTP method restrictions. An endpoint designed for GET might still process a POST request. This is a common source of vulnerabilities. Always test endpoints with unexpected methods during security assessments.

HTTP Response Structure

The server's response mirrors the request structure. It includes a status line, headers, and optionally a body:

http

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 58
Server: nginx/1.18.0
Set-Cookie: session_id=xyz789; HttpOnly; Secure
X-Frame-Options: DENY
Cache-Control: no-store

{"status": "success", "message": "Login successful"}

HTTP Status Codes

Status codes tell the client what happened with their request. They're grouped into five classes:

Range	Class	Common Codes
1xx	Informational	100 Continue, 101 Switching Protocols
2xx	Success	200 OK, 201 Created, 204 No Content
3xx	Redirection	301 Moved Permanently, 302 Found, 304 Not Modified
4xx	Client Error	400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests
5xx	Server Error	500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable

callout

Status codes are a goldmine for reconnaissance. A 401 vs 403 response can tell you whether a resource exists. A 500 error might reveal stack traces with sensitive information. Always pay attention to status codes during security testing.

Critical HTTP Headers for Security

Several HTTP headers exist specifically to enforce security policies. Understanding these is crucial for both attacking and defending web applications:

▪Content-Security-Policy (CSP) — Restricts what resources the browser can load
▪X-Frame-Options — Prevents clickjacking by controlling iframe embedding
▪Strict-Transport-Security (HSTS) — Forces HTTPS connections
▪X-Content-Type-Options — Prevents MIME-type sniffing attacks
▪Set-Cookie with HttpOnly flag — Prevents JavaScript access to cookies
▪Set-Cookie with Secure flag — Cookie only sent over HTTPS
▪Access-Control-Allow-Origin — Controls cross-origin resource sharing (CORS)

Inspecting HTTP Headers with cURL

root@vulnarex:~#curl -I https://www.example.com

info

💡 The -I flag in cURL sends a HEAD request and returns only headers. Use -i to include headers AND the body in the output. Use -v for verbose mode to see the full request/response exchange including TLS details.

HTTP vs. HTTPS

HTTP transmits data in plaintext — anyone on the network can read or modify the traffic. HTTPS adds a TLS (Transport Security Layer) encryption layer on top of HTTP, providing confidentiality, integrity, and authentication. In HTTPS, the TLS handshake occurs before any HTTP data is exchanged, ensuring that all subsequent communication is encrypted.

STRICT SECURE AUDIT RULE

⚠️ HTTPS encrypts the content of requests and responses, but it does NOT hide the destination IP address, domain name (via SNI in most cases), or the size and timing of requests. Traffic analysis can still reveal sensitive information even over HTTPS.

quiz BLOCK (★ 50 XP)

A security tester discovers that changing a request from GET to POST on an admin endpoint still processes the request successfully. What vulnerability class is MOST likely present?

Select your proof vectors above