Hypertext Transfer Protocol

Here we start the 'Web Security and Penetration' course.

Let's begin...

What is HTTP?

HTTP is a request-response protocol based on the client-server computing model. It is thanks to the HTTP protocol that you are viewing this website.

Your web browser (Firefox, Chrome, Safari...) acts as a client, and it makes an HTTP request to the host that serves this web page (which acts as a server). The server sends resources such as HTML files back to the client.

This protocol involves terms such as TCP, URLs, the application layer... that we will see in later posts.

(quick term)

HTTP Session: It is a sequence of request-response transactions. An HTTP client initiates a request by establishing a TCP (Transmission Control Protocol) connection to a port on a server (usually port 80). An HTTP server is listening on that port, waiting for clients.

How does HTTP work?

In HTTP we can find methods (also referred to as verbs): keywords that clients and servers use to communicate with each other.

We are going to see some methods:

GET
Easy one. Clients use this method to get information/resources from the server. Ex: your browser uses a GET method every time you connect to this blog.

[Image: GET method done through telnet in Ubuntu. Source: Wikipedia]
*(quick explanation): Every HTTP 'connection' has 3 fields. As you can see in the image: Red=Request, Blue=Header Section, Green=Body.

HEAD
Just like the GET method, but in this case the server answers without the body field. It's useful when you are looking just for some metadata.

POST
You use this method when you want to store something in the server database. Ex: when you are writing a comment.

DELETE
It explains itself. It is used to delete resources/files.

CONNECT

The CONNECT method converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.


Clients can try every method, but servers are configured to allow just some of them. Ex: It would not make sense for every client to be able to use the DELETE method on this blog.
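A sketch of that server-side restriction, added here as an example and not part of the original post: a Python standard-library server that answers GET and HEAD and rejects every other method with 405 and an Allow header. The allow-list, the page body and the probe helper are assumptions chosen for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED = ("GET", "HEAD")   # assumption: a read-only blog needs nothing else
BODY = b"<h1>hello</h1>\n"  # constructed sample page

class AllowListHandler(BaseHTTPRequestHandler):
    def _reply(self, status, body=b""):
        self.send_response(status)
        if status == 405:
            # Tell the client which methods this resource accepts.
            self.send_header("Allow", ", ".join(ALLOWED))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD: same headers as GET, no body
            self.wfile.write(body)

    def do_GET(self):
        self._reply(200, BODY)

    do_HEAD = do_GET

    def _reject(self):
        self._reply(405, b"method not allowed\n")

    def __getattr__(self, name):
        # http.server dispatches to do_<METHOD>; any method without an
        # explicit handler above (POST, DELETE, CONNECT, ...) is rejected.
        if name.startswith("do_"):
            return self._reject
        raise AttributeError(name)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def probe(methods):
    """Serve on a free local port; return {method: (status, Allow, body length)}."""
    server = HTTPServer(("127.0.0.1", 0), AllowListHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    try:
        for method in methods:
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request(method, "/")
            resp = conn.getresponse()
            results[method] = (resp.status, resp.getheader("Allow"), len(resp.read()))
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results
```

Calling probe(["GET", "HEAD", "DELETE"]) shows the difference between the three: GET returns the page, HEAD returns only the headers, and DELETE is refused with the list of allowed methods.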

Cool things about HTTP

HTTP is connectionless (Hosts can send a message without establishing a connection with the recipient). Every HTTP connection is considered a new one by the server. Cookies and other tools are used to solve some 'problems' related to this field.

HTTP can deliver any sort of data.


What about HTTPS?

HTTPS or 'HTTP Secure' is an extension of HTTP. It brings security to some aspects of HTTP. This is done by adding an SSL/TLS layer to protect the traffic.

If you are using HTTP, what you are doing can be seen through sniffers or by a man-in-the-middle (even more dangerous if you are on public Wi-Fi). HTTPS connections were used for online payments, sensitive emails... and now this protocol is spreading all over the Net.

Everything in the HTTPS message is encrypted, including the headers and the request/response payload. To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. This certificate must be signed by a trusted certificate authority for the web browser to accept it without warning.

HTTPS is not connectionless and uses the port 443 by default (HTTP is connectionless and uses the port 80 by default).