December 13, 2014
Akash Mahajan
#
HTTP Basics
Introduction
This module will set the base for anyone interested in learning about
Hyper Text Transfer Protocol (HTTP) basics with regards to Web Security.

About me
Akash Mahajan
10+ years of industry experience.
Director - The App Sec Lab
OWASP Bangalore Chapter Lead
Co-Founder and Community Manager at null - The Open Security Group
akashmahajan@gmail.com | +91 9980527182 | @makash
Information for Participants

Software Requirements
Curl

2 Kinds of audience here
You have no idea what I am talking about. Great, we will learn together.
You know more than me. Great, please correct my mistakes and cover any gaps.

Chances are I am going to be wrong about 2/10 things that I talk about.
So for the greater good, please speak up.

Participate!
I expect full participation from everyone.

Objectives
Learn the fundamentals of HTTP (Language/Platform agnostic)
*Have fun and learn a lot*

Agenda
Basics of Hyper Text Transfer Protocol (HTTP)
*Hands-On* with Command Line Web Client
Basics of TLS/SSL (Time permitting)
#
HTTP
Hyper Text Transfer Protocol
From Wikipedia:
HTTP is a request/response standard of a client and a server. A client is
the end-user, the server is the web site. The client making a HTTP
request—using a web browser, spider, or other end-user tool—is referred
to as the user agent.
The responding server—which stores or creates resources such as
HTML files and images—is called the origin server. In between the user
agent and origin server may be several intermediaries, such as proxies,
gateways, and tunnels.

Basics of HTTP
HTTP is client-server
Clients make requests and servers respond. It can't be the other way:
servers cannot initiate any communication on their own in HTTP.

Basics of HTTP cont...
HTTP is stateless
HTTP has no notion of state. One connection has no relationship to another.
Side-effects of being Stateless
Since the HTTP protocol has no idea about state, it is the application's
responsibility to maintain state.
How do the above affect building web applications?

So how do web applications track users?
The server needs to identify each client uniquely.
It does this by storing a unique value on the client.
Since HTTP is stateless, each request made needs to contain that unique
value. For all practical purposes this unique value is like a password.

What does it look like? HTTP GET
We put this in the browser address line:
http://google.com/search?q=HTTP
What actually went to the google server:
GET /search?q=HTTP
Host: www.google.com

HTTP Methods/Verbs
Safe Methods: GET, HEAD, OPTIONS
Not Safe Methods: POST, PUT, DELETE
Other Methods: CONNECT

HTTP Response Status Codes
1xx – Informational Messages
2xx – Success: 200 OK
3xx – Redirects: 301, 302
4xx – Client Errors: 404, 403, 400
5xx – Server Errors: 500, 502, 503, 505

Some terms to remember
Request, Response
Request Header, Request Body, QueryString
Response Header, Response Body
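To make the terms above concrete, here is an added example (not from the deck) that builds the wire form of a URL typed into the address line, parses requests and responses back into their parts (request line, headers, QueryString, body), and classifies methods and status codes the way the previous slides do. The sample redirect response and the example.test hostname are constructed for this example.

```python
"""Build and parse raw HTTP/1.1 messages as they travel on the wire (added example)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Classification from the deck: safe methods must not change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
NOT_SAFE_METHODS = {"POST", "PUT", "DELETE"}
OTHER_METHODS = {"CONNECT"}

STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirect",
                  4: "Client Error", 5: "Server Error"}


@dataclass
class HttpRequest:
    method: str
    path: str
    query: dict       # QueryString decoded into name -> [values]
    version: str
    headers: dict     # Request Header fields, names lower-cased
    body: str         # Request Body


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: dict     # Response Header fields
    body: str         # Response Body


def _split_message(raw: str):
    """Split a wire message into its start line, a header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")   # blank line ends the headers
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw: str) -> HttpRequest:
    start, headers, body = _split_message(raw)
    method, target, version = start.split(" ")
    path, _, query_string = target.partition("?")
    return HttpRequest(method, path, parse_qs(query_string), version, headers, body)


def parse_response(raw: str) -> HttpResponse:
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)               # reason phrase is optional
    reason = parts[2] if len(parts) > 2 else ""
    return HttpResponse(parts[0], int(parts[1]), reason, headers, body)


def request_for_url(url: str, method: str = "GET", body: str = "") -> str:
    """What actually leaves the client for a URL typed into the address line."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = [f"{method} {target} HTTP/1.1", f"Host: {parts.netloc}"]
    if body:  # a form POST like curl -d "firstname=...&lastname=..."
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def form_fields(req: HttpRequest) -> dict:
    """Decode a form body the way a server-side script sees POSTed fields."""
    ctype = req.headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return parse_qs(req.body)
    return {}


def method_kind(method: str) -> str:
    m = method.upper()
    if m in SAFE_METHODS:
        return "safe"
    if m in NOT_SAFE_METHODS:
        return "not safe"
    if m in OTHER_METHODS:
        return "other"
    return "unknown"


def status_class(code: int) -> str:
    return STATUS_CLASSES.get(code // 100, "Unknown")


# Constructed sample: a server answering with a redirect (3xx).
SAMPLE_RESPONSE = ("HTTP/1.1 302 Found\r\n"
                   "Location: http://example.test/login\r\n"
                   "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(request_for_url("http://google.com/search?q=HTTP"))
    print(parse_response(SAMPLE_RESPONSE))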
Hands-On HTTP with Curl
Open a terminal
Or Start | Run and type cmd
#
HTTP GET a Page
$ curl http://akashm.com/box/ip.php
HTTP GET a Page -- verbose
$ curl http://akashm.com/box/ip.php -v
HTTP HEAD a Page
$ curl http://akashm.com/box/ip.php -I
HTTP HEAD a Page -- verbose
$ curl http://akashm.com/box/ip.php -Iv
HTTP POST a page
$ curl http://akashm.com/box/post.php
HTTP GET some query string
$ curl "http://akashm.com/box/post.php?name=Akash&lname=Mahajan"
(the URL is quoted so the shell does not treat & as a background operator)
HTTP POST a page with empty data
$ curl http://akashm.com/box/post.php -d ""
HTTP POST a page with data
$ curl http://akashm.com/box/post.php -d "firstname=Akash&lastname=Mahajan"

Using curl to mimic a web browser
What a session id looks like
$ curl -v http://akashm.com/box/sess.php
Let's save the cookie value
$ curl -v http://akashm.com/box/sess.php -c cookie.jar
Let's use the cookie value
$ curl -v http://akashm.com/box/sess.php -b cookie.jar
#
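The session-tracking loop that the three sess.php commands walk through, as an added example (not code from the deck or from akashm.com): a constructed stateless server on loopback hands out a session id in a Set-Cookie header, and a client whose dict plays the role of curl's cookie.jar sends it back. The /sess route, the cookie name sid and the per-session visit counter are assumptions made for this example. The second request deliberately starts with an empty jar to show the stateless point: without the cookie the server has no way to tell it is the same client, so it issues a fresh session. Because the id is effectively a password, the server marks it HttpOnly; over a real deployment it would also carry the Secure flag and travel only over TLS.

```python
"""Stateless HTTP server plus a cookie-jar client on loopback (added example)."""
import http.client
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # server-side state: session id -> visit count (assumed layout)


class SessionHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # HTTP itself carries no state: the only link to earlier requests
        # is whatever the client chose to send back in the Cookie header.
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookie["sid"].value if "sid" in cookie else None
        new = sid not in SESSIONS
        if new:
            sid = secrets.token_hex(16)   # unguessable: this value is the password
            SESSIONS[sid] = 0
        SESSIONS[sid] += 1
        body = f"session={sid} new={new} visits={SESSIONS[sid]}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        if new:
            # HttpOnly keeps script away from the id; add Secure when served over TLS.
            self.send_header("Set-Cookie", f"sid={sid}; HttpOnly; SameSite=Lax; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), SessionHandler)   # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def get(port: int, jar: dict) -> str:
    """One request; `jar` behaves like curl -b/-c cookie.jar."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {}
    if jar:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
    conn.request("GET", "/sess", headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    for set_cookie in resp.msg.get_all("Set-Cookie") or []:
        for name, morsel in SimpleCookie(set_cookie).items():
            jar[name] = morsel.value          # what curl -c stores
    conn.close()
    return body


def demo():
    srv = start_server()
    port = srv.server_address[1]
    try:
        jar = {}
        first = get(port, jar)    # no cookie yet: server creates a session
        second = get(port, {})    # empty jar: server cannot recognise us, new session
        third = get(port, jar)    # jar replayed (curl -b): same session, visits=2
        return first, second, third, jar
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for line in demo()[:3]:
        print(line)
```

Run it and compare the three lines: the first and third share a session id and the visit count climbs, while the second, sent without the cookie, gets a brand new id even though it came from the same process.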
Basics of TLS/SSL
SSL/TLS
Encrypted Communication – Eavesdropping and Tampering
Secure Identification of a Network – Are you talking to the right server?
Certificate Hierarchy
An SSL certificate contains a certificate chain which begins with the
server's public key certificate and ends with the Certificate Authority's
root certificate.
How does the client verify the SSL cert?
Live Demo
QnA
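An added example (not part of the deck) of how a Python client answers the two questions on the SSL/TLS slide. The default ssl context verifies the chain from the server's certificate up to a trusted root and checks that the certificate is for the hostname being contacted; the other two contexts each drop one of those checks, which is what separates "is this a valid certificate?" from "am I talking to the right server?". The insecure one is what curl -k does. peer_identity is a helper name chosen for this example; it needs a live server and is not exercised offline.

```python
"""Three TLS client configurations, from verifying to insecure (added example)."""
import socket
import ssl


def browser_like_context() -> ssl.SSLContext:
    """Default for browsers and curl: chain to a trusted root AND hostname match."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default; stated for clarity
    ctx.check_hostname = True
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """Chain is verified, but a valid certificate for any other name is accepted.
    Answers 'is this a real certificate?' but not 'is it the right server?'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def insecure_context() -> ssl.SSLContext:
    """Equivalent of curl -k: traffic is encrypted, but the peer is never identified."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Which of the two questions from the slide this context actually answers."""
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
    }


def peer_identity(host: str, port: int = 443, ctx: ssl.SSLContext = None):
    """Connect and report the head of the chain (server cert CN) and who signed it."""
    ctx = ctx or browser_like_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    if not cert:  # with CERT_NONE Python does not even parse the certificate
        return None, None
    subject = dict(pair for rdn in cert["subject"] for pair in rdn)
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    return subject.get("commonName"), issuer.get("commonName")


if __name__ == "__main__":
    for name, ctx in (("browser-like", browser_like_context()),
                      ("chain-only", chain_only_context()),
                      ("insecure", insecure_context())):
        print(name, describe(ctx))
```

Note the ordering in insecure_context: Python refuses to set verify_mode to CERT_NONE while check_hostname is still True, which is a useful reminder that hostname checking only means something once the chain has been verified.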
