Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 04. Web Foundations / 01. HTTP

HTTP

HTTP is the language used by applications to communicate over the web.

When you open a website, log into a portal, submit a form, or call an API, HTTP is usually the protocol carrying the conversation.

At its core, HTTP is extremely simple:

  1. A client sends a request.
  2. A server sends a response.
Browser ------------------> Web Server
         HTTP Request

Browser <------------------ Web Server
         HTTP Response

Real Example

You type:

https://operatoronthewire.com

Your browser sends:

GET / HTTP/1.1
Host: operatoronthewire.com
User-Agent: Chrome
Accept: text/html

Request

The server responds:

HTTP/1.1 200 OK
Content-Type: text/html

<html>
  <body>
    Welcome to OOTW
  </body>
</html>

Response

Note that the actual website is not actually deployed at the time of writing.


Request Structure

Every HTTP request consists of:

Request Line
Headers
(Optional Body)

Example:

POST /login HTTP/1.1
Host: operatoronthewire.com
Content-Type: application/x-www-form-urlencoded

username=antares&password=Password123

Request Line

The first line contains:

METHOD PATH VERSION

Example:

GET /index.html HTTP/1.1
PartMeaning
GETAction
/index.htmlResource
HTTP/1.1Protocol Version

HTTP Methods

Methods describe what we want to do.

GET

Retrieve data.

GET /users

Translation:

"Give me the users."

POST

Create something.

POST /users

Translation:

"Create a new user."

PUT

Replace an existing object.

PUT /users/5

Translation:

"Replace user 5 entirely."

PATCH

Modify part of an object.

PATCH /users/5

Translation:

"Change a few fields of user 5."

DELETE

Delete something.

DELETE /users/5

Translation:

"Delete user 5."

Headers

Headers are metadata.

Example:

Host: operatoronthewire.com
User-Agent: Chrome
Cookie: sessionid=12345
Authorization: Bearer abcdef

Think of headers as sticky notes attached to the request.

"Who am I?"
"Which browser am I?"
"Which session do I have?"
"How should the data be interpreted?"

Request Body

Not all requests have a body.

GET usually does not.

POST often does.

Example:

POST /login HTTP/1.1

username=admin&password=Password123

The body contains the actual data being sent.


Response Structure

Responses are very similar.

Status Line
Headers
Body

Example:

HTTP/1.1 200 OK
Content-Type: text/html

<h1>Hello</h1>

Status Codes

Status codes tell us what happened.


200 OK

Everything worked.

HTTP/1.1 200 OK

201 Created

Something was created.

HTTP/1.1 201 Created

301 / 302 Redirect

Go somewhere else.

HTTP/1.1 302 Found
Location: /login

401 Unauthorized

Authentication required.

HTTP/1.1 401 Unauthorized

403 Forbidden

Authenticated, but not allowed.

HTTP/1.1 403 Forbidden

404 Not Found

The resource does not exist.

HTTP/1.1 404 Not Found

500 Internal Server Error

Server exploded.

HTTP/1.1 500 Internal Server Error

URLs

A URL consists of several parts:

https://operatoronthewire.com:443/admin/login?id=5
ComponentValue
Schemehttps
Hostoperatoronthewire.com
Port443
Path/admin/login
Query String?id=5

Query Parameters

Example:

https://site.com/users?id=5&admin=true

The server receives:

id = 5
admin = true

Many web vulnerabilities originate here.


Cookies

Cookies allow websites to remember users.

Server:

Set-Cookie: sessionid=ABC123

Browser stores it.

Future requests:

Cookie: sessionid=ABC123

This is how websites remember that you are logged in.


Authentication

Example:

Authorization: Bearer eyJhb...

Or:

Authorization: Basic YWRtaW46cGFzc3dvcmQ=

Authentication is usually carried in headers.


Content Types

The server needs to know what data is being sent.

Examples:

Content-Type: text/html
Content-Type: application/json
Content-Type: application/xml
Content-Type: multipart/form-data

JSON

Modern APIs usually speak JSON.

Request:

POST /users

{
  "username": "antares",
  "role": "admin"
}

Response:

{
  "id": 5,
  "username": "antares"
}

HTTPS

HTTP itself is plaintext.

HTTPS is:

HTTP + TLS
Browser
    |
    | Encrypted
    |
Server

Without HTTPS:

Anyone on the network can read the traffic.

With HTTPS:

Traffic is encrypted.

SSL and TLS will be explored more in depth in the next class.