What is the HTTP Web Protocol?



HTTP
Hello members of Turkish Hack Team, in this content, I will explain HTTP, which is one of the web protocols.


Hypertext Transfer Protocol, or HTTP in short, is a communication protocol widely accepted as the foundation of internet communication. This protocol, with a client-server based structure, regulates data exchange between web browsers and web servers. HTTP, forming the essence of the web and enabling users to access online content, is a crucial backbone of today's information society.

The primary purpose of HTTP is to facilitate users' requests from client devices to web servers and to process corresponding responses. Requests and responses typically include HTML files, images, videos, and other media content. This protocol is designed to smoothly conduct large-scale information transfer over the internet.

The historical roots of HTTP date back to the late 20th century. The first prototype developed by Tim Berners-Lee in 1989 was officially introduced in 1991 with the document "HTTP (Hypertext Transfer Protocol) Overview." This document laid the foundations of the protocol that would become the backbone of the web by explaining the fundamental features and workings of HTTP in detail.

The initial versions of HTTP were generally text-based and had a simple structure. However, as internet traffic increased and content diversity expanded over time, HTTP versions also evolved. Versions like HTTP/1.0, HTTP/1.1, and later HTTP/2 were developed to enhance performance, provide better parallel processing capabilities, and offer more efficient data compression methods.

In this context, HTTP represents more than just a technical protocol; it plays a central role in the digital transformation of our era. Thanks to Berners-Lee's vision, this protocol born out of his efforts has transformed information access in our age and laid the foundation for a global communication infrastructure.

HTTPS is a secure version of HTTP. It encrypts data between the server and the client. This encryption serves to:

Prevent visibility of the data you send or receive by third parties.

Ensure the authenticity of the server you are communicating with.




You can also see the certification holder's image from here.

An essential component ensuring secure communication is SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates. These certificates are used to authenticate the identity of a website and encrypt communication.

The SHA-256 fingerprint is presented along with the public key of the certificate holder. This fingerprint is checked by the user to verify the integrity and ownership of the certificate. Since the certificate is signed by an authority and the fingerprint correctly matches, users can have confidence that the certificate is trustworthy.

The public key of a certificate holder is presented to clients (such as web browsers) for use in authentication processes. However, the integrity and reliability of the key are also crucial. This is where the SHA-256 fingerprint comes into play. The fingerprint is used to ensure the integrity of the public key and guarantee that the certificate has not been altered in any way. In short, this fingerprint helps users verify the authenticity and reliability of the certificate.


When you visit a website, the browser fetches certificate data and verifies the integrity of the certificate using the SHA-256 fingerprint within it. If the fingerprint does not match or the certificate is not valid, the browser issues a warning, informing the user about a potential security risk.





What is a URL?

A URL is a string of instructions we use to access content on the internet.



Protocol: Specifies which protocol to use to access the resource, such as HTTP, HTTPS, or FTP (File Transfer Protocol).

User: Some web services require authentication to access the resource; you can enter a username and password in this section.

Domain: The domain name of the server you want to access.

Connection Port: This section specifies the port number of the connection point. HTTP commonly uses port 80, and HTTPS uses port 443 (usually). However, any value between 1 and 65535 can be entered here.

Path: Specifies the file name and path of the resource you want to access.

Parameter: This section includes parameters required by the server to open the URL.

Fragment: This is a reference to a specific location on the desired actual page. It is often used for pages with long content, and a specific section of the page can be directly displayed as soon as the user accesses it.
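The parts listed above, taken apart with Python's standard urllib.parse (an added example, not part of the original post; the sample URL and the names DEFAULT_PORTS, dissect and wire_view are made up for illustration). wire_view also shows what actually goes into the request: the fragment is never sent to the server, and a URL that embeds a username and password is flagged.

```python
from urllib.parse import urlsplit, parse_qsl

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample URL (example.com is a reserved documentation domain).
SAMPLE = "https://alice:s3cret@example.com:8443/docs/index.html?lang=en&page=2#install"

def dissect(url):
    """Split a URL into the parts described in the list above."""
    u = urlsplit(url)
    return {
        "protocol": u.scheme,
        "user": u.username,
        "password": u.password,
        "domain": u.hostname,
        # The port is optional in a URL; fall back to the protocol's default.
        "port": u.port or DEFAULT_PORTS.get(u.scheme),
        "path": u.path or "/",
        "parameters": parse_qsl(u.query, keep_blank_values=True),
        "fragment": u.fragment,
    }

def wire_view(url):
    """Build the request line and Host header a client would send for url."""
    parts = dissect(url)
    query = urlsplit(url).query
    # Only path and query go into the request line; the fragment stays local.
    target = parts["path"] + ("?" + query if query else "")
    host = parts["domain"]
    if parts["port"] != DEFAULT_PORTS.get(parts["protocol"]):
        host += ":%d" % parts["port"]  # non-default ports appear in Host
    return {
        "request_line": "GET %s HTTP/1.1" % target,
        "host_header": host,
        # Credentials inside a URL are visible wherever the URL is shown.
        "embeds_credentials": parts["user"] is not None,
    }

if __name__ == "__main__":
    print(dissect(SAMPLE))
    print(wire_view(SAMPLE))
```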

HTTP REQUEST-RESPONSE

REQUEST


Making a request to a site is possible even with just the "GET / HTTP/1.1" line. But now, let's look at slightly richer content.





Line No:

1) Sends a GET request to go to the homepage ("/") using the HTTP 1.1 protocol.

2) The site we want to visit is itsecgames.blogspot.com.

3) Web version number.

4-5-6) The accepted formats here are the types of formats that the client can accept when data is received from the server.

7) The web page that redirected us to this.

8) The expression "DNT: 1" is part of the "Do Not Track" (DNT) header of HTTP headers. This expression indicates that the "Do Not Track" feature is enabled in the user's browser or client, meaning the user does not want their online activities to be tracked.

9) When an HTTP request is sent, the server typically processes the request and sends the response back to the client. However, unless the connection is explicitly closed, the server can keep the connection open to respond to future requests. In this case, the connection between the client and the server remains active, and more data exchange can occur.

The "Connection: close" header indicates that the server will close the connection in response to the request. In other words, instead of responding to subsequent requests from the client, the server terminates the communication by closing the connection. This is used especially when the server wants to respond to a single request and then close the connection.

10) "Upgrade-Insecure-Requests: 1" is an HTTP header that specifies a request for browsers to upgrade the protocol to HTTPS.

11) If a client has previously downloaded a resource (such as a web page or a file) and later wants to download the same resource again, it can use the "If-Modified-Since" header to ask the server. If the resource has been updated on the server since the last time the client downloaded it, the server sends the full content. However, if the resource has not changed since that date, the server only sends a "304 Not Modified" response, and the client uses its existing local copy.

12) The server is asked about the control of the requested file using this header. If the server's ETag value for the resource is equal to this value, it means the resource has not changed.


RESPONSE


Line No:

1) The "HTTP/1.1 304 Not Modified" response is an HTTP status code sent by a server when a client (such as a browser) requests the current version of a resource, but the resource has not changed on the server.

2) Determines how long browsers or caching systems can store this resource.

3) Indicates when the server generated the data.

4) This header tells that the response can be cached for 0 seconds in the cache and that this condition is private.

5) "ETag" is an HTTP header used to represent the content of a resource with a unique identifier. ETag helps the server track changes in the content of a resource and determine if the resource is up-to-date.

6) Specifies the web server software used by the server.

7) Indicates the intention to close the connection for future data.
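How a server can arrive at the "304 Not Modified" answer from the "If-Modified-Since" and ETag-matching request headers described above, as an added example that is not part of the original post. The function name conditional_get and the sample validator values are constructed for illustration; the header that carries the ETag in a request is If-None-Match, and when it is present it takes precedence over If-Modified-Since.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample state of one resource on the server.
SAMPLE_ETAG = '"v2"'
SAMPLE_MODIFIED = datetime(2024, 4, 13, 10, 0, 0, tzinfo=timezone.utc)

def _opaque(tag):
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    return tag[2:] if tag.startswith("W/") else tag

def conditional_get(request_headers, etag, last_modified):
    """Return (status, validator headers) for a GET on one resource.

    etag is the current entity tag including its quotes; last_modified is a
    timezone-aware UTC datetime.
    """
    validators = {
        "ETag": etag,
        "Last-Modified": format_datetime(last_modified, usegmt=True),
    }
    inm = request_headers.get("If-None-Match")
    ims = request_headers.get("If-Modified-Since")
    if inm is not None:
        # ETag comparison wins; If-Modified-Since is ignored in this branch.
        candidates = [_opaque(t.strip()) for t in inm.split(",")]
        if "*" in candidates or _opaque(etag) in candidates:
            return 304, validators
        return 200, validators
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            return 200, validators  # unparseable date: treat as unconditional
        if since.tzinfo is None:
            since = since.replace(tzinfo=timezone.utc)
        # HTTP dates have one-second resolution, so drop microseconds.
        if last_modified.replace(microsecond=0) <= since:
            return 304, validators
    return 200, validators

if __name__ == "__main__":
    print(conditional_get({"If-None-Match": '"v2"'}, SAMPLE_ETAG, SAMPLE_MODIFIED))
```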

HTTP METHODS

GET Request


This is used to retrieve information from a web server.

POST Request

This is used to send data to a web server and potentially create new records.

PUT Request

This is used to send data to a web server to update information.

DELETE Request

This is used to delete information/records from a web server.

HTTP STATUS CODES




HTTP (Hypertext Transfer Protocol) is a protocol that enables data communication over the internet. In communication using HTTP, the client (usually a browser) and the server use standardized status codes for specific situations and responses. These status codes specify how the communication will proceed, whether the process was successful, or what type of errors occurred.
For example, the "200 OK" status code indicates that the server successfully processed the client's request and sent the expected content as a response. The "404 Not Found" status code indicates that the server could not find the requested resource. Similarly, the "500 Internal Server Error" status code indicates that the server could not process the request due to an unexpected error.
These status codes help both clients and servers understand the communication process. They are essential for determining the meaning of responses and intervening when necessary. HTTP status codes are created to provide reliable and consistent communication over the internet using a standard language and reference. Here are all the status codes:

HTTP Status Codes - Wikipedia

Cookie



A website uses small text files called cookies to enhance user experience, manage sessions, and provide personalized content. Cookies are stored in users' browsers, enabling information exchange between the website server and the browser. For example, when a user logs into a website, a cookie created by the server is placed in the browser with the "Set-Cookie" header. This cookie verifies the validity of the user's session and helps send user-specific information to the server in subsequent requests. Now, let's briefly look at the steps:

The user (client) goes to the server.

The server sends a page requesting a password.
Code:
HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Wed, 14 Apr 2022 09:08:19 GMT
Content-Type: text/html; charset=UTF-8

HTML DATA…

The user (client) fills out and submits the form.

Code:
POST / HTTP/1.1
Host: cookies.tht
User-Agent: "null"
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

password=turkhackteam

The server sends a cookie for the user to register.
Code:
HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Wed, 14 Apr 2022 09:08:19 GMT
Set-Cookie: password=turkhackteam
Content-Type: text/html; charset=UTF-8

HTML DATA…

The user (client) logs in with this cookie in subsequent requests.
Code:
GET / HTTP/1.1
Host: cookies.tht
User-Agent: "null"
Cookie: password=turkhackteam
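In the exchange above the cookie carries the password itself, so every later request repeats the secret. The following added example (not part of the original post) shows the same login steps with the server issuing a random session identifier and setting the Secure, HttpOnly and SameSite attributes; the in-memory SESSIONS store, the salt, the cookie name "session" and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # session id -> user (in-memory store, an assumption)
# Constructed credential record: only a salted hash of the post's sample
# password is kept on the server side.
SALT = b"constructed-salt"
PW_HASH = hashlib.pbkdf2_hmac("sha256", b"turkhackteam", SALT, 100_000)

def login(form_password):
    """Check the submitted form; return a Set-Cookie header value or None."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", form_password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, PW_HASH):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable and unrelated to the password
    SESSIONS[sid] = "member"
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True      # only sent over HTTPS
    cookie["session"]["httponly"] = True    # hidden from page scripts
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = 3600
    return cookie["session"].OutputString()

def authenticate(cookie_header):
    """Map the Cookie request header back to a user, or None if unknown."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get("session")
    return SESSIONS.get(morsel.value) if morsel else None

if __name__ == "__main__":
    header = login("turkhackteam")
    print("Set-Cookie:", header)
    print(authenticate(header.split(";")[0]))
```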

Thank you for finding my writing worthwhile. I hope I've been able to explain such a fundamental protocol to everyone.


Source: @hacofic https://www.turkhackteam.org/konular/http-web-protocol.2045662/

