Security Testing - HTTP Protocol BASICS

HTTP Protocol

The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. It has been the foundation of data communication for the World Wide Web (i.e. the internet) since 1990. HTTP is a generic, stateless protocol that can be used for other purposes as well through extensions of its request methods, error codes and headers.
Basically, HTTP is a TCP/IP-based communication protocol used to deliver data such as HTML files, image files and query results over the Web. It provides a standardized way for computers to communicate with each other. The HTTP specification defines how a client's request for data is sent to the server and how the server responds to that request.
Understanding the protocol is very important for getting good hands-on experience with security testing. You will appreciate the importance of the protocol when we intercept the packet data between the web server and the client.

Basic Features

The following three basic features make HTTP a simple but powerful protocol:
  • HTTP is connectionless: The HTTP client, i.e. the browser, initiates an HTTP request, and after the request is made the client disconnects from the server and waits for a response. The server processes the request and re-establishes the connection with the client to send the response back.
  • HTTP is media independent: This means any type of data can be sent by HTTP as long as both the client and the server know how to handle the data content. Both the client and the server are required to specify the content type using the appropriate MIME type.
  • HTTP is stateless: As mentioned above, HTTP is connectionless, and as a direct result HTTP is a stateless protocol. The server and client are aware of each other only during the current request; afterwards, both of them forget about each other. Due to this nature of the protocol, neither the client nor the server can retain information between different requests across web pages.
HTTP/1.0 uses a new connection for each request/response exchange, whereas an HTTP/1.1 connection may be used for one or more request/response exchanges.

Architecture

The following diagram shows a very basic architecture of a web application and depicts where HTTP sits:


HTTP is a request/response protocol built on a client/server architecture, in which web browsers, robots, search engines, etc. act as HTTP clients and the web server acts as the server.
  • Client - The HTTP client sends a request to the server in the form of a request method, URI and protocol version, followed by a MIME-like message containing request modifiers, client information and possible body content, over a TCP/IP connection.
  • Server - The HTTP server responds with a status line, including the message's protocol version and a success or error code, followed by a MIME-like message containing server information, entity metainformation and possible entity-body content.
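As an added example that is not part of the original post, the Python below splits a constructed plain-HTTP/1.1 request and response into the three parts just listed (start line, header fields, body) and then names the pieces of that exchange which anyone on the network path can read, since HTTP itself carries no encryption. The sample exchange, host name, cookie and credential values are constructed for illustration, not captured from any real site.

```python
# Constructed sample of one plain-HTTP/1.1 exchange (not a real capture).
RAW_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"user=alice&pass=s3cr3t"
)
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"<p>hello</p>"
)

def parse_message(raw: bytes) -> dict:
    """Split a raw HTTP/1.x message into its start line, header fields and body,
    the three parts described above. The header block ends at the first empty
    line and the body is the next Content-Length bytes; malformed or truncated
    input raises ValueError instead of guessing."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = tuple(lines[0].split(" ", 2))  # request: method, URI, version; response: version, status, reason
    if len(start) != 3:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header field: {line!r}")
        headers[name.strip().lower()] = value.strip()  # field names are case-insensitive
    length = int(headers.get("content-length", "0"))
    if length > len(rest):
        raise ValueError(f"truncated body: expected {length} bytes, got {len(rest)}")
    return {"start_line": start, "headers": headers, "body": rest[:length]}

def cleartext_exposures(req: dict, resp: dict) -> list:
    """Name the sensitive parts of the exchange that travel unencrypted over plain HTTP."""
    found = [h for h in ("authorization", "cookie") if h in req["headers"]]
    if "set-cookie" in resp["headers"]:
        found.append("set-cookie")
    if req["body"]:
        found.append("request body")
    return found
```

Running `cleartext_exposures(parse_message(RAW_REQUEST), parse_message(RAW_RESPONSE))` on the sample reports the session cookie and the form body (which carries the credentials) as readable in transit, which is exactly why HTTPS rather than plain HTTP is expected for such traffic.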

Disadvantages

  • HTTP is NOT a secure protocol.
  • HTTP uses port 80 as the default for communication.
  • HTTP operates at the Application Layer.
  • No encryption or digital certificates are required for using HTTP.

HTTP Protocol Details

In order to understand the HTTP protocol in depth, click on each of the links below.

