
Security Testing – HTTP Protocol Basics

In order to get a good command of Security Testing, understanding the HTTP/HTTPS protocols is important. The following points will help you understand the HTTP protocol in detail:
  • HTTP stands for Hypertext Transfer Protocol.
  • HTTP is a networking protocol: a set of rules for transferring resources (text, images, audio, video, HTML and other multimedia files) over the Internet.
  • HTTP is an application-level protocol. It runs on top of TCP/IP; HTTPS is the same protocol carried inside a TLS session, which encrypts and authenticates the whole exchange.
    • Example: When a User types a username and password into the login form and clicks the ‘Login’ button, the browser sends those credentials to the Application server in an HTTP request. After the Application server validates them against the credentials stored in the Database, the same HTTP protocol carries the response back to the Client: a status code and, on success, a session cookie. The browser presents that cookie on every later request, and that is what the server uses to treat the User as logged in. The decision is the server's; a client that merely trusts a status code can be fooled, which is why authorization has to be enforced on the server side. In this example, HTTP transfers the required information between the Client and Server machines over the Internet connection.
  • HTTP Protocol versions:
    • HTTP/0.9
    • HTTP/1.0
    • HTTP/1.1
    • HTTP/2 (the latest version as on April 25, 2018; HTTP/3, which runs over QUIC rather than TCP, was standardised later in RFC 9114)
  • HTTP Messages: The following are the two types of HTTP messages
    • HTTP Request: Requests sent by the client to the Server.
    • HTTP Response: Response sent back to the client by the Server.
  • Web Application Architecture and HTTP Protocol: The diagram below depicts the Web Application Architecture and how information is transferred between Client and Server over the Internet using an HTTP Request and an HTTP Response.
    • The Client sends the HTTP Request to the Server over the Internet connection (i.e. TCP/IP), specifying the request method, URI, protocol version, request modifiers, client information and, optionally, a body.
    • The Server responds with a success or error status code, the body content, and headers carrying other meta and server information.

[Diagram: Security Testing - HTTP Client-Server Architecture]

  • HTTP protocol is:
    • Connectionless – HTTP itself keeps no connection state between requests. The Client opens a TCP connection, sends a Request and reads the Response on that same connection; the Server never "calls back" the Client, every exchange is Client initiated. In HTTP/1.0 the connection was closed after each exchange, so every Request/Response pair needed a new connection. HTTP/1.1 keeps the connection open by default (Connection: Keep-Alive) so that several Request/Response pairs can reuse one TCP connection.
    • Stateless – The Server does not remember one Request when it handles the next, even on the same connection. Any state the application needs, such as a logged-in User, has to be carried by the Client on every Request, usually as a session cookie or a bearer token. This is why session management is a major focus of Security Testing: whoever holds the cookie is the User.
    • Media Independent – Any type of data that both Client and Server can handle can be transferred over HTTP, as long as the sender declares its MIME type in the Content-Type header.
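The first two properties above, as an added example that is not part of the original post: a Python script sends three GET requests over a single TCP connection to a local HTTP/1.1 server started in a thread. The /login and /home paths, the cookie value and the 401 reply are constructed for the demo (a real login belongs in the body of a POST; GET is used here only to keep the script short). The connection stays open between requests (HTTP/1.1 keep-alive), yet the server treats the second request as unauthenticated because nothing except the cookie links it to the first.

```python
"""Added example, not from the original post: one TCP connection carrying three
HTTP/1.1 requests, against a local server that only "recognises" the client
through a cookie. The /login and /home paths and the cookie value are
constructed for this demo."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION_COOKIE = "session=demo-token-123"   # constructed value, fixed for the demo


class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"           # keep the connection open between requests

    def do_GET(self):
        if self.path == "/login":           # GET only to keep the demo short; use POST for real
            status, body = 200, b"logged in"
            # HttpOnly keeps script on the page from reading the cookie (XSS mitigation)
            extra = [("Set-Cookie", SESSION_COOKIE + "; HttpOnly")]
        elif self.headers.get("Cookie") == SESSION_COOKIE:
            status, body, extra = 200, b"welcome back", []
        else:
            # Stateless: nothing ties this request to the earlier /login on the
            # same connection; without the cookie the client is a stranger.
            status, body, extra = 401, b"please log in", []
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):           # silence the default access log
        pass


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def read_response(sock):
    """Read exactly one HTTP/1.1 response: status line, headers, Content-Length body."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection before the headers ended")
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", 0))
    while len(body) < length:                         # body may arrive in pieces
        body += sock.recv(4096)
    return status, headers, body[:length]


def run_demo(port):
    """Three GETs over ONE TCP connection; returns their status codes."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        def get(path, cookie=None):
            req = f"GET {path} HTTP/1.1\r\nHost: 127.0.0.1:{port}\r\n"
            if cookie:
                req += f"Cookie: {cookie}\r\n"
            sock.sendall((req + "\r\n").encode("ascii"))
            return read_response(sock)

        s1, h1, _ = get("/login")                        # server hands out the cookie
        cookie = h1["set-cookie"].split(";", 1)[0]       # "session=demo-token-123"
        s2, _, _ = get("/home")                          # same connection, no cookie -> 401
        s3, _, _ = get("/home", cookie)                  # the cookie IS the login state -> 200
        return [s1, s2, s3]
    finally:
        sock.close()


if __name__ == "__main__":
    server = start_server()
    print(run_demo(server.server_address[1]))           # [200, 401, 200]
    server.shutdown()
```

The client deliberately uses a raw socket rather than an HTTP library so that the framing is visible: it must read the Content-Length body of one response before writing the next request on the same connection, which is exactly the bookkeeping a proxy or a smuggling attack plays with.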
More details on HTTP Protocol: The following concepts will help you understand HTTP in depth:
  • HTTP Parameters: The following parameters appear in HTTP Requests and Responses:
    • HTTP Version: Example: HTTP/1.1 (as written in the request line and the status line; HTTP/2 and later negotiate the version out of band and no longer carry it as text in each message).
    • URI (Uniform Resource Identifier): Example: http://qafox.com/login?queries (i.e. http://qafox.com/login?username=qa&password=fox). Security caveat: query strings end up in browser history, proxy and server logs and Referer headers, so credentials must never be sent this way; put them in the body of a POST over HTTPS.
    • Date/Time Formats: Example: Tue, 24 Apr 2018 07:53:12 GMT (the RFC 1123 form HTTP/1.1 requires when generating a date; the older asctime form Tue Apr 24 07:53:12 2018 must still be accepted when parsing).
    • Character Sets: The Client's preferred character set. Example: Accept-Charset: US-ASCII
    • Content Encoding: The encoding algorithms named in these parameters are applied to the content before it is transferred, usually to compress it without changing what the document is. Example: Accept-Encoding: gzip in the request; the response then declares Content-Encoding: gzip.
    • Media Types: Example: Content-Type: image/png
    • Language Tags: Example: Accept-Language: en-US (in a request) or Content-Language: en-US (in a response)
  • HTTP Methods: The following are the HTTP Methods, with the security notes that go with them:
    • GET: Used to retrieve information. Defined as safe and idempotent, so a GET must never change server state; an application that performs actions on GET is an easy CSRF target.
    • POST: Used to submit data that creates new information or triggers an action; not idempotent.
    • PUT: Used to update existing information by replacing the whole resource with the supplied one.
    • PATCH: Used to partially update existing information by changing only the supplied fields.
    • DELETE: Used to delete information.
    • HEAD: Same as GET, but the Server returns only the status line and headers, without the message body.
    • CONNECT: Asks a proxy to open a tunnel to the host named in the request URI, so that end-to-end traffic (normally TLS) can pass through it.
    • OPTIONS: Used to find the set of methods the Server supports for a resource; the Server lists them (GET, PUT and so on) in the Allow response header. Browsers also use OPTIONS for CORS preflight requests.
    • TRACE: Asks the Server to echo the Request it received back to the Client, so the Client can see what reached the Server after passing through proxies. Because the echo includes request headers such as Cookie, TRACE should be disabled on production servers; left enabled, it underpins the cross-site tracing (XST) attack.
  • HTTP Headers carry the metadata that travels with Requests and Responses (for example Host, Cookie, Content-Type and Authorization). Many security controls are headers too, such as the Secure and HttpOnly attributes on Set-Cookie, Strict-Transport-Security and Content-Security-Policy, so a tester reads response headers as carefully as the body.
  • HTTP Status Codes: A status code is a three-digit integer the Server returns in the status line of its Response, together with a reason phrase describing how the Request was processed. The following details will help you understand the HTTP Status Codes:
    • Categorization of HTTP Status Codes: HTTP Status codes fall into 5 classes, identified by the first digit:
      • 1xx : Informational status codes
      • 2xx : Success status codes
      • 3xx : Redirection status codes
      • 4xx : Client error status codes (the Request is at fault)
      • 5xx : Server error status codes (the Server failed to fulfil a valid Request; a 500 where a 400 was expected often means unvalidated input reached application code)
    • Status Codes and Categories: The following are the different status codes which fall under different categories:
      • 1xx : Informational Status codes
        • 100 : Continue
        • 101 : Switching Protocols
      • 2xx : Success status codes
        • 200 : OK
        • 201 : Created
        • 202 : Accepted
        • 203 : Non-Authoritative Information
        • 204 : No content
        • 205 : Reset Content
        • 206 : Partial Content
      • 3xx : Redirection status codes
        • 300 : Multiple Choices
        • 301 : Moved Permanently
        • 302 : Found
        • 303 : See Other
        • 304 : Not Modified
        • 305 : Use Proxy
        • 306 : Unused
        • 307 : Temporary Redirect
      • 4xx : Client error status codes
        • 400 : Bad Request
        • 401 : Unauthorized (no valid credentials were supplied; despite the name, this is an authentication failure)
        • 402 : Payment Required
        • 403 : Forbidden (the Server understood the Request but refuses to authorize it; supplying credentials will not help)
        • 404 : Not Found
        • 405 : Method Not Allowed
        • 406 : Not Acceptable
        • 407 : Proxy Authentication Required
        • 408 : Request Timeout
        • 409 : Conflict
        • 410 : Gone
        • 411 : Length Required
        • 412 : Precondition Failed
        • 413 : Request Entity Too Large (renamed Payload Too Large in RFC 7231)
        • 414 : Request-URI Too Long
        • 415 : Unsupported Media Type
        • 416 : Requested Range Not Satisfiable
        • 417 : Expectation Failed
      • 5xx : Server error status codes
        • 500 : Internal Server Error
        • 501 : Not Implemented
        • 502 : Bad Gateway
        • 503 : Service Unavailable
        • 504 : Gateway Timeout
        • 505 : HTTP Version Not Supported
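A method probe of the kind the HTTP Methods section calls for, exercising the status codes listed above, as an added example that is not part of the original post. It runs against a local server constructed for the demo (its Allow list, the X-Probe canary header and the / path are assumptions, not anything the page describes): OPTIONS returns an Allow header with 204 No Content, methods with no handler such as PUT and DELETE draw a 501 Not Implemented from the Python standard library, and TRACE echoes the request back, which the probe detects by looking for its canary header in the response body and reports as a finding.

```python
"""Added example, not from the original post: probe which HTTP methods a server
accepts and flag TRACE reflection, as a tester does during reconnaissance.
The local server, its Allow list and the X-Probe canary header are constructed
for this demo."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED = "GET, HEAD, OPTIONS, TRACE"     # constructed: what the demo server advertises
CANARY = "canary-42"                      # constructed marker we hope never to see echoed


class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _reply(self, status, body=b"", content_type="text/plain", extra=()):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        if self.command != "HEAD":        # HEAD: headers only, never a body
            self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"hello")

    def do_HEAD(self):
        self._reply(200, b"hello")        # same headers GET would send, body suppressed

    def do_OPTIONS(self):
        self._reply(204, extra=[("Allow", ALLOWED)])

    def do_TRACE(self):
        # TRACE echoes the request line and headers (including any Cookie) back
        # to the client, which is exactly why it is a finding when enabled.
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
        self._reply(200, echo, content_type="message/http")

    # PUT, DELETE, PATCH ... have no do_ handler: the stdlib answers 501 Not Implemented.

    def log_message(self, *args):
        pass


def start_server():
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, methods=("OPTIONS", "GET", "HEAD", "PUT", "DELETE", "TRACE")):
    """Send each method to / on a fresh connection; record status, Allow and reflection."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(method, "/", headers={"X-Probe": CANARY})
        resp = conn.getresponse()
        body = resp.read()
        results[method] = {
            "status": resp.status,
            "allow": resp.getheader("Allow"),
            "reflected": CANARY.encode() in body,
        }
        conn.close()
    return results


def findings(results):
    """Turn raw probe results into the notes a tester would write up."""
    notes = []
    if results.get("TRACE", {}).get("reflected"):
        notes.append("TRACE enabled and reflects request headers (cross-site tracing risk)")
    for method in ("PUT", "DELETE"):
        if results.get(method, {}).get("status", 501) not in (405, 501):
            notes.append(f"{method} accepted on / - check for unintended write access")
    return notes


if __name__ == "__main__":
    server = start_server()
    results = probe(server.server_address[1])
    for method, info in results.items():
        print(f"{method:8} {info['status']}  Allow={info['allow']}  reflected={info['reflected']}")
    print(findings(results))
    server.shutdown()
```

Against a real target the same probe is run per path, not just for /, because method handling is usually configured per location; a 405 with an Allow header is the well-behaved answer, a 200 on PUT is the one to investigate.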
Request and Response Message Formats and their examples: Having covered the concepts above, the following formats and examples should make them concrete:
  • HTTP Request Format: A Request is a request line (method, request URI, HTTP version), zero or more header lines, a blank line, and an optional message body. Every line ends in CRLF.

[Diagram: Security Testing - HTTP Request Message Format]

  • HTTP Request Example: The following is an example of an HTTP Request:

    GET /home.htm HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
    Host: www.qafox.com
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
  • HTTP Response Format: A Response is a status line (HTTP version, status code, reason phrase), header lines, a blank line, and the message body whose length the headers describe (Content-Length here).

[Diagram: Security Testing - HTTP Response Message Format]

  • HTTP Response Example: The following is an example of an HTTP Response; the 98-byte HTML body that Content-Length announces follows the blank line and is omitted here:

    HTTP/1.1 200 OK
    Date: Wed, 25 Apr 2018 11:01:27 GMT
    Server: Apache/2.2.14 (Win32)
    Last-Modified: Wed, 25 Apr 2018 11:01:27 GMT
    Content-Length: 98
    Content-Type: text/html
    Connection: close
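A parser for the Request and Response formats just shown, as an added example that is not part of the original post. The two messages from this page are re-typed as constructed byte strings (the Response is given a constructed 40-byte HTML body so that its Content-Length is real), and a third, constructed message carries two disagreeing Content-Length headers, the kind of framing ambiguity behind HTTP request smuggling; the parser refuses it rather than guessing, and likewise refuses whitespace before a header colon and Content-Length alongside Transfer-Encoding, as RFC 7230 tells a recipient to do.

```python
"""Added example, not from the original post: parse raw HTTP/1.1 messages into
start line, headers and body, refusing the ambiguous framings a tester looks
for. The sample messages are the page's own request and response, re-typed as
constructed byte strings; the response body is constructed so that
Content-Length has something to measure."""
from dataclasses import dataclass, field


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)   # field names lower-cased
    body: bytes = b""

    @property
    def status(self):      # "HTTP/1.1 200 OK" -> 200; None for a request
        return int(self.start_line.split(" ", 2)[1]) if self.start_line.startswith("HTTP/") else None

    @property
    def method(self):      # "GET /home.htm HTTP/1.1" -> "GET"; None for a response
        return None if self.start_line.startswith("HTTP/") else self.start_line.split(" ", 1)[0]


def parse_message(raw: bytes) -> HttpMessage:
    """Split at the first CRLF CRLF, then frame the body by Content-Length.
    Rejects the seams request-smuggling attacks exploit instead of guessing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers (CRLF CRLF) found")
    lines = head.decode("iso-8859-1").split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    lengths = set()
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():   # "Host : x" and obs-fold rejected
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.lower(), value.strip()
        if name == "content-length":
            if not value.isdigit():
                raise ValueError("non-numeric Content-Length")
            lengths.add(int(value))             # identical duplicates are tolerated
        if name in msg.headers and name != "content-length":
            msg.headers[name] += ", " + value    # repeated fields combine as a list
        else:
            msg.headers[name] = value
    if len(lengths) > 1:
        raise ValueError("conflicting Content-Length values (request smuggling red flag)")
    if lengths and "transfer-encoding" in msg.headers:
        raise ValueError("Content-Length and Transfer-Encoding both present")
    if lengths:
        length = lengths.pop()
        if len(body) < length:
            raise ValueError(f"body truncated: expected {length} bytes, got {len(body)}")
        msg.body = body[:length]
    else:
        msg.body = body                          # no length: body runs to end of input
    return msg


def framing_error(raw: bytes):
    """Return the parser's complaint for a message, or None if it parsed cleanly."""
    try:
        parse_message(raw)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed input: the page's request example, verbatim, with CRLF line endings.
REQUEST = (
    b"GET /home.htm HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)\r\n"
    b"Host: www.qafox.com\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# The page's response headers with a constructed 40-byte HTML body attached.
BODY = b"<html><body><h1>Hello</h1></body></html>"
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 25 Apr 2018 11:01:27 GMT\r\n"
    b"Server: Apache/2.2.14 (Win32)\r\n"
    b"Last-Modified: Wed, 25 Apr 2018 11:01:27 GMT\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n" + BODY
)

# Constructed smuggling-style request: two Content-Length values that disagree.
SMUGGLED = (
    b"POST /login HTTP/1.1\r\n"
    b"Content-Length: 4\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"abcdGET /adm"
)
```

parse_message(REQUEST).headers["host"] gives www.qafox.com and parse_message(RESPONSE).body the 40-byte HTML, while framing_error(SMUGGLED) returns the conflicting-Content-Length complaint. A front-end proxy and a back-end server that each pick a different one of those two lengths is precisely how a second request gets smuggled inside the first, so a parser that refuses to choose is the safe one.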

Conclusion: Understanding the basics of the HTTP protocol is a prerequisite for mastering Security Testing, because every web attack and every web defence is expressed in requests, responses, headers and status codes. Hence all the basic concepts of the HTTP protocol provided in this post need to be understood and learned by Security Testing enthusiasts.

Please leave your questions/comments/feedback below.

Happy Learning 🙂

Arun Motoori (www.QAFox.com)
