HTTP AUTHENTICATION


HTTP Protocol: 
HTTP (Hypertext Transfer Protocol) is a client-server protocol: the client sends a request to the server, and the server responds to it. The response is mostly in the form of HTML-formatted pages. By default HTTP uses port 80, but the web server and the client can be configured to use a different port for the communication.

HTTP is a stateless protocol, which means the server does not retain information about each user. HTTP is the backbone of the World Wide Web (WWW), and being stateless simply means that it does not remember each client that connects. Even if a single user sends multiple requests one after another, the server still treats them all as independent requests.

The predecessors of HTTP 2 are HTTP 1.0 and 1.1, and the differences are:
HTTP 2 is binary and not textual
HTTP 2 is multiplexed: it can use a single connection for parallelism, whereas HTTP 1 is based on ordering and blocking
HTTP 2 uses compression in its headers to reduce the overhead
HTTP 2 gives servers the capability to “push” responses to clients proactively

HTTP works through different methods, and these methods are:
GET – Used to retrieve information from the given URL
POST – Used to send data to the server, for example customer information or file uploads using HTML forms
DELETE – Deletes the file at the specified URL
PUT – Uploads a file to the specified URL
TRACE – A TRACE on a JSP resource returns the content of the resource
HEAD – Like GET, but returns only the HTTP headers and no document body
OPTIONS – Returns the HTTP methods that the server supports



The major differences between GET and POST are,



An HTTP client sends a request to the server in the form of a request message, which has the following format,



REQUEST: 
Method: GET 
Host: This header field identifies an individual website by its hostname when several websites share the same IP address.
User-Agent: The client web browser sets a user-agent string to identify the type and version of the browser. This field is set with default values by the web browser, but it can be spoofed by the end user.
Cookie: This field stores a temporary value shared between the client and server for session management.
Referer: This field relates to navigation from one URL to another. It contains the address of the previous web page from which a link to the current page was followed.
Accept-Encoding: This field defines the compression schemes supported by the client; gzip and deflate are the most common ones.

RESPONSE: 
HTTP Version: The HTTP version that the server supports
Date: The date and time at which the message originated
Set-Cookie: This field, if defined, contains a random value that the server can use to identify the client and store temporary data.
Server: It displays the information about the web server hosting the website 
Content-Length: This field contains a value indicating the number of bytes in the body of the response.





HTTP Authentication – Basic and Digest: 
HTTP authentication uses methodologies through which web servers and browsers securely exchange credentials such as user names and passwords. HTTP authentication, which we can also call Digest authentication, follows predefined methods/standards that use encoding techniques and MD5 cryptographic hashing over the HTTP protocol.


Basic Access Authentication using Base64 Encoding: 
In basic authentication we use base64 encoding to generate the encoded string that contains the username and password. Note that we can use any of the encoding techniques like URL, Hexadecimal or any other we want.

The web page asks the client for input.
We have provided “hackingarticles” as the username and “ignite” as the password.

The syntax of basic authentication is,
Value = username:password
Encoded Value = base64(Value)
Authorization Value = Basic <Encoded Value>


Here, the encoded value of hackingarticles:ignite is aGFja2luZ2FydGljbGVzOmlnbml0ZQ==


With the help of Burp Suite's Proxy, we can capture the request, which carries the same Authorization value.


Digest Access Authentication: RFC 2069 

Digest Access Authentication uses hashing to generate the cryptographic result.

The syntax of RFC 2069 is,
Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
Response=MD5(Hash1:nonce:Hash2)

Hash1 → The MD5 hash value of (username:realm:password), where realm is any string provided by the server and username and password are the input provided by the client.

Hash2 → The MD5 hash value of (method:digestURI), where method could be GET or POST depending on the page request and digestURI is the URL of the page to which the request is being sent.

Response → The final string sent to the server. It contains the MD5 hash value of (Hash1:nonce:Hash2), where Hash1 and Hash2 are generated above and nonce is an arbitrary string, provided by the server to the client, that can be used only one time.

RFC 2617 is an enhanced version of RFC 2069.


Digest Access Authentication: RFC 2617 
RFC 2617 digest authentication also uses the MD5 hashing algorithm, but the final hash value is generated with some additional parameters.

The syntax of RFC 2617 is,
Hash1=MD5(username:realm:password)
Hash2=MD5(method:digestURI)
Response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

Hash1 → The MD5 hash value of (username:realm:password), where realm is any string provided by the server and the username and password are the input provided by the user on the client side.

Hash2 → The MD5 hash value of (method:digestURI), where method could be GET or POST depending on the page request and digestURI is the URL of the page to which the request is being forwarded.

Response → The final string sent to the server. It contains the MD5 hash value of (Hash1:nonce:nonceCount:cnonce:qop:Hash2), where Hash1 and Hash2 are generated in the steps above.
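
The RFC 2069 and RFC 2617 formulas above as runnable Python, together with a server-side check that accepts each nonce/nonceCount pair only once. This is an added example, not code from the original article: DigestVerifier and its replay policy are hypothetical, and the sample request is the worked example from RFC 2617 section 3.5 (user Mufasa, password "Circle Of Life").

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Response value: RFC 2069 form when qop is None, else RFC 2617."""
    hash1 = md5_hex(f"{username}:{realm}:{password}")
    hash2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{hash1}:{nonce}:{hash2}")
    if not nc or not cnonce:
        raise ValueError("qop requires nonceCount and cnonce")
    return md5_hex(f"{hash1}:{nonce}:{nc}:{cnonce}:{qop}:{hash2}")

class DigestVerifier:
    """Hypothetical server-side check for one user in one realm."""

    def __init__(self, username, realm, password):
        self.creds = (username, realm, password)
        self.last_nc = {}  # nonce -> highest nonceCount accepted so far

    def verify(self, method, fields):
        """fields: parameters already parsed from the Authorization header."""
        nonce, nc = fields["nonce"], fields.get("nc")
        try:
            expected = digest_response(*self.creds, method, fields["uri"], nonce,
                                       fields.get("qop"), nc, fields.get("cnonce"))
            count = int(nc, 16) if nc else 1  # RFC 2069: nonce is single-use
        except ValueError:
            return False  # qop without nc/cnonce, or nc not hexadecimal
        if not hmac.compare_digest(expected.encode(), fields["response"].encode()):
            return False
        if count <= self.last_nc.get(nonce, 0):
            return False  # nonce/nonceCount already accepted: replay
        self.last_nc[nonce] = count
        return True

# Sample request taken from the worked example in RFC 2617 section 3.5.
RFC2617_FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
```

Because Hash2 covers the method and URI, a response captured for one request does not verify for a different method or page, and the nonceCount check rejects a byte-for-byte replay of the same request.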