HTTP. So HTTP stands for Hypertext Transfer Protocol. Today, it's used to access web applications on the World Wide Web. So it is the underlying protocol that helps us to retrieve web applications. HTTP is basically a client-server protocol. And it has a message-based model to carry traffic between the server and the client, so the client requests a resource on the server and the server returns a response message to the client.

HTTP 1.0 was the first release, which, well, it's considered obsolete today, but it's still possible to see it if you're testing an application on an intranet. So bear that in mind. HTTP 1.1 has replaced the older version and it's the most common version that's out there in use today. Persistent connections, the OPTIONS method and improvements in caching mechanisms are just a few of the better features of 1.1.

As the Internet evolves, HTTP is extended and leveraged with new features, and even new releases come out to support today's more complex applications. So the latest version was published in May 2015 as HTTP/2. Now, HTTP/2 has many great features. Basically, this new release removes the performance-based issues for web applications. And it's also supported by modern web browsers and updated servers. All right, so after this new version popped up, I need to update some of my rhetorical sentences about it.
Normally it's a text-based protocol, but now it's a binary protocol with HTTP/2. Now, it is an application layer protocol in the TCP/IP model, so that means it uses stateful TCP as a transport mechanism, although HTTP in and of itself is a connectionless protocol that makes requests and responses use different TCP connections, but with HTTP/2, they can use the same TCP connection. And by the way, it uses the default port 80 on the server, unless the web server and the client are configured to use a different port. I want to flag that up for you as a pen tester, because an application can be served on another port.

So first, let's talk about the HTTP requests and responses. An HTTP request is made by the web browser. And HTTP responses are sent by the server. So let's have a look at the HTTP request message. Request messages are comprised of two parts: the message headers and the message body. Headers provide both the server and the client instructions on how to handle the message, so the structure of a request looks like this. First, the mandatory line comes, and this line consists of an HTTP method, the path or URL of the resource and the supported HTTP version; then the request headers come. And then the headers are followed by a mandatory blank line. And finally, the message body is added to the request, and that is the real HTTP request data.
And this request is sent to the server. OK, so now let's have a look at the structure of an HTTP response. The structure of a response message is similar to a request message. Again, the mandatory first line; now this time it consists of the HTTP version, the HTTP status code and phrase. Then the HTTP response headers come. And then the headers are followed by a mandatory blank line. And then finally, the message body comes, and that's the HTTP response data, just like that, and then this response is sent to the client. Now, sometimes, if there is no data to be sent between each party, the message body can be neglected.

So now let's have a look at how to examine these messages from the browser. So HTTP messages contain useful data to gather information about applications or also to manipulate applications. So what we need to do is capture the whole HTTP traffic between us and the web server to extract the information. Now, there are several ways to capture the traffic, and the most common way is to use a local HTTP proxy. I'll show you that in detail in the next video. For now, I am going to observe HTTP traffic right here in my browser with the developer tool. So developer tools are very useful to analyze the application in the web browser. So first I just open the web developer tool.
And there are several tabs within this internal tool. And HTTP messages are listed and viewed under the Network tab. And then go to the vulnerable application's login page. So as you see here, HTTP requests are listed below. And also, we can list documents by their types; I'll only list HTML documents now. Now, I'm going to click on the first request to see the details. And over here, in the right pane of the tool, there are details about the request, such as HTTP headers, cookies, parameters and so on. Now, this view may be different in other browsers. And now the tool displays data about the request and response in its own particular way. OK, so normally there are three items in the first line of every HTTP request, separated by spaces. But developer tools show the request not quite like this. So this is not the raw data, but you can get the raw data as well. So the first part contains a URL, HTTP method and version information.

Now, an HTTP method defines how to use a resource on the server or what to do with it. As I said before, the client should inform the server about the action that it wants to perform on the requested resource, right? So a web browser can display, delete or update a resource by declaring an HTTP method in the request. Now, because there are several HTTP methods, they all work differently.
But mostly what you'll see is the GET and POST methods. GET is, I would say, the most used one. And what it does is it helps to display a resource on the server. GET requests do not have a message body, so you cannot send data in the message body. But it doesn't mean that you cannot send data with the GET method, because GET can transmit any parameter to the requested resource in the URL with a query string. So this is a practical way to send data. But a parameter like that becomes part of the URL, and that means it's prone to sniffing, and as a web pen tester, you should try to force the application while transmitting confidential data, whether it uses GET or not. The POST method is similar to the GET method, and it's used to retrieve data from the server.

So now I'm going to log into the application. As you see, the data is sent via the POST method. And choose the POST request from the list. And the POST method has the message body, and it mostly transmits the data to the server in this way. Now click the Params tab. Here is the login data that I entered, but the GET method transmits data via a query string in the URL. So choose the HTML injection example from the list in the page. And fill in the input fields with some data and hit enter. Click the request.
And now look at the data in the URL. Then open the Params tab. And this time it is identified as a query string. So it is entirely and absolutely vital to use the POST method while transmitting confidential data, you get me.

Now, in addition to the GET and the POST methods, there are a few others: PUT, DELETE, HEAD and OPTIONS. The PUT and DELETE methods are part of WebDAV, which is an extension of the HTTP protocol. PUT creates a new resource or replaces the target resource using the content contained in the body of the request. So as pen testers, we may be able to upload a malicious file to the server if this method is enabled. And the DELETE method deletes data on the server, as the name would suggest. So these are called dangerous methods, and you might be able to guess why. So in other words, you should analyze the application for these available HTTP methods. So to check the available methods on a server, another HTTP method can be used: the OPTIONS query, which is an HTTP method on the server. So click Edit and Send. Now, I'm going to change the method to OPTIONS. And delete this part. And send. And the server returns a response and declares an Allow header which stores the available methods. And let's have a look at the available methods.
Here they are. So HEAD is another method. And it checks whether a resource is present on the server or not. And it works the same way as the GET method. So this time I'm going to change the method to HEAD. And send the request. And here is the basic header information for this application. So it's a quick way to get some information from the server.

And HTTP supports many headers; some of the headers can be used for both requests and responses, and others are specific to one of these message types. So why don't we start with some of the request headers? The Host header specifies the hostname in the URL; it can also be an IP. The point here is that it is absolutely necessary if there are other web applications on the same server that share the same IP address. User-Agent specifies information about the client software. Then, if the request is generated by the web browser, it is going to contain browser information; see why that would be useful. Cookie submits cookies to the server that the server previously issued. So cookies can be used for many reasons by the server's software or developers, and we're going to come back to cookies a little bit later on in detail, but we need to learn a few more things first.
So Referer is used to indicate the address of the previous web page, which the client requests the current page from. Also, this header was misspelled in the original HTTP specification, and it's still used like that. Accept-Encoding defines the compression scheme supported by the client; gzip and deflate are among the most common ones. So Accept tells the server about the content types that the client can accept, such as image types, office document formats and so on. Connection tells the other party to close the TCP connection if the HTTP transmission has completed or keep it open for further messages. Content-Encoding tells the other party about the encoding used for the content of the message body, such as gzip.

OK, great. So now let's have a look at the response message. So here is a status code which represents the result of the request. OK, so it's a numeric value and it's followed by a textual reason phrase, the OK message. So each HTTP response message must contain a status code. There are five groups of status codes. Status codes that start with 1 are informational. Status codes that start with 2 define success messages.
Status codes starting with 3 are used for redirection. Status codes starting with 4 define errors caused by the client. Status codes that start with 5 define errors caused by the server. For example, 200, 302, 404 or 500. Those are some of the more popular ones. So 200 OK indicates that the request was successful and that the response body contains the result of the request. And then when I log out, I'll get a 302. And the 302 Found redirects the browser temporarily to a different URL, which is specified in a Location header. Now, if I request a nonexistent resource, I will get a 404. 404 Not Found indicates that the requested resource does not exist.

OK, so some response headers. So the Server header provides information about the server software used on the server computer. And sometimes some other details, such as installed modules and the server operating system, can be included as well; not mandatory. But you're looking at it here. So Pragma directs a browser not to cache the response. Expires tells a browser for how long the content of the response is valid. And the browser caches the content until that time.
Content-Type identifies the type of content in the message body, such as text/html for an HTML document. Content-Length specifies the length of the message body in bytes. Cache-Control passes caching directives to the browser. So in this response message, there is no Set-Cookie header. Set-Cookie submits to the client additional parameters named cookies. Now, cookies can be used for many reasons, but typically they're used for authorisation. Now we're going to recap cookies in the next section in full detail.