HTTP Operations
From the 2016 Cisco Annual Security Report, Cisco analyzed web traffic and determined that HTTPS requests have been
gradually (but significantly) increasing since January 2015. For example, 24% of the web requests in January 2015 used the
HTTPS protocol; the rest of them still used HTTP.
Security analysts should have a good understanding of the HTTP protocol operations since many attacks involve using
HTTP. Security analysts should be able to analyze traffic captures that contain HTTP traffic to identify anomalies in the
HTTP traffic.
A client's web browser sends an HTTP request to the web server. An HTTP request has three parts:
• The HTTP request method, URI, and the HTTP protocol name and version
• The HTTP request headers, which are used to define the operating parameters of the HTTP transaction and to provide
information about the client
• The HTTP request body, which is optional
https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/6/pages/5 1/10
4/24/2018 Understanding Cisco Cybersecurity Fundamentals
The web server sends an HTTP response to the client's web browser. An HTTP response has three parts:
• HTTP protocol name and version, and the status code. For example, a status code of 200 means the processing of the
HTTP request was successful.
• The HTTP response headers, which are used to define the operating parameters of the HTTP transaction and to provide
information about the web server.
• The HTTP response body, which carries the requested content (for example, the web page).
A URL is a subset of a URI that defines the location of a specific resource and how to retrieve it. The part that makes a URI
a URL is the inclusion of the "access mechanism/protocol" or "network location," such as http://, https://, and ftp://.
For example, the http://www.example.com/index.html URL will request the file that is named index.html in the root
directory of the www.example.com web server.
http://www.example.cisco.com:80/video?docid=96673783583808&hl=en#00h01m15s
• Host: www.example.cisco.com
– Host (or Prefix) = www. Subdomain = example.cisco.com. Domain = cisco.com. Top-Level Domain = .com.
• Path: /video. Path typically refers to a file or location on the web server. You can think of a path as a directory structure.
– URL parameters are also referred to as "query strings," which contain extra information in the form of key-value pairs
called parameters. URLs can have many parameters. Parameters start with a question mark (?) and are separated
with an ampersand (&).
– Fragment or named anchor: #00h01m15s. Typically the fragment is used to refer to an internal section within a web
document. In this case, the fragment means skip to 1 minute and 15 seconds into the video.
Some characters cannot be part of a URL (for example, a space), and some other characters have a special meaning in a
URL. URL encoding is used to deal with this problem, for example, a space can be encoded as a "+" sign or as "%20".
"%20" is the percent encoding for the binary octet "00100000", which in ASCII corresponds to the space character.
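As an added example that is not part of the original course page, the following Python breaks the example URL above into the pieces just described and shows both forms of space encoding. The extra q parameter and the helper names are my own additions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus, quote

# The page's example URL, with one constructed percent-encoded parameter (q) added here.
EXAMPLE_URL = ("http://www.example.cisco.com:80/video"
               "?docid=96673783583808&hl=en&q=cisco%20secfnd#00h01m15s")

def decompose_url(url):
    """Break a URL into scheme, host pieces, port, path, query parameters and fragment."""
    parts = urlsplit(url)
    labels = parts.hostname.split(".")
    return {
        "scheme": parts.scheme,                     # the access mechanism that makes a URI a URL
        "host": parts.hostname,
        "prefix": labels[0],                        # "www"
        "subdomain": ".".join(labels[1:]),          # "example.cisco.com"
        "domain": ".".join(labels[-2:]),            # "cisco.com"
        "tld": labels[-1],                          # "com"
        "port": parts.port or {"http": 80, "https": 443}.get(parts.scheme),
        "path": parts.path,
        # parse_qs splits on "&" and "=" and percent-decodes each value
        "params": {k: v[0] if len(v) == 1 else v for k, v in parse_qs(parts.query).items()},
        "fragment": parts.fragment,
    }

def fragment_to_seconds(fragment):
    """Turn a '00h01m15s' style fragment into a playback offset in seconds."""
    m = re.fullmatch(r"(\d+)h(\d+)m(\d+)s", fragment)
    if not m:
        return None
    hours, mins, secs = map(int, m.groups())
    return hours * 3600 + mins * 60 + secs

def percent_decode(text):
    """Decode a URL-encoded string; both '%20' and '+' become a space."""
    return unquote_plus(text)

def percent_encode(text):
    """Encode unsafe characters; a space becomes '%20' (octet 0x20, binary 00100000)."""
    return quote(text, safe="")
```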
• The HEAD method asks for a response identical to that of a GET request, but without the response body.
• The PUT method is used to update data at the specified resource.
HTTP GET requests contain user agent information to help the web server identify the web browser and configuration of the
client. In this example, the user agent is wget/1.13-4(linux-gnu). The user agent information that is sent by the web
browser is used by the web server to identify the browser, the browser version, and the OS that the host is running on. The
user agent is one of the fields in the HTTP header section of HTTP request. HTTP header fields are used to define the
operating parameters of an HTTP transaction. A core set of the HTTP header fields is standardized in RFCs 7230, 7231,
7232, 7233, 7234, and 7235.
Web sites often include code to detect the web browser version and adjust the web page design according to the user agent
information that is received. Various web browsers have a feature to spoof their identification to force certain server-side
content. For example, the Firefox user agent changer add-on extension can be used to change the Firefox user agent.
Attackers often manipulate the user agents in their attacks, such as embedding a malicious script in the user agent string.
In the user agent string example that is shown below, the browser is Firefox version 48.0 running on Windows 7:
The user agent is one of the HTTP headers in the HTTP request. The other request headers in this example are Accept
(content types that are acceptable for the response), Host (identifies the web server), and Connection (control options for the
connection). In this HTTP request example, there is no HTTP request body; the request body is optional in an HTTP request.
Examining the web server's HTTP response in blue from the Wireshark screenshot, 200 is the OK status code. The HTTP
response headers include information about the web server and version (Apache/2.2.22), the content type (text/HTML), and
so on. The HTTP response body contains the requested web page:
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.
The figure below shows the actual web page that is being requested in this example.
The HTTP server responses are classified by a numerical status code. Status codes indicate the reasons behind successful
and failed HTTP requests. The IANA maintains the official registry of the HTTP status codes.
Status codes starting with 1xx are Informational, 2xx are Success, 3xx are Redirection, 4xx are Client Error, and 5xx are
Server Error.
• 100 = Continue: The server has received the request headers and the client should proceed to send the request body
(in the case of a request for which a body needs to be sent; for example, a POST request).
• 200 = OK: The processing of the request that was sent by the client was successful.
• 301 = Moved Permanently: The resource has permanently moved to a different URI.
• 302 = Found: The requested resource resides temporarily under a different URI. A response with this code invites the
client to make a second, otherwise identical, request to the new URL specified in the Location field. However, many
web browsers implemented the 302 status code in a manner that violates the HTTP/1.0 specification, changing the
request method of the new request. For this reason, HTTP/1.1 added further status codes, among them status code 307.
• 307 = Temporarily Moved: The request should be repeated with another URI; however, future requests should still use
the original URI. The 307 status code indicates to the client that the request method must not be changed when
reissuing the request. For example, a POST request should be repeated using another POST request.
• 401 = Unauthorized (Authentication Required): The request first requires authentication with the server.
• 404 = Not Found: The server cannot find the requested URI.
• 407 = Proxy Authentication Required: The request first requires authentication with the proxy.
• 500 = Internal Server Error: This generic web server error message is given when an unexpected condition is
encountered and no more specific message is suitable.
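As an added example that is not from the course page, the following Python serves both the user agent discussion above and the response and status code discussion: it parses a raw HTTP request and response into the three parts described earlier, classifies the status code by its first digit, applies the 302/307 method rule, and flags a User-Agent value that carries script markup. The sample messages are constructed to resemble the wget and Apache examples in the text; they are not captured traffic.

```python
import re

# Constructed request modelled on the page's wget example; not a real capture.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: wget/1.13-4(linux-gnu)\r\n"
    "Accept: */*\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
# Constructed response modelled on the default Apache page described in the text.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>It works!</h1></body></html>"
)

def parse_message(raw):
    """Split an HTTP/1.x message into its three parts: start line, headers, (optional) body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    if start[0].startswith("HTTP/"):  # response start line: version, status code, reason phrase
        return {"kind": "response", "version": start[0], "status": int(start[1]),
                "reason": start[2] if len(start) > 2 else "", "headers": headers, "body": body}
    return {"kind": "request", "method": start[0], "uri": start[1], "version": start[2],
            "headers": headers, "body": body}

STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection", 4: "Client Error", 5: "Server Error"}

def status_class(code):
    """Classify a status code by its first digit, as the registry groups them."""
    return STATUS_CLASSES.get(code // 100, "Unknown")

def method_after_redirect(code, method):
    """Method to reissue with: 307 keeps it; most browsers reissue a 302 as GET, as the text notes."""
    return "GET" if code == 302 else method

SUSPICIOUS_UA = re.compile(r"<script|javascript:", re.IGNORECASE)

def user_agent_looks_injected(headers):
    """Flag a User-Agent value carrying script markup, the manipulation the text warns about."""
    return bool(SUSPICIOUS_UA.search(headers.get("user-agent", "")))
```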
HTTP Cookies
Another important HTTP feature an analyst needs to be aware of is the use of the HTTP cookies. Once an attacker has
access to the web browser cookies for a particular web site, the attacker has access to all the information that is stored in
the cookies.
An HTTP cookie is a small piece of data that is sent from the web server and stored in the user's web browser while the
user is browsing. Cookies are used by the web server to remember stateful information (such as items added in the
shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or
recording which pages were visited in the past). Cookies can also be used to remember arbitrary pieces of information that
were previously entered by the user in form fields such as name and address.
A web browser add-on, such as the Cookies Manager for Firefox (shown below), can be used to manage the Firefox
browser's cookies. In this example, one of the cookies for the cisco.com domain is the language preference, where it is
currently set to en (English).
Cookies are passed between the web server and web browser using the Set-Cookie HTTP header field in the HTTP
response, and the Cookie HTTP header in the HTTP request.
The web server sends the following to the web browser in the HTTP response header to create a cookie on the web
browser:
The web browser sends the cookie information back to the web server in the HTTP request header:
For example, the web browser sends its first HTTP request to www.example.org:
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: theme=light
Set-Cookie: sessionToken=abc123; Expires=Wed, 01 Jun 2020 10:00:00 GMT
The web browser sends another HTTP request to visit the ccna.html page on the website. This HTTP request contains the
two cookies that the web server instructed the web browser to set:
The sessionToken cookie is a piece of data that can be used by the web server to identify a particular session. By
examining the sessionToken cookie, the web server knows that this second HTTP request is related to the previous HTTP
request. The web server answers by sending the requested web page, and possibly including more Set-Cookie headers in
the HTTP response header in order to add new cookies, modify existing cookies, or delete cookies.
Many websites use cookies as identifiers for the user sessions. If a web site uses cookies as session identifiers, attackers
can impersonate users' requests by stealing, then using, the victims' cookies. From the web server's point of view, a request
from the attacker then has the same authentication as the victim's requests; thus the request is performed on behalf of the
victim's session.
For example, if unencrypted HTTP traffic that includes the cookies is intercepted on a network by an attacker using a man-
in-the-middle type attack, the attacker can use the intercepted cookies to impersonate a user and perform malicious tasks.
This problem can be resolved by securing the web server and web browser communications by using the HTTPS protocol
(HTTP over SSL/TLS) to encrypt the connection. The web server can specify a Secure flag while setting the cookies, which
will cause the web browser to send the cookies only over an encrypted connection.
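The following Python is an added example (not from the course) that parses the Set-Cookie headers from the response shown above, plus a constructed cookie carrying the Secure flag, and builds the Cookie request header a browser would send back, discarding expired cookies and withholding Secure cookies from plain HTTP. The authToken cookie and the two clock values are constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The two Set-Cookie values from the response above, plus a constructed cookie with the Secure flag.
RESPONSE_SET_COOKIES = [
    "theme=light",
    "sessionToken=abc123; Expires=Wed, 01 Jun 2020 10:00:00 GMT",
    "authToken=constructed-value; Secure; Path=/account",
]
# Constructed clock values: one before the sessionToken expiry, one after it.
BEFORE_EXPIRY = datetime(2016, 1, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2021, 1, 1, tzinfo=timezone.utc)

def parse_set_cookie(header):
    """Parse one Set-Cookie value into name, value and the attributes Expires, Domain, Path, Secure."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    cookie = {"name": name, "value": value, "expires": None, "domain": None, "path": "/", "secure": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            cookie["secure"] = True            # flag attribute, carries no value
        elif key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)
        elif key in ("domain", "path"):
            cookie[key] = val
    return cookie

def build_cookie_header(cookies, scheme, now, path="/"):
    """Return the Cookie header a browser would send for a request to `path` over `scheme`."""
    sent = []
    for c in cookies:
        if c["expires"] is not None and c["expires"] <= now:
            continue                           # expired: the browser discards it
        if c["secure"] and scheme != "https":
            continue                           # Secure cookies only travel over an encrypted connection
        if not path.startswith(c["path"]):
            continue                           # Path scopes the cookie to part of the site
        sent.append(f'{c["name"]}={c["value"]}')
    return "Cookie: " + "; ".join(sent) if sent else None
```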
HTTP Referer
Referer is another HTTP request header. The referer is the address of the previous web page from which a link to the
currently requested page was followed. For example, when a user clicks a link in a web page, the web browser sends an
HTTP request to the web server that is serving the destination web page. The HTTP request headers include the referer
header, which indicates the last page that the user was on (the page where the user clicked the link).
Note
The word “referer” has been misspelled in the RFC and in most implementations, so that it has become standard
usage and is now considered correct terminology.
The figure below shows an example of an HTTP GET request where the referer is http://www.cisco.com. In this example,
the user clicked a link from the www.cisco.com home page to access another web page.
The correct answers are "Cookie information is sent in the response header," "Cookie information is sent in the
request header," and "Cookie information is stored on the client’s browser."
• GET
• QUIT
• PUT
• HEAD
• FETCH
Which three are valid fields in the Set-Cookie HTTP header? (Choose three.)
• Expires
• Domain
• Session
• Encrypted
• Path