
4/24/2018 Understanding Cisco Cybersecurity Fundamentals

6.5 Understanding Network Applications

HTTP Operations

From the 2016 Cisco Annual Security Report, Cisco analyzed web traffic and determined that HTTPS requests have been
gradually (but significantly) increasing since January 2015. For example, 24% of the web requests in January 2015 used the
HTTPS protocol; the rest of them still used HTTP.

Security analysts should have a good understanding of the HTTP protocol operations since many attacks involve using
HTTP. Security analysts should be able to analyze traffic captures that contain HTTP traffic to identify anomalies in the
HTTP traffic.

HTTP Protocol Fundamentals


HTTP is a client/server protocol where the web browser is the client and the web server is the server. HTTP is a stateless
application layer protocol. The default port for HTTP is TCP port 80, but other ports can be used.

A client's web browser sends an HTTP request to the web server. An HTTP request has three parts:

https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/6/pages/5 1/10
• The HTTP request method, URI, and the HTTP protocol name and version

• The HTTP request headers are used to define the operating parameters of the HTTP transaction, and to provide
information about the client.

• The HTTP request body

The web server sends an HTTP response to the client’s web browser. An HTTP response has three parts:

• HTTP protocol name and version, and the status code. For example, a status code of 200 means the processing of the
HTTP request was successful.

• The HTTP response headers are used to define the operating parameters of the HTTP transaction, and to provide
information about the web server.

• The HTTP response body

URI and URL


The URI identifies a resource either by location, or a name, or both. The official register of URI scheme names is maintained
by IANA, at http://www.iana.org/assignments/uri-schemes. For each scheme, the RFC that defines the scheme is listed, for
example "http:" is defined in RFC 2616.

A URL is a subset of a URI that defines the location of a specific resource and how to retrieve it. The part that makes a URI
a URL is inclusion of the “access mechanism/protocol” or “network location,” such as http://, https://, and ftp://.

For example, the http://www.example.com/index.html URL will request the file that is named index.html in the root
directory of the www.example.com web server.

Below is an example of a URL and descriptions of each part of the URL.

http://www.example.cisco.com:80/video?docid=96673783583808&hl=en#00h01m15s

• Protocol: http (can also be https, ftp, and so on)

• Host: www.example.cisco.com

– Host (or Prefix) = www. Subdomain = example.cisco.com. Domain = cisco.com. Top-Level Domain = .com.

• Port: If the port is not specified, port 80 is assumed.

• Path: /video. Path typically refers to a file or location on the web server. You can think of a path as a directory structure.

• Parameters: ?docid=96673783583808&hl=en. The docid=96673783583808 parameter in this example references a
specific video file in the path. The hl=en parameter specifies the language, for example, setting the video subtitle to
English.

– URL parameters are also referred to as “query strings," which contain extra information in the form of key-value pairs
called parameters. URLs can have many parameters. Parameters start with a question mark (?) and are separated
with an ampersand (&).

– Fragment or named anchor: #00h01m15s. Typically the fragment is used to refer to an internal section within a web
document. In this case, the fragment means skip to 1 minute and 15 seconds into the video.

Some characters cannot be part of a URL (for example, a space), and some other characters have a special meaning in a
URL. URL encoding is used to deal with this problem; for example, a space can be encoded as a "+" sign or as "%20".


"%20" is the percent encoding for the binary octet "00100000", which in ASCII corresponds to the space character.

HTTP Request Methods


HTTP defines different request methods to indicate the desired action to be performed on the identified resource. The
common HTTP request methods include GET, HEAD, POST, PUT, and DELETE, to name a few.

• The GET method retrieves data from the specified resource.

• The HEAD method asks for a response identical to that of a GET request, but without the response body.

• The POST method creates data on the specified resource.

• The PUT method updates data on the specified resource.

• The DELETE method deletes the specified resource.

HTTP Request and Response Packets Capture Example


The figure below shows a screenshot from Wireshark showing details of HTTP packets. The client's HTTP GET requests
are shown in red, and the web server's responses are shown in blue. In this example, the client generated the HTTP GET
request using the wget command from a Linux host.


HTTP GET requests contain user agent information to help the web server identify the web browser and configuration of the
client. In this example, the user agent is wget/1.13-4(linux-gnu). The user agent information that is sent by the web
browser is used by the web server to identify the browser, the browser version, and the OS that the host is running on. The
user agent is one of the fields in the HTTP header section of HTTP request. HTTP header fields are used to define the
operating parameters of an HTTP transaction. A core set of the HTTP header fields is standardized in RFCs 7230, 7231,
7232, 7233, 7234, and 7235.

Web sites often include code to detect the web browser version and adjust the web page design according to the user agent
information that is received. Various web browsers have a feature to spoof their identification to force certain server-side
content. For example, the Firefox user agent changer add-on extension can be used to change the Firefox user agent.
Attackers often manipulate the user agents in their attacks, such as embedding a malicious script in the user agent string.

In the user agent string example that is shown below, the browser is Firefox version 48.0 running on Windows 7:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0

The user agent is one of the HTTP headers in the HTTP request. The other request headers in this example are Accept
(content-types that are acceptable for the response), Host (identifies the web server), and Connection (control option for the
connection). In this HTTP request example there is no HTTP request body; the request body is optional in an HTTP request.

Examining the web server's HTTP response in blue from the Wireshark screenshot, 200 is the OK status code. The HTTP
response headers include information about the web server and version (Apache/2.2.22), the content type (text/HTML), and
so on. The HTTP response body contains the requested web page:

It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.

The figure below shows the actual web page that is being requested in this example.
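The three-part structure of requests and responses described earlier, and the header fields picked out of the wget exchange above, can be recovered from the raw bytes with a short parser. The following is an added example, not code from the course: the two sample messages are constructed to resemble the capture in the figure (the server address is a placeholder from the documentation range), and the user-agent triage thresholds are assumptions for this example.

```python
# Constructed sample messages modelled on the wget exchange described in the
# text; the real capture is in the figure and is not reproduced here.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: wget/1.13-4(linux-gnu)\r\n"
    "Accept: */*\r\n"
    "Host: 192.0.2.10\r\n"            # placeholder server address (TEST-NET-1)
    "Connection: Keep-Alive\r\n"
    "\r\n"                             # blank line ends the headers; no body follows
)

RESPONSE_PAGE = (
    "<html><body><h1>It works!</h1>\n"
    "<p>This is the default web page for this server.</p>\n"
    "<p>The web server software is running but no content has been added, yet.</p>\n"
    "</body></html>\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22\r\n"
    "Content-Type: text/html\r\n"
    f"Content-Length: {len(RESPONSE_PAGE.encode())}\r\n"
    "\r\n" + RESPONSE_PAGE
)


def parse_http_message(raw):
    """Split an HTTP/1.x message into its three parts: start line, headers, body.
    Handles requests (method, URI, version) and responses (version, status, reason)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    words = lines[0].split(" ", 2)
    if words[0].startswith("HTTP/"):
        msg = {"type": "response", "version": words[0], "status": int(words[1]),
               "reason": words[2] if len(words) > 2 else ""}
    else:
        msg = {"type": "request", "method": words[0], "uri": words[1], "version": words[2]}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    msg["headers"] = headers
    msg["body"] = body
    return msg


def user_agent_looks_suspicious(user_agent, max_len=512):
    """Cheap triage check for the user-agent anomaly the text describes: browser
    and tool tokens never contain angle brackets, quotes or control characters,
    and they are short. The length limit is an assumption for this example."""
    if len(user_agent) > max_len or not user_agent.isprintable():
        return True
    return any(ch in user_agent for ch in "<>\"'")
```

A user agent that fails this check is worth a look in the full capture, and a tool name such as wget appearing where only browsers are expected is itself a useful pivot for an analyst.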

HTTP Status Codes


The HTTP server responses are classified by a numerical status code. Status codes indicate the reasons behind successful
and failed HTTP requests. The IANA maintains the official registry of the HTTP status codes.

Status codes starting with 1xx are Informational, 2xx are Success, 3xx are Redirection, 4xx are Client Error, and 5xx are
Server Error.

Common status codes include the following:

• 100 = Continue: The server has received the request headers and the client should proceed to send the request body
(in the case of a request for which a body needs to be sent; for example, a POST request).

• 200 = OK: The processing of the request that was sent by the client was successful.

• 301 = Moved Permanently: The resource has permanently moved to a different URI.

• 302 = Found: The requested resource resides temporarily under a different URI. The client is invited by a response with
this code to make a second, otherwise identical, request to the new URL specified in the location field. However, many
web browsers implemented the 302 status code in a manner that violates the HTTP/1.0 specification, changing the
request type of the new request. Therefore, one of the other status codes that was added with the HTTP/1.1
specification is status code 307.

• 307 = Temporarily Moved: The request should be repeated with another URI; however, future requests should still use
the original URI. The 307 status code indicates to the client that the request method should not be changed when reissuing
the original request. For example, a POST request should be repeated using another POST request.

• 401 = Unauthorized (Authentication Required): The request first requires authentication with the server.

• 403 = Forbidden: Access is denied.

• 404 = Not Found: The server cannot find the requested URI.

• 407 = Proxy Authentication Required: The request first requires authentication with the proxy.

• 500 = Internal Server Error: This generic web server error message is given when an unexpected condition is
encountered and no more specific message is suitable.
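The status classes and the 302/307 distinction above are what an analyst applies when reading a server access log. The following is an added example (not part of the course): it parses constructed Apache-style log lines (addresses from the documentation ranges), tallies status classes per client, and flags clients whose responses are mostly client errors. The flagging thresholds and the 302-becomes-GET browser behaviour are assumptions stated in the comments.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache common log format; addresses are
# placeholders from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.5 - - [24/Apr/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.5 - - [24/Apr/2018:10:00:02 +0000] "GET /ccna.html HTTP/1.1" 200 1024
192.0.2.5 - - [24/Apr/2018:10:00:03 +0000] "GET /old-page HTTP/1.1" 302 0
198.51.100.7 - - [24/Apr/2018:10:00:04 +0000] "GET /admin HTTP/1.1" 404 210
198.51.100.7 - - [24/Apr/2018:10:00:04 +0000] "GET /reports HTTP/1.1" 404 210
198.51.100.7 - - [24/Apr/2018:10:00:05 +0000] "GET /private/ HTTP/1.1" 403 199
198.51.100.7 - - [24/Apr/2018:10:00:05 +0000] "GET /archive HTTP/1.1" 404 210
198.51.100.7 - - [24/Apr/2018:10:00:06 +0000] "GET /api/ HTTP/1.1" 401 150
198.51.100.7 - - [24/Apr/2018:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [24/Apr/2018:10:00:07 +0000] "POST /form HTTP/1.1" 500 300
203.0.113.9 - - [24/Apr/2018:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


def status_class(code):
    """Map a status code to the class denoted by its first digit."""
    return STATUS_CLASSES.get(code // 100, "Unknown")


def follow_up_method(status, method):
    """Method a client uses when following a redirect, per the 302/307 note in
    the text: 307 keeps the original method; for 301/302 most browsers reissue
    anything other than GET/HEAD as GET (assumed common behaviour)."""
    if status == 307:
        return method
    if status in (301, 302):
        return method if method in ("GET", "HEAD") else "GET"
    return None   # not a redirect this helper knows about


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def per_client_classes(entries):
    """Count status classes per client address."""
    table = defaultdict(Counter)
    for e in entries:
        table[e["ip"]][status_class(e["status"])] += 1
    return table


def noisy_clients(entries, min_requests=5, error_ratio=0.6):
    """Clients whose share of 4xx responses is high enough to review. A run of
    403/404 from one address is a common sign of requests for content that does
    not exist or is not allowed; thresholds are assumptions for this example."""
    flagged = []
    for ip, counts in per_client_classes(entries).items():
        total = sum(counts.values())
        if total >= min_requests and counts["Client Error"] / total >= error_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

The minimum-request floor matters: a single 404 from a user who mistyped a link is noise, whereas a sustained high error share from one address deserves a look at the URIs that address requested.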

HTTP Cookies
Another important HTTP feature an analyst needs to be aware of is the use of the HTTP cookies. Once an attacker has
access to the web browser cookies for a particular web site, the attacker has access to all the information that is stored in
the cookies.

An HTTP cookie is a small piece of data that is sent from the web server and stored in the user's web browser while the
user is browsing. Cookies are used by the web server to remember stateful information (such as items added in the
shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or
recording which pages were visited in the past). Cookies can also be used to remember arbitrary pieces of information that
were previously entered by the user in form fields such as name and address.

A web browser add-on, such as the Cookies Manager for Firefox (shown below), can be used to manage the Firefox
browser's cookies. In this example, one of the cookies for the cisco.com domain is the language preference, where it is
currently set to en (English).


Cookies are passed between the web server and web browser using the Set-Cookie HTTP header field in the HTTP
response, and the Cookie HTTP header in the HTTP request.

The web server sends the following to the web browser in the HTTP response header to create a cookie on the web
browser:

Set-Cookie: <name>=<value>[; <name>=<value>]...
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; httponly]

The web browser sends the cookie information back to the web server in the HTTP request header:

Cookie: <name>=<value> [;<name>=<value>]...

For example, the web browser sends its first HTTP request to www.example.org:

GET /index.html HTTP/1.1
Host: www.example.org

The web server responds with two Set-Cookie headers:


HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: theme=light
Set-Cookie: sessionToken=abc123; Expires=Wed, 01 Jun 2020 10:00:00 GMT

The web browser sends another HTTP request to visit the ccna.html page on the website. This HTTP request contains the
two cookies that the web server instructed the web browser to set:

GET /ccna.html HTTP/1.1
Host: www.example.org
Cookie: theme=light; sessionToken=abc123

The sessionToken cookie is a piece of data that can be used by the web server to identify a particular session. By
examining the sessionToken cookie, the web server knows that this second HTTP request is related to the previous HTTP
request. The web server answers by sending the requested web page, and possibly including more Set-Cookie headers in
the HTTP response header in order to add new cookies, modify existing cookies, or delete cookies.

Many websites use cookies as identifiers for the user sessions. If a web site uses cookies as session identifiers, attackers
can impersonate users' requests by stealing, then using, the victims' cookies. From the web server's point of view, a request
from the attacker then has the same authentication as the victim's requests; thus the request is performed on behalf of the
victim's session.

For example, if unencrypted HTTP traffic, including the cookies, on a network is intercepted by an attacker using a
man-in-the-middle type attack, the attacker can use the intercepted cookies to impersonate a user and perform malicious
tasks. This problem can be resolved by securing the web server and web browser communications by using the HTTPS
protocol (HTTP over SSL/TLS) to encrypt the connection. The web server can specify a Secure flag while setting the
cookies, which will cause the web browser to send the cookies only over an encrypted connection.
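The Set-Cookie syntax, the www.example.org exchange, and the effect of the Secure flag can all be exercised with a small browser-side cookie store. The following is an added example, not the course's own code: it parses Set-Cookie attributes, rebuilds the Cookie request header for a given URL, and shows that the same sessionToken is withheld from a plain http:// request once the server sets Secure. The hardened response headers are constructed for this example, and Expires is parsed but not enforced.

```python
from urllib.parse import urlsplit

# Constructed sample: the two Set-Cookie headers from the exchange in the text,
# plus a hardened variant of the same response for comparison.
RESPONSE_HEADERS = [
    ("Content-type", "text/html"),
    ("Set-Cookie", "theme=light"),
    ("Set-Cookie", "sessionToken=abc123; Expires=Wed, 01 Jun 2020 10:00:00 GMT"),
]
HARDENED_HEADERS = [
    ("Content-type", "text/html"),
    ("Set-Cookie", "theme=light"),
    ("Set-Cookie", "sessionToken=abc123; Expires=Wed, 01 Jun 2020 10:00:00 GMT; Secure; HttpOnly"),
]


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value: name=value followed by the attributes listed
    in the text (expires, domain, path, secure, httponly)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "expires": None,
              "domain": None, "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("expires", "domain", "path"):
            cookie[key] = val.strip()
        elif key in ("secure", "httponly"):
            cookie[key] = True      # flag attributes carry no value
    return cookie


class CookieJar:
    """Minimal browser-side cookie store that applies Domain, Path and Secure
    when deciding which cookies to send."""

    def __init__(self):
        self.cookies = {}   # (domain, path, name) -> cookie dict

    def store(self, response_headers, request_host):
        """Process every Set-Cookie header of a response received from request_host."""
        for name, value in response_headers:
            if name.lower() != "set-cookie":
                continue
            c = parse_set_cookie(value)
            c["domain"] = (c["domain"] or request_host).lstrip(".").lower()
            self.cookies[(c["domain"], c["path"], c["name"])] = c

    def cookie_header(self, url):
        """Build the Cookie request header value for a request to url."""
        parts = urlsplit(url)
        host, path = parts.hostname.lower(), parts.path or "/"
        sent = []
        for c in self.cookies.values():
            if host != c["domain"] and not host.endswith("." + c["domain"]):
                continue
            if not path.startswith(c["path"]):
                continue
            if c["secure"] and parts.scheme != "https":
                continue     # Secure flag: the cookie never travels over plain HTTP
            sent.append(f"{c['name']}={c['value']}")
        return "; ".join(sent)


def missing_cookie_protections(set_cookie_value):
    """Flags a reviewer checks on a session cookie: Secure (only sent over an
    encrypted connection, as the text explains) and HttpOnly (not readable by
    page scripts, which limits what a script injected into the page can take)."""
    c = parse_set_cookie(set_cookie_value)
    missing = []
    if not c["secure"]:
        missing.append("Secure")
    if not c["httponly"]:
        missing.append("HttpOnly")
    return missing
```

Running missing_cookie_protections over the Set-Cookie headers in a capture is a quick way to find session cookies that would still be exposed on any plain-HTTP request, even on a site that mostly uses HTTPS.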

HTTP Referer
Referer is another HTTP request header. The referer is the address of the previous web page from which a link to the
currently requested page was followed. For example, when a user clicks a link in a web page, the web browser sends an
HTTP request to the web server that is serving the destination web page. The HTTP request headers include the referer
header, which indicates the last page that the user was on (the page where the user clicked the link).

Note

The word “referer” has been misspelled in the RFC and in most implementations, so that it has become standard
usage and is now considered correct terminology.

The figure below shows an example of an HTTP GET request where the referer is http://www.cisco.com. In this example,
the user clicked a link from the www.cisco.com home page to access another web page.


Content Review Question

Which three are important distinctions of HTTP? (Choose three.)

Cookie information is sent in the URL.

Cookie information is sent in the URI.

Cookie information is sent in the response header.

Cookie information is sent in the request header.

Cookie information is sent in the request body.

Cookie information is sent in the response body.

Cookie information is sent via the response codes.

Cookie information is always private and encrypted.

Cookie information is stored on the client’s browser.


Answer


The correct answers are "Cookie information is sent in the response header," "Cookie information is sent in the
request header," and "Cookie information is stored on the client’s browser."

Content Review Question

Match the server response codes with the proper description.

Request was successful 200

Resource moved permanently 301

Requires authentication with server 401

Access denied 403

Not found 404

Proxy Authentication Required 407


Content Review Question

Which three are valid HTTP request methods? (Choose three.)

GET

QUIT

PUT

HEAD


FETCH


Answer

The correct answers are "GET," "PUT," and "HEAD."

Content Review Question

Which three are valid fields in the Set-Cookie HTTP header? (Choose three.)

Expires

Domain

Session

Encrypted

Path


Answer

The correct answers are "Expires," "Domain," and "Path."

