preamble
Lately I have kept thinking that I should not stop here, but I am aware of how slowly I am progressing and feel somewhat lost, so I am throwing away my own earlier review and starting over, beginning with the status codes.
Since I am a bit obsessive, I will also write up all the packet formats and related details together here, by the way.
Request data format
Four parts:
- request line
- request headers
- blank line
- request body (data)
request line
The first line of every request is the request line, in the following format:
Request method + space + URI + space + protocol/version
Example: GET / HTTP/1.1
Request method
Commonly used:
GET, POST, HEAD,
PUT, PATCH, OPTIONS,
DELETE, CONNECT, TRACE
The most commonly used: GET, POST
POST vs. GET
GET is normally used to fetch a resource; the name says as much. Its parameters travel in the URL query string, so they show up in the address bar, browser history, Referer headers and server logs.
POST is normally used to submit data, but it can also be used to fetch resources. Its data travels in the request body rather than the address bar, which makes it less visible, not more secure: the body is just as readable to anyone who can see the request (a proxy, a packet capture, or an attacker on the path if TLS is not used).
HEAD
Same as GET, except that the server sends back only the headers, not the response body. Useful for checking whether a resource exists or how large it is without downloading it.
PUT
Uploads content to the specified resource location, replacing it wholesale; mainly used for uploading files and full updates of a resource.
PATCH
Partial update of a resource.
DELETE
Asks the server to delete the resource identified by the request URI.
CONNECT
Asks a proxy to open a tunnel to the target host and then relay raw bytes in both directions; this is how HTTPS is carried through an HTTP proxy.
OPTIONS
Asks the server which HTTP methods this resource supports. The answer is usually in the Allow response header; browsers also use OPTIONS for CORS preflight requests.
TRACE
Echoes the received request back to the client, mainly for testing or diagnostics. Because the echo includes the request headers (cookies and Authorization included), it is normally disabled on production servers.
request header
Accept
Lists the MIME types the client is willing to receive, e.g.
text/html,application/xhtml+xml,application/xml;q=0.9
The part before the slash is the type and the part after it the subtype;
q is the quality weight (0 to 1), e.g. application/xml;q=0.9 above.
It says the client prefers this type with weight 0.9; if no q is given the weight defaults to 1.
Referer
Used for hotlink protection and as a CSRF check.
The server checks whether the Referer belongs to a whitelisted origin and otherwise rejects the request as arriving empty-handed. For example, if you jump directly from site xxx to a Baidu admin page and that page restricts access by Referer, the jump fails. Caveat: the Referer is set by the client and can be omitted or forged with any HTTP client (and browsers strip it under some Referrer-Policy settings), so it is only a weak defense; CSRF tokens and SameSite cookies are the primary control.
User-Agent
Carries information about the client itself: browser type and version, operating system, and so on.
Some servers store or look up the UA in a database, so the UA header can be an SQL injection vector just like any other attacker-controlled header.
Host
Domain name or IP (plus optional port) of the server; required in HTTP/1.1 because one IP address may serve many virtual hosts.
X-Forwarded-For
XFF for short. Servers behind a proxy or load balancer use it to learn the client's real IP, but it is ordinary request data: a client can add or modify it to spoof its address, so a server must only trust the XFF values appended by its own proxy layer.
Content-Type
Three common formats:
- application/x-www-form-urlencoded
Ordinary key=value&key=value parameters, percent-encoded.
- multipart/form-data
Each field is a separate part delimited by a boundary string; mainly used for file uploads.
- application/json
The body is a JSON document, e.g.
{"id":1, "name": "whoisdhan"}
Content-Length
Number of bytes in the body.
(Mishandling of this value has led to overflow vulnerabilities in middleware, such as the 2024 Tomcat overflow vulnerability.)
Transfer-Encoding
Used when the body length is not known in advance.
Transfer-Encoding: chunked
The body is sent as a series of chunks, each prefixed by its length in hex and terminated by a zero-length chunk. When this header is present Content-Length must be ignored (RFC 7230 says a server must either strip it or reject the message); a front end and back end that disagree on which header to honor is the basis of HTTP request smuggling.
Chunked encoding can also sometimes bypass a WAF that only inspects Content-Length-framed bodies.
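As an added example (not code from the original post), here is a small HTTP/1.1 request parser in Python that splits the four parts described above and decides the body length from Content-Length or Transfer-Encoding: chunked. The three sample requests are constructed for this example; rejecting a request that carries both headers is this example's policy, the one a strict front end should also apply.

```python
# Added example, not from the original post. Parses an HTTP/1.1 request into
# request line, headers, body, and shows how the body is framed.
# Sample requests below are constructed for this example.

def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked body: <hex size>\r\n<chunk>\r\n ... 0\r\n\r\n."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last chunk; trailers (if any) are ignored here
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("malformed chunk")
        out += chunk
        pos += size + 2


def parse_request(raw: bytes) -> dict:
    """Split request line / headers / blank line / body and frame the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("header line without a colon")
        # keep duplicates: two Content-Length values is itself a smuggling signal
        headers.setdefault(name.decode("ascii").strip().lower(), []).append(
            value.decode("latin-1").strip())

    codings = [c.strip().lower()
               for v in headers.get("transfer-encoding", []) for c in v.split(",")]
    lengths = headers.get("content-length", [])
    if codings and lengths:
        # RFC 7230 3.3.3: Transfer-Encoding wins, but a front end that honours
        # Content-Length instead would desync from us, so refuse to guess.
        raise ValueError("both Content-Length and Transfer-Encoding (possible request smuggling)")
    if codings:
        if codings != ["chunked"]:
            raise ValueError("only a single chunked coding is supported")
        payload = decode_chunked(body)
    elif lengths:
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            raise ValueError("ambiguous or malformed Content-Length")
        n = int(lengths[0])
        if len(body) < n:
            raise ValueError("body shorter than Content-Length")
        payload = body[:n]
    else:
        payload = b""  # no body (the normal case for GET)
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": payload}


def is_rejected(raw: bytes) -> bool:
    """True if parse_request refuses the message (helper for the checks below)."""
    try:
        parse_request(raw)
    except ValueError:
        return True
    return False


# Constructed sample requests (not captured traffic)
FORM_REQ = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
            b"username=admin&password=123")
CHUNKED_REQ = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n"
               b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
# Both headers present: a classic CL.TE desync probe
SMUGGLE_REQ = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")

if __name__ == "__main__":
    for name, req in (("form", FORM_REQ), ("chunked", CHUNKED_REQ), ("smuggle", SMUGGLE_REQ)):
        try:
            r = parse_request(req)
            print(name, r["method"], r["target"], r["body"])
        except ValueError as e:
            print(name, "rejected:", e)
```

The parser keeps every header value it sees instead of collapsing duplicates, so a second Content-Length or a Transfer-Encoding next to a Content-Length is visible to the caller rather than silently resolved; that is exactly the ambiguity a WAF or front-end proxy must not resolve differently from the origin.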
Cookie
Carries client state: session identifiers, tokens and other authentication material, so it is central to both security and connection state.
Connection
Keep-Alive means a persistent (long-lived) connection: the TCP connection stays open for a while so that several requests can reuse it. This is the default in HTTP/1.1.
Close means the connection is closed after this exchange, one request per connection, which was the HTTP/1.0 behaviour.
Accept-Encoding
Lists the content encodings (compression methods, e.g. gzip, br) the client supports, if any.
Compression makes transfers more efficient; otherwise a large page would take much longer to transmit each time.
Accept-Language
Difference between language and character set: Chinese is a language, and Chinese text can be encoded in several character sets, such as big5, gb2312 and gbk.
Upgrade-Insecure-Requests
Sent by the browser (value 1) to tell the server it would prefer the HTTPS version of the page. A site that serves both http and https can then answer with a redirect to https instead of an error. The related CSP directive upgrade-insecure-requests makes the browser itself rewrite http:// subresource URLs to https://.
That is why a request sent to http sometimes ends up at https automatically.
Cache-Control
Controls caching.
- Common values: private, no-cache, max-age, must-revalidate, and so on. (There is no default value; if the header is absent the browser applies its own heuristic freshness rules.)
The part that matters most in practice is what happens when you revisit a page. The classic rule-of-thumb table (exact behaviour differs between browsers):
- 1. Open a new window
With private, no-cache or must-revalidate, the server is contacted again every time the page is opened in a new window. With max-age (in seconds), the server is not contacted again within that period.
Example:
Cache-control: max-age=5
(If the page is requested again within 5 seconds, the browser does not go to the server.)
- 2. Enter the URL in the address bar
With private or must-revalidate, the server is contacted only on the first visit, not on later ones.
With no-cache, the server is contacted every time.
With max-age, repeat requests are avoided until the value expires.
- 3. Press the back button
With private, must-revalidate or max-age, the server is not contacted.
With no-cache, the server is contacted every time.
- 4. Press the refresh button
Whatever the value, the server is contacted again.
If-Modified-Since
Modified means changed.
The browser sends the Last-Modified time of its cached copy to the server, which compares it with the modification time of the actual file.
- If the file has not changed since then, the server returns 304 with no body and the browser uses the copy from its last GET.
- If it has changed, the server returns 200 with the new content and the old cache entry is replaced.
If-None-Match
Match in the sense of compare.
Used together with ETag.
How it works:
The server sends an ETag (an opaque validator for the current version of the resource) in its response; the browser stores it and on the next request sends
If-None-Match: <the stored ETag value>
When the server receives it, it compares it with the current ETag: if they differ it returns 200 and the new file.
Otherwise it returns 304 and lets the browser use its local copy. When both If-None-Match and If-Modified-Since are sent, the server evaluates If-None-Match and ignores the date.
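Both sides of the If-None-Match / If-Modified-Since exchange, as an added example written for this post (not the author's code): a toy origin that emits ETag and Last-Modified and answers conditional GETs, plus a client that caches the first response and revalidates on later requests. The resource content and timestamps are constructed; deriving the ETag from a hash of the body is one of several valid ways to build a validator and is an assumption of this example.

```python
# Added example, not from the original post: a toy origin server and caching
# client exercising If-None-Match (ETag) and If-Modified-Since.
import hashlib
from email.utils import formatdate, parsedate_to_datetime


class Origin:
    """Holds one resource and answers conditional GETs for it."""

    def __init__(self, body: bytes, mtime: int):
        self.body = body
        self.mtime = mtime  # Unix seconds; Last-Modified has 1 s resolution

    def etag(self) -> str:
        # Strong validator derived from the content (assumption of this example;
        # real servers often combine inode, size and mtime instead).
        return '"%s"' % hashlib.sha256(self.body).hexdigest()[:16]

    def handle(self, req_headers: dict) -> tuple[int, dict, bytes]:
        resp_headers = {"ETag": self.etag(),
                        "Last-Modified": formatdate(self.mtime, usegmt=True)}
        inm = req_headers.get("If-None-Match")
        if inm is not None:
            # RFC 7232: when If-None-Match is present, If-Modified-Since is ignored
            tags = [t.strip() for t in inm.split(",")]
            if "*" in tags or self.etag() in tags:
                return 304, resp_headers, b""
            return 200, resp_headers, self.body
        ims = req_headers.get("If-Modified-Since")
        if ims is not None:
            try:
                since = parsedate_to_datetime(ims).timestamp()
            except (TypeError, ValueError):
                since = None  # unparsable date: the condition is ignored
            if since is not None and self.mtime <= since:
                return 304, resp_headers, b""
        return 200, resp_headers, self.body


class CachingClient:
    """Caches the last 200 response and revalidates with both validators."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.cached = None  # (response headers, body) of the last 200

    def get(self) -> tuple[int, bytes]:
        req = {}
        if self.cached is not None:
            req["If-None-Match"] = self.cached[0]["ETag"]
            req["If-Modified-Since"] = self.cached[0]["Last-Modified"]
        status, hdrs, body = self.origin.handle(req)
        if status == 304:
            return 304, self.cached[1]  # body taken from the local cache
        self.cached = (hdrs, body)
        return status, body


def run_demo() -> list:
    """First fetch, revalidation, change on the server, re-fetch, revalidation."""
    origin = Origin(b"<h1>v1</h1>", 1700000000)  # constructed resource
    client = CachingClient(origin)
    results = [client.get(), client.get()]
    origin.body, origin.mtime = b"<h1>v2</h1>", 1700000100  # resource changes
    results += [client.get(), client.get()]
    return results


if __name__ == "__main__":
    for status, body in run_demo():
        print(status, body)
```

The sequence returned by run_demo() is 200, 304, 200, 304: a 304 never carries a body, so the client must already hold the bytes it is going to use, which is why the client stores the full 200 response and not just the validators.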
blank line
Separates the request line and headers from the body.
Response Data Format
response line
Protocol/version + space + status code + space + reason phrase
Example: HTTP/1.1 200 OK
status code
five categories
1xx Informational - the request has been received by the server, continue processing
2xx Success - the request has been successfully received, understood and accepted by the server
3xx Redirection - a further action is required to complete the request
4xx Client Error - the request contains a syntax error or cannot be fulfilled
5xx Server Error - an error occurred while the server was trying to process the request. These are errors in the server itself, not in the request
Common Status Codes
- Beginning of 1 (informational)
100 (Continue) The request headers were accepted; the client may go on and send the body.
101 (Switching Protocols) The server agrees to switch to the protocol named in the Upgrade header (e.g. WebSocket).
- Beginning of 2 (success)
200 (OK) The server processed the request successfully.
201 (Created) The request succeeded and a new resource was created, e.g. subscribing to a collection can be done with the
202 (Accepted) The request has been accepted for processing but is not yet complete.
204 (No Content) The request succeeded but there is no body to return. Vulnerability scanners often misreport a 204 as a finding.
- Beginning of 3 (redirection)
301 (Moved Permanently) The resource has been assigned a new URL, given in the Location header; clients and caches may remember it.
302 (Found) A temporary redirect, e.g. during server maintenance, or to bounce unauthenticated users away from a backend page. When testing, read the body of a 302 as well: an application that redirects to the login page but still renders the protected content underneath has not actually enforced the check.
303 (See Other) Similar to 301 and 302, but it says explicitly that the new document (in the Location header) should be fetched with GET even if the original request was POST. New in HTTP/1.1; in practice 302 is used more often.
304 (Not Modified) The resource has not changed since the last request; this is the code returned for the If-Modified-Since / If-None-Match checks above.
- Beginning of 4 (client error)
400 (Bad Request) The server cannot parse the request, usually because of malformed syntax.
401 (Unauthorized) The request needs HTTP authentication: the client did not supply valid credentials in the Authorization header for a protected page. Common when brute-forcing or enumerating API endpoints.
403 (Forbidden) The server understood the request but refuses to authorize it.
404 (Not Found) The server cannot find the requested resource.
405 (Method Not Allowed) The request method is not allowed for this resource; the Allow response header lists the methods that are, so try another one.
406 (Not Acceptable) The server cannot produce a representation matching the MIME types in the client's Accept header.
- Beginning of 5 (server error)
500 (Internal Server Error) The server hit an unexpected error, possibly a bug in the web application or a temporary crash.
501 (Not Implemented) The server does not support a feature required by the request, for example an unrecognized method.
502 (Bad Gateway) The server, acting as a gateway or proxy, received an invalid response from an upstream server.
503 (Service Unavailable) The server is down for maintenance or overloaded and cannot respond properly (no need to panic when you see this, as long as nobody is calling you).
504 (Gateway Timeout) The gateway or proxy did not get a timely response from upstream.
505 (HTTP Version Not Supported) The server does not support the HTTP version used in the request.
506 (Variant Also Negotiates) An internal server configuration error in content negotiation.
507 (Insufficient Storage) A WebDAV status: the server cannot store the representation needed to complete the request.
response header
Date
Server time at which the response was generated
Date: Mon, 09 Dec 2024 06:40:25 GMT
The time is always expressed in GMT (UTC), whatever the server's local time zone.
Server
Name and version of the web server software; it just tells the client what is on the other side.
X-Powered-By
Reveals the language or framework the site is built with (e.g. PHP, Express).
Note: it is not emitted by Apache or Nginx themselves but by the application layer behind them.
Keep an eye on both headers during a pentest; they are fingerprints. From the defender's side, remove or neutralize them.
Expires
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Tells the client that the cached copy may be used directly until this time (a date in the past, as here, means "already expired").
Because it is an absolute time it is subject to clock skew between server and client.
Cache-Control: max-age=* is more accurate because it is a relative time, and it takes precedence over Expires when both are present.
Cache-Control
Cache-Control: private The response may be stored only in the user's own browser cache, not in a shared (proxy/CDN) cache.
Cache-Control: public Both the browser and intermediate cache servers may store it.
Cache-Control: must-revalidate Once the cached copy is stale it must be revalidated with the origin server before being reused.
Cache-Control: no-cache The response may be stored, but must be revalidated with the server before every reuse (despite the name, it does not forbid caching).
Cache-Control: max-age=10 Tells the browser the copy is fresh for 10 seconds; within that time it is served from the cache without contacting the server.
Cache-Control: no-store Neither request nor response may be written to any cache or to disk; this is the directive to use for pages containing secrets.
Pragma
An HTTP/1.0 header kept for backward compatibility. On a request it says "do not give me a cached copy, give me the latest response"; pragma:no-cache is equivalent to cache-control:no-cache.
pragma:no-cache
Connection
Connection: close Indicates disconnection after this response is complete
Content-Type
Content-Type: text/html;charset=UTF-8 Tells the client the media type of the body and its character encoding: decode the bytes as UTF-8, then parse the result as HTML.
If the page renders as garbage, capture the response and check or modify the charset in this header. Conversely, if the header is missing or wrong, browsers may sniff the content and treat an uploaded "image" as HTML; X-Content-Type-Options: nosniff turns that sniffing off.
Content-Length
Data size of the response body (in byte units)
Set-Cookie
The server sets a cookie; the browser stores it and sends it back in the Cookie header on later requests. The attributes matter for security: HttpOnly (not readable by JavaScript), Secure (sent only over HTTPS) and SameSite (limits cross-site sending, which helps against CSRF).
Strict-Transport-Security (HSTS)
Tells the browser that this host must only be accessed over HTTPS; plain HTTP is not allowed.
Strict-Transport-Security: max-age=172800; includeSubDomains
Explanation:
- max-age=172800: for 172800 seconds (two days) after receiving this header, the browser rewrites every http:// request to this domain to https:// before sending it, and refuses to click through certificate errors.
- includeSubDomains is optional; if present, the rule also applies to all subdomains of the site during that period.
The header is only honored when received over HTTPS, so the very first plain-HTTP visit is still exposed; that gap is what the browser preload list closes.
X-Frame-Options
Any site can load your page in an iframe unless you say otherwise; adding X-Frame-Options stops the bad guys' site from framing yours (clickjacking).
Add the X-Frame-Options response header in the web server configuration. It takes one of three values:
(1) DENY: the page may not be embedded in any iframe or frame.
(2) SAMEORIGIN: the page may only be framed by pages from the same origin.
(3) ALLOW-FROM uri: may only be framed by the specified origin. Current browsers ignore this value, so it offers no protection; use the Content-Security-Policy frame-ancestors directive instead, which covers all three cases.
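An added example (not code from the original post) that audits the response headers covered above from a captured response: fingerprint leakage via Server and X-Powered-By, the HSTS max-age and includeSubDomains directives, and the X-Frame-Options value. The two responses and the one-year max-age threshold are this example's assumptions.

```python
# Added example, not from the original post: audit the security-relevant
# response headers discussed above in a captured HTTP response.
# Sample responses and the HSTS threshold are assumptions of this example.

HSTS_MIN_AGE = 31536000  # one year (the minimum the HSTS preload list asks for)


def parse_response(raw: bytes) -> tuple[int, dict, bytes]:
    """Status code, lower-cased header map, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line after headers")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # "HTTP/1.1 200 OK"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_headers(headers: dict) -> list:
    findings = []
    for h in ("server", "x-powered-by"):
        if h in headers:
            findings.append("fingerprint: %s discloses %r" % (h, headers[h]))

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        directives = {}
        for part in hsts.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value.strip()
        age = directives.get("max-age", "")
        if not age.isdigit():
            findings.append("hsts max-age missing or malformed")
        elif int(age) < HSTS_MIN_AGE:
            findings.append("hsts max-age %s is below %d" % (age, HSTS_MIN_AGE))
        if "includesubdomains" not in directives:
            findings.append("hsts does not cover subdomains")

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("missing x-frame-options (page can be framed)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete; browsers ignore it, so the page is framable
        findings.append("x-frame-options %r is not DENY/SAMEORIGIN" % xfo)
    return findings


def audit(raw: bytes) -> list:
    return check_headers(parse_response(raw)[1])


# Constructed responses, not captured from any real server
WEAK = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: PHP/7.4.3\r\n"
        b"Strict-Transport-Security: max-age=172800\r\n"
        b"X-Frame-Options: ALLOW-FROM https://example.test\r\n"
        b"Content-Type: text/html;charset=UTF-8\r\n\r\n<html></html>")
HARDENED = (b"HTTP/1.1 200 OK\r\n"
            b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            b"X-Frame-Options: DENY\r\n"
            b"Content-Type: text/html;charset=UTF-8\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(raw) or ["no findings"])
```

Run against the WEAK response it reports five findings (two fingerprints, a short HSTS max-age, no includeSubDomains, and an ALLOW-FROM value that browsers ignore); the HARDENED response reports none. The checks are deliberately plain string handling so they can be pasted into a Burp extension or a CI test without dependencies.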
X-UA-Compatible
This response header exists mainly to deal with IE8 rendering-mode compatibility issues.
-
IE=Edge,chrome=1:
IE=Edge tells Internet Explorer to render the page in its newest available mode (the "edge" mode, not the Edge browser); chrome=1 renders the site with Google Chrome Frame on clients that have it installed and does nothing otherwise. Many Chinese dual-core browsers embed a Chromium engine, so it is often recommended to add it by default.
blank line
Separates the response line and headers from the response body.
Response body
Not much to say here: whatever the server sends is what you get.
That is the end of the article; thank you for reading my humble writing!