Getting To Know: How Hackers Use The HTTP Protocol To Hack Your Website

The Hypertext Transfer Protocol (HTTP) is how computers on the World Wide Web communicate with each other.  It is used by all of today’s websites.  Although it is not constrained to using TCP/IP, the Internet Protocol Suite is its most popular implementation.  HTTP only assumes a reliable transport, so it can be used on any other protocol or network that provides one.

HTTP uses a message-based model where a client sends a request message and the server returns a response message.  HTTP uses the TCP protocol as its transport mechanism.

Both HTTP request and response messages consist of one or more headers each on a separate line.  A typical HTTP request is shown below.

    GET /home/course1 HTTP/1.1
    Accept: image/gif, image/jpeg, application/x-shockwave-flash, application/msword, */*
    Referer: http://twitter.com/365security
    Accept-Language: en-gb, en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)
    Host: www.365computersecuritytraining.com
    Cookie: lang=en; JSESSIONID=0000123456789ABCD

The first line of every HTTP request consists of three items:

  • The HTTP method:  The most commonly used methods are GET and POST.  Although there are numerous methods, these two are the ones most commonly used by attackers.  The GET method requests resources from the server.
  • The requested URL:  Resources to be accessed by HTTP are identified using Uniform Resource Locators (URLs).  In this case the client wishes to go to /home/course1.
  • The HTTP version used:  The only versions in common use are 1.0 and 1.1.

Other interesting items in the HTTP request include:

  • The Accept header, used to tell the server what types of files the browser will accept.
  • The Referer header indicates the URL from which the request originated.
  • The User-Agent header provides information about the browser or software that generated the request.
  • The Host header specifies the hostname being accessed.
  • The Cookie header submits additional parameters that the server has issued to the client.

In addition to the GET and POST methods, the HTTP protocol supports other methods that are useful to a potential attacker.  These include:

  • HEAD – functions similarly to a GET request and can be used to check whether a resource is present.
  • TRACE – can be used to detect the effect of any proxies between the client and server that may manipulate the request, and can sometimes be used as part of an attack against other website users.
  • PUT – if enabled, attackers may be able to upload malicious programs that can be executed on the server.
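
The request structure and method list above can be checked mechanically on the server side. The following Python code is an added example, not code from the original article: it parses a raw HTTP/1.x request into the three request-line items and its headers, then flags the TRACE and PUT methods for review. The function names, the findings text and the sample requests are assumptions constructed for illustration.

```python
# Added example: parse a raw HTTP/1.x request and flag methods worth reviewing.
RISKY_METHODS = {
    "TRACE": "echoes the request back; normally disabled on public servers",
    "PUT": "writes a resource to the server; must require authorization",
}

def parse_request(raw: bytes) -> dict:
    """Split a raw request into method, URL, version, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, url, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Reject lines with no colon and header names containing whitespace
        # (folded lines or "Name : value"), which parsers may read differently.
        if not sep or not name or any(c.isspace() for c in name):
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip())
    return {"method": method, "url": url, "version": version,
            "headers": headers, "body": body}

def review(request: dict) -> list:
    """Return a list of findings for one parsed request."""
    findings = []
    if request["method"] in RISKY_METHODS:
        findings.append("%s: %s" % (request["method"], RISKY_METHODS[request["method"]]))
    hosts = request["headers"].get("host", [])
    if request["version"] == "HTTP/1.1" and len(hosts) != 1:
        findings.append("HTTP/1.1 request must carry exactly one Host header")
    return findings

# Constructed sample requests (the first is shortened from the article's example).
SAMPLE_GET = (
    b"GET /home/course1 HTTP/1.1\r\n"
    b"Host: www.365computersecuritytraining.com\r\n"
    b"Cookie: lang=en; JSESSIONID=0000123456789ABCD\r\n\r\n"
)
SAMPLE_TRACE = b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_TRACE):
        print(review(parse_request(sample)))
```
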

Using readily available tools, an attacker can manipulate the contents of an HTTP request or response in order to trick the server into performing unwanted actions, or hijack an authorized user’s session via their cookies.

The HTTP response from the server is similar in structure to the HTTP request but includes additional instructions, like cookie parameters, and an actual message body that contains the requested files, such as HTML documents.
