HTTP Communication

HTTP is a standard Client-Server protocol.

Client establishes a TCP connection with the server on port 80.
Client sends a HTTP request over that TCP connection.
Server replies.
1. Sends a response.
2. HTTP 1.0: Closes the connection.
3. HTTP 1.1/2: May keep it persistent for some time.

Server only issues replies to requests.

It may never contact clients directly.

Actually, servers can contact clients directly with WebSockets.

Great for low latency asynchronous communications (e.g. VoIP, telemetry).
Nightmare for security!

Client upgrades connection to a WebSocket.

Any participant can send message.

No polling is required. Usually no log is done.
Client and server must know the message format.

Request

$ curl https://elearning.ua.pt -D - -v

GET / HTTP/1.1
HOST: elearning.ua.pt
User-Agent: curl/7.68.0
Accept: */*

Response

$ curl https://elearning.ua.pt -D - -v

HTTP/1.1 200 OK
Date: Thu, 12 Nov 2020 17:01:16 GMT
Server: Apache
Set-Cookie: MoodleSession=qvnej3ar6u28ndar312jhg1veh; path=/
Expires: Mon, 20 Aug 1969 09:23:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0, no-transform
Last-Modified: Thu, 12 Nov 2020 17:01:16 GMT
Accept-Ranges: none

Anything can be a client

$ echo -ne 'GET / HTTP/1.1\r\nHost: elearning.ua.pt\r\nUser-Agent: Android 10\r\n\r\n' | ncat --ssl elearning.ua.pt 443

HTTP/1.1 200 OK
Date: Thu, 12 Nov 2020 17:20:12 GMT
Server: Apache
Set-Cookie: MoodleSession=ooma3far88iqh9nvssn598nsuu; path=/
Expires: Mon, 20 Aug 1969 09:23:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0, no-transform
Last-Modified: Thu, 12 Nov 2020 17:20:12 GMT
Accept-Ranges: none

Many programs can communicate with HTTP servers.

A socket is all that is required.

Even Bash can do it.

$ exec 5<>/dev/tcp/193.136.173.58/80
$ echo -e "GET / HTTP/1.1\r\nHost: www.ua.pt\r\n\r\n" >&5
$ cat <&5

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Thu, 12 Nov 2020 17:26:58 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://www.ua.pt/

There is no client-side security model.

All parts of a request can be crafted.

HTTP Headers, Methods, URLs
POST content can be manipulated freely.

Control must reside in the server-side context.

Remember that developers are pushing content to the client?

There are no input validation processes in the server.

As long as the HTTP protocol is "generally" observed.

Last updated 1 year ago

$ curl https://elearning.ua.pt -D - -v HTTP/1.1 200 OK Date: Thu, 12 Nov 2020 17:01:16 GMT Server: Apache Set-Cookie: MoodleSession=qvnej3ar6u28ndar312jhg1veh; path=/ Expires: Mon, 20 Aug 1969 09:23:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Cache-Control: post-check=0, pre-check=0, no-transform Last-Modified: Thu, 12 Nov 2020 17:01:16 GMT Accept-Ranges: none

$ echo -ne 'GET / HTTP/1.1\r\nHost: elearning.ua.pt\r\nUser-Agent: Android 10\r\n\r\n' | ncat --ssl elearning.ua.pt 443 HTTP/1.1 200 OK Date: Thu, 12 Nov 2020 17:20:12 GMT Server: Apache Set-Cookie: MoodleSession=ooma3far88iqh9nvssn598nsuu; path=/ Expires: Mon, 20 Aug 1969 09:23:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Cache-Control: post-check=0, pre-check=0, no-transform Last-Modified: Thu, 12 Nov 2020 17:20:12 GMT Accept-Ranges: none

$ exec 5<>/dev/tcp/193.136.173.58/80 $ echo -e "GET / HTTP/1.1\r\nHost: www.ua.pt\r\n\r\n" >&5 $ cat <&5 HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 Date: Thu, 12 Nov 2020 17:26:58 GMT Content-Type: text/html Content-Length: 169 Connection: keep-alive Location: https://www.ua.pt/