
# HTTP Communication

HTTP is a standard Client-Server protocol.

1. Client establishes a TCP connection with the server on port 80.
2. Client sends an HTTP request over that TCP connection.
3. Server replies.
   1. Sends a response.
   2. HTTP 1.0: Closes the connection.
   3. HTTP 1.1/2: May keep it *persistent* for some time.

Server only issues replies to requests.

* It may never contact clients directly.

Actually, servers can contact clients directly with WebSockets.

* Great for low latency asynchronous communications (e.g. VoIP, telemetry).
* Nightmare for security!

Client upgrades connection to a WebSocket.

Any participant can send a message.

* No polling is required. Usually nothing is logged.
* Client and server must know the message format.


### Request

```bash
$ curl https://elearning.ua.pt -D - -v

GET / HTTP/1.1
HOST: elearning.ua.pt
User-Agent: curl/7.68.0
Accept: */*
```

### Response

```bash
$ curl https://elearning.ua.pt -D - -v

HTTP/1.1 200 OK
Date: Thu, 12 Nov 2020 17:01:16 GMT
Server: Apache
Set-Cookie: MoodleSession=qvnej3ar6u28ndar312jhg1veh; path=/
Expires: Mon, 20 Aug 1969 09:23:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0, no-transform
Last-Modified: Thu, 12 Nov 2020 17:01:16 GMT
Accept-Ranges: none
```

#### Anything can be a client

```bash
$ echo -ne 'GET / HTTP/1.1\r\nHost: elearning.ua.pt\r\nUser-Agent: Android 10\r\n\r\n' | ncat --ssl elearning.ua.pt 443

HTTP/1.1 200 OK
Date: Thu, 12 Nov 2020 17:20:12 GMT
Server: Apache
Set-Cookie: MoodleSession=ooma3far88iqh9nvssn598nsuu; path=/
Expires: Mon, 20 Aug 1969 09:23:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0, no-transform
Last-Modified: Thu, 12 Nov 2020 17:20:12 GMT
Accept-Ranges: none

```

Many programs can communicate with HTTP servers.

* A socket is all that is required.

Even Bash can do it.

```bash
$ exec 5<>/dev/tcp/193.136.173.58/80
$ echo -e "GET / HTTP/1.1\r\nHost: www.ua.pt\r\n\r\n" >&5
$ cat <&5

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Thu, 12 Nov 2020 17:26:58 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://www.ua.pt/
```

There is no client-side security model.

All parts of a request can be crafted.

* HTTP Headers, Methods, URLs
* POST content can be manipulated freely.

Control must reside in the server-side context.

* Remember that developers are pushing content to the client?

The HTTP server itself applies no input validation.

* As long as the HTTP protocol is "generally" observed, the request is accepted.
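A sketch of what "control must reside in the server-side context" means in practice, added here as an example and not part of the original notes: every client-controlled part listed above (headers, method, URL, POST content) is checked on the server before it is used. The `/order` endpoint, the `shop.example` host, the limits and the price list are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed policy for a hypothetical POST /order endpoint (not from the page).
ALLOWED = {("POST", "/order")}
EXPECTED_HOST = "shop.example"
MAX_BODY = 1024
PRICES = {"book": 1500}  # server-side price list, in cents


def handle(raw: bytes):
    """Return (status, detail) for one raw HTTP/1.1 request, trusting nothing in it."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400, "incomplete header block"
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
        headers = {}
        for line in lines[1:]:
            name, value = line.split(":", 1)
            if name.lower() in headers:  # duplicated header: ambiguous, reject
                raise ValueError(name)
            headers[name.lower()] = value.strip()
    except (UnicodeDecodeError, ValueError):
        return 400, "malformed request"
    if version != "HTTP/1.1" or headers.get("host") != EXPECTED_HOST:
        return 400, "unexpected version or Host"
    if (method, target) not in ALLOWED:  # method and URL are client-chosen
        return 405, "method/URL not allowed"
    length = headers.get("content-length", "")
    if not re.fullmatch(r"[0-9]{1,4}", length) or int(length) != len(body):
        return 400, "bad Content-Length"
    if len(body) > MAX_BODY:
        return 413, "body too large"
    form = parse_qs(body.decode("ascii", "replace"))
    item = form.get("item", [""])[0]
    qty = form.get("qty", [""])[0]
    if item not in PRICES or not re.fullmatch(r"[0-9]{1,2}", qty) or not 1 <= int(qty) <= 10:
        return 422, "invalid item or qty"
    # A client-sent "price" field is ignored; the total is computed server-side.
    return 200, f"total={PRICES[item] * int(qty)}"


def req(method, target, body=b"", host=EXPECTED_HOST):
    """Build a constructed sample request, shaped like the echo | ncat one."""
    head = f"{method} {target} HTTP/1.1\r\nHost: {host}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode("ascii") + body
```

For example, `handle(req("POST", "/order", b"item=book&qty=2&price=1"))` returns a total computed from the server's own price list, whatever `price` the client sent.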

