HTTP (Hyper Text Transfer Protocol) is basically a client-server protocol, wherein the client (web browser) makes a request to the server and in return the server responds to the request. The response by the server is mostly in the form of HTML formatted pages. HTTP protocol by default uses port 80, but the web server and the client can be configured to use a different port.

HTTP is a stateless protocol which means that server does not retain the information by each user. HTTP is the backbone of the World Wide Web (www) and for it being stateless simply means that it does not remember each and every client that connects to the internet and it does not matter if a single user sends multiple requests one after another, they all will still be treated as independent requests by the server.

We are currently using HTTP 2, its predecessors were HTTP 1.0 and 1.1, and the major differences between 1.X and 2, at a higher level, are:

• Http 2 is binary and not textual
• Http 2 is multiplexed, it can use a single connection for parallelism, Http one on the other hand is based on ordering and blocking.
• Http 2 uses compression in its headers to reduce the overhead.
• Http2 gives servers the capability to “push” responses to client servers proactively.

HTTP works through different methods and these methods are:

HTTP Request Methods

Method	Description
GET	Used to retrieve information from the given URL
POST	Used to send data to the server, for example, customer information, file upload, etc. using HTML forms
DELETE	Delete a File of the specified URL
PUT	Uploads a File of the specified URL
TRACE	Trace on the jsp resource returns the content of the resource.
HEAD	GET only HTTP headers and no document body
OPTIONS	HTTP methods that the server supports

There is major difference between GET and POST method which people fail to understand. Once you understand these properly, you can manipulate and increase the security of your web application. The differences are as follows:

GET	POST
Get request can be cached	Post request are never cached
Remain in browser history	Do not remain in browser history
It can be bookmarked	It cannot be bookmarked
Get request should never be used when dealing with sensitive data	Post should always be used for sensitive data
Get request has length restriction	post request have no length restriction
Get request should be used to retrieve data
It is less secure	It is more secure

An HTTP client sends an HTTP request to a server in the form of a request message which includes following format

http://yahoo.com/

GET / HTTP/1.1

Host: yahoo.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: keep-alive

Upgrade-Insecure-Requests: 1

There are several fields in the header, but we will discuss the more important ones:

Host: This field is in the header and it is used to identify individual website by a hostname if they are sharing the same IP address. The client web browser also sets a user-agent string to identify the type and version of the browser.

User-Agent: This field is set correctly to its default values by the web browser, but it can be spoofed by the end user. This is usually done by malicious user to retrieve contents designed for other types of web browsers.

Cookie: This field stores a temporary value shared between the client and server for session management.

Referer: This is another important field that you would often see when you are redirected from one URL to another. This field contains the address of the previous web page from which a link to the current page was followed. Attackers manipulate the Referer field using an XSS attack and redirect the user to a malicious website.

Accept-Encoding: This field defines the compression scheme supported by the client; gzip and Deflate are the most common ones. There are other parameters too, but they are of little use to penetration testers.

Response

Response: When a request is sent to the server; the server replies in the form of response. Following is an example of response:

HTTP/1.1 200 OK

Date: Sat, 10 Jun 2017 05:17:18 GMT

Set-Cookie: autorf=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/;

domain=in.yahoo.com

Content-Type: text/html; charset=UTF-8

Server: ATS

Expires: -1

Content-Length: 477864

HTTP Response Code: The Status-Code element is a 3-digit integer where first digit of the Status-Code defines the class of response and the last two digits do not have any categorization role. There are 5 values for the first digit

Code	Meaning	Example
1xx	Information	100: server agrees to handle client request.
2xx	Success	200: request succeeded.