Web Fundamentals Room

 
 

The link for this lab is located here: https://tryhackme.com/room/webfundamentals


This room is designed as a basic intro to how the web works. It covers HTTP requests and responses, web servers, cookies and then puts them all to use in a mini CTF at the end.



Task 2 - How Do We Load Websites?

Initially, when we request a website on the Internet, a DNS request is made. DNS (Domain Name System) takes website names (google.com) and translates them to IP addresses. The IP address uniquely identifies each internet-connected device (your phone, smart TV, desktop, tablet, smart thermometer, etc.). IP addresses are four groups of numbers, each ranging from 0-255 (e.g. 192.168.0.1).

Once the browser knows the server’s IP address, it can ask the server for the web page. This is done via an HTTP GET request. GET is an example of an HTTP verb; verbs are the different types of request you can make to a web server.

The server responds to the GET request with the web page content. If the web page is loading extra resources, like JavaScript, images or CSS files, those get retrieved in separate GET requests.

For most websites, these requests will use HTTPS which is the secured (encrypted) version of HTTP. HTTPS uses TLS 1.3 in order to communicate without:

  • Other parties being able to read the data

  • Other parties being able to modify the data

A web server is software that receives and responds to HTTP(S) requests. Some of the most popular include Apache, Nginx and Microsoft IIS.

By default, HTTP runs on port 80 and HTTPS runs on port 443.

The content of the web page is normally a combination of HTML, CSS and JavaScript.

  • HTML defines the structure of the page

  • CSS changes the look of the page

  • JavaScript makes pages interactive or loads extra content

Questions

Q1: What request verb is used to retrieve page content? A: GET

Q2: What port do web servers normally listen on? A: 80

Q3: What is responsible for making websites look fancy? A: CSS


Task 3 - More HTTP (Verbs and Request Formats)

There are 9 different HTTP “verbs”. Each one has a different function.

POST requests are used to send data to a web server, like adding a comment or performing a login. There are more but most are not commonly used.

An HTTP request can be broken down into parts. The first line is a verb and a path for the server such as:

GET /index.html

The second section is headers, which give the web server more information about your request. Importantly, cookies are sent in the request headers.

Finally, the body of the request. For POST requests, this is the content that is sent to the server. For GET requests, a body is allowed but will mostly be ignored by the server.

An example of a full GET request for a JavaScript file is as follows:

GET /main.js HTTP/1.1
Host: 192.168.170.129:8081
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept: */*
Referer: http://192.168.170.129:8081/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

From the headers, you can tell the request was sent from Google Chrome version 80 on Windows 10.

Responses

The server should reply with a response. The response follows a similar structure to the request, but the first line describes the status rather than a verb and a path.

The status will normally be a code. A basic breakdown of the status codes is:

  • 100-199: Information

  • 200-299: Successes (200 OK is the normal response)

  • 300-399: Redirects (information is elsewhere)

  • 400-499: Client errors (you did something wrong)

  • 500-599: Server errors (The server tried but something went wrong)

For more information on HTTP status codes, click here

Response headers are important. They often tell you something about the web server sending them or give you cookies that may prove useful later.

The response will also have a body. For GET requests, this is normally web content or information such as JSON. For POST requests, it may be a status message or similar.

Here is the response to the GET request above:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 28
Content-Type: application/javascript; charset=utf-8
Last-Modified: Wed, 12 Feb 2020 12:51:44 GMT
Date: Thu, 27 Feb 2020 21:47:30 GMT

console.log("Hello, World!")
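The request and response structure described above can be checked mechanically. The following is an added example, not part of the original room or write-up: it splits a raw message into start line, headers and body, classifies the status code using the ranges listed earlier, and verifies that Content-Length matches the body. The function names are illustrative and the sample bytes are constructed from the exchange shown on this page.

```python
# Constructed from the request/response pair shown on this page, with the
# CRLF line endings HTTP/1.1 uses on the wire (some headers omitted).
RAW_REQUEST = (b"GET /main.js HTTP/1.1\r\n"
               b"Host: 192.168.170.129:8081\r\n"
               b"Accept: */*\r\n\r\n")
RAW_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Length: 28\r\n"
                b"Content-Type: application/javascript; charset=utf-8\r\n\r\n"
                b'console.log("Hello, World!")')

STATUS_CLASSES = {1: "Information", 2: "Success", 3: "Redirect",
                  4: "Client error", 5: "Server error"}


def split_message(raw: bytes):
    """Split an HTTP/1.1 message into (start_line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        # Header names are case-insensitive; a repeated header overwrites
        # the earlier one here, which is a simplification.
        headers[name.lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw: bytes) -> dict:
    start, headers, body = split_message(raw)
    verb, path, version = start.split(" ")
    return {"verb": verb, "path": path, "version": version,
            "headers": headers, "body": body}


def parse_response(raw: bytes) -> dict:
    start, headers, body = split_message(raw)
    version, code, reason = start.split(" ", 2)
    declared = int(headers.get("content-length", len(body)))
    return {"code": int(code), "reason": reason,
            "class": STATUS_CLASSES.get(int(code) // 100, "Unknown"),
            "headers": headers, "body": body,
            "length_ok": declared == len(body)}  # False if truncated or padded
```
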

Questions

Q1: What verb would be used for a login? A: POST

Q2: What verb would be used to see your bank balance once you are logged in? A: GET

Q3: Does the body of a GET request matter? Yea/Nay A: Nay

Q4: What is the status code for "I'm a teapot"? A: Doing a quick Google search for "I'm a teapot HTTP status code" reveals that it is 418

Q5: What status code will you get if you need to authenticate to access some content, and you are unauthenticated? A: 401


Task 4 - Cookies

Cookies are small bits of data that are stored in your browser. Each browser stores them separately. They have a huge number of uses but the most common are either session management or advertising (tracking cookies). Cookies are normally sent with every HTTP request made to a server.

Why Cookies?

Because HTTP is stateless, cookies are used to keep track of state between requests. They allow sites to keep track of data like what items you have in your shopping cart, who you are, what you have done on the website and more.

Cookies can be broken down into several parts. Typically, a cookie has a name, a value, an expiry date and a path.

  • The name identifies the cookie

  • The value is where data is stored

  • The expiry date is when the browser will delete it

  • The path determines what requests the cookie will be sent with

The server is normally what sets cookies and these come in the response headers under “Set-Cookie”. Alternatively, they can be set from JavaScript inside your browser.

Using Cookies

When you log in to a web app, normally you are given a Session Token. This allows the web server to identify your requests from someone else’s.

To find out more about cookies, check here



Task 5 - Mini CTF

Making HTTP Requests

You can make HTTP requests in many ways. For CTFs, you will sometimes need to use cURL or a programming language as this allows automation.

Intro to cURL

By default, cURL will perform GET requests on the provided URL. Using command line flags, however, allows you to do a lot more than just GET requests.

The -X flag allows us to specify the request type (-X POST). You can specify the data to POST with --data, which will default to plain text data.

It is worth mentioning that cURL does NOT store cookies, so you have to manually specify any cookies and values you would like to send with your request.

Tasks

  1. GET request - make a GET request to the web server with path /ctf/get

  2. POST request - make a POST request with the body “flag_please” to /ctf/post

  3. Get a Cookie - make a GET request to /ctf/getcookie and check the cookie the server gives you

  4. Set a cookie - set a cookie with name “flagpls” and value “flagpls” in your devtools and make a GET request to /ctf/sendcookie

Questions

Q1: What is the GET flag? A: To make the required GET request, we simply use the "curl [URL]" command, as it defaults to GET. We do have to specify the path, however, by appending "/ctf/get" to the end of the URL - curl http://[IP]:8081/ctf/get

Using curl for a GET request

Q2: What is the POST flag? A: To make a POST request with cURL, we need to specify we want to use POST as the method. To do this, we use the "-X POST" parameter. However, we also need to add a body of "flag_please". To do this we use the "--data" parameter with the body we want to submit - curl -X POST --data "flag_please" http://[IP]:8081/ctf/post

Using curl for a POST request

Q3: What is the "Get a cookie" flag? A: To get a cookie from a specific path, we use the "-c -" flag followed by the URL we want to specify - curl -c - http://[IP]:8081/ctf/getcookie

Using curl to get a cookie

Q4: What is the "Set a cookie" flag? A: To set a cookie using cURL, we use the "--cookie" option followed by the "name=value" (flagpls=flagpls) - curl --cookie 'flagpls=flagpls' http://[IP]:8081/ctf/sendcookie

Using curl to set a cookie
