HTTP

From Network Security Wiki
Jump to navigation Jump to search

HTTP

Headers

   Paste.png     This section is under construction.


Introduction

  • Gopher was replaced by HTTP.
  • HTTP is used to deliver data (HTML files, image files, query results, etc.) on the World Wide Web.
  • HTTP may use UDP also


Basics

Source: Tutorialspoint.com

  • HTTP is connectionless:
- Client(browser) initiates an HTTP request; disconnects from the server; waits for a response
- Server re-establishes the connection to send a response
  • HTTP is media independent:
- Any type of data can be sent by HTTP 
- Both client and server should know how to handle the data content
- Required for client and server to specify the content type using MIME-type
  • HTTP is stateless:
- Server and client are aware of each other only during a current request
- Afterwards both forget about each other
- Neither client nor browser retain information between different requests

Parameters

HTTP Version

HTTP/1.0
HTTP/1.1

Uniform Resource Identifiers

The following three URIs are equivalent:

http://abc.com:80/~smith/home.html
http://ABC.com/%7Esmith/home.html
http://ABC.com:/%7esmith/home.html

Date/Time Formats

- All HTTP date/time stamps MUST be represented in Greenwich Mean Time (GMT), without exception. 
- HTTP applications are allowed to use any of the following three representations of date/time stamps:
Sun, 06 Nov 1994 08:49:37 GMT  ; RFC 822, updated by RFC 1123
Sunday, 06-Nov-94 08:49:37 GMT ; RFC 850, obsoleted by RFC 1036
Sun Nov  6 08:49:37 1994       ; ANSI C's asctime() format

Character Sets

- If a value is not specified, the default is the US-ASCII.
- Following are the valid character sets:
US-ASCII
ISO-8859-1
ISO-8859-7

Content Encodings

-Content encoding value indicates that an encoding algorithm has been used to encode the content before passing it over the network
-Used to allow a document to be compressed or otherwise usefully transformed without losing the identity
-All content-coding values are case-insensitive. 
-HTTP/1.1 uses content-coding values in the Accept-Encoding and Content-Encoding header fields
Accept-encoding: gzip
Accept-encoding: compress
Accept-encoding: deflate

Media Types

-HTTP uses Internet Media Types in the Content-Type and Accept header fields to provide open and extensible data typing and type negotiation. 
-All the Media-type values are registered with the Internet Assigned Number Authority (IANA). 
-The type, subtype, and parameter attribute names are case--insensitive
media-type     = type "/" subtype *( ";" parameter )
Accept: image/gif

Language Tags

-HTTP uses language tags within the Accept-Language and Content-Language fields
-White spaces are not allowed within the tag and all tags are case- insensitive
-Any two-letter primary-tag is an ISO-639 language abbreviation and any two-letter initial subtag is an ISO-3166 country code
-A language tag is composed of one or more parts: a primary language tag and a possibly empty series of subtags:
language-tag  = primary-tag *( "-" subtag )
en, en-US, en-cockney, i-cherokee, x-pig-latin

Messages

-HTTP is based on the client-server architecture model
-A stateless request/response protocol that operates by exchanging messages across a reliable TCP/IP connection
-HTTP client connects to server for sending one or more HTTP request messages
-HTTP server accepts connections to serve HTTP requests by sending HTTP response messages
-Uses URI to identify a given resource and to establish a connection. 
-HTTP messages are passed in a format similar to Internet mail and Multipurpose Internet Mail Extensions MIME
HTTP-message   = <Request> | <Response> ; HTTP/1.1 messages

The generic message format consists of the following four items.

A Start-line
Zero or more header fields followed by CRLF
An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
Optionally a message-body

Message Start-Line

GET /hello.htm HTTP/1.1     (This is Request-Line sent by the client)
HTTP/1.1 200 OK             (This is Status-Line sent by the server)

Header Fields

  • HTTP header fields provide required information about the request or response, or about the object sent in the message body
  • There are four types of HTTP message headers:
General-header:   Used for both request and response messages
Request-header:   Used only for request messages
Response-header:  Used only for response messages
Entity-header:    Define meta information about the entity-body or, if no body is present, about the resource identified by the request
  • All headers follow the same generic format.
  • Each of the header field consists of a name followed by a colon (:) and the field value as follows:
User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
Host: www.example.com
Accept-Language: en, mi
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Accept-Ranges: bytes
Content-Length: 51
Vary: Accept-Encoding
Content-Type: text/plain

Message Body

-Body part is optional for an HTTP message
-If available, used to carry the entity-body associated with the request or response
-If entity body is associated, then usually Content-Type and Content-Length headers lines specify the nature of the body associated
-Body carries the actual HTTP request data (form data and uploaded, etc) and HTTP response data from the server (files, images, etc)
<html>
   <body>
   
      <h1>Hello, World!</h1>
   
   </body>
</html>

Requests

A Request-line
Zero or more header (General|Request|Entity) fields followed by CRLF
An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
Optionally a message-body

Request-Line

The Request-Line begins with a method token, followed by the Request-URI and the protocol version, and ending with CRLF.
The elements are separated by space SP characters.

Request-Line = Method SP Request-URI SP HTTP-Version CRLF


Request Method

  • The method is case-sensitive and should always be mentioned in Uppercase
  • HTTP Server must implement GET, HEAD, OPTIONS methods
  • Safe request methods are GET, HEAD, OPTIONS, TRACE
  • The following table lists all the supported methods in HTTP/1.1
GET:     Retrieve Data
HEAD:    Header only without Response Body
POST:    Submits Data to DB, web forum, etc
PUT:     Replaces target resource with the uploaded content
DELETE:  Removes target resource given by URI
CONNECT: Used when the client wants to establish a transparent connection to a remote host, usually to facilitate SSL-encrypted communication (HTTPS) through an HTTP proxy
OPTIONS: Returns the HTTP methods that the server supports for the specified URL
TRACE:   Performs a message loop back test to see what (if any) changes or additions have been made by intermediate servers
PATCH:

Request-URI

Identifies the resource upon which to apply the request.

Request-URI = "*" | absoluteURI | abs_path | authority

1. Asterisk * is used when:

-HTTP request does not apply to a particular resource, but to the server itself
-Only allowed when the method used does not apply to a resource
OPTIONS * HTTP/1.1

2. absoluteURI is used when an HTTP request is being made to a proxy
The proxy is requested to forward the request or service from a valid cache, and return the response

GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1

3. Absolute path is most common form of Request-URI is that used to identify a resource on an origin server or gateway

-Cannot be empty
-If none is present in the original URI,"/" (server root) must be used

A client retrieving a resource directly from origin server would create a TCP connection to port 80 of the host "www.w3.org" and send the following lines:

GET /pub/WWW/TheProject.html HTTP/1.1
Host: www.w3.org

Request Header Fields

Allow the client to pass additional information about the request, and about the client itself, to the server These fields act as request modifiers.

Accept-Charset
Accept-Encoding
Accept-Language
Authorization
Expect
From
Host
If-Match
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Max-Forwards
Proxy-Authorization
Range
Referer
TE
User-Agent

Examples

  • An HTTP request to fetch hello.htm
-Not sending any request data to the server because we are fetching a plain HTML page from the server
-Connection is a general-header
-Rest of the headers are request headers
 GET /hello.htm HTTP/1.1
 User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
 Host: www.tutorialspoint.com
 Accept-Language: en-us
 Accept-Encoding: gzip, deflate
 Connection: Keep-Alive
  • How to send form data to the server using request message body:
-Given URL /cgi-bin/process.cgi will be used to process the passed data and accordingly, a response will be returned
-Content-type tells the server that the passed data is a simple web form data and length will be the actual length of the data put in the message body
 POST /cgi-bin/process.cgi HTTP/1.1
 User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
 Host: www.tutorialspoint.com
 Content-Type: application/x-www-form-urlencoded
 Content-Length: length
 Accept-Language: en-us
 Accept-Encoding: gzip, deflate
 Connection: Keep-Alive

 licenseID=string&content=string&/paramsXML=string
  • The following example shows how you can pass plain XML to your web server:
 POST /cgi-bin/process.cgi HTTP/1.1
 User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
 Host: www.tutorialspoint.com
 Content-Type: text/xml; charset=utf-8
 Content-Length: length
 Accept-Language: en-us
 Accept-Encoding: gzip, deflate
 Connection: Keep-Alive

 <?xml version="1.0" encoding="utf-8"?>
 <string xmlns="http://clearforest.com/">string</string>

Responses

A Status-line
Zero or more header (General|Response|Entity) fields followed by CRLF
An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
Optionally a message-body

Message Status-Line

Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF

HTTP Version

HTTP-Version = HTTP/1.1

Status Code

  • A 3-digit integer
  • First digit of the Status-Code defines the class of response
  • Last two digits do not have any categorization role

There are 5 values for the first digit:


Category Type Code
1XX Informational 100 = Continue
2XX Successful 200 = OK
201 = Created (URL)
202 = Accepted (request accepted but not acted upon immediately)
203 = Non-authoritative Information(info in header is from local or third-party copy, not from original server)
204 = No Content (in body)
3XX Re-directional 301 = Moved Permanently
302 = Found (temporary redirect)[1]
304 = Not Modified
305 = Use Proxy (URL must be accessed through the proxy mentioned in the Location header)
307 = Temporary Redirect (requested page has moved temporarily to a new url)
4XX Client Error 400 = Bad Request
401 = Unauthorized[1]
402 = Payment Required
403 = Forbidden[1]
404 = Not Found
405 = Method Not Allowed
5XX Server Error 500 = Internal Server Error
501 = Not Implememted
502 = Bad Gateway or Proxy
503 = Service Unavailable
504 = Gateway or Proxy Timeout
505 = HTTP Version Not Supported
  • 301 vs 302 Redirect?
Status 301 means that the resource (page) is moved permanently to a new location. The client/browser should not attempt to request the original location but use the new location from now on.
Status 302 means that the resource is temporarily located somewhere else, and the client/browser should continue requesting the original url.
   Paste.png     This section is under construction.
  • 401 vs 403 Error?
   Paste.png     This section is under construction.

Response Header Fields

Allow the server to pass additional information about the response which cannot be placed in the Status- Line

Accept-Ranges
Age
ETag
Location
Proxy-Authenticate
Retry-After
Server
Vary
WWW-Authenticate

Examples

  • An HTTP response for a request to fetch the hello.htm
HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
Content-Length: 88
Content-Type: text/html
Connection: Closed
<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>
  • The following example shows an HTTP response message when the web server could not find the requested page:
HTTP/1.1 404 Not Found
Date: Sun, 18 Oct 2012 10:36:20 GMT
Server: Apache/2.2.14 (Win32)
Content-Length: 230
Connection: Closed
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
   <title>404 Not Found</title>
</head>
<body>
   <h1>Not Found</h1>
   <p>The requested URL /t.html was not found on this server.</p>
</body>
</html>
  • Following is an example of HTTP response message showing error condition when the web server encountered a wrong HTTP version in the given HTTP request:
HTTP/1.1 400 Bad Request
Date: Sun, 18 Oct 2012 10:36:20 GMT
Server: Apache/2.2.14 (Win32)
Content-Length: 230
Content-Type: text/html; charset=iso-8859-1
Connection: Closed
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
   <title>400 Bad Request</title>
</head>
<body>
   <h1>Bad Request</h1>
   <p>Your browser sent a request that this server could not understand.</p>
   <p>The request line contained invalid characters following the protocol string.</p>
</body>
</html>

Header Fields

General-header:  have general applicability for both request and response messages
Client Request-header:  have applicability only for request messages
Server Response-header:  have applicability only for response messages
Entity-header:  define meta information about the entity-body or, if no body is present, about the resource identified by the request

General Headers

Cache-Control

Used to specify directives that MUST be obeyed by all the caching system

Cache-Control : cache-request-directive | cache-response-directive
Cache-control: no-cache

Connection

  • Allows the sender to specify options that are desired for that particular connection and must not be communicated by proxies over further connections
Connection : "Connection"
  • HTTP/1.1 defines the "close" connection option for the sender to signal that the connection will be closed after completion of the response
Connection: close
  • By default, HTTP 1.1 uses persistent connections, where the connection does not automatically close after a transaction.
  • HTTP 1.0 does not have persistent connections by default.
  • If a 1.0 client wishes to use persistent connections, it uses the keep-alive parameter:
Connection: keep-alive

Transfer-Encoding

  • Indicates what type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient
  • This is not the same as content-encoding because transfer-encodings are a property of the message, not of the entity-body
  • All transfer-coding values are case-insensitive
Transfer-Encoding: chunked

Upgrade

  • Allows the client to specify what additional communication protocols it supports and would like to use if the server finds it appropriate to switch protocols
Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11
  • The Upgrade header field is intended to provide a simple mechanism for transition from HTTP/1.1 to some other, incompatible protocol.

Via

  • Used by gateways and proxies to indicate the intermediate protocols and recipients
  • Intended to provide a simple mechanism for transition from HTTP/1.1 to some other, incompatible protocol
  • A request message could be sent from an HTTP/1.0 user agent to an internal proxy code-named "test", which uses HTTP/1.1 to forward the request to a public proxy at alex.com, which completes the request by forwarding it to the origin server at www.bob.in
  • The request received by www.bob.in would then have the following Via header field:
Via: 1.0 test, 1.1 alex.com (Apache/1.1)


Client Request Headers

Accept

  • Used to specify certain media types which are acceptable for the response
  • Multiple media types can be listed separated by commas and the optional qvalue represents an acceptable quality level for accept types on a scale of 0 to 1
Accept: text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c
  • Here text/html and text/x-c and are the preferred media types, but if they do not exist, then send the text/x-dvi entity, and if that does not exist, send the text/plain entity.

Cookie

  • Contains a name/value pair of information stored for that URL
Cookie: name=value
  • Multiple cookies can be specified separated by semicolons as follows:

Cookie: name1=value1;name2=value2;name3=value3

If-Match

  • Used with a method to make it conditional
  • This header requests the server to perform the requested method only if the given value in this tag matches the given entity tags represented by ETag
If-Match : entity-tag
  • An asterisk (*) matches any entity, and the transaction continues only if the entity exists
If-Match: "xyzzy"
If-Match: "xyzzy", "r2d2xxxx", "c3piozzzz"
If-Match: *
  • If none of the entity tags match, or if "*" is given and no current entity exists, the server must not perform the requested method, and must return a 412 (Precondition Failed) response.

If-Modified-Since

  • Used with a method to make it conditional
  • If the requested URL has not been modified since the time specified in this field, an entity will not be returned from the server; instead, a 304 (not modified) response will be returned without any message-body.
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
  • If none of the entity tags match, or if "*" is given and no current entity exists, the server must not perform the requested method, and must return a 412 (Precondition Failed) response.

If-None-Match

  • Used with a method to make it conditional
  • This header requests the server to perform the requested method only if one of the given value in this tag matches the given entity tags represented by ETag
If-None-Match : entity-tag
  • An asterisk (*) matches any entity, and the transaction continues only if the entity does not exist
If-None-Match: "xyzzy"
If-None-Match: "xyzzy", "r2d2xxxx", "c3piozzzz"
If-None-Match: *

If-Range

  • Used with a conditional GET to request only the portion of the entity that is missing, if it has not been changed, and the entire entity if it has been changed
  • Either an entity tag or a date can be used to identify the partial entity already received
If-Range: Sat, 29 Oct 1994 19:43:31 GMT
  • Here if the document has not been modified since the given date, the server returns the byte range given by the Range header, otherwise it returns all of the new document.

If-Unmodified-Since

  • If the requested resource has not been modified since the time specified in this field, the server should perform the requested operation as if the If-Unmodified-Since header were not present.
If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT
  • If the request results in anything other than a 2xx or 412 status, the If-Unmodified-Since header should be ignored.

Referer

  • Allows the client to specify the address (URI) of the resource from which the URL has been requested.
Referer : absoluteURI | relativeURI
Referer: http://www.tutorialspoint.org/http/index.htm
  • If the field value is a relative URI, it should be interpreted relative to the Request-URI.

TE

  • Indicates what extension transfer-coding it is willing to accept in the response and whether or not it is willing to accept trailer fields in a chunked transfer-coding.
TE   : t-codings
  • The presence of the keyword "trailers" indicates that the client is willing to accept trailer fields in a chunked transfer-coding and it is specified either of the ways:
TE: deflate
TE:
TE: trailers, deflate;q=0.5
  • If the TE field-value is empty or if no TE field is present, then only transfer-coding is chunked. A message with no transfer-coding is always acceptable.


Server Response Headers

Age

  • The Age response-header field conveys the sender's estimate of the amount of time since the response (or its revalidation) was generated at the origin server; representing time in seconds
Age: 1030
  • An HTTP/1.1 server that includes a cache must include an Age header field in every response generated from its own cache.

ETag

  • Provides the current value of the entity tag for the requested variant
ETag :  entity-tag
ETag: "xyzzy"
ETag: W/"xyzzy"
ETag: ""

Proxy-Authenticate

  • The Proxy-Authenticate response-header field must be included as a part of a 407 (Proxy Authentication Required) response
Proxy-Authenticate  : challenge

Set-Cookie

  • Contains a name/value pair of information to retain for this URL.
Set-Cookie: NAME=VALUE; OPTIONS
  • Set-Cookie response header comprises the token Set-Cookie, followed by a comma-separated list of one or more cookies.
  1. Comment=comment: Can be used to specify any comment associated with the cookie.
  2. Domain=domain: Specifies the domain for which the cookie is valid.
  3. Expires=Date-time: The date the cookie will expire. If it is blank, the cookie will expire when the visitor quits the browser.
  4. Path=path: Specifies the subset of URLs to which this cookie applies.
  5. Secure: Instructs the user agent to return the cookie only under a secure connection.
  • Example of a simple cookie header generated by the server:
Set-Cookie: name1=value1,name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT


Entity Headers

Allow

  • Lists the set of methods supported by the resource identified by the Request-URI
Allow: GET, HEAD, PUT
  • This field cannot prevent a client from trying other methods

Content-Type

  • Indicates the media type of the entity-body sent to the recipient or, in the case of the HEAD method, the media type that would have been sent, had the request been a GET.
Content-Type: text/html; charset=ISO-8859-4

Expires

  • Gives the date/time after which the response is considered stale
Expires: Thu, 01 Dec 1994 16:00:00 GMT

Last-Modified

  • Indicates the date and time at which the origin server believes the variant was last modified
Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT

Caching

  • HTTP is typically used for distributed information systems, where performance can be improved by the use of response caches.
  • The HTTP/1.1 protocol includes a number of elements intended to make caching work.
  • The goal of caching is to eliminate the need to send requests in many cases, and to eliminate the need to send full responses in many other cases.
  • The basic cache mechanisms in HTTP/1.1 are implicit directives to caches where server-specifies expiration times and validators.
  • We use the Cache-Control header for this purpose.
  • The Cache-Control header allows a client or server to transmit a variety of directives in either requests or responses.
  • These directives typically override the default caching algorithms.
  • The caching directives are specified in a comma-separated list.
Cache-control: no-cache

Request Directives

  1. no-cache: A cache must not use the response to satisfy a subsequent request without successful revalidation with the origin server.
  2. no-store: The cache should not store anything about the client request or server response.
  3. max-age = seconds: Indicates that the client is willing to accept a response whose age is not greater than the specified time in seconds.
  4. max-stale [ = seconds ]: Indicates that the client is willing to accept a response that has exceeded its expiration time. If seconds are given, it must not be expired by more than that time.
  5. min-fresh = seconds: Indicates that the client is willing to accept a response whose freshness lifetime is not less than its current age plus the specified time in seconds.
  6. no-transform: Does not convert the entity-body.
  7. only-if-cached: Does not retrieve new data. The cache can send a document only if it is in the cache, and should not contact the origin-server to see if a newer copy exists.

Response Directives

  1. public: Indicates that the response may be cached by any cache.
  2. private: Indicates that all or part of the response message is intended for a single user and must not be cached by a shared cache.
  3. no-cache: A cache must not use the response to satisfy a subsequent request without successful re-validation with the origin server.
  4. no-store: The cache should not store anything about the client request or server response.
  5. no-transform: Does not convert the entity-body.
  6. must-revalidate: The cache must verify the status of stale documents before using it and expired ones should not be used.
  7. proxy-revalidate: The proxy-revalidate directive has the same meaning as the must- revalidate directive, except that it does not apply to non-shared user agent caches.
  8. max-age = seconds: Indicates that the client is willing to accept a response whose age is not greater than the specified time in seconds.
  9. s-maxage = seconds: The maximum age specified by this directive overrides the maximum age specified by either the max-age directive or the Expires header. The s-maxage directive is always ignored by a private cache.


URL Encoding

  • HTTP URLs can only be sent over the Internet using the ASCII character-set
  • URLs often contain characters outside the ASCII set
  • These unsafe characters must be replaced with a % followed by two hexadecimal digits.

Security

DNS Spoofing

  • Clients using HTTP rely heavily on the Domain Name Service, and are thus generally prone to security attacks based on the deliberate mis-association of IP addresses and DNS names.
  • So clients need to be cautious in assuming the continuing validity of an IP number/DNS name association.
  • If HTTP clients cache the results of host name lookups in order to achieve a performance improvement, they must observe the TTL information reported by the DNS.
  • If HTTP clients do not observe this rule, they could be spoofed when a previously-accessed server's IP address changes.

Proxies and Caching

  • HTTP proxies are men-in-the-middle, and represent an opportunity for man-in-the-middle attacks.
  • Proxies have access to security-related information, personal information about individual users and organizations, and proprietary information belonging to users and content providers.
  • Proxy operators should protect the systems on which proxies run, as they would protect any system that contains or transports sensitive information.
  • Caching proxies provide additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation.
  • Therefore, cache contents should be protected as sensitive information.


HTTP1.0 vs HTTP1.1

HTTP/1.0
  • HTTP/1.0 uses a new connection for each request/response exchange
  • HTTP/0.9 or 1.0 closed connections after every request.
  • HTTP 1.0 supports GET, POST, HEAD request methods
HTTP/1.1
  • HTTP/1.1 connection may be used for one or more request/response exchanges
  • HTTP/1.1 uses persistent connections hence save bandwidth & reduces latency as it does not require to do TCP Handshake again for every file download (like images, css, etc.)
  • HTTP Pipeline is a feature in v1.1 in which client sends multiple requests before waiting for each response.
  • HTTP 1.1 supports OPTIONS, PUT, DELETE, TRACE, CONNECT request methods


Pipelining

  • HTTP pipelining is a technique in which multiple HTTP requests are sent on a single TCP connection without waiting for the corresponding responses.
  • The pipelining of requests results in a dramatic improvement in the loading times of HTML pages, especially over high latency connections


Persistent Connections

  • HTTP persistent connection is the idea of using a single TCP connection to send and receive multiple HTTP requests/responses, as opposed to opening a new connection for every single request/response pair.
  • Under HTTP 1.0, if the client supports keep-alive, it adds an additional header to the request:
Connection: keep-alive
  • Following this, the connection is not dropped, but is instead kept open.
  • When the client sends another request, it uses the same connection.
  • This will continue until either the client or the server decides that the conversation is over, and one of them drops the connection.
  • In HTTP 1.1, all connections are considered persistent unless declared otherwise.


Cookie

  • HTTP cookie is also called Web cookie, Internet cookie, Browser cookie, or Simply cookie.
  • Small piece of data sent from a website and stored on the user's computer while the user is browsing.
  • Helps websites to remember stateful information - items in shopping cart, click of buttons, logging in, pages visited.
  • Or previously entered form fields such as names, addresses, passwords, and credit card numbers.

Types

Authentication cookies  used by web servers to know whether the user is logged in or not
                        which account they are logged in with. 
                        Tells the site whether to send a page containing sensitive information, or require the user to authenticate themselves by logging in.
Session cookie          In-memory cookie, Transient cookie or Non-persistent cookie
                        Exists only in temporary memory while the user navigates the website.
                        Web browsers normally delete session cookies when the user closes the browser.
                        These do not have an expiration date, which is how the browser knows to treat them as session cookies. 
Persistent cookie       These expires at a specific date or after a specific length of time. 
                        Its info is sent to server every time the user visits the website.
                        Referred to as tracking cookies, used by advertisers to record information about a user's web browsing habits. 
                        Also used for "legitimate" reasons - keeping users logged into their accounts, avoid re-entering login credentials. 
Secure cookie           Can only be transmitted over an encrypted connection i.e. HTTPS; not on HTTP. 
                        Makes the cookie less likely to be exposed to cookie theft via eavesdropping. 
                        A cookie is made secure by adding the Secure flag to the cookie. 
Http-only cookie        An http-only cookie cannot be accessed by client-side APIs, such as JavaScript. 
                        This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). 
                        However, the cookie remains vulnerable to cross-site tracing (XST) and cross-site request forgery (XSRF) attacks. 
                        A cookie is given this characteristic by adding the HttpOnly flag to the cookie. 
Same-site cookie        Google Chrome introduced this.
                        Can only be sent in requests originating from the same origin as the target domain. 
                        This restriction mitigates attacks such as cross-site request forgery (XSRF).
                        A cookie is given this characteristic by setting the SameSite flag to Strict or Lax.
Third-party cookie      Normally, a cookie's domain will match the domain that is shown in the web browser's address bar, called a first-party cookie. 
                        A third-party cookie belongs to a domain different from the one shown in the address bar. 
                        These appear when web pages feature content from external websites, such as banner advertisements. 
                        This opens up the potential for tracking the user's browsing history.
Supercookie             Cookie with an origin of a top-level domain (such as .com) or a public suffix (such as .co.uk). 
                        Ordinary cookies have an origin of a specific domain name, such as example.com.
                        Can be a potential security concern and are therefore often blocked by web browsers. 
                        If unblocked by the browser, an attacker in control of a malicious website could set a supercookie and potentially disrupt or impersonate legitimate 
                                      user requests to another website that shares the same top-level domain or public suffix as the malicious website. 
                        A supercookie with an origin of .com, could maliciously affect a request made to example.com, even if the cookie did not originate from example.com. 
                        This can be used to fake logins or change user information.
                        The Public Suffix List is a cross-vendor initiative that aims to provide an accurate and up-to-date list of domain name suffixes. 
                        Older versions of browsers may not have an up-to-date list, and will therefore be vulnerable to supercookies from certain domains.
Zombie cookie           A zombie cookie is a cookie that is automatically recreated after being deleted. 
                        This is accomplished by storing the cookie's content in multiple locations - Flash Local shared object, HTML5 Web storage, client-side or server-side locations.               


Structure

Name
Value
Zero or more attributes: These are name/value pairs, store information such as the cookie's expiration, domain, and flags (such as Secure and HttpOnly).

Setting Cookie

  • Cookies are set using the Set-Cookie HTTP header, sent in an HTTP response from the web server.
  • This header instructs the web browser to store the cookie and send it back in future requests to the server.
  • E.g: browser sends its first request to server:
GET /index.html HTTP/1.1
Host: www.example.org
  • The server responds with two Set-Cookie headers:
HTTP/1.0 200 OK
Content-type: text/html
Set-Cookie: theme=light
Set-Cookie: sessionToken=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT
  • The server's HTTP response instructs the browser to set two cookies.
  • The first, "theme", is a session cookie since it does not have an Expires or Max-Age attribute.
  • They are deleted by the browser when the browser closes.
  • The second, "sessionToken", is a persistent cookie since it contains an Expires attribute, which instructs the browser to delete the cookie at a specific date and time.
  • Next, the browser sends another request to visit the spec.html page on the website.
  • This request contains a Cookie HTTP header, which contains the two cookies that the server instructed the browser to set:
GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: theme=light; sessionToken=abc123

Cookie attributes

Domain and path

Set-Cookie: LSID=DQAAAK…Eaem_vYg; Path=/accounts; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly
Set-Cookie: HSID=AYQEVn…DKrdst; Domain=.foo.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; HttpOnly
Set-Cookie: SSID=Ap4P…GTEq; Domain=foo.com; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT; Secure; HttpOnly

Expires and Max-Age

Set-Cookie: lu=Rg3vHJZnehYLjVg7qi3bZjzg; Expires=Tue, 15 Jan 2013 21:47:38 GMT; Path=/; Domain=.example.com; HttpOnly
Set-Cookie: made_write_conn=1295214458; Path=/; Domain=.example.com
Set-Cookie: reg_fb_gate=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.example.com; HttpOnly

Secure and HttpOnly




References
  1. 1.0 1.1 1.2 www.zscaler.com



blog comments powered by Disqus