Security testing tutorial (Part 2): HTTP & HTTPS

Tram Ho

Introduction

Capturing the protocol is important for a good understanding of security testing. When a packet data is blocked between the webserver and the client, it is time to realize the importance of the protocol.

HTTP Protocol

HTTP stands for Hypertext Transfer Protocol. HTTP is an application-layer protocol for distributed, combined or hypermedia information systems. It has been the foundation for information communication on the World Wide Web (www) since 1990. HTTP is a generic protocol and is in the form of a stateless protocol that allows users to use it for many other purposes as well as to use extensions from request method, error codes and headers by itself.

Basically, HTTP is a TCP / IP-based communication protocol, used to distribute data such as HTML files, image files, query results, etc. via the web. It provides a standardized way for computers to communicate with each other. HTTP shows how the client request data is sent to the server and how the server responds to these requests.

Stateless protocol is a design that does not save client data on the server, meaning that after the client sends data to the server, the server completes and returns the results, the server does not save any data of the client.

Basic features

There are three basic features that make HTTP a simple yet powerful protocol:

  • HTTP – Connectionless : on the HTTP client side, such as the browser will initiate an HTTP request. After initiating the request, the client disconnects from the server and waits for a response. The server will process the request and re-establish the connection with the client to send feedback.
  • HTTP – Media independent : any type of data can be sent using HTTP as long as the client and server know how to handle the content of the data. This is required by the client as well as the server to specify the content type using the appropriate MIME-type .
  • HTTP – Stateless : the server and the client can only recognize each other at the same time. After that, both sides will lose connection with each other. Due to this nature of the protocol, neither the client nor the browser can store information between different requests on web pages.

HTTP / 1.0 uses a new connection for each request / respone exchange while HTTP / 1.1 can be used for one or more request / respone exchanges.

MIME stands for "Multipurpose Internet Mail Extensions" which is an Internet standard for email format.

Architecture

The following diagram describes the basic architecture of a web application and the HTTP description The HTTP protocol is a request / respone protocol based on the client / server structure where web browsers, robots and search engines, etc. act as HTTP clients and web servers act as servers.

  • Client : HTTP clients send a request to the server as a request method, URL and protocol version, followed by a MIME-like message, containing request modifiers, client information, and possibly body content over a TCP / IP connection.
  • Server : The HTTP server responds as a status line containing the protcol version of the message and a successful or error code status, followed by a message like MIME, containing server information, entity meta information and possibly internal content. do entity-body

HTTP – Disadvantages

  • HTTP is not secure
  • HTTP uses the default port 80 to exchange data
  • HTTP works at the application layer (application layer) to transfer data, it will have to set up multiple ports, invisible and costly to operate.
  • HTTP does not require encryption certificates and digital certificates.

Details about HTTP Protocol Details will be covered in the next article, so everyone is welcome to read.

HTTPs Protocol

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) or HTTP over SSL is a web protocol developed by Netscape. It is not a protocol, it is the result of an HTTP layer over SSL / TLS (Secure Socket Layer / Transport Layer Security).

In short, HTTPS = HTTP + SSL

When is HTTPS Required?

When using the browser, the sending and receiving information will be executed by HTTP protocol. Therefore, this leads to the fact that anyone can eavesdrop on the conversation between our computer and the web server. So when it comes to exchanging sensitive and personal information, how should this case be handled? That is when HTTPS needs to be used to secure and prevent unauthorized access.

Https protocol is often used in the following scenarios:

  • Banking Websites
  • Payment Gateway
  • Shopping Websites
  • All Login Pages
  • Email Apps

Basic Working of HTTPS

  1. HTTPS Protocol requires public key and signed certificates from server.
  2. Client sends requests to https: //
  3. When using a connection using the https protocol, the server sends responds to the connection initiated by providing a list of encryption methods that the webserver supports.
  4. During the response process, the client chooses a connection method and the client and server exchange certificates (certificates) to verify the identity of the two parties.
  5. After step 4 is completed, both the webserver and the client will exchange encrypted information after making sure that the two parties are using the same key and the connection is closed.
  6. To store https connections, the server must have a public key certificate in which the key embeds key information with the key identity identity.
  7. All certificates are verified by a third party so that clients are assured that the key is always secure.

Conclusion

HTTPS is more secure than HTTP in encrypting data and protecting personal information. However, each method has advantages and disadvantages.

HTTP is a website that responds faster than HTTPS. Therefore it is often used for news sites that need quick information.

Because HTTPS is more secure, it's often used for data entry sites such as bank accounts, personal emails, and pages that need to be transacted.

Depending on the purpose, HTTP or HTTPS is used for websites. When researching security testing, we need to get an overview of these protocols to understand how packets are secure or insecure on the Internet.

References: https://www.tutorialspoint.com/security_testing/http_protocol_basics.htm

Share the news now

Source : Viblo