Hypertext for Hyper Techs: An Introduction to HTTP for SecPros
Bio
Josh Little, GSEC
~14 years in IT: Support, Server/Storage Admin, Webmaster, Web App Dev, Networking, VoIP, Projects, Security.
Currently a Security Engineer for a major global business intelligence firm.
HTTP - What the heck is it...
Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems.
HTTP exists in two modern forms, HTTP/1.0 and HTTP/1.1, defined in RFC 1945 and RFC 2068/2616 respectively.
Request/response, client/server model.
What it ain't...
HTTP != HTML - HTTP is the protocol that delivers the content, not the content itself.
HTTP != tcp/80 - HTTP servers can run on any port and are often found on random high ports.
Where You'll Find It
Web servers (obviously - IIS, Apache, etc.)
Application servers (Tomcat, Oracle, JBoss, etc.)
Content distribution servers (e.g. Flash Media Server)
System, service, and device management consoles
HTTP Request/Response Model

HTTP Request:
    GET /index.html HTTP/1.1
    Host: www.example.com
    User-Agent: Mozilla/4.0
    Cookie: JSESSIONID=AFKFF9384FFJG

HTTP Response:
    HTTP/1.1 200 OK
    Date: Mon, 10 Jul 2011 18:00:00 GMT
    Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
    Last-Modified: Wed, 06 Jul 2011 23:11:55 GMT
    Accept-Ranges: bytes
    Content-Length: 66
    Connection: close
    Content-Type: text/html; charset=utf-8

    <HTML><head><title>Test</title></head><body> Content</body></html>
Just Asking For It... HTTP Request Format
    <VERB> <URI> <PROTOCOL><crlf>
    <HEADER NAME>: <HEADER VALUE><crlf>
    <crlf>
What's your address?
URI = Uniform Resource Identifier. Refers to a resource, either by location or by namespace.
URL = Uniform Resource Locator:
    scheme://username:password@domain:port/path?query_string#fragment_id
URLs are URIs. HTTP uses absolute or relative URLs for accessing content resources.
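As an added example (not from the slides), the Python below decomposes a URL into the fields listed above and shows which of them actually reach the server: the request line carries only path and query, the Host header carries the domain (plus the port when it is not the scheme's default), and the fragment never leaves the client. It also resolves a relative URL against the page it was found in. Function names are the example's own; only the standard library is used.

```python
from urllib.parse import urlsplit, urljoin, parse_qsl

# Default ports implied by the scheme when the URL does not name one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def decompose_url(url):
    """Split an absolute URL into the fields named on the slide:
    scheme://username:password@domain:port/path?query_string#fragment_id
    """
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError("not an absolute URL: %r" % url)
    return {
        "scheme": p.scheme,
        "username": p.username,      # userinfo travels in the URL itself, so it lands in logs and history
        "password": p.password,
        "domain": p.hostname,
        "port": p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme),
        "path": p.path or "/",
        "query": dict(parse_qsl(p.query, keep_blank_values=True)),
        "fragment": p.fragment,      # client-side only; never sent to the server
    }


def request_target(url):
    """The <URI> that appears on the request line: path plus query string.
    Scheme, host and fragment are not part of it."""
    p = urlsplit(url)
    target = p.path or "/"
    if p.query:
        target += "?" + p.query
    return target


def host_header(url):
    """Host header value derived from the URL; the port is included only when
    it differs from the scheme's default."""
    p = urlsplit(url)
    if p.port is None or p.port == DEFAULT_PORTS.get(p.scheme):
        return p.hostname
    return "%s:%d" % (p.hostname, p.port)


def resolve(base, reference):
    """Turn a relative URL found in served content into an absolute one,
    relative to the page it came from."""
    return urljoin(base, reference)


if __name__ == "__main__":
    url = "http://user:pw@www.example.com:8080/index.php?cat=toys&sort=byprice&ret=25#top"
    print(decompose_url(url))
    print(request_target(url), "|", host_header(url))
    print(resolve("http://www.example.com/a/b.html", "../img/logo.jpg"))
```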
Standard HTTP Methods
GET - The URI string contains all parameters passed. Retrieves the specified resource.
    GET /index.php?cat=toys&sort=byprice&ret=25
POST - Delivers the specified data to a server resource. The data is contained in the message body.
More Standard Methods
HEAD - Returns only the headers that a GET for the given resource would produce, without the body.
One Last Method...
OPTIONS - Returns the valid methods for a given URI, as well as any other optional server features. Fingerprints a URI.
Specialized Methods
CONNECT - Used by HTTP proxies for TCP tunneling
TRACE/TRACK - Used for debugging/loopback
PUT/DELETE - Used by WebDAV servers (file system over HTTP)
Protocol Versions
Two major versions still supported - HTTP/1.0 & HTTP/1.1
Most servers respond to both protocols
Limited features & efficiencies in HTTP/1.0
HTTP/1.0:
    Only requires the basic HTTP resource request for connections.
    Limited support for caching and compression.
    One connection, one request.
HTTP/1.1:
    Requires the Host header.
    Multiple cache control options.
    HTTP pipelining - multiple requests per connection.
    OPTIONS method.
    Digest and proxy authentication.
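Added example, not part of the deck: a small Python parser for the request and response formats shown above (start line, Name: Value headers, an empty line, body) that also enforces the two framing rules the HTTP/1.0 vs HTTP/1.1 comparison turns on. An HTTP/1.1 request without a Host header is rejected, and Content-Length decides where one pipelined message ends and the next begins, so a second message on the same connection is handed back as leftover bytes. The sample messages are the deck's own request/response example re-typed as bytes; function names are assumptions of the example. Chunked transfer encoding is not handled.

```python
import re

# Constructed samples: the request/response pair from the "HTTP Request/Response Model"
# slide, typed out with the CRLF line endings the wire format requires.
REQUEST_SAMPLE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Cookie: JSESSIONID=AFKFF9384FFJG\r\n"
    b"\r\n"
)
RESPONSE_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 10 Jul 2011 18:00:00 GMT\r\n"
    b"Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)\r\n"
    b"Content-Length: 66\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<HTML><head><title>Test</title></head><body> Content</body></html>"
)

# "<VERB> <URI> <PROTOCOL>" for requests, "<PROTOCOL> <CODE> <REASON>" for responses.
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/1\.[01])$")
STATUS_LINE = re.compile(r"^(HTTP/1\.[01]) (\d{3})(?: (.*))?$")


def parse_message(raw):
    """Parse one HTTP/1.x request or response from bytes.

    Returns a dict with the start-line fields, a header dict (names lowercased),
    the body, and any bytes left over after the body (the next pipelined message).
    Raises ValueError on framing problems rather than guessing.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated by an empty line")
    lines = head.split(b"\r\n")

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # No colon, an empty name, or whitespace around the name: malformed.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        key = name.decode("ascii").lower()
        val = value.decode("latin-1").strip()
        if key in headers:
            if key == "content-length":
                # Two lengths would let sender and receiver disagree on where the body ends.
                raise ValueError("duplicate Content-Length header")
            # RFC 2616 4.2: repeated fields combine into one comma-separated list
            # (Set-Cookie is the well-known exception; handle it separately if needed).
            headers[key] += ", " + val
        else:
            headers[key] = val

    start = lines[0].decode("ascii")
    msg = {"headers": headers}
    m = STATUS_LINE.match(start)
    if m:
        msg.update(kind="response", version=m.group(1), code=int(m.group(2)), reason=m.group(3) or "")
    else:
        m = REQUEST_LINE.match(start)
        if not m:
            raise ValueError("bad start line: %r" % start)
        msg.update(kind="request", method=m.group(1), target=m.group(2), version=m.group(3))
        # HTTP/1.1 makes Host mandatory (virtual hosting); HTTP/1.0 does not.
        if msg["version"] == "HTTP/1.1" and "host" not in headers:
            raise ValueError("HTTP/1.1 request without a Host header")

    # Body framing: Content-Length says how many octets belong to this message;
    # anything beyond them is the start of the next pipelined message.
    if "content-length" in headers:
        n = int(headers["content-length"])
        if n < 0 or len(rest) < n:
            raise ValueError("body shorter than Content-Length")
        msg["body"], msg["remaining"] = rest[:n], rest[n:]
    else:
        msg["body"], msg["remaining"] = rest, b""
    return msg


def parse_error(raw):
    """Return the parser's complaint for a malformed message, or None if it parses."""
    try:
        parse_message(raw)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(parse_message(REQUEST_SAMPLE))
    print(parse_message(RESPONSE_SAMPLE)["code"])
    print(parse_error(b"GET / HTTP/1.1\r\n\r\n"))
```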
Headers
Headers are Name: Value pairs used to adjust client/server behavior and convey information. The HTTP RFC defines a standard set of headers, but custom headers can also be set, if both client and server understand them.
Request Headers
Host - Defines the virtual host alias
    Host: www.cnn.com
Cookie - Attaches relevant cookie values to requests
    Cookie: CG=US:WI:Milwaukee
User-Agent - Defines the client creating the request
    User-Agent: Mozilla/5.0
Referer - Defines the URL the client is coming from
    Referer: http://www.cnn.com/
Content-Length - Length of the message body, in decimal octets
    Content-Length: 365
Response Headers
Server - Relates the reported version of the HTTP server
    Server: Apache/2.2.17 (Debian)
Set-Cookie - Defines a new cookie for the client
    Set-Cookie: arrowspc=1; domain=.cnet.com; path=/; expires=fri, 19-Aug-2011 01:30:04 GMT
Content-Type - Defines the MIME type of the content being served
    Content-Type: text/html
Via - Defines any proxies the response was sent through
    Via: HTTP/1.0 phx1-rb-revapp2.cnet.com:80 (cnwk.proxy.servlet.pathproxy Servlet $Revision: 218012 $)
Response Codes
Each response begins with the responding protocol version and the server's response code. The code is a numeric value followed by a short description. The content returned depends on the request, the application, and the server platform.
Common Response Codes
200 OK - Request successful
302 Found - Resource temporarily found elsewhere
400 Bad Request - Request contains syntax errors
403 Forbidden - Server refused to fulfill the request
404 Not Found - The resource requested does not exist on the server
500 Internal Error - An error occurred on the server that prevented the request from completing
Example HTTP Request/Responses

Request:
    GET / HTTP/1.1
    Host: www.zombietango.com
    User-Agent: Mozilla/5.0

Response:
    HTTP/1.1 200 OK
    Date: Wed, 20 Jul 2011 02:11:15 GMT
    Server: Apache
    Last-Modified: Tue, 10 Feb 2009 18:39:52 GMT
    ETag: "8154273-230-46294d00c6e00"
    Accept-Ranges: bytes
    Content-Length: 560
    Vary: Accept-Encoding
    Content-Type: text/html

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
    <title>zombie Tango</title>
    <link href="/css/styles.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="container">
    <div id="logo"><a href="/blog" alt="click to enter site"><img src="/img/ztlogo_lg.jpg" alt="do the Zombie Tango..." title="do the Zombie Tango..." /></a></div>
    </div>
    </body>
    </html>
Example HTTP Request/Responses

Request:
    GET /w/api.php?action=opensearch&search=h&namespace=0&suggest= HTTP/1.1
    Host: en.wikipedia.org
    Connection: keep-alive
    Referer: http://en.wikipedia.org/wiki/main_page
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json, text/javascript, */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-us,en;q=0.8
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Cookie: clicktracking-session=fe6cd33goczlwhsm6dg6ejvmvo3khihaz; mediawiki.user.bucket%3Aext.articleFeedback-tracking=8%3Atrack; hidesnmessage=1; mediawiki.user.bucket%3Aext.articleFeedback-options=8%3Ashow

Response:
    HTTP/1.0 200 OK
    Date: Wed, 20 Jul 2011 02:01:09 GMT
    Server: Apache
    Cache-Control: max-age=86400, s-maxage=86400, public
    Expires: Thu, 21 Jul 2011 02:01:09 GMT
    Content-Encoding: gzip
    Vary: Accept-Encoding
    Content-Length: 134
    Content-Type: application/json; charset=utf-8
    Age: 857
    X-Cache: HIT from sq35.wikimedia.org
    X-Cache-Lookup: HIT from sq35.wikimedia.org:3128
    X-Cache: MISS from sq73.wikimedia.org
    X-Cache-Lookup: MISS from sq73.wikimedia.org:80
    Connection: keep-alive
State Management
HTTP is stateless by nature. It is up to the application to determine how it associates traffic with discrete users, e.g. cookie values or Basic/Digest authentication.
HTTP & Security
General Security Concerns
HTTP servers are everywhere.
Misconfigured HTTP servers leak information about your architecture.
HTTP servers are typically the most exposed public service.
Two areas for attack - the HTTP server/protocol itself and the content that it serves.
Attacks against HTTP
HTTP Response Splitting - Using unsanitized input to trick the client into seeing two different responses by adding a <crlf> sequence and additional content. Headers and content can be controlled.
Man-in-the-middle attacks - HTTP is very susceptible to MitM attacks due to the plaintext ASCII nature of the protocol.
DoS attacks / Slowloris - Consuming or overloading server processes.
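To make the response-splitting point concrete, here is an added example (not from the deck): a redirect built by plain string concatenation next to one that rejects any control character in the header value, plus the common pitfall of validating the value before it is percent-decoded. A small status-line counter shows what the split looks like from the receiving side. All names are the example's own and the inputs are constructed.

```python
import re
from urllib.parse import unquote

# CR, LF, NUL and the rest of the ASCII control range: none of it belongs in a header value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample of what a split response looks like once it has reached a client:
# a second status line sits where the first response's (empty) body should be.
SPLIT_SAMPLE = (
    "HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
)


def build_redirect_unsafe(location):
    """'Before' version: the caller's text is concatenated straight into the header
    block. A CRLF inside it terminates the Location line early and the client
    parses whatever follows as further headers, or as a whole second response."""
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nContent-Length: 0\r\n\r\n"


def is_safe_header_value(value):
    """True when the value contains no control characters at all."""
    return CONTROL_CHARS.search(value) is None


def safe_header_value(value):
    """Reject rather than strip: stripping invites encoding games, rejecting fails closed."""
    if not is_safe_header_value(value):
        raise ValueError("control character in header value")
    return value


def build_redirect(location):
    """'After' version: identical output for clean input, ValueError for anything else."""
    return "HTTP/1.1 302 Found\r\nLocation: " + safe_header_value(location) + "\r\nContent-Length: 0\r\n\r\n"


def handle_redirect_param(raw_param):
    """An application usually receives the target percent-encoded in the query string
    and decodes it before use. The check must run on the decoded value, because that
    is what lands in the header: '%0d%0a' passes a check on the raw string."""
    return build_redirect(unquote(raw_param))


def redirect_or_error(raw_param):
    """Convenience wrapper so callers see the outcome without catching exceptions."""
    try:
        return handle_redirect_param(raw_param)
    except ValueError as e:
        return "rejected: " + str(e)


STATUS_LINE = re.compile(r"^HTTP/1\.[01] \d{3}", re.MULTILINE)


def count_status_lines(response_text):
    """Detection side (proxy log or test harness): one response carries exactly one
    status line; more than one means the header block was split. A body that
    legitimately contains such a line is a false positive, so apply this to the
    header region of responses you control."""
    return len(STATUS_LINE.findall(response_text))


if __name__ == "__main__":
    print(repr(build_redirect_unsafe("/home\r\nX-Injected: 1")))   # constructed input with a bare CRLF
    print(redirect_or_error("/home%0d%0aX-Injected: 1"))
    print(count_status_lines(SPLIT_SAMPLE))
```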
In Strict Confidence...
Unencrypted HTTP is very easy to intercept and read.
Secure HTTP (HTTP/S) attempts to mitigate this: it uses SSL/TLS to encrypt the complete HTTP payload. No part of the HTTP message, including the headers, is visible outside the SSL/TLS session.
Increased use of HTTP/S means decreased visibility into traffic for traditional security tools (IDS, DLP, content filters, etc.).
Cookie Monster
Many HTTP-based applications use cookies for authentication / state tracking.
Cookie = username/password: whoever holds the cookie is treated as the authenticated user.
Cross-domain restrictions prevent cookie disclosure outside the originating domain.
XSS flaws can disclose cookies to bad guys.
Cookie security mechanisms - Secure & HttpOnly.
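Added example (not from the slides): a Set-Cookie auditor that parses the attribute list and reports a missing Secure or HttpOnly flag, a Domain attribute that widens the cookie to every host under that domain, and an expiry that turns a session cookie into one that persists on disk. The first sample is the Set-Cookie line from the Response Headers slide; the second is a constructed, hardened session cookie. Function names are the example's own.

```python
# Constructed samples: the first is the Set-Cookie value from the Response Headers
# slide, the second is what a hardened session cookie should look like.
TRACKING_COOKIE = "arrowspc=1; domain=.cnet.com; path=/; expires=fri, 19-Aug-2011 01:30:04 GMT"
SESSION_COOKIE = "JSESSIONID=AFKFF9384FFJG; Path=/; Secure; HttpOnly"


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into name, value and a dict of attributes.
    Attribute names are case-insensitive; flags like Secure carry no value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header_value, served_over_tls=True):
    """Return a list of findings for one Set-Cookie value; empty means nothing to report."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    findings = []
    if not served_over_tls:
        findings.append("set over plain HTTP: value is readable in transit regardless of flags")
    elif "secure" not in attrs:
        findings.append("no Secure flag: browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by script, so an XSS flaw can disclose it")
    if "domain" in attrs:
        # A Domain attribute shares the cookie with every host under that domain,
        # not only the origin that set it.
        findings.append("Domain=%s: sent to every host under that domain, not only the origin" % attrs["domain"])
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: survives a browser restart and stays on disk")
    return findings


def audit_response_cookies(set_cookie_values, served_over_tls=True):
    """Audit every Set-Cookie value from one response; returns {cookie name: [findings]}."""
    return {parse_set_cookie(v)["name"]: audit_set_cookie(v, served_over_tls) for v in set_cookie_values}


if __name__ == "__main__":
    for name, findings in audit_response_cookies([TRACKING_COOKIE, SESSION_COOKIE]).items():
        print(name, findings or "ok")
```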
Tools of the Trade
Doing it by hand - Telnet and ncat
curl & wget
Web browsers
Local proxies - Burp, WebScarab, Zed Attack Proxy, Fiddler
Firefox plugins - TamperData, Groundspeed
?