👒 Web Basics
A personal page for notes from various reading materials

Basics

HTTP methods:
  • GET: Retrieves data from the server
  • POST: Submits data to the server
  • OPTIONS: Requests the HTTP methods permitted for a given URL
  • PUT: Updates a resource
  • DELETE: Deletes a resource
Example of a GET request from Burp
Request line (1st line): Specifies the request method, URL and version of HTTP used
Request headers: Used to pass additional info to the server; allow customization by the client
  • Host: Hostname of the request
  • User-Agent: OS/software version of the requesting client (web browser)
  • Accept | Accept-Language | Accept-Encoding: Tell the server which format responses should be in
  • Connection: Whether the network connection should stay open or be closed
  • Referer: Specifies the address of the previous web page that linked to the current one
  • Authorization: Credentials that authorize a user to the server
HTTP responses:
  • 200 OK
  • 300 Redirect
  • 400 Client errored
  • 500 Server errored
Encoding types: base64, base64url encoding, hex, URL encoding, octal, dword
Session management: A process that allows the server to handle multiple requests from the same user without asking them to login again
  • Server stores your information/uses a corresponding session ID
  • Session ID: Usually long/unpredictable sequence
Token-based authentication: System stores info directly in some sort of token
  • Instead of storing information server-side and querying it with a session ID, the server decodes the token
JWT: JSON Web Tokens:
  • Header: Identifies the alg used to generate the signature; base64url-encoded
  • Payload: Contains info about the user's identity
  • Signature: Lets the server validate that the user hasn't tampered with the token: concatenates header + payload, then signs it with the alg specified in the header and a secret key
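To make the three-part structure concrete, here is an added example (not from the original notes) that builds and verifies an HS256 JWT with only the standard library. The secret, the payload and the `replace_payload` helper are constructed for the demo; the point it shows is that any change to the payload, a wrong key, or a header that tries to switch the algorithm fails verification.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    # Compact, deterministic JSON so the encoded segments are reproducible
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_jwt(payload: dict, secret: bytes) -> str:
    # header.payload is the signing input; the signature covers both segments
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(payload))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    # Returns the payload on success, None on any failure
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The header is client-controlled: pin the algorithm server-side instead of trusting "alg"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def replace_payload(token: str, new_payload: dict) -> str:
    # Hypothetical helper: swaps the payload segment but keeps the old signature,
    # which is exactly what verify_jwt must reject
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(_json_bytes(new_payload))}.{sig_b64}"


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice", "role": "user"}, SECRET)
    print(token)
    print("valid:", verify_jwt(token, SECRET))
    print("tampered:", verify_jwt(replace_payload(token, {"sub": "alice", "role": "admin"}), SECRET))
```

Note that `verify_jwt` checks the algorithm before it even looks at the signature, so a header claiming `"alg":"none"` is rejected rather than treated as a request to skip verification.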
Open Redirects:
  • Sites often use URL parameters to redirect users without any user action
    • Can cause open redirects: when an attacker can manipulate the value of the redirect parameter to point offsite
  • Common open redirect: Referer-based redirection
    • Referer: An HTTP request header that browsers include automatically; it tells the server where the request originally came from and is commonly used to determine the user's previous location
Prevention: URL validators: Ensure the user-provided redirect URL points to a legitimate location
Examples:

```
https://www.moo.com/login?redirect=
https://www.moo.com/login?redir=
https://www.moo.com/login?next=
https://www.moo.com/login?next=/
```
Absolute URL: Complete; contains all components necessary to locate the resource pointed to. They contain at least:
  1. Scheme
  2. Hostname
  3. Path of the resource
Relative URL: Concatenated with another URL by the server in order to be used. They typically contain:
  1. The path component of a URL, like /login
Looking for open redirects:

```
site: moo.com
inurl:%Dhttp site:moo.com
inurl:%D%2F site:moo.com
inurl:redir site:moo.com
inurl:redirect site:moo.com
inurl:redirecturi site:moo.com
inurl:redirect_uri site:moo.com
inurl:redirecturl site:moo.com
inurl:return site:moo.com
inurl:returnurl site:moo.com

relaystate site:moo.com
forward:site:moo.com
forwardurl site:moo.com
forward_url site:moo.com

inurl:url site:moo.com
inurl:uri site:moo.com

inurl:dest site:moo.com
inurl:destination site:moo.com
inurl:next site:moo.com

https://www.moo.com/login?next=
https://www.moo.com/login?u=
https://www.moo.com/login?n=/
https://www.moo.com/logout?dest=/
https://www.moo.com/login?RelayState=
https://www.moo.com/logout?forward=
https://www.moo.com/login?return=home/settings
```
Validator bypass notes:
  • Browsers treat \ and / the same
  • You can use subdomains for bypasses occasionally
  • Data URL examples to fool validators:
```
data:MEDIA_TYPE[;base64],DATA
data:text/plain,hello!
data:text/plain;base64,AGVsbG8h
<script>location="https://www.moo.com"</script>
```