Lesson 4 - HTTP Basics and Web Tools (29/11/25)
Understanding how web communication works and essential knowledge for pentesting.
Next lesson: TBA
How Web Communication Works
HTTP Request-Response Cycle
Simple explanation: Think of it like talking to a waiter in a restaurant.
- Client sends HTTP Request
  - Method: What you want to do (GET=order, POST=send data)
  - URL: Which dish you want from the menu
  - Headers: Information about you (e.g., "I'm allergic to peanuts")
  - Body: Additional information (e.g., "no onions")
- Server processes request
  - Parses the request: Reads what you asked for
  - Authenticates user: Checks if you're a customer
  - Performs business logic: Goes to the kitchen
  - Accesses database/files: Finds the ingredients
- Server sends HTTP Response
  - Status code: 200=OK, 404=Not found, 500=Kitchen problem
  - Headers: Information about the food (e.g., "hot", "gluten-free")
  - Body: The food you ordered
Key Components
URL Structure:
https://example.com:443/path/to/resource?param=value#section
Protocol: https | Hostname: example.com | Port: 443 | Path: /path/to/resource | Query: param=value | Fragment: section
Simple explanation:
- Protocol: How we'll talk (https=secure, http=not secure)
- Hostname: The restaurant's name
- Port: The door you'll enter (443=secure, 80=regular)
- Path: The menu section
- Query: Special options (e.g., "with fries")
- Fragment: Which part of the page to go to
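The request-response cycle and the URL parts above, shown as the bytes that actually travel. This is an added example, not part of the original lesson; the function names and the sample response are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def build_request(method, url, headers=None, body=b""):
    """Return (host, port, raw_request_bytes) for an HTTP/1.1 request to url."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS[u.scheme]
    # The fragment (#section) stays in the browser and is never sent.
    target = (u.path or "/") + ("?" + u.query if u.query else "")
    hdrs = {"Host": u.hostname, "Connection": "close"}
    hdrs.update(headers or {})
    if body:
        hdrs["Content-Length"] = str(len(body))
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()]
    return u.hostname, port, "\r\n".join(lines).encode() + b"\r\n\r\n" + body

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), reason, headers, body

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"Not found"
)

if __name__ == "__main__":
    host, port, raw = build_request(
        "GET", "https://example.com:443/path/to/resource?param=value#section")
    print(host, port)
    print(raw.decode())
    print(parse_response(SAMPLE_RESPONSE))
```

The hostname and port decide where the connection goes; only the method, path, query, headers and body are written into the request itself.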
Essential HTTP Status Codes for Pentesters
Why they matter: Status codes tell you whether your request succeeded or failed. In pentesting, unexpected codes can reveal vulnerabilities!
2xx Success Codes
| Code | Meaning | Pentesting Relevance |
|---|---|---|
| 200 | OK | Request succeeded - normal operation |
| 201 | Created | New resource created (e.g., new user) |
| 204 | No Content | Success but no response body (e.g., delete) |
| 202 | Accepted | Request accepted but still processing |
3xx Redirection Codes
| Code | Meaning | Pentesting Relevance |
|---|---|---|
| 301 | Moved Permanently | Permanent move - SEO impact |
| 302 | Found | Temporary redirect - can be exploited |
| 307 | Temporary Redirect | Keeps method - important for POST |
| 308 | Permanent Redirect | Permanent + keeps method - modern alternative |
4xx Client Error Codes
| Code | Meaning | Pentesting Relevance |
|---|---|---|
| 400 | Bad Request | Bad request - try different inputs |
| 401 | Unauthorized | Need login - try bypass |
| 403 | Forbidden | Access denied - try different user |
| 404 | Not Found | Doesn't exist - check for info leaks |
| 405 | Method Not Allowed | HTTP method not supported |
| 408 | Request Timeout | Timed out - try DoS attack |
| 429 | Too Many Requests | Rate limited - find bypass |
5xx Server Error Codes
| Code | Meaning | Pentesting Relevance |
|---|---|---|
| 500 | Internal Server Error | Generic server error - look for info leaks |
| 501 | Not Implemented | Feature not supported |
| 502 | Bad Gateway | Gateway server error |
| 503 | Service Unavailable | Server down - try DoS |
| 504 | Gateway Timeout | Backend timeout - try DoS |
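The same status codes are what a defender sees in the access log. The following added example (not part of the original lesson) counts 401/403/404/429 responses per client over constructed log lines; the log format (Common Log Format) and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines in Common Log Format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Nov/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 403 153
203.0.113.7 - - [29/Nov/2025:10:00:02 +0000] "GET /old HTTP/1.1" 404 146
203.0.113.7 - - [29/Nov/2025:10:00:02 +0000] "GET /test HTTP/1.1" 404 146
203.0.113.7 - - [29/Nov/2025:10:00:03 +0000] "POST /login HTTP/1.1" 401 98
203.0.113.7 - - [29/Nov/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [29/Nov/2025:10:01:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [29/Nov/2025:10:01:11 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.20 - - [29/Nov/2025:10:01:12 +0000] "GET /favicon.ico HTTP/1.1" 404 146
"""

# client, method, path, status code
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
WATCHED = {401, 403, 404, 429}  # denied, missing or rate-limited requests

def summarize(log_text):
    """Map each client address to a Counter of the status codes it received."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            per_client[m.group(1)][int(m.group(4))] += 1
    return per_client

def flag_clients(log_text, threshold=3):
    """Clients whose watched 4xx responses reach the (assumed) threshold."""
    flagged = {}
    for ip, codes in summarize(log_text).items():
        n = sum(count for code, count in codes.items() if code in WATCHED)
        if n >= threshold:
            flagged[ip] = n
    return flagged

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

A single 404 for a favicon is normal; a burst of 401/403/404 from one address is the pattern worth a closer look.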
Common Web Ports and Their Services
What are ports: Like doors in a building - each door leads to a different room/service!
Standard Web Ports
| Port | Protocol | Service | Pentesting Notes |
|---|---|---|---|
| 80 | HTTP | Unencrypted web traffic | Check for plaintext data |
| 443 | HTTPS | Encrypted web traffic | SSL/TLS testing, certificate analysis |
| 8080 | HTTP | Alternative HTTP | Often for admin panels, dev servers |
| 8443 | HTTPS | Alternative HTTPS | Often for admin panels, dev servers |
Development/Admin Ports
| Port | Protocol | Service | Pentesting Notes |
|---|---|---|---|
| 3000 | HTTP | Node.js dev server | Common in development environments |
| 5000 | HTTP | Flask/Django dev | Python web applications |
| 8000 | HTTP | Django dev server | Python applications |
| 9000 | HTTP | Various services | Often for admin interfaces |
API/Web Services Ports
| Port | Protocol | Service | Pentesting Notes |
|---|---|---|---|
| 8081 | HTTP | Alternative web | Potential API endpoints |
| 9090 | HTTP | Various services | Often for monitoring tools |
| 9443 | HTTPS | Alternative HTTPS | Secure admin interfaces |
Essential Web Pentesting Knowledge for Beginners
Why it matters: These are your "tools" to find weaknesses in websites!
1. Understanding HTTP Methods
- GET: Retrieve data (Idempotent - same result every time)
- POST: Send data (Creates new resources)
- PUT: Update/replace data
- DELETE: Delete resources
- PATCH: Partial updates
- OPTIONS: Available methods
- HEAD: Headers only (Like GET without body)
2. Common Vulnerability Types
Injection Vulnerabilities:
- SQL Injection: `admin' OR '1'='1'` (Inject SQL code into forms)
- XSS: `<script>alert(1)</script>` (Inject JavaScript into pages)
- Command Injection: `; ls -la` (Execute system commands)
Authentication Issues:
- Weak passwords: Easy to guess passwords
- Default credentials: Default login credentials
- Session fixation: An attacker sets the session ID in advance and it stays valid after login
- JWT vulnerabilities: JWT token issues
Authorization Issues:
- Horizontal privilege escalation: Access other users' data
- Vertical privilege escalation: Access admin functions
- IDOR (Insecure Direct Object Reference): Accessing an object directly by its reference (e.g., an ID) without an authorization check
What Beginners Should Focus On
Priority 1: Fundamentals
- Understanding HTTP
  - Request/response cycle: How the web works
  - Headers and their purpose: Communication information
  - Status codes: What the numbers mean
- Basic Web Technologies
  - HTML structure: How pages are structured
  - Basic JavaScript: Dynamic behavior
  - CSS understanding: Styling and appearance
  - JSON data format: How data is exchanged
- Networking Fundamentals
  - DNS resolution: How names become addresses
  - Basic TCP/IP: How data travels
  - SSL/TLS concepts: How encryption works
Priority 2: Practical Skills
- Using Tools
  - Developer tools: F12, Console, Network tab
  - Proxy tools: Burp Suite, OWASP ZAP to see traffic
  - Network analysis: Wireshark for deep packet analysis
- Testing Methodology
  - Information gathering: First find what exists
  - Vulnerability scanning: Automated checks for known issues
  - Manual techniques: Creative testing
Learning Path for Beginners
Start here (1-2 months):
- Complete web basics - HTML, CSS, JavaScript fundamentals
- Learn HTTP in depth - How requests/responses work
- Practice with browser tools - Master F12 developer tools
- Understand common vulnerabilities - Read about OWASP Top 10
Next steps (2-4 months):
- Learn a pentesting tool - Start with Burp Suite Community Edition
- Practice on legal platforms - HackTheBox, TryHackMe, PortSwigger Academy
- Study authentication - How login systems work and fail
- Learn basic scripting - Python or Bash for automation
After mastering the foundations:
- Study specific vulnerability classes in depth - SSRF, XXE, Deserialization
- Learn about web application firewalls - How they work and how to bypass them
- Understand cloud security concepts - AWS, Azure, GCP security
- Explore mobile application security - iOS, Android pentesting
- Practice on real-world targets (legally!) - Bug bounty, authorized testing
Advice for Beginners: Start slow, be patient, and never stop learning. Web security is a vast field - nobody knows everything!