
Web requests

Web Headers

Finally, we have Security Headers. With the increase in the variety of browsers and web-based attacks, defining certain headers that enhanced security was necessary. HTTP Security headers are a class of response headers used to specify certain rules and policies to be followed by the browser while accessing the website.

Header: Content-Security-Policy
  Example: Content-Security-Policy: script-src 'self'
  Description: Dictates the website's policy towards externally injected resources. This could be JavaScript code as well as script resources. This header instructs the browser to accept resources only from certain trusted domains, hence preventing attacks such as Cross-site scripting (XSS).

Header: Strict-Transport-Security
  Example: Strict-Transport-Security: max-age=31536000
  Description: Prevents the browser from accessing the website over the plaintext HTTP protocol, and forces all communication to be carried over the secure HTTPS protocol. This prevents attackers from sniffing web traffic and accessing protected information such as passwords or other sensitive data.

Header: Referrer-Policy
  Example: Referrer-Policy: origin
  Description: Dictates whether the browser should include the value specified via the Referer header or not. It can help in avoiding disclosing sensitive URLs and information while browsing the website.

Note: This section only mentions a small subset of commonly seen HTTP headers. There are many other contextual headers that can be used in HTTP communications. It's also possible for applications to define custom headers based on their requirements. A complete list of standard HTTP headers can be found here.

We can use the -I flag to send a HEAD request and only display the response headers. Furthermore, we can use the -i flag to display both the headers and the response body (e.g. HTML code). The difference between the two is that -I sends a HEAD request (as we will see in the next section), while -i sends whatever request we specify and prints the headers as well as the body.

$ curl -I https://www.google.com
HTTP/2 200 
content-type: text/html; charset=ISO-8859-1
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-q3sJboMIyGhJRKaFH3MhXQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Thu, 18 Jul 2024 07:29:01 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Thu, 18 Jul 2024 07:29:01 GMT
cache-control: private
set-cookie: AEC=AVYB7cpAjUsbflOYRcOARfReZUlktP8S1W-BgCEuCYPxhvCbIlmEwzJJjeE; expires=Tue, 14-Jan-2025 07:29:01 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
set-cookie: NID=516=a6JGyRZjGM9E_rum7mHTYrel-feQOvhKIB_ZssgOQhMINRaHMw2plhKoWhUZv-OT6R3l-ds86jB5bvS3z05Dg9s3tFgbG9Bj5VL-GQxoEqiGvxkkjdCp8XOqzJgiJrks9xJrlEE1xmnFEjaUW1__HLL6ODsaPMUnoQIhK8uYy_s; expires=Fri, 17-Jan-2025 07:29:01 GMT; path=/; domain=.google.com; HttpOnly
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
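As an added example (not part of the original notes), the following Python audit parses a raw header block like the curl -I output above and flags missing or weak security headers and cookie attributes. The sample block is constructed: placeholder cookie values and an example.invalid domain stand in for the real ones, and the threshold of one year for HSTS is taken from the max-age example in the table.

```python
import re
# Constructed sample modelled on the curl -I output above (placeholder cookie values, example.invalid domain).
SAMPLE_HEADERS = """HTTP/2 200
content-type: text/html; charset=ISO-8859-1
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-PLACEHOLDER' 'strict-dynamic' https: http:;report-uri https://example.invalid/csp
x-frame-options: SAMEORIGIN
set-cookie: AEC=PLACEHOLDER; expires=Tue, 14-Jan-2025 07:29:01 GMT; path=/; domain=.example.invalid; Secure; HttpOnly; SameSite=lax
set-cookie: NID=PLACEHOLDER; expires=Fri, 17-Jan-2025 07:29:01 GMT; path=/; domain=.example.invalid; HttpOnly
"""

def parse_headers(raw):
    """Split a raw header block into (name, value) pairs; names lower-cased, repeated headers kept separate."""
    headers = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_security_headers(raw):
    """List missing or weak security headers and cookie attributes."""
    headers = parse_headers(raw)
    first = {}
    for name, value in headers:
        first.setdefault(name, value)  # first occurrence of each header wins
    findings = []
    if "content-security-policy" not in first:
        if "content-security-policy-report-only" in first:
            findings.append("CSP is report-only: violations are reported but not enforced")
        else:
            findings.append("missing Content-Security-Policy")
    hsts = first.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif not m or int(m.group(1)) < 31536000:  # one year, as in the table above
        findings.append("HSTS max-age shorter than one year")
    if "referrer-policy" not in first:
        findings.append("missing Referrer-Policy")
    for name, value in headers:
        if name == "set-cookie":
            parts = value.split(";")
            cookie = parts[0].split("=", 1)[0].strip()
            attrs = {p.strip().split("=", 1)[0].lower() for p in parts[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    return findings
```

Running `audit_security_headers(SAMPLE_HEADERS)` reports the report-only CSP, the missing HSTS and Referrer-Policy headers, and the NID cookie lacking Secure and SameSite.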

-b: send a cookie (here a PHPSESSID session cookie) with the request

$ curl -X POST -b "PHPSESSID=nvsaks20231jqgmmp5mnj40m4u" -d '{"search":"flag"}' -H "Content-Type: application/json" http://94.237.59.199:30999/search.php -v 

CRUD API

CRUD stands for create, read, update, and delete. These functions are the four pillars of a complete CRUD API (and full-stack application, for that matter).

CRUD operations are stateful and can be resource-intensive, whereas REST services are stateless, promoting scalability and simplicity. RESTful services use specific HTTP methods like GET, POST, PUT, and DELETE and require data to be in formats like JSON or XML.

Operation   HTTP Method   Description
Create      POST          Adds the specified data to the database table
Read        GET           Reads the specified entity from the database table
Update      PUT           Updates the data of the specified database table
Delete      DELETE        Removes the specified row from the database table

These four operations are mainly linked to the commonly known CRUD APIs, but the same principle is also used in REST APIs and several other types of APIs. Of course, not all APIs work in the same way, and the user access control will limit what actions we can perform and what results we can see.

Note: The HTTP PATCH method may also be used to update API entries instead of PUT. To be precise, PATCH is used to partially update an entry (only modifying some of its fields, e.g. only city_name), while PUT is used to update the entire entry. We may also use the HTTP OPTIONS method to see which of the two is accepted by the server, and then use the appropriate method accordingly. In this section, we will be focusing on the PUT method, though their usage is quite similar.

$ curl -X PUT http://83.136.252.57:50844/api.php/city/Birmingham -d '{"city_name":"flag","country_name":"(UK)"}' -H "Content-Type: application/json"

$ curl -X DELETE http://83.136.252.57:50844/api.php/city/Bradford