
HTTP Headers & Methods


In order (request headers)

HTTP request line and HTTP protocol version (1.1, 2.0)
Host header

  • Specifies the hostname; needed when the web server is hosting more than one site on the same IP

User-Agent

  • The browser the client is using; tells the web server and/or application how to parse the request and what to send back
  • E.g. web/mobile browser, responsive capability, etc.
  • Will likely show Mozilla, a remnant of when the User-Agent header was created (back in the Netscape days).

Accept

  • What kind of content the client will accept (i.e. file formats)
  • I'm making a GET request for these kinds of resource and the only formats I can accept on Mozilla are text/html, application/xhtml+xml, etc., etc.

Accept-Language

  • If I set my language to French, the Accept-Language header changes accordingly. Web servers can be configured to act on it but it's unlikely they will; the web app (written in PHP, Python, Node.js, etc.) is more likely to be handling it.

Accept-Encoding

  • Request header by default
  • What encodings does the browser accept?

Connection

  • Both an HTTP request & response header; it applies to the TCP connection, not the HTTP session
  • Client says: after I make this request I want you to close the TCP connection between us; when I want another resource I'll make another GET request

Cookie

  • Cookie sent to the server, or that the server sent for the client to use. Note it's a PHPSESSID cookie here, but it could be a JWT handled in JS instead of being set as a cookie
  • More influential than User-Agent or Accept-Language.

Upgrade-Insecure-Requests

  • Specifies if the server wants to upgrade from HTTP to HTTPS.

Cache-Control

  • Both a request & response header; specifies the actual caching options for the client


In order (response headers)

HTTP protocol version & status code (200, 300, 400, 500, etc.)
Server header

  • What service is processing the request?
  • Also shows WebDAV, as configured in this instance (cadaver)

X-Powered-By

  • What server-side language is processing our requests?
  • Is this version vulnerable?

Content-Length

  • Length of the message body
  • Lets the client know how much data is being sent

Content-Type

  • Server says: I am sending over HTML; you said in the Accept header of your request that you accept HTML

Pragma Response Header

  • Tells the client not to store the response within the browser cache
  • Is important
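As an added example (not part of the original notes), the parser below reads a constructed request/response pair in the header order walked through above and flags the response headers these notes single out: version disclosure in Server / X-Powered-By and responses the browser is allowed to cache. The hostname, cookie value and version strings are made up.

```python
import re

# Constructed sample exchange: hostname, cookie value and version strings are made up.
RAW_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: lab.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: fr-FR,fr;q=0.8,en;q=0.5\r\n"
    "Connection: close\r\n"
    "Cookie: PHPSESSID=constructed0123; security=low\r\n"
    "Upgrade-Insecure-Requests: 1\r\n"
    "Cache-Control: max-age=0\r\n\r\n"
)
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu) DAV/2\r\n"
    "X-Powered-By: PHP/5.5.9\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Pragma: no-cache\r\n\r\n"
)
VERSION_RE = re.compile(r"/\d")  # product/version tokens such as Apache/2.4 or PHP/5.5

def parse_message(raw):
    """Return (start_line, [(name, value), ...]); header order is kept on purpose."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body, if any
    start_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")   # split on the first colon only
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return start_line, headers

def get_header(headers, name):
    """Case-insensitive lookup; header names are case-insensitive on the wire."""
    return next((v for n, v in headers if n.lower() == name.lower()), None)

def review_response(headers):
    """Flag version disclosure and cacheable responses, the points the notes call out."""
    findings = []
    for name in ("Server", "X-Powered-By"):
        value = get_header(headers, name)
        if value and VERSION_RE.search(value):
            findings.append(f"{name} discloses a version: {value}")
    cache = (get_header(headers, "Cache-Control") or "").lower()
    if "no-store" not in cache and get_header(headers, "Pragma") != "no-cache":
        findings.append("response may be stored in the browser cache")
    return findings
```

Running `review_response(parse_message(RAW_RESPONSE)[1])` on the sample reports both version-disclosing headers; the Pragma directive keeps the cache finding quiet.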

Note the source URI, at low.php

We don't see it when accessing the absolute path in the URL; this is a security/authorisation feature.

We can see in the web app's git repo that the allow_url_fopen PHP flag has been commented out. This is deliberate and prevents you from accessing the contents of a PHP script.
