HTTP Methods, Headers, and Status Codes

Learn about HTTP Methods, Headers, and Status Codes as part of the OSCP (Offensive Security Certified Professional) certification.

Understanding HTTP Methods, Headers, and Status Codes for Web App Pentesting

In web application penetration testing, a deep understanding of HTTP is fundamental. HTTP (Hypertext Transfer Protocol) is the backbone of data communication on the World Wide Web. Mastering its core components – methods, headers, and status codes – is crucial for identifying vulnerabilities and successfully exploiting them. This module will break down these essential elements, providing you with the knowledge needed for your OSCP journey.

HTTP Methods: The Actions of the Web

HTTP methods, also known as request verbs, define the action to be performed on a resource. Understanding these methods helps in identifying how a web application processes requests and where potential weaknesses might lie.

Method | Description | Common Use Case in Pentesting
GET | Requests data from a specified resource. | Retrieving web pages, API data. Can be vulnerable to parameter manipulation.
POST | Submits data to be processed to a specified resource. | Submitting forms (login, registration), uploading files. Can be vulnerable to injection attacks if data isn't sanitized.
PUT | Uploads a representation of the specified resource. | Updating existing resources. Less common in typical web apps but can be found in APIs.
DELETE | Deletes the specified resource. | Removing data. Critical to test for authorization bypasses.
HEAD | Asks for the response headers that would be returned if a GET request was issued. | Checking resource existence and metadata without downloading the body. Useful for reconnaissance.
OPTIONS | Describes the communication options for the target resource. | Discovering allowed HTTP methods on a resource. Can reveal insecure configurations.
TRACE | Performs a message loop-back test along the path of the request. | Debugging and security testing. Can be vulnerable to Cross-Site Tracing (XST).

HTTP Headers: The Metadata of Communication

HTTP headers provide essential metadata about the request or response. They convey information about the client, server, and the content being transferred. Manipulating headers is a common technique in penetration testing.

HTTP Status Codes: The Server's Feedback

HTTP status codes are three-digit numbers returned by the server in response to a client's request. They indicate the outcome of the request and are categorized into different classes.

HTTP Status Codes provide immediate feedback on the success or failure of a request. Understanding these codes helps in interpreting server responses and identifying potential issues. For example, a 200 OK means success, while a 404 Not Found indicates the requested resource doesn't exist. A 500 Internal Server Error often points to a server-side problem that might be exploitable. In penetration testing, observing unexpected status codes (e.g., a 200 for a sensitive action that should fail, or a 403 Forbidden when access is expected) can be a strong indicator of a vulnerability.

Code Range | Meaning | Relevance to Pentesting
1xx (Informational) | The request was received, continuing process. | Rarely seen in typical web app pentesting, but understanding them is good for completeness.
2xx (Success) | The action was successfully received, understood, and accepted. | A 200 OK is expected. Anomalies like 204 No Content where content is expected, or 203 Non-Authoritative Information, can be interesting.
3xx (Redirection) | Further action needs to be taken by the user agent to complete the request. | Testing for open redirects (301, 302, 307). Can be used for phishing or bypassing filters.
4xx (Client Error) | The request contains bad syntax or cannot be fulfilled. | Crucial for identifying vulnerabilities: 400 Bad Request (malformed input or input validation issues), 401 Unauthorized (authentication required), 403 Forbidden (access denied), 404 Not Found (resource enumeration), 405 Method Not Allowed (testing allowed methods).
5xx (Server Error) | The server failed to fulfill an apparently valid request. | Indicates server-side issues: 500 Internal Server Error (potential for information disclosure or crashes), 503 Service Unavailable (can sometimes be abused).
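As an added example (not part of the original page), the following Python parses a raw HTTP/1.1 response, reports the status code and the class it belongs to in the table above, and, for an OPTIONS reply, lists the methods advertised in the Allow header and flags the ones the methods table singles out for scrutiny (TRACE, PUT, DELETE). The sample responses are constructed, not captured from a real server.

```python
from dataclasses import dataclass, field

# Status-code classes keyed by the first digit, as grouped in the table above.
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}
REVIEW_METHODS = {"TRACE", "PUT", "DELETE"}  # singled out in the methods table


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""

    @property
    def status_class(self) -> str:
        return STATUS_CLASSES.get(self.status // 100, "Unknown")

    def allowed_methods(self) -> list:
        """Methods advertised in the Allow header of an OPTIONS reply."""
        raw = self.headers.get("allow", "")
        return sorted({m.strip().upper() for m in raw.split(",") if m.strip()})


def parse_response(raw: str) -> HttpResponse:
    """Parse a raw HTTP/1.1 response: status line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)  # the reason phrase may be absent
    reason = parts[2] if len(parts) > 2 else ""
    resp = HttpResponse(parts[0], int(parts[1]), reason, body=body)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # A repeated header is folded into one comma-separated value.
        resp.headers[name] = f"{resp.headers[name]}, {value}" if name in resp.headers else value
    return resp


def methods_to_review(resp: HttpResponse) -> list:
    """Advertised methods the methods table says to scrutinise or disable."""
    return sorted(set(resp.allowed_methods()) & REVIEW_METHODS)


# Constructed sample replies, not captured from any real server.
SAMPLE_OPTIONS = ("HTTP/1.1 204 No Content\r\nServer: example\r\n"
                  "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\nContent-Length: 0\r\n\r\n")
SAMPLE_FORBIDDEN = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\ndenied"
```

Feed `parse_response` the text of any response captured in an intercepting proxy; `methods_to_review` on an OPTIONS reply gives the methods worth confirming are actually needed and properly authorized.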

Putting It All Together: Practical Application

In a real-world penetration test, you'll constantly be observing and manipulating HTTP requests. Tools like Burp Suite or OWASP ZAP intercept these requests, allowing you to modify methods, headers, and payloads. For instance, you might try changing a GET request to a POST to see if the server handles it differently, or tamper with the User-Agent header to bypass basic access controls. Understanding the expected status codes for each action helps you quickly identify when something is not behaving as intended, signaling a potential vulnerability.

Think of HTTP methods as the verbs, headers as the adverbs and adjectives, and status codes as the punctuation and reactions in the conversation between your browser and the web server. Each element provides clues.

Which HTTP method is primarily used for retrieving data from a server?

GET

What is the purpose of the 'User-Agent' header?

It identifies the client (e.g., browser, tool) making the request.

A '403 Forbidden' status code typically indicates what kind of issue?

Access denied due to insufficient permissions.

Learning Resources

HTTP Methods - MDN Web Docs (documentation)

Comprehensive documentation on all standard HTTP request methods, their definitions, and common uses.

HTTP Headers - MDN Web Docs (documentation)

An extensive guide to HTTP headers, explaining their purpose, categories, and individual header fields.

HTTP Status Codes - MDN Web Docs (documentation)

A detailed reference for all HTTP status codes, including their meanings and common interpretations.

OWASP Top 10 - 2021 (documentation)

The OWASP Top 10 provides a standard awareness document for developers and web application security. Many vulnerabilities are directly related to how HTTP is handled.

Web Application Penetration Testing with Burp Suite - Tutorial (tutorial)

A beginner-friendly tutorial on using Burp Suite, a powerful tool for intercepting and manipulating HTTP requests, essential for pentesting.

Understanding HTTP Request Smuggling (documentation)

Explains the concept of HTTP request smuggling, a critical vulnerability often exploited by manipulating HTTP headers like Content-Length and Transfer-Encoding.

Offensive Security Certified Professional (OSCP) Exam Guide (documentation)

The official page for the OSCP certification, outlining the exam objectives which heavily rely on understanding web application protocols like HTTP.

HTTP/1.1 Specification (RFC 7230) (paper)

The foundational RFC document detailing the message format and routing for HTTP/1.1, providing the definitive technical specifications.

HTTP Request Headers Explained (blog)

A blog post that breaks down common HTTP request headers and their significance in web security and application functionality.

Common HTTP Status Codes and Their Meanings (blog)

A practical overview of frequently encountered HTTP status codes, useful for quick reference during testing.