Web Application Basics
Web Application BasicsURLScheme:often httpsUser(rare)Host/Domain:website addresstyposquatting:mimic a website to trick people into giving up sensitive info.Port:usually 80-http,443-httpsPath:file pathQuery String:have ?—Modify-ableFragment—Modify-ableHTTP Request:start line(methods/url path/http version)request headers(host,user-agent,- - - web browserreferer,- - -such as www.google.com,the web where the request comefromcookies,content-type,content-length…)Request Body- - 4kinds:Url encoded(application/x-www-form-urlencoded) ;keyvalueform-data表格数据(multipart/form-data) ;boundary----WebKitFormBoundary7MA4YWxkTrZu0gW- - - 之后为生成的分割头部)json(application/json); { “username”“” }xml(application/xml) ;just like htmlHTTP ResponseThe first linein every HTTP response is called the Status Line. It gives you three key pieces of info:HTTP Version: This tells you which version of HTTP is being used.Status Code: A three-digit number showing the outcome of your request.Reason Phrase: A short message explaining the status code in human-readable terms.Since we already covered HTTP Versions in Task 5, let’s focus on the Status Codes and Reason Phrases here.Status Codes and Reason PhrasesThe Status Code is the number that tells you if the request succeeded or failed, while the Reason Phrase explains what happened. These codes fall into five main categories:Informational Responses (100-199)These codes mean the server has received part of the request and is waiting for the rest. It’s a “keep going” signal.Successful Responses (200-299)These codes mean everything worked as expected. The server processed the request and sent back the requested data.Redirection Messages (300-399)These codes tell you that the resource you requested has moved to a different location, usually providing the new URL.Client Error Responses (400-499)These codes indicate a problem with the request. Maybe the URL is wrong, or you’re missing some required info, like authentication.Server Error Responses (500-599)These codes mean the server encountered an error while trying to fulfil the request. These are usually server-side issues and not the client’s fault.Common Status CodesHere are some of the most frequently seen status codes:100 (Continue)The server got the first part of the request and is ready for the rest.200 (OK)The request was successful, and the server is sending back the requested resource.301 (Moved Permanently)The resource you’re requesting has been permanently moved to a new URL. Use the new URL from now on.404 (Not Found)The server couldn’t find the resource at the given URL. Double-check that you’ve got the right address.500 (Internal Server Error)Something went wrong on the server’s end, and it couldn’t process your request.Response Headerjust headersSecurity Headers1.CSPContent-Security-Policy: default-src ‘self’; script-src ‘self’ https://cdn.tryhackme.com; style-src ‘self’2.HSTSStrict-Transport-Security: max-age63072000; includeSubDomains; preload3.X-Content-Type-OptionsX-Content-Type-Options: nosniff4.Referrer-PolicyThis header controls the amount of information sent to the destination web server when a user is redirected from the source web server, such as when they click a hyperlink. The header is available to allow a web administrator to control what information is shared. Here are some examples of Referrer-Policy:Referrer-Policy: no-referrerReferrer-Policy: same-originReferrer-Policy: strict-originReferrer-Policy: strict-origin-when-cross-originHere’s a breakdown of the Referrer-Policy header by directives:no-referrerThis completely disables any information being sent about the referrersame-originThis policy will only send referrer information when the destination is part of the same origin. This is helpful when you want referrer information passed when hyperlinks are within the same website but not outside to external websites.strict-originThis policy only sends the referrer as the origin when the protocol stays the same. So, a referrer is sent when an HTTPS connection goes to another HTTPS connection.strict-origin-when-cross-originThis is similar to strict-origin except for same-origin requests, where it sends the full URL path in the origin header.THANKS FOR VIEWING!