Web Requests

A practical guide to HTTP and HTTPS web requests, covering request structure, methods, headers, cURL usage, APIs, and browser DevTools for real-world web security testing.

1. HTTP vs HTTPS

HTTP

Application‑layer protocol
Stateless
Default port: 80
Clear‑text traffic (HTTP/1.1)

HTTPS

HTTP over TLS/SSL
Default port: 443
Encrypts data in transit
Protects against MITM
Uses certificates

2. URL Anatomy

scheme://userinfo@host:port/path?query#fragment

Component

Example

Notes

Scheme

https

Protocol

Userinfo

admin:pass@

Rare, dangerous

Host

example.com

Domain / IP

Port

:443

Optional

Path

/login.php

Resource

Query

?id=1

Server‑side

Fragment

#top

Client‑side only

3. HTTP Request Structure

POST /login.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Cookie: PHPSESSID=abc123
Content-Type: application/x-www-form-urlencoded

username=admin&password=admin

Key fields

Method
Path
Version
Headers
Optional body

4. HTTP Response Structure

HTTP/1.1 200 OK
Server: Apache/2.4.41
Content-Type: text/html

<html>...</html>

5. HTTP Methods

Method

Use

Pentest Notes

GET

Read

Params leak

POST

Submit

CSRF target

PUT

Create/replace

File upload risk

PATCH

Partial update

API abuse

DELETE

Remove

DoS risk

HEAD

Headers only

Recon

OPTIONS

Allowed methods

Discovery

6. HTTP Status Codes

Classes

Class

Meaning

1xx

Info

2xx

Success

3xx

Redirect

4xx

Client error

5xx

Server error

Common Codes

Code

Meaning

200

301

Moved Permanently

302

Found

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

500

Internal Server Error

7. HTTP Headers

Request Headers

Header

Purpose

Host

Virtual host routing

User-Agent

Fingerprinting

Referer

Source URL

Session

Authorization

Tokens / Basic auth

Response Headers

Header

Purpose

Server

Server fingerprint

Set-Cookie

Session

WWW-Authenticate

Auth challenge

Security Headers

Header

Protects

CSP

XSS

HSTS

HTTPS downgrade

Referrer-Policy

Info leakage

8. cURL Cheat Sheet

Basic Usage

curl -h
curl example.com
curl -v example.com
curl -I https://example.com
curl -i https://example.com

Headers & Auth

curl -A "Mozilla/5.0" http://example.com
curl -H "Authorization: Basic YWRtaW46YWRtaW4=" http://IP:PORT/
curl -u admin:admin http://IP:PORT/

Data & Params

curl "http://IP/search.php?search=test"
curl -X POST -d "username=admin&password=admin" http://IP/
curl -X POST -d '{"search":"london"}' -H "Content-Type: application/json" http://IP/search.php

Cookies & Files

curl -b "PHPSESSID=abc123" http://IP/
curl -s -O http://example.com/file.txt

HTTPS

curl -k https://example.com

9. APIs (CRUD with cURL)

Action

Command

Read

curl http://IP/api.php/city/london

Read all

curl -s http://IP/api.php/city/

Create

curl -X POST -d '{"city":"HTB"}' -H "Content-Type: application/json" http://IP/api.php/city/

Update

curl -X PUT -d '{"city":"NEW"}' -H "Content-Type: application/json" http://IP/api.php/city/london

Delete

curl -X DELETE http://IP/api.php/city/london

10. Browser DevTools

Shortcut

Action

Ctrl+Shift+I / F12

Open DevTools

Ctrl+Shift+E

Network tab

Ctrl+Shift+K

Console

Used for:

Hidden API calls
Tokens
CSRF
IDOR
XSS tracing

11. Pentesting Takeaways

GET ≠ safe
POST ≠ secure
Headers are forgeable
Status codes leak logic
APIs expand attack surface
HTTPS ≠ secure application

PreviousWeb Application NextIntroduction to Web Applications

Last updated 1 month ago

hashtag1. HTTP vs HTTPS

hashtagHTTP

hashtagHTTPS

hashtag2. URL Anatomy

hashtag3. HTTP Request Structure

hashtag4. HTTP Response Structure

hashtag5. HTTP Methods

hashtag6. HTTP Status Codes

hashtagClasses

hashtagCommon Codes

hashtag7. HTTP Headers

hashtagRequest Headers

hashtagResponse Headers

hashtagSecurity Headers

hashtag8. cURL Cheat Sheet

hashtagBasic Usage

hashtagHeaders & Auth

hashtagData & Params

hashtagCookies & Files

hashtagHTTPS

hashtag9. APIs (CRUD with cURL)

hashtag10. Browser DevTools

hashtag11. Pentesting Takeaways

1. HTTP vs HTTPS

HTTP

HTTPS

2. URL Anatomy

3. HTTP Request Structure

4. HTTP Response Structure

5. HTTP Methods

6. HTTP Status Codes

Classes

Common Codes

7. HTTP Headers

Request Headers

Response Headers

Security Headers

8. cURL Cheat Sheet

Basic Usage

Headers & Auth

Data & Params

Cookies & Files

HTTPS

9. APIs (CRUD with cURL)

10. Browser DevTools

11. Pentesting Takeaways