Web Requests Notes

Notes for the 'Web Requests' module from HTB Academy

📌 Module Overview:

The Web Requests module introduced me to how web clients and servers communicate through HTTP. It focused on analyzing and crafting requests to understand and manipulate web app behavior — a core skill in web penetration testing.


🧠 Key Concepts Learned:

📁 1. HTTP Methods:

I learned the primary HTTP request methods used in web communication:

  • GET: Retrieve information from the server.
  • POST: Send data to the server (e.g., form submissions).
  • PUT: Update existing resources.
  • DELETE: Remove resources.
  • OPTIONS: Discover supported methods.
  • HEAD: Same as GET, but returns only headers.

🔎 2. Request Structure:

Every HTTP request contains:

  • Method: Action type (GET, POST, etc.)
  • URL: Target location on the server
  • Headers: Meta-information like content type, cookies, etc.
  • Body (Optional): Data sent to the server (in POST/PUT requests)

📬 3. Important Headers:

I became familiar with common and useful headers like:

  • User-Agent: Identifies the client (can be faked!)
  • Host: Specifies domain for virtual hosting
  • Referer: Page from which request originated (often used in CSRF validation)
  • Cookie: Session tracking and authentication
  • Content-Type: Defines format of request body (e.g., application/json)
  • Authorization: Contains credentials for authentication (e.g., Basic, Bearer)
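As an added example (not from the HTB module or these notes), a throwaway local server and client in Python that shows the methods from section 1, the request structure from section 2 and the Content-Type and Allow headers from section 3 on the wire: HEAD returns the same headers as GET with no body, OPTIONS advertises the allowed methods, and the POST handler rejects a body whose Content-Type it was not written to parse. The resource data, paths and port choice are constructed for the demo.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RESOURCES = {"5": {"owner": "alice"}}  # constructed in-memory data for the demo
ALLOWED = "GET, HEAD, POST, DELETE, OPTIONS"

class Handler(BaseHTTPRequestHandler):
    def _reply(self, code, body=b"", head_only=False):
        # Headers are always sent; HEAD suppresses only the body.
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Allow", ALLOWED)
        self.end_headers()
        if not head_only:
            self.wfile.write(body)
    def do_GET(self, head_only=False):
        item = RESOURCES.get(self.path.rsplit("/", 1)[-1])
        if item is None:
            return self._reply(404, b'{"error":"not found"}', head_only)
        self._reply(200, json.dumps(item).encode(), head_only)
    def do_HEAD(self):
        self.do_GET(head_only=True)
    def do_OPTIONS(self):
        self._reply(204)  # the supported methods travel in the Allow header
    def do_POST(self):
        # Server-side check: accept only the body format this handler parses.
        if self.headers.get("Content-Type") != "application/json":
            return self._reply(415, b'{"error":"unsupported media type"}')
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        RESOURCES["6"] = json.loads(body)
        self._reply(201, b'{"id":"6"}')
    def do_DELETE(self):
        if RESOURCES.pop(self.path.rsplit("/", 1)[-1], None) is None:
            return self._reply(404, b'{"error":"not found"}')
        self._reply(204)

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: the OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port

def send(port, method, path, headers=None, body=None):
    # Client side: method, URL, headers and optional body (section 2 above).
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders()), resp.read()
```

Each `send(...)` call returns the status, the response headers and the body, so the same request can be replayed with a different method or header to compare how the server reacts.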

🧪 Practical Tools & Skills:

🐚 Using curl:

I practiced making manual requests using curl in the terminal. Some key commands:

  • curl http://target.com – Basic GET request
  • curl -X POST -d "user=admin&pass=123" http://target.com/login – POST data
  • curl -X DELETE http://target.com/resource/5 – DELETE request
  • curl -H "Authorization: Basic base64stuff==" http://target.com – Add headers
  • curl -i http://target.com – Show response headers

These helped me interact directly with the server and observe responses.

🛠️ Crafting Requests for Testing:

  • Sending invalid or edge-case headers
  • Testing different content types (application/json, multipart/form-data)
  • Manipulating cookies and tokens
  • Observing how different servers handle unexpected input

🧩 Security Relevance:

  • Testing input validation using different methods (e.g., sending DELETE instead of POST)
  • Bypassing security filters using custom headers or changing User-Agent
  • Detecting auth misconfigurations via header manipulation
  • Cookie tampering for privilege escalation or session hijacking

This post is licensed under CC BY 4.0 by the author.