Cyber security Workshop BCS-453

Experiment No #2

Study of Network traffic analysis of HTTP-

What is HyperText?
The protocol used to transfer hypertext between two computers is known as HyperText
Transfer Protocol. HTTP provides a standard between a web browser and a web server to
establish communication. It is a set of rules for transferring data from one computer to
another. Data such as text, images, and other multimedia files are shared on the World Wide
Web. Whenever a web user opens their web browser, the user indirectly uses HTTP. It is an
application protocol that is used for distributed, collaborative, hypermedia information
systems.
Working of HTTP [HyperText Transfer Protocol]
First of all, whenever we want to open any website we first open a web browser after that we
will type the URL of that website (e.g., www.facebook.com ). This URL is now sent to
the Domain Name Server (DNS). Then DNS first checks records for this URL in their database,
and then DNS will return the IP address to the web browser corresponding to this URL. Now
the browser is able to send requests to the actual server.
After the server sends data to the client, the connection will be closed. If we want something
else from the server we should have to re-establish the connection between the client and
the server.

Working off HTTPs

What is an HTTP Request?

HTTP request is simply termed as the information or data that is needed by Internet browsers
for loading a website. This is simply known as HTTP Request.
There is some common information that is generally present in all HTTP requests. These are
mentioned below.
 HTTP Version
 URL
 HTTP Method
 HTTP Request Headers
 HTTP Body
HTTP Request Headers
HTTP Request Headers generally store information in the form of key-value and must be
present in each HTTP Request. The use of this Request Header is to provide core information
about the client’s information, etc.
HTTP Request Body
HTTP Request Body simply contains the information that has to be transferred. HTTP Request
has the information or data to be sent to these browsers.
HTTP Method
HTTP Methods are simply HTTP Verb. In spite of being present so many HTTP Methods, the
most common HTTP Methods are HTTP GET and HTTP POST. These two are generally used in
HTTP cases. In HTTP GET, the information is received in the form of a website.
What is HTTP Response?
HTTP Response is simply the answer to what a Server gets when the request is raised. There
are various things contained in HTTP Response, some of them are listed below.
 HTTP Status Code
 HTTP Headers

 HTTP Body
HTTP Response Headers
HTTP Response headers are simply like an HTTP Request where it has that work to send some
important files and data to the HTTP Response Body.
HTTP Response Body
HTTP Responses are the responses that are received successfully upon the request. Generally,
it comes under the requests generated by the web. In most cases, the request is to transfer
the HTML data into a webpage.
What is an HTTP Status Code?
HTTP Status Codes are the 3-digit codes that tell the message or simply tell us about the HTTP
Request whether it has been completed or not. There are simply 5 types of status codes.
 Informational
 Successful
 Re-directional
 Client-Error
 Server-Error
History of HTTP
Tim Berners Lee and his team at CERN get credit for inventing original HTTP and associated
technologies.
 HTTP version 0.9: This was the first version of HTTP which was introduced in 1991.
 HTTP version 1.0: In 1996, RFC 1945 (Request For Comments) was introduced in HTTP
version 1.0.
 HTTP version 1.1: In January 1997, RFC 2068 was introduced in HTTP version 1.1.
Improvements and updates to the HTTP version 1.1 standard were released under RFC
2616 in June 1999.
 HTTP version 2.0: The HTTP version 2.0 specification was published as RFC 7540 on May
14, 2015.
 HTTP version 3.0: HTTP version 3.0 is based on the previous RFC draft. It is renamed as
Hyper-Text Transfer Protocol QUIC which is a transport layer network protocol developed
by Google.
Characteristics of HTTP
HTTP is IP based communication protocol that is used to deliver data from server to client or
vice-versa.
 The server processes a request, which is raised by the client, and also server and client
know each other only during the current bid and response period.
 Any type of content can be exchanged as long as the server and client are compatible with
it.
 Once data is exchanged, servers and clients are no longer connected.
 It is a request and response protocol based on client and server requirements.
 It is a connection-less protocol because after the connection is closed, the server does not
remember anything about the client and the client does not remember anything about
the server.
 It is a stateless protocol because both client and server do not expect anything from each
other but they are still able to communicate.
Cookies in HTTP
An HTTP cookie (web cookie, browser cookie) is a little piece of data that a server transmits to
a user’s web browser. When making subsequent queries, the browser may keep the cookie
and transmit it back to the same server. An HTTP cookie is typically used, for example, to
maintain a user’s login state, and to determine whether two requests originate from the
same browser. For the stateless HTTP protocol, it retains stateful information.
HTTP status code
Three-digit codes known as HTTP status codes are most frequently used to show if an HTTP
request has been fulfilled successfully. The five blocks below represent the breakdown of
status codes:
 1x Informative
 2xx Achievement
 3xx Reorientation
 4xx Client Mistake
 5xx Error on the Server
Different numbers between 00 and 99 are denoted by the “xx”. Status codes that begin with
“2” denote a successful outcome. For instance, the most typical answers sent after a client
requests a webpage have a status code of “200 OK,” which denotes that the request was
successfully fulfilled.
Can DDoS attacks be launched over HTTP?
Remember that because HTTP is a “stateless” protocol, every command executed over it
operates independently of every other operation. Each HTTP request opened and terminated
a TCP connection according to the original specification. Multiple HTTP requests can now flow
over a persistent TCP connection in HTTP 1.1 and later versions of the protocol, which
improves resource use. Large-scale HTTP requests are regarded as application layer or layer 7
attacks in the context of DoS or DDoS attacks, and they can be used to mount an attack on a
target device.
Advantages of HTTP
 Memory usage and CPU usage are low because of fewer simultaneous connections.
 Since there are few TCP connections hence network congestion is less.
 Since handshaking is done at the initial connection stage, then latency is reduced because
there is no further need for handshaking for subsequent requests.
 The error can be reported without closing the connection.
 HTTP allows HTTP pipe-lining of requests or responses.
Disadvantages of HTTP
 HTTP requires high power to establish communication and transfer data.
 HTTP is less secure because it does not use any encryption method like HTTPS and
uses TLS to encrypt regular HTTP requests and responses.
 HTTP is not optimized for cellular phones and it is too gabby.
 HTTP does not offer a genuine exchange of data because it is less secure.
 The client does not close the connection until it receives complete data from the server;
hence, the server needs to wait for data completion and cannot be available for other
clients during this time.

Example traffic

Request by an end-user's browser

This user wants to access the web site "www.freebsd.org", so they type
in http://www.freebsd.org into their browser and hit enter. After the usual DNS resolution to
find the IP address for www.freebsd.org, a connection is initiated via TCP to the web server
(SYN; SYN,ACK; ACK). The very next thing to be sent to the web server by the browser/client is
the following plain text request:

GET / HTTP/1.1
Host: www.freebsd.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Firefox/1.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/
plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Mon, 09 May 2005 21:01:30 GMT
If-None-Match: "26f731-8287-427fcfaa"
The server knows the browser/client is done with its traffic when it receives a blank line with a
carriage return + line feed (\r\n).

Response from the server

The response is also in plain text:

HTTP/1.1 200 OK
Date: Fri, 13 May 2005 05:51:12 GMT
Server: Apache/1.3.x LaHonda (Unix)
Last-Modified: Fri, 13 May 2005 05:25:02 GMT
ETag: "26f725-8286-42843a2e"
Accept-Ranges: bytes
Content-Length: 33414
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

The browser/client now knows that text/html is coming, and here it is:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<!-- Rest of the HTML Page Here -->
</html>

The browser/client knows the server is done sending its html (or data for non-html) when it
receives a blank line with a carriage return + line feed (\r\n).

Wireshark

Wireshark's HTTP dissector is fully functional (XXX - is that really true?). (XXX - add some words
about MIME body data encoding/enchunking here). In addition, you can get basic statistics
about HTTP requests/responses using Wireshark's menu item: Statistics/HTTP.

Preference Settings

There are some HTTP_Preferences.

Example capture file

SampleCaptures/http.cap A simple HTTP request and response.

SampleCaptures/http_gzip.cap. A simple HTTP request and a one packet gzip Content-Encoded

response. Try this capture if you are having problems decompressing Content-Encoded packets,
as this works with the default preferences.

Display Filter

A complete list of HTTP display filter fields can be found in the display filter reference
Show only the http based traffic:

http

Show only the famous "404: page not found" responses:

http.response.code == 404

Show only file data received over HTTP (the content of the responses):

http.content_type

Capture Filter

You cannot directly filter HTTP protocols while capturing. However, if you know the TCP port
used (see above), you can filter on that one.

Capture HTTP traffic over the default port (80):

tcp port 80

Capture HTTP traffic over the default SSL port (443):

tcp port 443