UNIQUESEC TASK 4: What is the 3-Way Handshake, HTTP, the Most Used HTTP Headers and How Do They Work? How to Capture Sample HTTP Traffic with Wireshark and View Its Content?

Betül Sena Birinci
7 min readJan 2, 2024


Hello everyone, hope you are well ☺️ Today we’re going to talk about some basic web security components. We have 4 main topics and I want to explain them to you as clearly as I can. Let’s start ✍🏻

1. What is the TCP 3-Way Handshake? How does it work?

We can start by explaining TCP. TCP, the Transmission Control Protocol, is one of the main protocols of the Internet Protocol (IP) suite and lives in the transport layer. TCP splits data into segments and makes sure none of it is lost or reordered while two computers communicate.

The 3-Way Handshake 🤝 is a process used by TCP. It is used when establishing a connection (a similar exchange of flagged packets is used when terminating one).

These are the steps:

1. Client > Server:
In the first step, the client sends a connection request to the server. This request is a TCP packet marked with the “SYN” (synchronize) flag. With it, the client tells the server that it wants to establish a connection on a specific port and announces its own initial sequence number.
2. Server > Client:
The server receives and accepts the client’s connection request. The server chooses its own initial sequence number and replies with a “SYN-ACK” (synchronize-acknowledge) packet on the port the client asked for. This packet carries both the “SYN” and “ACK” flags: it contains the server’s initial sequence number and acknowledges the client’s.
3. Client > Server:
The client receives the server’s “SYN-ACK” packet. It checks that the acknowledgement matches its own initial sequence number, confirms the agreed port, and sends an “ACK” (acknowledge) packet back to the server. This packet is marked with the “ACK” flag, acknowledges the server’s sequence number, and completes the handshake.

Here is the basic visualization

3 Way Handshake

We can make this even simpler. For example, I want to communicate with my friend, so I send him a message asking: are you available? If you are, I would like to talk to you. Let’s think of this as the SYN packet. He sends me the following message: yes, I am available, we can talk. Let’s think of this as the SYN-ACK packet. Then I confirm that he is available and thank him for agreeing to communicate. We can think of this as the ACK packet.

This three-step process verifies that both the client and server know each other and are ready to communicate.
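To make the sequence-number bookkeeping in the three steps concrete, here is an added Python simulation (example code, not part of the original article): each side picks an initial sequence number (ISN), a SYN consumes one number, and the client only accepts a SYN-ACK whose ack field equals its own ISN + 1. Port numbers and ISNs are made-up inputs.

```python
import secrets
from dataclasses import dataclass

# Added example, not code from the original article: the three handshake
# segments with the sequence/acknowledgement arithmetic written out.
# seq = the sender's own sequence number, ack = the next number it expects.

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    flags: frozenset
    seq: int
    ack: int = 0

def client_syn(client_port, server_port, isn=None):
    # Step 1: the client picks an initial sequence number (ISN) and sends SYN.
    isn = secrets.randbelow(MOD) if isn is None else isn
    return Segment(client_port, server_port, frozenset({"SYN"}), isn)

def server_syn_ack(syn, isn=None):
    # Step 2: the server picks its own ISN and acknowledges the client's SYN.
    # A SYN consumes one sequence number, so ack = client ISN + 1.
    if syn.flags != {"SYN"}:
        raise ValueError("expected a bare SYN")
    isn = secrets.randbelow(MOD) if isn is None else isn
    return Segment(syn.dst_port, syn.src_port, frozenset({"SYN", "ACK"}),
                   isn, (syn.seq + 1) % MOD)

def client_ack(syn, syn_ack):
    # Step 3: the client accepts the SYN-ACK only if it acknowledges exactly
    # ISN + 1 (a stale or spoofed reply fails here), then acknowledges the
    # server's ISN + 1. Both sides now consider the connection ESTABLISHED.
    if syn_ack.flags != {"SYN", "ACK"} or syn_ack.dst_port != syn.src_port:
        raise ValueError("expected a SYN-ACK addressed to our port")
    if syn_ack.ack != (syn.seq + 1) % MOD:
        raise ValueError("SYN-ACK does not acknowledge our SYN")
    return Segment(syn.src_port, syn.dst_port, frozenset({"ACK"}),
                   (syn.seq + 1) % MOD, (syn_ack.seq + 1) % MOD)

def handshake(client_port=51234, server_port=80, client_isn=None, server_isn=None):
    # Runs the three steps and returns the segments in wire order.
    syn = client_syn(client_port, server_port, client_isn)
    syn_ack = server_syn_ack(syn, server_isn)
    return [syn, syn_ack, client_ack(syn, syn_ack)]
```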

2. What is HTTP? How does it work?

HTTP, or Hypertext Transfer Protocol, is an application layer protocol used for transmitting and receiving information on the World Wide Web. HTTP defines the rules for data exchange between the user’s computer and the server. A web browser is the most common client that speaks this protocol.

Here are some HTTP methods:

  1. GET: Retrieve data from the specified resource.
  2. POST: Submit data to be processed to a specified resource.
  3. PUT: Update a resource or create a new resource if it doesn’t exist.
  4. DELETE: Delete the specified resource.
  5. PATCH: Apply partial modifications to a resource.
  6. HEAD: Retrieve only the headers of the specified resource without the body.
  7. OPTIONS: Get information about the communication options available on the specified resource.
  8. TRACE: Perform a message loop-back test along the path to the target resource.
https://www.testkarts.com/blog/post/http-requests-and-methods
  1. Client Requests: A client, such as a web browser, generates an HTTP request that represents a user-initiated action. This request typically targets a resource identified by a URI (Uniform Resource Identifier) or URL (Uniform Resource Locator). For example, when you want to view a web page, the browser sends an HTTP GET request targeting the URL of that page.
  2. Server Responses: The request sent by the client reaches the specified server. The server interprets the request, performs the necessary operations, and replies with an HTTP response. The response includes a status code saying whether the operation was successful, the requested data, and a set of headers providing additional information.
  3. Connection Establishment: Communication between the client and server occurs over a connection, typically using TCP (Transmission Control Protocol). Rather than establishing and terminating a connection for each request and response, multiple requests and responses can be processed over the same connection, reducing connection setup and teardown overhead.
  4. Request and Response Formats: HTTP requests and responses adhere to a specific format. They consist of a header section and an optional body. The header section specifies properties of the request or response (e.g., content type, length), while the body contains the transmitted data.
  5. Connection Termination: The connection between the client and server can be closed when the operation is completed or an error occurs. In HTTP/1.1, the “Connection: keep-alive” header is often used to keep the connection open, allowing multiple requests and responses over the same connection.
  6. Security (HTTPS): The secure version of HTTP, known as HTTPS (Hypertext Transfer Protocol Secure), encrypts the data in transit. This protects the communication between users and websites, preventing third parties from reading or tampering with it.

3. Most Used HTTP Request and Response Headers

Request Headers:

Host: Identifies the domain name of the server.

User-Agent: Provides information about the user agent (web browser or other client) making the request.

Accept: Specifies the types of media that the client can process.

Accept-Language: Indicates the preferred natural language of the user.

Accept-Encoding: Lists the encoding methods the client can handle.

Connection: Defines whether the connection should be kept alive or closed.

Referer: Contains the address of the previous web page from which a link to the currently requested page was followed.

Cookie: Sends previously stored cookies to the server.

Authorization: Contains credentials for authenticating the client with the server.

Response Headers:

Date: Indicates the date and time when the response was generated.

Server: Specifies information about the software used by the origin server.

Content-Type: Defines the media type of the resource being sent.

Content-Length: Specifies the size of the response body in octets (8-bit bytes).

Content-Encoding: Indicates any encoding transformations that have been applied to the resource.

Cache-Control: Directives for caching mechanisms in both requests and responses.

Expires: Gives the date/time after which the response is considered stale.

Last-Modified: Indicates the date and time at which the origin server believes the resource was last modified.

Set-Cookie: Sends cookies from the server to the client.

Let’s continue with Wireshark. First of all, what is Wireshark?

🦈 Wireshark is a software tool used to analyze data packets transmitted over computer networks. In simple terms, it allows you to observe network traffic and examine the content of these packets. Wireshark helps users understand the details of transmitted data, making it useful for tasks such as identifying network issues, investigating security vulnerabilities, or comprehending communication on a network.

💻 For example, Wireshark can reveal details about the data sent when a computer accesses a website on the internet, such as what data is being sent, which server is being communicated with, or how devices on a network interact with each other.

As an open-source project with a broad user base, Wireshark is supported by a diverse community. It is available on various operating systems and is utilized in different fields, including network analysis, security audits, and monitoring network performance.

I want to show you this example on this site, testphp.vulnweb.com. You can use it for web application security practice.

First of all, we need to know this site’s IP address.

OK, now I know it. After this, open Wireshark and start capturing packets. You can choose the Wi-Fi interface; this is our wireless network, and I will work on this network.

After opening Wireshark, go to the site. You can do whatever you want there; I’ll search for some text and then try to find it in the capture.

First, we have to filter by IP address to see the output clearly. This shows only the packets for the testphp.vulnweb.com address:

ip.src==IP_Address

Go back to the site and search for any text.

Now I’m looking for my input. Because the site uses plain HTTP, the request is sent as readable text, which makes it easy to find in the capture.

As you can see, line 36 above contains my input. Of course, Wireshark is not just about this; you can do much more detailed analysis with it. I have tried to explain it in a basic way in this article.
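The request/response format from section 2 and the plaintext packet found in the capture above can be tied together with an added Python example (not code from the original article): it parses raw HTTP/1.1 messages the way Wireshark shows them, separates headers from the body using Content-Length, decides whether the connection stays open, and shows where a submitted form value sits in the request. Both sample messages are constructed; only the host name testphp.vulnweb.com comes from the article.

```python
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the original article: a parser for the plaintext
# HTTP/1.1 messages Wireshark shows in an unencrypted session (start line,
# case-insensitive headers, body delimited by Content-Length). Samples are constructed.

def parse_http_message(raw: bytes):
    # Returns (message dict, bytes left over after this message on the connection).
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("incomplete message: body shorter than Content-Length")
    msg = {"headers": headers, "body": rest[:length]}
    start = lines[0]
    if start.startswith("HTTP/"):            # response, e.g. "HTTP/1.1 200 OK"
        version, _, tail = start.partition(" ")
        status, _, reason = tail.partition(" ")
        msg.update(kind="response", version=version, status=int(status), reason=reason)
    else:                                    # request, e.g. "POST /search.php HTTP/1.1"
        method, target, version = start.split(" ")
        msg.update(kind="request", method=method, target=target, version=version)
    return msg, rest[length:]

def keeps_alive(msg) -> bool:
    # HTTP/1.1 keeps the connection open unless "Connection: close" is sent;
    # HTTP/1.0 closes it unless "Connection: keep-alive" is sent.
    conn = msg["headers"].get("connection", "").lower()
    return conn != "close" if msg["version"] == "HTTP/1.1" else conn == "keep-alive"

def user_input(msg) -> dict:
    # A form value travels in the query string and, for a urlencoded POST, in the
    # body; over plain HTTP both are readable in a capture.
    params = parse_qs(urlsplit(msg.get("target", "")).query)
    if msg["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(msg["body"].decode("iso-8859-1")))
    return params

REQUEST = (b"POST /search.php?test=query HTTP/1.1\r\nHost: testphp.vulnweb.com\r\n"
           b"User-Agent: ExampleBrowser/1.0\r\nConnection: keep-alive\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 21\r\n"
           b"\r\nsearchFor=hello+world")
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: ExampleServer/1.0\r\nContent-Type: text/html\r\n"
            b"Content-Length: 18\r\nConnection: keep-alive\r\n\r\n<p>hello world</p>HTTP/1.1 304")
```

The bytes left over after the response (`HTTP/1.1 304`) are the start of the next message on the same kept-alive connection, which is why the body must be cut at Content-Length rather than at the end of the data.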

I hope it will be useful for you🙏🏻 You can find my social media accounts below to express your opinions. Hope to see you in the next topic :)

Here are my accounts:

Linkedin: https://www.linkedin.com/in/betulsenabirinci/

Github: https://github.com/betulsenabirinci

Here are the UNIQUESEC accounts:

UNIQUESEC Student Club

Website: https://uniquesec.org/

Linkedin: https://www.linkedin.com/company/uniquesec
