Training Security Testers in HTTP Protocol

By Paladion

June 27, 2005

When we train our people for application security projects, application security is the last thing we teach. Well, literally. They need a strong grounding in the HTTP protocol itself before anything else. We didn't find a good tutorial or reading material that covers all the HTTP protocol basics, except perhaps the RFC itself, which is definitely not a good starting point for beginners.

After a 30-minute session on basics like GET and POST, the trainees are given an HTTP "transcript": a sample HTTP session logged with the help of an HTTP proxy tool. It typically covers a complete session, from login to logout of a website. Each trainee then has to go through it and figure out the whole session, including the significance of each attribute in the requests and responses.

The emphasis is on making the trainees decode the HTTP transcript on their own rather than on explaining the different header fields to them. The trainees are given about half a day to interpret the complete session. They search the internet, look up the different fields on Google and figure out the meaning of each.

This exercise helps in understanding the basics of the HTTP protocol like GET and POST requests. It also lays a strong foundation for important concepts like session management, session IDs, cookies, authentication issues like password transmission, caching basics and a lot more.

This is followed by a session where they are challenged with questions that provoke their thinking and aid learning. Here is a snippet from the transcript.

Request:

GET /xyz/Logout.jsp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, application/x-shockwave-flash, */*
Referer: http://www.example.com/xyz/logopage.jsp
Accept-Language: en-us
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.example.com
Cookie: JSESSIONID=99iarjagr8210

Response:

HTTP/1.1 200 OK
Date: Fri, 01 Aug 2003 11:15:59 GMT
Server: Jetty/4.2.6 (Linux 2.4.19-64GB-SMP i386)
Content-Type: text/html;ISO-8859-1
Set-Cookie: JSESSIONID=5ko3mmt0k46eq;Path=/xyz;

We then ask them "What is the significance of the JSESSIONID changing to a new value after the logout?"

Other questions we ask include "Can there be a case when the host field changes in a particular session?" and "What does a blank referrer field mean?"
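
The decoding the trainees do by hand can also be scripted. The following is an added example, not part of the original post or of Paladion's training material: it parses an abridged copy of the snippet above, rejoins the wrapped Accept header, and compares the session ID the browser sent with the one the server set. The function names are hypothetical, and treating a line without a "Name:" prefix as a continuation is an assumption about how the proxy log was wrapped.

```python
# Added example (hypothetical function names); sample text abridged from the snippet above.
REQUEST = """\
GET /xyz/Logout.jsp HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, application/x-shockwave-flash, */*
Referer: http://www.example.com/xyz/logopage.jsp
Host: www.example.com
Cookie: JSESSIONID=99iarjagr8210
"""
RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html;ISO-8859-1
Set-Cookie: JSESSIONID=5ko3mmt0k46eq;Path=/xyz;
"""

def parse_message(text):
    """Parse a header-only message into (start_line, headers), names lower-cased."""
    lines = text.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Assumption: a line with leading whitespace or no "Name:" prefix is a
        # wrapped continuation of the previous header, as in the Accept header.
        if headers and (line[:1].isspace() or not sep or " " in name):
            headers[-1][1] += " " + line.strip()
        else:
            headers.append([name.strip().lower(), value.strip()])
    return lines[0], headers

def cookie_pairs(value):
    """Split a Cookie or Set-Cookie value into ordered (name, value) pairs."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    return [p.partition("=")[::2] for p in parts]

def logout_summary(request, response, cookie="JSESSIONID"):
    """Compare the session ID the browser sent with the one the server set."""
    _, req_headers = parse_message(request)
    status_line, resp_headers = parse_message(response)
    sent = dict(p for n, v in req_headers if n == "cookie" for p in cookie_pairs(v))
    issued, attrs = None, {}
    for n, v in resp_headers:
        pairs = cookie_pairs(v) if n == "set-cookie" else []
        if pairs and pairs[0][0] == cookie:
            issued, attrs = pairs[0][1], {k.lower(): a for k, a in pairs[1:]}
    return {"status": status_line.split()[1], "sent": sent.get(cookie),
            "issued": issued, "attributes": attrs,
            "reissued": issued is not None and issued != sent.get(cookie)}

print(logout_summary(REQUEST, RESPONSE))
```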

Generally, after this one round of discussion the trainees are thorough on HTTP and ready to plunge into more complicated material.
Only after that do we move on to actual attacks like cross-site scripting, variable manipulation and SQL injection. The training also includes solutions and best practices for the most common issues.

When the trainees are actually in the field testing live applications, it does not matter if they are faced with a session that differs from the sample one, because they now know how to decode any HTTP session.

