Web

HTTP & Web Requests

The CWES foundation: HTTP methods, status-code families, the headers that matter, cURL for hand-crafting requests, and HTTP auth. The grammar every other web attack is written in.

Why: every web attack is just a crafted HTTP request. Knowing the methods, headers and status codes lets you read what an app is doing and bend it. When: the baseline for all web testing — pair it with Web Proxies to edit live traffic.

Methods

Method          Purpose
GET             fetch a resource (params in the URL)
POST            submit data (body)
PUT / DELETE    create/replace, remove — often left enabled (verb tampering)
PATCH           partial update
HEAD            headers only
OPTIONS         which methods are allowed (recon)

Check allowed methods (look for risky PUT/DELETE):

curl -s -X OPTIONS http://TARGET/ -i | grep -i allow

Status-code families

Range   Meaning
2xx     success (200 OK, 201 Created)
3xx     redirect (301/302 — auth bypass clues)
4xx     client error (401 auth, 403 forbidden, 404 not found, 429 rate-limited)
5xx     server error (500 — often leaks stack traces)

Headers that matter

Cookie / Authorization   → session + auth (steal/forge these)
Host                     → vhost routing (Host-header attacks)
X-Forwarded-For          → spoof source IP / bypass IP allowlists
Referer / Origin         → CSRF + CORS checks
Content-Type             → JSON vs form — changing it can bypass filters
Set-Cookie               → flags: HttpOnly, Secure, SameSite
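Added example (not from the original notes): a small POSIX sh audit that reads a captured response header block and reports the two things flagged above, risky methods in the Allow header (from the OPTIONS check) and Set-Cookie lines missing HttpOnly, Secure or SameSite. The header block is constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Audit a captured HTTP response header block for (1) risky methods in the
# Allow header and (2) Set-Cookie lines missing HttpOnly / Secure / SameSite.
# SAMPLE_HEADERS is constructed sample data, not a real capture. In practice
# pass it the output of:  curl -s -X OPTIONS -i http://TARGET/

SAMPLE_HEADERS='HTTP/1.1 200 OK
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
Set-Cookie: session=ABC123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html'

# Print, one per line, the methods from the Allow header that deserve a
# closer look. Prints nothing (and still exits 0) when none are present.
risky_methods() {
  printf '%s\n' "$1" \
    | grep -i '^Allow:' \
    | sed 's/^[Aa]llow:[[:space:]]*//' \
    | tr ',' '\n' \
    | tr -d ' \r' \
    | grep -E '^(PUT|DELETE|PATCH|TRACE)$' || true
}

# For every Set-Cookie line, print "<name>: missing <flag>..." listing the
# absent flags. Prints nothing when each cookie carries all three flags.
cookie_flag_gaps() {
  printf '%s\n' "$1" | grep -i '^Set-Cookie:' | tr -d '\r' \
    | while IFS= read -r line; do
        # cookie name = text between "Set-Cookie:" and the first "="
        name=$(printf '%s' "$line" | sed 's/^[Ss]et-[Cc]ookie:[[:space:]]*//; s/=.*//')
        missing=''
        for flag in HttpOnly Secure SameSite; do
          # flags are attributes after a ";", match case-insensitively
          printf '%s' "$line" | grep -qi "; *$flag" || missing="$missing $flag"
        done
        if [ -n "$missing" ]; then
          printf '%s: missing%s\n' "$name" "$missing"
        fi
      done
}

risky_methods "$SAMPLE_HEADERS"      # PUT, DELETE
cookie_flag_gaps "$SAMPLE_HEADERS"   # session: missing Secure SameSite
```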

cURL — hand-craft requests

Show response headers + body:

curl -i http://TARGET/

POST JSON:

curl -s http://TARGET/api/login -H "Content-Type: application/json" -d '{"user":"admin","pass":"admin"}'

Send a cookie / bearer token:

curl -s http://TARGET/dashboard -H "Cookie: session=ABC123" -H "Authorization: Bearer TOKEN"

Follow redirects and keep a cookie jar:

curl -sL -c jar.txt -b jar.txt http://TARGET/

HTTP authentication

Basic auth (the Authorization: Basic header carries base64 of user:pass, so it is encoding, not encryption):

curl -s -u admin:admin http://TARGET/secure/

Decode a captured Basic header:

echo 'YWRtaW46YWRtaW4=' | base64 -d

From here, every other note is just a more specialised request: fuzzing the path, injecting the param, tampering the verb, or forging the token.