Web Fundamentals

Web Fundamentals

HTTP, cookies, sessions, same-origin policy — the foundation for every web attack

12 min readUpdated 2026-04-18
#http#https#cookies#cors#sop#headers
TL;DR
  • HTTP is stateless and plaintext — HTTPS adds TLS encryption on top
  • Every web request has headers — they carry authentication tokens, cookies, CORS policy, and security controls
  • Cookies control sessions; misconfigurations (HttpOnly, Secure, SameSite) lead to direct exploits
  • Same-Origin Policy is the browser's core security boundary — CORS is the controlled way to relax it
  • Understanding the request/response cycle lets you manipulate everything Burp Suite intercepts

HTTP — The Protocol Under Everything

HTTP (HyperText Transfer Protocol) is a request/response protocol. Client sends a request, server returns a response. Stateless — each request is independent.

HTTP Request Structure

POST /api/login HTTP/1.1
Host: target.com
Content-Type: application/json
Authorization: Bearer eyJhbGc...
Cookie: session=abc123
User-Agent: Mozilla/5.0 ...
Content-Length: 42

{"username": "admin", "password": "hunter2"}

The blank line separates headers from the body. The body is only present on POST, PUT, and PATCH requests.

HTTP Response Structure

HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: session=new_token; HttpOnly; Secure
X-Content-Type-Options: nosniff
Content-Length: 28

{"status": "authenticated"}

HTTP Methods

MethodPurposeSecurity notes
GETRetrieve resourceParameters in URL — logged, cached, leaked via Referer
POSTSubmit dataBody not in URL — but still interceptable
PUTReplace resourceCan overwrite files if misconfigured
PATCHPartial updateSame attack surface as PUT
DELETERemove resourceMissing auth check > unauthorised deletion
HEADGET without bodyUseful for checking if resource exists
OPTIONSWhat methods allowed?Reveals CORS policy and allowed methods
TRACEEcho requestCross-Site Tracing (XST) — usually disabled
TIP

Always check OPTIONS on interesting endpoints. Seeing PUT or DELETE allowed tells you something to test. An overly permissive CORS Access-Control-Allow-Origin: * on an API with sensitive data is a direct finding.

HTTP Status Codes

CodeMeaningPentest relevance
200OKSuccess
201CreatedObject was created
301/302RedirectOpen redirect opportunities
400Bad RequestInput validation error — probe further
401UnauthorisedAuth required — missing/invalid token
403ForbiddenAuth present but insufficient — try to bypass
404Not FoundResource missing
405Method Not AllowedTry different methods
429Too Many RequestsRate limiting — bypass with IP rotation
500Server ErrorApplication crash — look for stack traces
502/503Gateway ErrorProxy/upstream issues
NOTE

403 and 401 behave differently. 401 means your credentials are wrong or missing. 403 means you're authenticated but not authorised. These require different bypass strategies.

HTTPS and TLS

HTTPS = HTTP + TLS (Transport Layer Security). TLS provides:

  • Encryption — data is unreadable to network observers
  • Authentication — server certificate proves identity
  • Integrity — data cannot be modified in transit

Certificate Chain

TLS Handshake
BrowserServer
BrowserServerClientHello (supported ciphers + TLS version)
ServerBrowserServerHello + certificate
Browser verifies cert against trusted CA
BrowserServerkey exchange
ServerBrowsersymmetric key agreed
Encrypted channel established

TLS Attack Surface:

  • Expired/self-signed certificates > user trust issues
  • Weak cipher suites (RC4, DES, export ciphers)
  • TLS 1.0/1.1 > BEAST, POODLE attacks
  • Certificate pinning bypass in mobile apps
bash
# Check TLS certificate details
openssl s_client -connect target.com:443 </dev/null
openssl s_client -connect target.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text

# testssl.sh — comprehensive TLS audit
testssl.sh target.com

HTTP Headers — The Security Controls Layer

Headers control browser behaviour, caching, authentication, and security policies.

Security Headers (What Good Looks Like)

HeaderPurposeMissing = vulnerable to
Content-Security-PolicyControls resource loadingXSS, data injection
X-Frame-OptionsPrevents framingClickjacking
X-Content-Type-Options: nosniffPrevents MIME sniffingContent-type confusion
Strict-Transport-SecurityForces HTTPSSSL stripping
Referrer-PolicyControls Referer headerInformation leakage

Request Headers That Matter

HeaderPurposeAttack relevance
AuthorizationBearer tokens, Basic authToken theft, brute force
CookieSession managementSession hijacking
HostWhich virtual hostHost header injection
X-Forwarded-ForClient IP behind proxyIP spoofing auth bypasses
User-AgentBrowser identificationWAF fingerprinting bypass
Content-TypeBody formatType confusion attacks
X-Forwarded-For Trust

If an application trusts X-Forwarded-For for IP-based access control (only allow 10.0.0.0/8), adding the header X-Forwarded-For: 10.0.0.1 in your request may bypass it. This is a common misconfiguration.

Cookies — Session Management

Cookies are key-value pairs the server sets in the browser. Every subsequent request includes them automatically.

Set-Cookie: session=abc123; Path=/; Domain=target.com; HttpOnly; Secure; SameSite=Strict; Max-Age=3600
session=abc123
cookie name and value
Path=/
which URL paths receive the cookie
Domain=target.com
which hosts receive the cookie
HttpOnly
no JS access — blocks XSS theft
Secure
HTTPS only — blocks sniffing
SameSite=Strict
not sent on cross-site requests — blocks CSRF
Max-Age=3600
expires in 1 hour

Cookie Flags

FlagWhat it doesMissing =
HttpOnlyJS cannot read document.cookieXSS can steal session
SecureOnly sent over HTTPSCookie sent over HTTP, sniffable
SameSite=StrictNot sent in cross-site requestsCSRF attacks possible
SameSite=LaxSent on top-level navigationPartial CSRF protection
SameSite=None; SecureAlways sent cross-siteFull CSRF exposure
bash
# Check cookies with curl
curl -c cookies.txt -b cookies.txt -L https://target.com/login \
  -d "user=admin&pass=admin" -v 2>&1 | grep -i "set-cookie"

Same-Origin Policy (SOP)

SOP is the browser's core security boundary. A page from https://attacker.com cannot read responses from https://bank.com — even if the victim's browser is authenticated to the bank.

Origin = scheme + hostname + port

Request fromTargetSOP allows?
https://a.comhttps://a.com/apiYes — same origin
https://a.comhttp://a.com/apiNo — different scheme
https://a.comhttps://b.com/apiNo — different hostname
https://a.com:443https://a.com:8443No — different port

SOP blocks JavaScript from reading cross-origin responses. It does not block cross-origin requests from being sent (which is why CSRF is possible).

CORS — Controlled SOP Relaxation

CORS (Cross-Origin Resource Sharing) lets a server explicitly permit cross-origin requests.

CORS Preflight Request
Browser (https://app.com)API (https://api.target.com)
BrowserAPIOPTIONS preflight — Origin: https://app.com
APIBrowser200 OK — Allow-Origin: https://app.com, Allow-Methods: GET, POST
BrowserAPIactual request
APIBrowserresponse

CORS Misconfigurations:

# Dangerous — reflects Origin header back:
Access-Control-Allow-Origin: https://attacker.com
Access-Control-Allow-Credentials: true

# Wildcard + credentials (browsers block this, but it reveals intent):
Access-Control-Allow-Origin: *
CORS + Credentials

If Access-Control-Allow-Credentials: true is combined with a reflected or overly permissive origin, an attacker's page can make authenticated requests to the API on behalf of the victim and read the response. This bypasses SOP entirely for API calls.

URL Structure — Every Component Matters

https://admin:secret@target.com:8443/api/v1/user?id=1&debug=true#section
https
scheme (protocol)
admin:secret
credentials — never put these in URLs (logged everywhere)
target.com
hostname
8443
port
/api/v1/user
path — injection point for directory traversal
id=1&debug=true
query params — prime injection surface (SQLi, XSS, SSRF)
#section
fragment — client-side only, never sent to server
  • Credentials in URL — logged in server logs, browser history, Referer headers. Never.
  • Path traversal../../../etc/passwd in path parameters
  • Query parameters — prime injection point (SQLi, XSS, SSRF)
  • Fragment — never sent to server, only in browser

HTTP/2 and HTTP/3

VersionTransportKey difference
HTTP/1.1TCPOne request per connection (with pipelining)
HTTP/2TCP + TLSMultiplexed — multiple requests over one connection
HTTP/3QUIC (UDP)Faster, no TCP head-of-line blocking

HTTP/2 introduces new attack surface: request smuggling (H2.CL, H2.TE) where a front-end proxy and back-end server disagree on request boundaries.

Operational Notes

  • Burp Suite Proxy sits between your browser and the target. Every HTTP/HTTPS request passes through it. This is your primary tool for web testing.
  • `curl -v` shows full request and response headers. Use it to replicate Burp requests from the terminal.
  • HTTP/2 downgrade — some servers accept HTTP/1.1 and HTTP/2. Try both. Some protections only apply to one.
  • Parameter pollution — send the same parameter twice (?id=1&id=2). Different frameworks pick different values — can bypass input validation.

What to Read Next

  • Web Application Analysis — put these fundamentals to work attacking OWASP Top 10 vulnerabilities
  • How Authentication Works — sessions, cookies, and tokens as attack targets
  • Reconnaissance — HTTP response headers and JavaScript files leak infrastructure details
← PreviousHow Authentication WorksNext →How Memory Works
← back to knowledge base