HTTP literacy: URLs, methods, status codes, and API lab flags
Foundations web engagement: mapped URL anatomy, HTTP request/response structure, methods and security headers, then exercised GET/POST/DELETE against a lab API to recover three engagement artifacts.
- Case files
- HTTP literacy: URLs, methods, status codes, and API lab flags
Established front-end/back-end model, URL and HTTP message structure, then used curl against /api endpoints for GET users, POST country update, and DELETE user.
Documented URL components and inspected a sample request with Host and form content-type.
Exercised three API operations and captured engagement artifacts from each response.
Engagement summary
Established front-end/back-end model, URL and HTTP message structure, then used curl against /api endpoints for GET users, POST country update, and DELETE user.
WEB APPLICATION BASICS was a structured literacy engagement for operators who must reason about HTTP before exploiting it. Front end (HTML/CSS/JS) versus back end (server, database, optional WAF) framed the attack surface. URL anatomy covered scheme (HTTPS), host, port, path, query string, and fragment — with typosquatting called out as a phishing vector. HTTP messages: start line, headers, empty line, body. Methods reviewed included GET, POST, PUT, DELETE, OPTIONS; status classes 2xx/3xx/4xx/5xx with 404 and 5xx called specifically. Security headers (CSP script-src, HSTS includeSubDomains, X-Content-Type-Options nosniff) and cookie flags Secure/HttpOnly closed the theory block. Lab API work: GET /api/users, POST /api/user/2 updating Bob’s country UK→US, DELETE /api/user/1 — each returning a distinct engagement flag.
Business impact
Teams that cannot read raw HTTP miss authz bugs, verbose Server headers, and missing Secure/HttpOnly cookies. API methods without object-level checks become IDOR and mass-assignment incidents. Treat HTTP literacy as a prerequisite for any web assessment.
URL and request surface
Documented URL components and inspected a sample request with Host and form content-type.
OPERATOR · HTTP
savvy@lab:~$ curl -sI https://lab.example/
HTTP/1.1 200 OK Server: nginx Strict-Transport-Security: max-age=31536000; includeSubDomains
savvy@lab:~$ curl -s -D- -o /dev/null -X OPTIONS https://lab.example/api
Allow: GET, POST, DELETE, OPTIONS
REQUEST SHAPE
sample.request
POST /login HTTP/1.1
Host: lab.example
Content-Type: application/x-www-form-urlencoded
User-Agent: savvy-lab/1.0
username=analyst&password=********API lab: GET, POST, DELETE
Exercised three API operations and captured engagement artifacts from each response.
OPERATOR · API
savvy@lab:~$ curl -s http://10.10.10.10/api/users
GET flag recovered
savvy@lab:~$ curl -s -X POST http://10.10.10.10/api/user/2 -H "Content-Type: application/json" -d '{"country":"US"}'
POST flag recovered (Bob UK→US)
savvy@lab:~$ curl -s -X DELETE http://10.10.10.10/api/user/1
DELETE flag recovered
Remediation
Enforce HTTPS and HSTS with includeSubDomains. Strip or genericize Server headers. Set Secure + HttpOnly (+ SameSite) on session cookies. Authorize every API method against the caller’s object graph — never assume method rarity equals safety.