Case file

HTTP literacy: URLs, methods, status codes, and API lab flags

Foundations web engagement: mapped URL anatomy, HTTP request/response structure, methods and security headers, then exercised GET/POST/DELETE against a lab API to recover three engagement artifacts.

Foundations24 minHTTP · Web Fundamentals · API · Security Headers
  • Established front-end/back-end model, URL and HTTP message structure, then used curl against /api endpoints for GET users, POST country update, and DELETE user.

  • Documented URL components and inspected a sample request with Host and form content-type.

  • Exercised three API operations and captured engagement artifacts from each response.

01

Engagement summary

Established front-end/back-end model, URL and HTTP message structure, then used curl against /api endpoints for GET users, POST country update, and DELETE user.

WEB APPLICATION BASICS was a structured literacy engagement for operators who must reason about HTTP before exploiting it. Front end (HTML/CSS/JS) versus back end (server, database, optional WAF) framed the attack surface. URL anatomy covered scheme (HTTPS), host, port, path, query string, and fragment — with typosquatting called out as a phishing vector. HTTP messages: start line, headers, empty line, body. Methods reviewed included GET, POST, PUT, DELETE, OPTIONS; status classes 2xx/3xx/4xx/5xx with 404 and 5xx called specifically. Security headers (CSP script-src, HSTS includeSubDomains, X-Content-Type-Options nosniff) and cookie flags Secure/HttpOnly closed the theory block. Lab API work: GET /api/users, POST /api/user/2 updating Bob’s country UK→US, DELETE /api/user/1 — each returning a distinct engagement flag.

Business impact

Teams that cannot read raw HTTP miss authz bugs, verbose Server headers, and missing Secure/HttpOnly cookies. API methods without object-level checks become IDOR and mass-assignment incidents. Treat HTTP literacy as a prerequisite for any web assessment.

02

URL and request surface

Documented URL components and inspected a sample request with Host and form content-type.

OPERATOR · HTTP

savvy@lab:~$ curl -sI https://lab.example/

HTTP/1.1 200 OK Server: nginx Strict-Transport-Security: max-age=31536000; includeSubDomains

savvy@lab:~$ curl -s -D- -o /dev/null -X OPTIONS https://lab.example/api

Allow: GET, POST, DELETE, OPTIONS

REQUEST SHAPE

sample.request

POST /login HTTP/1.1
Host: lab.example
Content-Type: application/x-www-form-urlencoded
User-Agent: savvy-lab/1.0

username=analyst&password=********
03

API lab: GET, POST, DELETE

Exercised three API operations and captured engagement artifacts from each response.

OPERATOR · API

savvy@lab:~$ curl -s http://10.10.10.10/api/users

GET flag recovered

savvy@lab:~$ curl -s -X POST http://10.10.10.10/api/user/2 -H "Content-Type: application/json" -d '{"country":"US"}'

POST flag recovered (Bob UK→US)

savvy@lab:~$ curl -s -X DELETE http://10.10.10.10/api/user/1

DELETE flag recovered

Remediation

Enforce HTTPS and HSTS with includeSubDomains. Strip or genericize Server headers. Set Secure + HttpOnly (+ SameSite) on session cookies. Authorize every API method against the caller’s object graph — never assume method rarity equals safety.