<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Web Security on Raghunath Gopinath</title>
    <link>https://raghu.io/tags/web-security/</link>
    <description>Recent content in Web Security on Raghunath Gopinath</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Sat, 31 Jan 2026 12:02:36 +0530</lastBuildDate>
    <atom:link href="https://raghu.io/tags/web-security/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>What is Web Application and How does it work?</title>
      <link>https://raghu.io/what-is-web-application-and-how-does-it-work/</link>
      <pubDate>Mon, 25 Jul 2022 14:15:00 +0000</pubDate>
      <guid>https://raghu.io/what-is-web-application-and-how-does-it-work/</guid>
      <description>Discover the fundamentals of what is a web application, URLs, and popular web application architectures. Gain insights into the core concepts that drive the digital world forward. Begin your journey by establishing strong security foundations.</description>
      <content:encoded><![CDATA[<p>In this section, we shall cover the web and how it works. This will act
as a foundation for identifying security vulnerabilities further down
the posts.</p>
<h2 id="what-is-a-web-application">What is a web Application?</h2>
<p>Web applications are programs designed to perform specific operations
for users or other applications.</p>
<p>Examples: Reading News, Watching Videos, Editing Photos online, etc.</p>
<p>As users, we will be using Web Browsers like Chrome, Firefox, etc., to
interact with the web applications where numerous actions are performed
by our browsers behind the scenes once we give domain information in the
URL bar.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/icons/web-application.webp"
         alt="Figure 1: Web Application Introduction"/> <figcaption>
            <p>Figure 1: Web Application Introduction</p>
        </figcaption>
</figure>

<p>Have you ever wondered how different browsers handle all these
functions, and you get similar results in all Web Browsers to the most
extent?</p>
<p>The <a href="https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force">Internet Engineering Task
Force</a> is
a standards organization body for the Internet and other technical
standards.</p>
<p>The standards body is an individual or group of engineers and computer
scientists who publish the methods, behaviors, innovations, and
standards of how the internet and internet-connected systems should
work.</p>
<p><a href="https://en.wikipedia.org/wiki/Request_for_Comments?ref=securityarray.net">Request For Comments (RFC)</a></p>
<p>RFC: After lots of peer review and evaluations are done for each
proposal, it is standardized, and each proposal is given a Request For
Comment (RFC) number. Therefore, all the applications developed to work
with the internet must adhere to RFC standards.</p>
<p>I recommend going through RFC documents whenever you want to learn
further. This might help you uncover new security bugs.</p>
<h2 id="what-is-a-url">What is a URL?</h2>
<p>URL is an acronym used for the Uniform Resource Locator. It&rsquo;s a type of
web address that specifies the location of a specific resource on the
internet.</p>
<p>URL consists of different components. Let&rsquo;s look at them in detail.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/images/application-security-foundations/url.webp"
         alt="Figure 2: URL Components"/> <figcaption>
            <p>Figure 2: URL Components</p>
        </figcaption>
</figure>

<ol>
<li><strong>Protocol</strong> - A standard used for processing data.</li>
<li><strong>Domain Name</strong> - A user-readable address pointing to an IP address
on the internet.</li>
<li><strong>Port</strong> - Specific port used for communication. (HTTP runs on port
80, and HTTPS runs on port 443).</li>
<li><strong>Path</strong> - It represents the file or subdirectory structure on the
server.</li>
<li><strong>Parameter</strong> - A special kind of variable defined to pass values
for processing.</li>
<li><strong>Value</strong> - The value of a parameter assigned. It can contain
characters and numerics.</li>
</ol>
<h2 id="how-does-url-work">How does URL work?</h2>
<p>When you type a URL in your browser, the first request will be sent to
the Domain Name System (DNS). In DNS, it will look out for the mapping
IP address for the given domain name and send IP information to the
browser.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/images/application-security-foundations/How-DNS-Works.webp"
         alt="Figure 3: How DNS Works"/> <figcaption>
            <p>Figure 3: How DNS Works</p>
        </figcaption>
</figure>

<p>Next, the browser uses the IP address information received and initiates
the TCP connection with the Server. Once the server responds with
confirmation, a valid channel is established and starts exchanging
requests and responses.</p>
<h2 id="web-applications-architectures">Web Applications Architectures</h2>
<p>Let&rsquo;s dig a bit deeper. All web applications and technologies are
logically connected for client-server communication to ensure a better
web experience.</p>
<p>From here on, we will refer to all the operations performed on the user
side as Client (Ex, Web Browsers, Terminal, etc.) and one which accepts
our request and responds as Server (Example: Nginx, Apache, etc.).</p>
<p>As of today, web application architectures have become very complex.
Let&rsquo;s start with the basics without worrying much, and you can build on
your expertise from here on.</p>
<h3 id="client---server-architecture-2-tiered">Client - Server Architecture (2-Tiered)</h3>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/images/application-security-foundations/Client-Server-2tiered.webp"
         alt="Figure 4: Client Server Architecture"/> <figcaption>
            <p>Figure 4: Client Server Architecture</p>
        </figcaption>
</figure>

<p>In the case of client-server architecture, A web application is hosted
on a single server that will process all the client&rsquo;s requests and
respond back.</p>
<h3 id="client---server-architecture-3---tiered">Client - Server Architecture (3 - Tiered)</h3>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/images/application-security-foundations/Client-Server-3-tier.webp"
         alt="Figure 5: Client Server - (3 - Tiered)"/> <figcaption>
            <p>Figure 5: Client Server - (3 - Tiered)</p>
        </figcaption>
</figure>

<p>In the case of client-server architecture, A web application is hosted
on multiple servers, a Web Server and a Database Server, where the web
server takes a request from clients and fetches the necessary data from
the database, formats it and sends it back to the client requested.</p>
<h3 id="client---server-n-tier">Client - Server (n-tier)</h3>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/images/application-security-foundations/Client-Server-n-tier.webp"
         alt="Figure 6: Client Server - (n-tired) or Hybrid Architecture"/> <figcaption>
            <p>Figure 6: Client Server - (n-tired) or Hybrid Architecture</p>
        </figcaption>
</figure>

<p>In the case of n-tier architecture, there can be any number of Web and
Database servers, where all the traffic being received from the client
is routed to the server with less load. Most of today&rsquo;s applications are
deployed similarly to the above architecture.</p>
<h2 id="technologies">Technologies</h2>
<p>Technologies are generally classified into two types.</p>
<ol>
<li>Client Side Technologies</li>
<li>Server Side Technologies.</li>
</ol>
<p>Let&rsquo;s check out some examples. You might already be familiar with some
technologies.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/images/application-security-foundations/Technologies.webp"
         alt="Figure 7: Various Technologies&#39;"/> <figcaption>
            <p>Figure 7: Various Technologies&#39;</p>
        </figcaption>
</figure>

<h3 id="client-side-technologies">Client Side Technologies</h3>
<p>Our browser understands HTML, CSS, and JavaScript technologies whenever
the server sends information using them. The browser renders and
displays the content in a human-readable format by hiding all complex
code from the user&rsquo;s view.</p>
<h3 id="server-side-technologies">Server Side Technologies</h3>
<p>In the screenshot above, we highlighted a few programming languages like
Python, PHP, Golang, etc., but there are many more server-side
technologies. These high-level programming languages run on the server,
process data, and format the data into a format the client can
understand.</p>
<h2 id="conclusion">Conclusion</h2>
<p>I hope you have some idea about the web and its technologies by now.</p>
<p>Next, Refer the HTTP basics, which are helpful for security assessments
and used by developers and administrators to understand what the server
says and take action based on it.</p>
]]></content:encoded>
    </item>
    <item>
      <title>HTTP Basics Tutorial</title>
      <link>https://raghu.io/http-basics-tutorial/</link>
      <pubDate>Tue, 26 Jul 2022 08:53:00 +0000</pubDate>
      <guid>https://raghu.io/http-basics-tutorial/</guid>
      <description>Uncover the fundamentals of HTTP in this beginner-friendly way. HTTP Basics Tutorials is a guide for those new to information security or diving into web application security.</description>
      <content:encoded><![CDATA[<p>Discover the internals of HTTP with the following beginner&rsquo;s tutorial.
If you are new to information security or getting started in web
application security, this post will walk you through the HTTP basics
and foundations needed.</p>
<h2 id="introduction-to-http-and-its-importance">Introduction to HTTP and its importance</h2>
<p>HTTP, which stands for &ldquo;Hypertext Transfer Protocol&rdquo;, is the foundation
used for data communications on the World Wide Web. In simple words,
this protocol lets communication between our web browser and web
servers.</p>
<p>Understanding the HTTP is crucial for anyone who is interested in
getting into security testing. It is a basic foundation for all the data
communication on the internet. Knowing about the HTTP Requests,
Responses, and Status Codes will help us to understand more about a web
application and its behaviour during the security testing process and
even help us automate repetitive manual work.</p>
<h3 id="what-is-http">What is HTTP?</h3>
<p>HTTP is a protocol with a set of defined rules for communicating between
the client and the server. Think of it like this: we humans use a common
language to speak and communicate with each other. Similarly, the
protocol is to communicate with the client (Example: Web Browser) and
the server (Example: Apache HTTP).</p>
<p>Our modern web browsers hide this complexity by taking care of them and
loading beautiful web pages for us to be easy to read and understand.</p>
<blockquote>
<p>💡On the web, all I see is HTTPS. Yes, you are right. The working
principle is the same, with few changes. Will cover those as well.</p>
</blockquote>
<h3 id="http-is-text-based-protocol">HTTP is text based protocol</h3>
<p><a href="https://en.wikipedia.org/wiki/HTTP">HTTP</a> is a simple message-based
request/response protocol. When the user requests a web page, the
browser sends the HTTP request to the server in the background, which
then responds with the requested resources. The website responds back
with the requested resource, which is called response.</p>
<p>HTTP acts as a medium through which information is exchanged. It allows
the transfer of various types of data, including text, images,
multimedia files, etc.</p>
<h3 id="structure-of-http-requests-and-responses">Structure of HTTP Requests and Responses</h3>
<p>A sample of HTTP request-response can be seen as shown below:</p>
<p><strong>Request:</strong></p>
<figure>
    <img loading="lazy" src="/images/application-security-foundations/Sample-Request.webp"
         alt="Figure 1: : Sample HTTP Request by Client"/> <figcaption>
            <p>Figure 1: : Sample HTTP Request by Client</p>
        </figcaption>
</figure>

<p><strong>Response:</strong></p>
<figure>
    <img loading="lazy" src="/images/application-security-foundations/sample-response.webp"
         alt="Figure 2: : Sample HTTP Response form Server"/> <figcaption>
            <p>Figure 2: : Sample HTTP Response form Server</p>
        </figcaption>
</figure>

<p>I can see this is a lot of data to digest, don&rsquo;t worry, with the
overwhelming information you see on the response screenshot. You don&rsquo;t
need to remember everything. This is to get you acclimated to the type
of data you&rsquo;ll see from now on and focus only on what we need the most.</p>
<p>We will come back to technical in a bit. Let&rsquo;s go ahead and learn more
about HTTP.</p>
<h3 id="http-is-a-stateless-protocol">HTTP is a Stateless Protocol</h3>
<p>As the name suggests, the stateless protocol does not maintain the state
of a transaction. Stateless protocols are typically used in low-level
communication applications, where data packets can be sent without any
notifications. An example of a stateless protocol is TCP.</p>
<p>This means you get the response back once a request is sent and the
connection closes. It will not be able to link or relate to any previous
requests.</p>
<ol>
<li>
<p>Example of HTTP/1.0 and below versions</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">$nc</span> demo.testfire.net <span class="m">80</span>
</span></span><span class="line"><span class="cl">GET / HTTP/1.0
</span></span><span class="line"><span class="cl">Host: www.demo.testfire.net
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK
</span></span><span class="line"><span class="cl">Server: Apache-Coyote/1.1
</span></span><span class="line"><span class="cl">Set-Cookie: <span class="nv">JSESSIONID</span><span class="o">=</span>DF622CC21A2727AC5DD745D1A5B007BF<span class="p">;</span> <span class="nv">Path</span><span class="o">=</span>/<span class="p">;</span>
</span></span><span class="line"><span class="cl">HttpOnly
</span></span><span class="line"><span class="cl">Content-Type: text/html<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>ISO-8859-1
</span></span><span class="line"><span class="cl">Date: Wed, <span class="m">27</span> Jul <span class="m">2022</span> 07:48:18 GMT
</span></span><span class="line"><span class="cl">Connection: close
</span></span></code></pre></div><p>I am using a tool called net cat (nc) here to demonstrate a
stateless example by sending the custom request and waiting for the
response from the server. If you observe closely, the server sends
the last line <strong>Connection: close</strong>.</p>
<p><em><strong>Connection</strong></em>: header above tells that the TCP connection can be
closed once after sending the HTTP response.</p>
<p>But from HTTP/1.1 and above, the TCP connection will not be closed
and will wait for the next request to be received and processed.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ nc demo.testfire.net <span class="m">80</span>
</span></span><span class="line"><span class="cl">GET / HTTP/1.1
</span></span><span class="line"><span class="cl">Host: demo.testfire.net
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK
</span></span><span class="line"><span class="cl">Server: Apache-Coyote/1.1
</span></span><span class="line"><span class="cl">Set-Cookie: <span class="nv">JSESSIONID</span><span class="o">=</span>D7190756165E5E1B4986094B7A17630F<span class="p">;</span> <span class="nv">Path</span><span class="o">=</span>/<span class="p">;</span> HttpOnly
</span></span><span class="line"><span class="cl">Content-Type: text/html<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>ISO-8859-1
</span></span><span class="line"><span class="cl">Transfer-Encoding: chunked
</span></span><span class="line"><span class="cl">Date: Wed, <span class="m">27</span> Jul <span class="m">2022</span> 07:54:31 GMT
</span></span></code></pre></div><p>In the above request/response, you can see the <em>Transfer-Encoding:
chunked</em>, which means the connection is not closed, and it is
waiting for the next request to process.</p>
<p><em><strong>Transfer-Encoding</strong></em>: header is used to specify the type of
encoding used on the data sent in the message body in a series of
chunks.</p>
<p>For now, remember that the above concepts will be helpful while
discussing advanced HTTP attacks.</p>
<figure>
        <img loading="lazy" src="/images/application-security-foundations/HTTP-HTTPS.webp"
             alt="Figure 3: : HTTP vs HTTPS"/> <figcaption>
                <p>Figure 3: : HTTP vs HTTPS</p>
            </figcaption>
    </figure>

</li>
</ol>
<h3 id="http-vs-https">HTTP vs HTTPS</h3>
<p>HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer
Protocol Secure) underlying working concepts are similar. HTTPS is a
secure version of HTTP that uses SSL or TLS security certificates.</p>
<p>The HTTP protocol is outdated and not secure. The HTTPS protocol is more
modern and has encryption codes to protect user information.</p>
<p>A few of the drawbacks of HTTP are detailed below:</p>
<ol>
<li>HTTP transmits messages in <strong>clear text</strong>, meaning that anyone on
the network can view all of your requests, responses, and sensitive
information like usernames, passwords, and card information.</li>
<li>Not only above, if your data goes through any of the Proxy
connections, then a <strong>copy of your request and response is also
stored now on the proxy server</strong>. How the admin uses the information
is beyond our control, and it would be hard to track the attacker.</li>
<li>In some browsers where the cache is enabled, the copy of your
request will also be in the cache. This is challenging when the
session token or sensitive information is passed in the URL.</li>
</ol>
<p>This is where HTTPS protects us with privacy and integrity from all
kinds of snooping or <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack?ref=securityarray.net">Man in the Middle
(MITM)</a>
attacks.</p>
<p>Lastly, the default port for <strong>HTTP is 80</strong>, and <strong>HTTPS is 443</strong>. It
can also be changed based on requirements.</p>
<h2 id="breakdown-of-the-http-components">Breakdown of the HTTP components</h2>
<p>Let&rsquo;s dig a bit deeper and learn more about the HTTP syntax, methods,
and headers. This section helps us in reviewing request-response
messages and confirm whether vulnerability exists or not.</p>
<p>Take some time to understand and get well acquainted.</p>
<h3 id="http-syntax">HTTP Syntax</h3>
<p>We came to understand that HTTP is a simple message-based protocol that
contains request and response messages.</p>
<p>Let&rsquo;s try to understand more about the request.</p>
<ol>
<li>
<p>A Typical Request Message:</p>
<figure class="mx-auto block text-center">
        <img loading="lazy" src="/images/application-security-foundations/http_request_syntax.webp"
             alt="Figure 4: HTTP Request Sections"/> <figcaption>
                <p>Figure 4: HTTP Request Sections</p>
            </figcaption>
    </figure>

<p>HTTP request contains two sections, Headers, and Body. The header
and body are separated by an empty line.</p>
<p>The body section can vary based on the type of HTTP method. For
example, the GET HTTP method doesn&rsquo;t contain any body information,
but the POST method does contain.</p>
<!--list-separator-->
<ul>
<li>
<p><strong>1. Headers</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">POST</span> <span class="nn">/members/api/send-magic-link/</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">2</span>
</span></span></code></pre></div><p>In the above line, the first one POST is called a verb. It&rsquo;s one
of the HTTP methods commonly used for posting data onto the
server.</p>
<p>Followed by the URL path <em><strong>members/api/send-magic-link</strong></em>, the
page which the client is trying to access/post.</p>
<p>Lastly, <strong>HTTP/2</strong> is the protocol and its version used for
communication.</p>
<p>Each header in the message body is placed on a separate line. The
next header is Host.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Host: securityarray.io
</span></span></code></pre></div><p><strong>Host</strong> header contains the domain name of the server to whom the
request must be sent.</p>
<p>Next, followed by other headers.</p>
</li>
</ul>
<!--list-separator-->
<ul>
<li>
<p><strong>2. Body</strong>:</p>
<p>HTTP Body section contains the additional supporting information
for the above-specified POST header information. Below is an
example of the <a href="https://www.json.org/?ref=securityarray.net">JavaScript Object Notation
(JSON)</a> type of data
passed to the server in the message body.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">{&#34;name&#34;:&#34;Raghu&#34;,&#34;email&#34;:&#34;example@securityarray.io&#34;,&#34;requestSrc&#34;:&#34;portal&#34;}
</span></span></code></pre></div><p>The message body can also be plain text or HTML or XML data based
on the type of content being transmitted.</p>
<p><strong>A Typical Response Message</strong></p>
<figure class="mx-auto block text-center">
          <img loading="lazy" src="/images/application-security-foundations/http_response_syntax.webp"
               alt="Figure 5: HTTP Response"/> <figcaption>
                  <p>Figure 5: HTTP Response</p>
              </figcaption>
      </figure>

<p>HTTP Response message will look similar to the above, containing
the Headers and Body separated by an empty line.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="kr">HTTP</span><span class="o">/</span><span class="m">2</span> <span class="m">201</span> <span class="ne">Created</span>
</span></span></code></pre></div><p>The first line specifies the server acknowledgement back to the
client using HTTP/2 protocol, and the next <strong>201</strong> is a status
code specifying the type of action taken by the web server for the
request sent.</p>
<p>Here, it has created the content on the server. Therefore, we
received <strong>201 Created</strong>.</p>
<p>By this, I can confirm the content I have posted is created on the
server, and it acknowledges back, followed by other HTTP headers
and message body, and next if any.</p>
<p>The HTTP message body is later beautified and displayed back to
the user on a web browser in a human-readable way.</p>
<figure class="mx-auto block text-center">
          <img loading="lazy" src="/icons/policies-procedures.webp"
               alt="Figure 6: : HTTP Methods"/> <figcaption>
                  <p>Figure 6: : HTTP Methods</p>
              </figcaption>
      </figure>

</li>
</ul>
</li>
</ol>
<h2 id="http-methods-and-its-purpose">HTTP Methods and Its Purpose</h2>
<p>The methods indicate the purpose for which the client has initiated the
request and what is expected by the client to consider it a successful
result.</p>
<p>Let&rsquo;s walk through the different HTTP methods available.</p>
<ol>
<li><strong>GET</strong> is used to retrieve the resource from the web server, and it
doesn&rsquo;t contain a message body. The URLs that you observe in the
browser URL bar are all GET requests.</li>
<li><strong>HEAD</strong> is very similar to the GET, but it only sends the header
section.</li>
<li><strong>POST</strong> method performs a specific operation with the provided
message body. Like creating or updating. It is recommended to use
POST for sending sensitive information like username, password, card
info, etc. As the message body cannot be seen by intermediate
resources like proxies.</li>
<li><strong>PUT</strong> is most commonly used for updating the data and also for
uploading the content to the server.</li>
<li><strong>DELETE</strong> is used to remove a resource on the server, which is
allowed only for users with authorized privileges.</li>
<li><strong>CONNECT</strong> is used to establish a tunnel to the server</li>
<li><strong>OPTIONS</strong> is used to request a list of HTTP methods enabled on the
server.</li>
<li><strong>TRACE</strong> is used for diagnostic purposes. Whenever you send a
request using TRACE, you should be able to see the same contents in
response as were sent in the request.</li>
</ol>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/icons/Information.webp"
         alt="Figure 7: HTTP Headers"/> <figcaption>
            <p>Figure 7: HTTP Headers</p>
        </figcaption>
</figure>

<h2 id="understanding-http-headers">Understanding HTTP Headers</h2>
<p>In HTTP, there are many headers, each intended for a specific purpose.
We will be covering some headers, and if you would like to learn about
the complete list of headers, the best source is RFCs
(<a href="https://datatracker.ietf.org/doc/html/rfc2616?ref=securityarray.net">HTTP/1.1</a>,
<a href="https://datatracker.ietf.org/doc/html/rfc7540?ref=securityarray.net">HTTP/2</a>)</p>
<p>Some headers you can observe in both Request and Response are given
below.</p>
<p><strong>Content-Length</strong> specifies the length of the message body in bytes.</p>
<p><strong>Content-Type</strong> specifies the type of content present in the message
body.</p>
<h3 id="request-headers">Request headers</h3>
<p><strong>User-Agent</strong> specifies the information about your browser or from
other clients from which you are trying to access the web server.</p>
<p><strong>Origin</strong> is used to specify from where the request originated.</p>
<p><strong>Referer</strong> is used to specify the request from which the current URL
originated.</p>
<p><strong>Authorization</strong> is a token used to pass to the server for accessing
privileged resources.</p>
<p><strong>Accept</strong> headers inform the server about content types accepted by the
client.</p>
<p><strong>Accept-Encoding</strong> informs the server about encoding types understood
by the client.</p>
<h3 id="response-headers">Response Headers</h3>
<p><strong>Set-Cookie</strong> is used to set the session cookies on the client side to
identify the sessions and user accounts used for accessing server
resources.</p>
<p><strong>Access-Control-Allow-Origin</strong> indicates whether the resource can be
retrieved via cross-domain Ajax requests.</p>
<p><strong>Cache-Control</strong> passes the instructions to the browser about how the
cache must be handled.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/icons/checks_300x300.webp"
         alt="Figure 8: Status Codes"/> <figcaption>
            <p>Figure 8: Status Codes</p>
        </figcaption>
</figure>

<h2 id="decoding-http-status-codes">Decoding HTTP Status Codes</h2>
<p>The status codes are used to inform the client about how the request was
handled. The server acknowledges back with the three-digit numerical
codes of how it was processed.</p>
<p>Getting familiar with status codes helps you to review and take action
while performing security assessments.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="/images/application-security-foundations/HTTP-Status-Codes.webp"
         alt="Figure 9: HTTP Status Codes"/> <figcaption>
            <p>Figure 9: HTTP Status Codes</p>
        </figcaption>
</figure>

<p>Let&rsquo;s look at common status codes which we will be encountering
day-to-day.</p>
<p><strong>100 Continue</strong> message sent by the server to continue and keep sending
the message body. Once completed, the server will respond with another
status message.</p>
<p><strong>200 OK</strong> means that the request was successful and that the response
body contains the result of the request.</p>
<p><strong>201 Created</strong> is returned in response to a PUT/POST request to
indicate that the request was successful and created.</p>
<p><strong>301 Moved Permanently</strong> redirects the browser permanently to a
different URL. So the client should use the new URL going ahead in the
future.</p>
<p><strong>302 Found</strong> redirects the browser temporarily to a different URL</p>
<p><strong>304 Not Modified</strong> specifies the browser to use the cached copy as the
client has the latest data of the server.</p>
<p><strong>400 Bad Request</strong> is a client error that indicates that the client
submitted an invalid HTTP request.</p>
<p><strong>401 Unauthorized</strong> indicates that you need to be authenticated to
access the server resource.</p>
<p><strong>403 Forbidden</strong> indicates that you do not have privileges to access
the resource on the server.</p>
<p><strong>404 Not Found</strong> means the requested resource is not present on the
server.</p>
<p><strong>405 Method Not Allowed</strong> means the specified HTTP method in the
request is not supported for the given URL.</p>
<p><strong>500 Internal Server Error</strong> indicates that the server is unable to
process your request, which might be because of some unhandled error
within the server application.</p>
<p><strong>503 Service Unavailable</strong> is displayed when the server is handling a
heavy load and is not able to function. Also, during maintenance hours,
or during migration, or even in case the server crashes.</p>
<h2 id="conclusion">Conclusion</h2>
<p>I hope this short tutorial has provided the foundations for
understanding HTTP protocol and its significance in terms of application
security. It&rsquo;s a lot of information to digest and remember. You could
use this as a reference to get started, and surely, this is going to
help us make better decisions while carrying out security assessments.</p>
<p>I encourage you to continue exploring the HTTP RFCs
(<a href="https://datatracker.ietf.org/doc/html/rfc2616?ref=securityarray.net">HTTP/1.1</a>,
<a href="https://datatracker.ietf.org/doc/html/rfc7540?ref=securityarray.net">HTTP/2</a>,
<a href="https://datatracker.ietf.org/doc/html/rfc9114">HTTP/3</a>)
for in-depth understanding.</p>
<p>Remember, learning web application security is an ongoing journey, and
each step you take brings you closer to mastering this valuable skill.</p>
<p>Keep exploring!</p>
]]></content:encoded>
    </item>
    <item>
      <title>Bug Bounty vs Pentest: Making an Informed Decision on Security Testing</title>
      <link>https://raghu.io/bug-bounty-vs-pentest-making-an-informed-decision-on-security-testing/</link>
      <pubDate>Sun, 14 Jan 2024 03:29:08 +0000</pubDate>
      <guid>https://raghu.io/bug-bounty-vs-pentest-making-an-informed-decision-on-security-testing/</guid>
      <description>Both bug bounty and pentest play crucial roles in identifying and addressing security vulnerabilities, but they differ in their approaches. Understanding these differences helps you choose which type of security testing best suits for organizations or hackers who want to get into security testing.</description>
      <content:encoded><![CDATA[<p>It looks like you want to know better about what bug bounty is and how
it differs from pentest for your security needs. This article will break
down the differences, benefits, and drawbacks of each to help you make
an informed decision. Whether you&rsquo;re a beginner in security, a project
manager, or a security professional, this article will help you choose
the right approach for your specific security needs.</p>
<h2 id="introduction-to-bug-bounty-and-pentest">Introduction to Bug Bounty and Pentest</h2>
<p>In today&rsquo;s digital landscape, where cyber threats constantly evolve,
organizations increasingly turn to security testing, and we keep on
hearing about the words bug bounty programs and pentests to enhance
security measures.</p>
<p>Both bug bounty and pentest play crucial roles in identifying and
addressing security vulnerabilities, but they differ in their
approaches. Understanding these differences helps you choose which type
of security testing best suits for organizations or hackers who want to
get into security testing.</p>
<figure>
<img src="BugBounty-vs-Pentest-Definetion.png" />
<figcaption>Bug Bounty vs Pentest</figcaption>
</figure>
<h2 id="bug-bounty-explained">Bug Bounty Explained</h2>
<h3 id="what-is-bug-bounty">What is Bug Bounty?</h3>
<p>Individual organizations implement a program to reward external security
researchers for identifying and reporting security bugs in their
applications and systems.</p>
<p>This program helps organizations uncover the security gaps that haven&rsquo;t
been considered or missed in their security assessments. Addressing the
reported security findings in the early stages helps to strengthen the
organization&rsquo;s critical applications and systems before malicious actors
exploit them.</p>
<p>Depending on the organization&rsquo;s policies, they even acknowledge and
reward the researchers for responsibly disclosing the security flaws in
their systems. The rewards might vary, like incentives, hall-of-fame
credits, points, s, etc.</p>
<p>This process is also known as <strong>crowdsource security testing</strong> or
<strong>Vulnerability Reward Programs</strong> (VRPs), which invites all independent
security researchers around the world to participate in the program.
This approach also enables organizations to tap into a global talent
pool of cybersecurity experts and leverage their diverse skill sets to
uncover potential security flaws.</p>
<h3 id="how-bug-bounty-programs-work">How Bug Bounty Programs Work?</h3>
<ol>
<li>
<p>Organizations define the scope of their bug bounty program, which
includes the systems, applications, guidelines, rewards structure,
and types of vulnerabilities eligible for rewards.</p>
</li>
<li>
<p>Independent Security Researchers (aka Bug bounty hunters) then
conduct security testing within the specified scope and report any
discovered vulnerabilities to the organization&rsquo;s security team.</p>
</li>
<li>
<p>Upon successful validation, the security bug is triaged.
Post-triaging, the organization rewards the bug bounty hunter
according to a predetermined bounty structure.</p>
</li>
</ol>
<p><em>Remember, if everyone reports the same bug, only the first person to
report will receive the bounty.</em></p>
<h3 id="what-are-bug-bounty-platforms">What are Bug Bounty Platforms?</h3>
<p>A central hub that manages multiple organizations&rsquo; Bug Bounty programs
and a pool of bug bounty hunters.</p>
<p>Bug bounty platforms bridge organizations and bug bounty hunters by
establishing clear guidelines and policies for researchers, streamlining
the vulnerability management process, facilitating efficient
communication, timely resolution of reported security issues, and
rewarding researchers.</p>
<p>They oversee the entire bug bounty program life cycle, making each party
understand their roles and responsibilities in a well-organized and
efficient way.</p>
<p>It&rsquo;s a less hindering process for organizations and Security Enthusiasts
who are getting started.</p>
<p>Examples: <a href="https://www.hackerone.com/">HackerOne</a>,
<a href="https://www.bugcrowd.com/">BugCrowd</a>,
<a href="https://www.intigriti.com/">Intigrity</a>,
<a href="https://bounty.github.com/">Github</a></p>
<p>Refer
<a href="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/bugbountyplatforms.md">here</a>
for information about more platforms.</p>
<h3 id="who-can-start-a-bug-bounty-program">Who can start a Bug Bounty program?</h3>
<p>Any organization that decides to minimize security risks and secure its
digital data from attackers can start a bug bounty program.</p>
<p>Currently, reputed organizations ranging from government entities,
e-commerce platforms, software solutions, logistics companies, finance
organizations, open-source programs, etc, all run bug bounty programs.</p>
<p>If you ever feel that managing security vulnerabilities is daunting,
don&rsquo;t hesitate to utilize Bug Bounty platforms. They are readily
available to provide assistance and support.</p>
<p>Bug Bounty programs are instrumental in reducing unknown threats.</p>
<p>Examples: <a href="https://bughunters.google.com/">Google Bug Hunters</a>, <a href="https://www.facebook.com/whitehat">Meta
(aka Facebook)</a>,
<a href="https://www.microsoft.com/en-us/msrc/bounty">Microsoft</a></p>
<h3 id="who-can-participate-in-a-bug-bounty-program">Who can participate in a Bug Bounty program?</h3>
<p>Well, there are no hard rules. Anyone with internet access having
experience/interest in learning security testing can jump into the
program and try it.<br>
<br>
The Bug Bounty program is available for different security streams, web
applications, mobile applications, binary applications, source code
review, IOT, etc. Feel free to choose the one that is of most interest
to you.</p>
<h3 id="key-features-of-bug-bounty">Key Features of Bug Bounty</h3>
<ul>
<li><strong>Global Talent Pool</strong>: Bug bounty programs allow organizations to
access a diverse community of security researchers with varying
expertise and perspectives.</li>
<li><strong>Continuous Testing</strong>: Bug bounty programs enable ongoing security
testing, as researchers can continuously search for vulnerabilities,
providing a proactive approach to security. </li>
<li><strong>Cost-Effective</strong>: Organizations only pay for valid vulnerabilities
identified, making bug bounty programs a cost-effective security
testing solution.</li>
</ul>
<figure>
<img src="hacker--1-.png" />
<figcaption>Penetration Testing</figcaption>
</figure>
<h2 id="pentest-explained">Pentest Explained </h2>
<h3 id="heading">\</h3>
<p>What is Pentest?</p>
<p>Penetration testing, often abbreviated as pentest or pentesting, is a
simulated cyber-attack on a computer system, network, or web application
to identify security weaknesses. This assessment thoroughly evaluates an
organization&rsquo;s IT infrastructure by deliberately attempting to exploit
weaknesses in a controlled environment.</p>
<p>Penetration testing is conducted by the organization&rsquo;s internal staff or
in collaboration with reputable service providers in the market.</p>
<p>It aims to identify security gaps and provides actionable insights to
improve the organization&rsquo;s overall security.</p>
<h3 id="types-of-pentesting">Types of Pentesting</h3>
<p>There are various types of penetration testing, including network
penetration testing, web application penetration testing, mobile
application penetration testing, etc. Each type focuses on specific
areas of an organization&rsquo;s IT infrastructure and applications, providing
a comprehensive assessment of security vulnerabilities.</p>
<h3 id="key-features-of-pentest">Key Features of Pentest</h3>
<ul>
<li><strong>Comprehensive Testing</strong>: Pentesting offers a holistic evaluation of
an organization&rsquo;s security posture by simulating real-world attack
scenarios across different systems and applications.</li>
<li><strong>Controlled Environment</strong>: Pentests are conducted in a controlled
environment, allowing organizations to manage the testing process and
minimize potential disruptions to their operations.</li>
<li><strong>Detailed Reporting</strong>: Pentest reports provide in-depth insights into
identified vulnerabilities and actionable recommendations to mitigate
security risks.</li>
</ul>
<h3 id="importance-of-security-testing">Importance of Security Testing</h3>
<p>Both bug bounty programs and penetration testing are crucial components
of a comprehensive security strategy. They help organizations
proactively identify and address vulnerabilities before malicious actors
can exploit them, thereby reducing the risk of a data breach. By
conducting security testing, organizations can enhance their overall
security posture and build trust with their customers and stakeholders.</p>
<figure>
<img src="arrows--1-.png" />
<figcaption>Understanding the Differences</figcaption>
</figure>
<h2 id="understanding-the-differences">Understanding the Differences</h2>
<h3 id="heading-1">\</h3>
<p>Approach and Methodology</p>
<p>Bug bounty programs rely on the collective expertise of a global
community of researchers, leveraging their diverse approaches and
methodologies to uncover vulnerabilities. In contrast, penetration
testing follows a structured methodology and best practices, often
tailored to the specific needs and requirements of the organization.</p>
<h3 id="scope-and-coverage">Scope and Coverage</h3>
<p>Bug bounty programs offer a broader scope, allowing researchers to test
various systems and applications using a wide range of techniques.
However, the scope of a penetration test can be customized to focus on
specific areas of concern within an organization&rsquo;s IT infrastructure.
(Say like test only network devices, mobile applications, biometric
devices, etc.)</p>
<h3 id="cost-and-resource-allocation">Cost and Resource Allocation</h3>
<p>Bug bounty programs operate on a pay-for-results model, where
organizations only pay for valid vulnerabilities identified. On the
other hand, penetration testing typically involves upfront costs,
time-bound, and resource allocation for engaging a specialized security
testing team or service provider. </p>
<h3 id="scalability">Scalability</h3>
<p>The vulnerability reward program (VRPs) enables organizations to quickly
initiate large-scale security testing for their internet-facing
applications with limited resources. In contrast, penetration testing
requires a substantial team, time, and knowledgeable resources to
establish a trusted platform at scale.</p>
<figure>
<img src="BugBounty-vs-Pentest-Benefits-1.png" />
<figcaption>Benefits of Bug Bounty vs Pentest</figcaption>
</figure>
<h2 id="benefits-of-bug-bounty">Benefits of Bug Bounty</h2>
<h3 id="heading-2">\</h3>
<p>Diverse Skill Set</p>
<p>Bug bounty programs enable organizations to harness the diverse skill
sets and perspectives of a global community of security researchers,
providing a wide range of expertise in identifying vulnerabilities.</p>
<h3 id="continuous-testing">Continuous Testing</h3>
<p>Bug bounty programs facilitate ongoing security testing, allowing
organizations to identify and address vulnerabilities as new threats
emerge continuously.</p>
<p>The moment when a
<a href="https://en.wikipedia.org/wiki/Zero-day_%28computing%29">zero-day</a>
vulnerability is first known to the community, the bounty hunters would
be the first to try it out on organization systems or applications they
were working on and raise the security flaw immediately within a few
hours. This trend can generally spotted where their incentives are
generally high.</p>
<h3 id="cost-effective">Cost-Effective</h3>
<p>Bug bounty programs offer a cost-effective approach to security testing,
as organizations only pay for valid and unique vulnerabilities
identified by researchers.</p>
<h3 id="researchers-verification">Researchers Verification</h3>
<p>Some organizations that host bounty programs under the managed Bug
Bounty platforms even request to verify the details of the security
researchers before allowing them into the bug bounty program. This is an
additional measure taken care of by the platforms themselves and helps
to build trust.</p>
<h2 id="benefits-of-pentest">Benefits of Pentest</h2>
<h3 id="heading-3">\</h3>
<p>Comprehensive Testing</p>
<p>Penetration testing provides a comprehensive evaluation of an
organization&rsquo;s security posture, identifying vulnerabilities across
different systems and applications.</p>
<p>Generally, penetration testing is carried out either by the
organization&rsquo;s internal security team or by the external service
provider to secure the business&rsquo;s critical assets from external
attackers.</p>
<p>When an internal team performs pen-testing, they might have access to
the application architecture diagrams, documentation, development team
support, and source code to provide extensive coverage.</p>
<p>Every possibility of security risk identified is documented, from low
severity to high-severity issues in the applications or in
network-connected devices. Based on risk assessment, impactful security
vulnerabilities are addressed as a priority.</p>
<h3 id="controlled-environment">Controlled Environment</h3>
<p>Pentests are conducted in a controlled environment, allowing
organizations to manage the testing process and minimize potential
disruptions to their operations.</p>
<p>In some cases, penetration testing is performed on non-production
environments to minimize the impact on customers, which would be an
exact replica of what would be going into production.</p>
<p>All the security assessments are carried out in stages and segregated
into specific groups like network security, web security, mobile
security, etc.</p>
<h3 id="detailed-reporting">Detailed Reporting</h3>
<p>Pentest reports offer detailed insights into identified vulnerabilities,
along with actionable recommendations to strengthen the organization&rsquo;s
security defenses.</p>
<p>Business stakeholders review and direct the teams to take action to
minimize the security risks, ranging from high-impact to low-impact
business risks. Also, monitor the security health of their organization.</p>
<p>Overall, the organization&rsquo;s security posture will be known with this
approach.</p>
<h3 id="compliances-and-best-practices">Compliances and Best Practices</h3>
<p>Penetration testing is also essential for meeting industry regulations,
best practices, and standards. Based on the data criticality, it must be
carried out at regular intervals.</p>
<hr>
<figure>
<img src="BugBounty-vs-Pentest-Drawbacks.png" />
<figcaption>Drawbacks of Bug Bounty vs Pentest</figcaption>
</figure>
<h2 id="drawbacks-of-bug-bounty">Drawbacks of Bug Bounty</h2>
<h3 id="heading-4">\</h3>
<p>Limited Control</p>
<p>Organizations have limited control over the testing process in bug
bounty programs, as researchers operate independently and may or may not
adhere to specific testing guidelines.</p>
<p>In Bug bounty programs, even though organizations define a detailed
scope of requirements of what is allowed and what is not, like using
automated tools or looking out for specific categories of
vulnerabilities as part of security testing, it depends on individual
security researchers.</p>
<p>Bug bounty hunters are even banned or removed from the program in case
of deviations from the given scope.</p>
<h3 id="public-disclosure-of-vulnerabilities">Public Disclosure of Vulnerabilities</h3>
<p>Poorly managed Bug bounty programs may lead to public disclosure of
vulnerabilities, potentially impacting an organization&rsquo;s reputation.</p>
<p>In bug bounty hunting, a researcher must report a vulnerability and has
to wait for a duration, say 60-90 days, for acknowledgment. Upon not
receiving any communication from the organization for the given time
frame, a researcher might disclose the bug publicly. This generally
happens only in the case of an ineffective program.</p>
<h3 id="variable-results">Variable Results</h3>
<p>The effectiveness of bug bounty programs can vary, as the identification
of vulnerabilities depends on the skills and motivations of
participating researchers.</p>
<p>The participating researchers are from a wide pool of knowledge
backgrounds. It can be a security researcher, a software developer
interested in security, a passionate system administrator, a college
student interested in bug bounties, etc.</p>
<p>Bug bounty hunters, in some cases, focus only on a single target, which
gives them higher chances of finding a bug by carefully monitoring the
changes and immediately reporting the misconfigured ones.</p>
<p>On the other hand, some bounty hunters only take one category of
vulnerability and keep reporting it in each application whenever they
find it.</p>
<p>All the approach varies based on the perspective of the bug bounty
hunter.</p>
<h2 id="drawbacks-of-pentest">Drawbacks of Pentest</h2>
<h3 id="heading-5">\</h3>
<p>Time-Consuming</p>
<p>Penetration testing can be time-consuming, especially for comprehensive
assessments that cover multiple systems and applications within an
organization&rsquo;s IT infrastructure.</p>
<p>It requires multiple parties to be involved, allocating resources, and
shorter time intervals might be provided when in a hurry for production
releases.</p>
<h3 id="limited-scope">Limited Scope</h3>
<p>The scope of a penetration test may be limited based on the specific
areas of concern identified by the organization, potentially overlooking
vulnerabilities in other areas.</p>
<h3 id="higher-cost">Higher Cost</h3>
<p>Engaging in penetration testing typically involves higher upfront costs
and resource allocation compared to bug bounty programs.</p>
<figure>
<img src="decision-making.png" />
<figcaption>Making an Informed Decision</figcaption>
</figure>
<h2 id="making-an-informed-decision">Making an Informed Decision</h2>
<h3 id="heading-6">\</h3>
<p>Assess Your Security Needs</p>
<p>Organizations should assess their specific security needs by considering
factors such as the complexity of their IT infrastructure, the
sensitivity of their data being maintained, and the potential impact of
security vulnerabilities.</p>
<h3 id="considering-budget-and-resources">Considering Budget and Resources</h3>
<p>Budgetary constraints and the availability of a security skillset play a
significant role in determining whether bug bounty programs or
penetration testing is a more viable security testing solution for an
organization.</p>
<h3 id="evaluating-long-term-goals">Evaluating Long-Term Goals</h3>
<p>Organizations should consider their long-term security goals and the
level of control they require over the security testing process when
choosing between bug bounty programs and penetration testing.</p>
<h3 id="for-bug-bounty-hunters">For Bug Bounty Hunters</h3>
<p>Whether you want to learn Bug Bounty or Penetration testing, penetration
testing is much rewarded for building a professional career. If you
would like to do some side hustle and earn some extra bucks, Bug Bounty
might be the best choice. Rarely, a few hackers built a career from Bug
Bounty, but it requires patience and time and has a very steep learning
curve.</p>
<figure>
<img src="idea.png" />
<figcaption>Conclusion</figcaption>
</figure>
<h2 id="conclusion">Conclusion</h2>
<p>In summary, bug bounty programs and penetration tests each offer unique
benefits and drawbacks, catering to different security needs.</p>
<p>Organizations, by carefully evaluating the differences and considering
specific requirements like the scope of testing, the level of control
required, and the budgetary constraints, determine the most suitable
approach for addressing security vulnerabilities, which can help to
enhance your security posture effectively.</p>
<p>For Bug Bounty hunters, consider your skill set and the time available
to choose the one that suits you best. Both required similar skill sets,
but the approaches and efforts vary.</p>
<p>In the ever-evolving cybersecurity landscape, one must adapt to changing
security testing strategies to mitigate risks and protect digital assets
effectively. Whether through bug bounty programs, penetration testing,
or a combination of both, proactive security testing is essential for
safeguarding against potential threats and maintaining a robust security
posture.</p>
]]></content:encoded>
    </item>
  </channel>
</rss>
