
TryHackMe — Web Application Basics Writeup


The Web Application Basics room on TryHackMe is an excellent introduction to how web applications work behind the scenes. In this walkthrough, we will cover HTTP requests, responses, URLs, headers, security headers, and practical API interaction examples.


Task 1 — Introduction

Learning Objectives

  • Understand what a web application is;
  • Learn how browsers communicate with servers;
  • Understand HTTP requests and responses;
  • Explore HTTP methods and status codes;
  • Learn why security headers matter.

Task 2 — Web Application Overview

Modern web applications are composed of multiple technologies working together.

Front-End Components

Front-end technologies are responsible for everything users see and interact with directly in the browser.

  • HTML
  • CSS
  • JavaScript

Back-End Components

The back-end handles server-side logic, databases, authentication, and infrastructure.

  • Web Server
  • Database
  • APIs
  • Web Application Firewall (WAF)

Questions & Answers

Q: Which component on a computer is responsible for hosting and delivering content for web applications?

A: Web Server

Q: Which tool is used to access and interact with web applications?

A: Web Browser

Q: Which component acts as a protective layer filtering malicious traffic?

A: Web Application Firewall


Task 3 — Uniform Resource Locator (URL)

A URL (Uniform Resource Locator) is the address used to access resources on the internet.

https://example.com/search?q=tryhackme

A URL is composed of:

  • Protocol
  • Domain Name
  • Path
  • Query String

Questions & Answers

Q: Which protocol provides encrypted communication between browser and server?

A: HTTPS

Q: What is the practice of registering misspelled domain names called?

A: Typosquatting

Q: Which part of a URL passes additional information to the server?

A: Query String
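The URL breakdown above can be checked in code. The following is an added example (not part of the room or this writeup): `dissect_url` splits an absolute URL into the components the task names, and `lookalike_domain` flags a hostname that is a near-miss of a trusted domain, which is the pattern typosquatting relies on. The trusted domain, the thresholds and the sample hostnames are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit


def dissect_url(url: str) -> dict:
    """Split an absolute URL into protocol, domain, path and query string."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        # A bare "example.com/search" has no scheme, so it is not a usable URL here
        raise ValueError(f"not an absolute URL: {url!r}")
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "protocol": parts.scheme,
        "domain": parts.hostname,
        # Default port is implied by the protocol when the URL omits one
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": parts.path or "/",
        "query_string": parts.query,
        "parameters": {k: v[0] if len(v) == 1 else v for k, v in params.items()},
        "encrypted": parts.scheme == "https",
    }


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(host: str, trusted: str, max_distance: int = 2) -> bool:
    """True when host is a close misspelling of trusted (a typosquatting candidate).

    The trusted domain itself and its legitimate subdomains are not flagged.
    max_distance is a constructed threshold, not a standard value.
    """
    host, trusted = host.lower(), trusted.lower()
    if host == trusted or host.endswith("." + trusted):
        return False
    return 0 < edit_distance(host, trusted) <= max_distance


if __name__ == "__main__":
    print(dissect_url("https://example.com/search?q=tryhackme"))
    for candidate in ("examp1e.com", "www.example.com", "tryhackme.com"):  # constructed hostnames
        print(candidate, "lookalike of example.com:", lookalike_domain(candidate, "example.com"))
```

`urlsplit` is used rather than `urlparse` because the latter also peels off the rarely used `;params` segment, which the room does not discuss.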


Task 4 — HTTP Messages

HTTP communication works through requests and responses exchanged between clients and servers.

HTTP Message Structure

  • Start Line
  • Headers
  • Empty Line
  • Body

Questions & Answers

Q: Which HTTP message is returned after processing a request?

A: HTTP Response

Q: What follows the headers in an HTTP message?

A: Empty Line


Task 5 — HTTP Request: Request Line and Methods

HTTP methods define actions performed on resources.

Common HTTP Methods

  • GET
  • POST
  • PUT
  • DELETE
  • OPTIONS

Questions & Answers

Q: Which HTTP version became the most widely used?

A: HTTP/1.1

Q: Which method discovers supported communication options?

A: OPTIONS

Q: Which component specifies the requested endpoint?

A: URL Path


Task 6 — HTTP Request: Headers and Body

HTTP headers provide metadata about the request.

Examples of HTTP Headers

  • Host
  • User-Agent
  • Authorization
  • Content-Type

Questions & Answers

Q: Which header specifies the target domain?

A: Host

Q: What is the default form submission content type?

A: application/x-www-form-urlencoded

Q: Which part contains metadata guiding server processing?

A: Request Headers
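Tasks 4 to 6 describe the request as a request line, headers, an empty line and a body. As an added example (my own code, not material from the room), here is a small parser that applies exactly that structure to a raw HTTP/1.1 request: it splits on the empty line, reads method, path and version from the request line, collects the headers case-insensitively, honours `Content-Length`, and decodes a form body when the content type is `application/x-www-form-urlencoded`. The two sample requests are constructed for the example; the `Host` and `Content-Length` checks are the failure modes a server-side parser has to handle.

```python
from urllib.parse import parse_qs

# Constructed sample requests (CRLF line endings, as HTTP requires)
GET_REQUEST = (
    b"GET /api/users HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: constructed-client/1.0\r\n"
    b"\r\n"
)
POST_REQUEST = (
    b"POST /api/user/2 HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b"country=US"
)


def parse_http_request(raw: bytes) -> dict:
    """Parse a raw request into start line, headers, body (and decoded form, if any)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed request: no empty line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")

    # Request line: METHOD SP request-target SP HTTP-version
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError(f"malformed request line: {lines[0]!r}") from None

    # Header names are case-insensitive, so they are normalised to lower case
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")

    # Content-Length decides how many bytes after the empty line belong to the body
    declared = int(headers.get("content-length", len(body)))
    if len(body) < declared:
        raise ValueError(f"body has {len(body)} bytes but Content-Length says {declared}")
    body = body[:declared]

    form = None
    media_type = headers.get("content-type", "").split(";")[0].strip()
    if media_type == "application/x-www-form-urlencoded":
        decoded = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
        form = {k: v[0] if len(v) == 1 else v for k, v in decoded.items()}

    return {"method": method, "path": target, "version": version,
            "headers": headers, "body": body, "form": form}


if __name__ == "__main__":
    for sample in (GET_REQUEST, POST_REQUEST):
        print(parse_http_request(sample))
```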


Task 7 — HTTP Response: Status Codes

HTTP status codes indicate whether requests succeeded or failed.

Status Code Categories

  • 1xx — Informational
  • 2xx — Success
  • 3xx — Redirection
  • 4xx — Client Errors
  • 5xx — Server Errors

Questions & Answers

Q: Which part contains version, status code, and description?

A: Status Line

Q: Which category represents server-side issues?

A: Server Error Responses

Q: Which status code indicates a missing resource?

A: 404


Task 8 — HTTP Response Headers and Body

HTTP response headers provide important information about the server and transmitted content.

Questions & Answers

Q: Which response header may expose server software details?

A: Server

Q: Which cookie flag restricts cookies to HTTPS only?

A: Secure

Q: Which cookie flag prevents JavaScript access?

A: HttpOnly


Task 9 — Security Headers

Security headers help mitigate common attacks such as XSS, MIME sniffing, and protocol downgrade.

Important Security Headers

  • Content-Security-Policy (CSP)
  • Strict-Transport-Security (HSTS)
  • X-Content-Type-Options

Questions & Answers

Q: Which CSP directive controls script loading sources?

A: script-src

Q: Which HSTS directive applies HTTPS rules to subdomains?

A: includeSubDomains

Q: Which directive prevents MIME type sniffing?

A: nosniff
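Tasks 7 to 9 together describe what a defender looks at in a response: the status line, the `Server` header, cookie flags and the three security headers. As an added example (not code from the room), the block below parses a raw HTTP response and then audits it for the points the Q&A raises: a `Server` header that discloses software, a missing `Content-Security-Policy` or one without a script source restriction, HSTS without `includeSubDomains`, a missing `X-Content-Type-Options: nosniff`, and `Set-Cookie` values lacking `Secure` or `HttpOnly`. The weak and hardened responses are constructed for the example, as are the finding messages.

```python
CATEGORIES = {1: "Informational", 2: "Success", 3: "Redirection",
              4: "Client Error", 5: "Server Error"}

# Constructed responses: the first leaks the server banner and sets a bare cookie,
# the second carries the headers the room recommends.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"\r\n"
    b"<html>constructed body</html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"\r\n"
    b"<html>constructed body</html>"
)


def status_category(code: int) -> str:
    """Map a status code to its class (1xx..5xx)."""
    return CATEGORIES.get(code // 100, "Unknown")


def parse_http_response(raw: bytes) -> dict:
    """Split a raw response into status line, header list and body.

    Headers are kept as an ordered list of (name, value) pairs because
    Set-Cookie may legitimately appear more than once.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no empty line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)               # HTTP-version SP status-code SP reason
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "",
            "category": status_category(int(parts[1])),
            "headers": headers, "body": body}


def audit_response(resp: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    headers = resp["headers"]

    def first(name):
        return next((v for n, v in headers if n.lower() == name.lower()), None)

    findings = []
    if first("Server"):
        findings.append(f"Server header exposes software details: {first('Server')}")
    csp = first("Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "script-src" not in csp and "default-src" not in csp:
        findings.append("CSP does not restrict script sources (no script-src or default-src)")
    hsts = first("Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains (includeSubDomains absent)")
    xcto = first("X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(parse_http_response(raw)))
```

The audit deliberately treats `default-src` as an acceptable substitute for `script-src`, since CSP falls back to `default-src` when a fetch directive is absent; a stricter policy review would look at the actual source lists as well.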


Task 10 — Practical Task: Making HTTP Requests

GET Request

Q: Make a GET request to /api/users. What is the flag?

A: THM{YOU_HAVE_JUST_FOUND_THE_USER_LIST}

POST Request

Q: Make a POST request to /api/user/2 and update Bob's country from UK to US. What is the flag?

A: THM{YOU_HAVE_MODIFIED_THE_USER_DATA}

DELETE Request

Q: Make a DELETE request to /api/user/1. What is the flag?

A: THM{YOU_HAVE_JUST_DELETED_A_USER}
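The three requests above can be reproduced end to end without the room's machine. The following is an added example (my own code, not the room's API or its backend): it starts a throwaway in-process HTTP server that imitates the three endpoints with constructed user records, then issues the same GET, POST (form-encoded `country=US`) and DELETE requests with the standard library's `http.client`. The user data, the JSON shapes and the server's behaviour are all assumptions made for the example; the real room returns the flags shown above instead.

```python
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

# Constructed data standing in for the room's user list
INITIAL_USERS = {
    1: {"id": 1, "name": "Alice", "country": "US"},
    2: {"id": 2, "name": "Bob", "country": "UK"},
}
USERS = {}


class MockApi(BaseHTTPRequestHandler):
    """Minimal stand-in for /api/users and /api/user/<id> (assumed behaviour)."""

    def _send(self, code, payload):
        data = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _user_id(self):
        prefix = "/api/user/"
        tail = self.path[len(prefix):]
        if self.path.startswith(prefix) and tail.isdigit() and int(tail) in USERS:
            return int(tail)
        return None

    def do_GET(self):
        if self.path == "/api/users":
            self._send(200, list(USERS.values()))
        else:
            self._send(404, {"error": "not found"})

    def do_POST(self):
        uid = self._user_id()
        if uid is None:
            return self._send(404, {"error": "not found"})
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        USERS[uid]["country"] = form.get("country", [USERS[uid]["country"]])[0]
        self._send(200, USERS[uid])

    def do_DELETE(self):
        uid = self._user_id()
        if uid is None:
            return self._send(404, {"error": "not found"})
        del USERS[uid]
        self._send(200, {"deleted": uid})

    def log_message(self, *args):  # silence per-request logging
        pass


def request(host, port, method, path, body=None):
    """Send one request and return (status code, decoded JSON body)."""
    headers = {}
    if body is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn = HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = json.loads(resp.read())
    conn.close()
    return resp.status, data


def run_task():
    """Start the mock server, replay the three room requests, return the results."""
    USERS.clear()
    USERS.update({k: dict(v) for k, v in INITIAL_USERS.items()})
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockApi)  # port 0: OS picks a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        return {
            "get": request(host, port, "GET", "/api/users"),
            "post": request(host, port, "POST", "/api/user/2", body="country=US"),
            "delete": request(host, port, "DELETE", "/api/user/1"),
            "after": request(host, port, "GET", "/api/users"),
            "missing": request(host, port, "DELETE", "/api/user/99"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for step, result in run_task().items():
        print(step, result)
```

`http.client` adds `Content-Length` itself when a string or bytes body is given, so only `Content-Type` needs to be set by hand; the same three calls work against a real host by replacing `host` and `port`.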


Final Thoughts

This TryHackMe room provides a strong foundation for understanding how web applications operate and how HTTP communication works.

Learning these fundamentals is essential for:

  • Cybersecurity
  • Ethical Hacking
  • Bug Bounty Hunting
  • Web Development
  • Penetration Testing

SEO Tags

TryHackMe, Web Application Basics, HTTP, HTTPS, Web Security, Ethical Hacking, Cybersecurity, Bug Bounty, Penetration Testing, API Security, OWASP, Security Headers, HTTP Requests, HTTP Responses, TryHackMe Writeup
