
HTTP Protocol (8) HTTP response message and status code

2025-04-02 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

An HTTP response message carries two main pieces of important information: the status code in the response line and the response headers. They are described separately below.

The most important response headers are:

(1) Server: The name of the web service used by the server, e.g. Server: Apache/1.3.6 (Unix).
(2) Set-Cookie: Cookies set by the server for the client.
(3) Last-Modified: The field through which the server tells the client browser when the resource was last modified.
(4) Location: Redirects the user to another page; for example, identity authentication will transfer the user to another page. This field is usually used in conjunction with the 302 status code.
(5) Content-Length: Length of the body part (in bytes).

Status codes consist of three digits and are mainly divided into five categories:

1xx: 100-101, indicating that the request has been received and processing will continue. Such status codes are rarely seen.
2xx: 200-206, the response returned after the client request is successfully received and processed by the server.
3xx: 300-305, redirect, usually a redirect to a secure page after successful authentication.
4xx: 400-415, client request error.
5xx: 500-505, server-side error.

There are more than 50 status codes, among which the more common ones are:

Common Status Codes

| Status | Description | Illustration |
|---|---|---|
| 200 | OK | Client request successful. |
| 302 | Found | Redirect; the address of the jump is specified by Location. |
| 304 | Not Modified | Server resource not updated. |
| 401 | Unauthorized | The request is unauthorized and requires authentication. |
| 403 | Forbidden | Server receives the request, but refuses to provide service. |
| 404 | Not Found | The requested resource does not exist, for example, the wrong URL was entered. |
| 500 | Internal Server Error | An unexpected error occurred on the server. |
| 503 | Server Unavailable | The server is currently unable to process client requests. |

Most web scanning tools basically work based on status codes. Let's learn more about status codes with the help of Burp Suite.

We first visit a normal page on the server called test1.php, which returns status code 200.

Then we visit a non-existent page, test10.php, which returns status code 404:

Next we visit a directory, admin, that does not exist on the website (note that the directory name should be followed by /), and the status code is still 404:

After we create the admin directory, the request returns status code 200. If you then execute the chmod 700 admin command to set the directory permissions to 700, accessing the directory again returns status code 403.

For example, we install DVWA on the web server, visit the login page, enter the correct user name and password, and intercept the request. After the request is sent on, the status code returned is 302, and the page to jump to is specified by the Location header.

If you visit a static page repeatedly, you will receive status code 304, which indicates that the server-side resource has not been updated.
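The responses seen in the walkthrough can also be checked programmatically. The following is an added example, not code from the original article: it parses a raw response message, reports the status class and the five headers listed above, and notes a 302 that lacks Location or a Content-Length that disagrees with the body. The function name, the note texts and the sample responses are assumptions constructed for illustration, and the whole body is assumed to have been captured.

```python
# Added example (not from the original article): parse a raw HTTP response
# and report the status class plus the five headers the article lists.
CLASSES = {1: "informational", 2: "success", 3: "redirect",
           4: "client error", 5: "server error"}
KEY_HEADERS = ("server", "set-cookie", "last-modified", "location",
               "content-length")

def parse_response(raw: bytes) -> dict:
    head, sep, body = raw.partition(b"\r\n\r\n")   # blank line ends the headers
    if not sep:
        raise ValueError("missing blank line after headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)                 # version, code, reason phrase
    if len(parts) < 2 or not parts[0].startswith("HTTP/") \
            or len(parts[1]) != 3 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    code = int(parts[1])
    headers = {}                                   # name -> list (Set-Cookie may repeat)
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    notes = []
    if code == 302 and "location" not in headers:
        notes.append("302 without a Location header")
    # 1xx, 204 and 304 responses carry no body, so skip the length check there.
    has_body = not (code < 200 or code in (204, 304))
    if has_body and "content-length" in headers:
        declared = headers["content-length"][0]
        if not declared.isdigit() or int(declared) != len(body):
            notes.append("Content-Length does not match body size")
    return {"code": code, "reason": parts[2] if len(parts) > 2 else "",
            "class": CLASSES.get(code // 100, "unknown"),
            "headers": {k: headers[k] for k in KEY_HEADERS if k in headers},
            "notes": notes}

# Constructed sample responses (not captured from a real server).
SAMPLE_302 = (b"HTTP/1.1 302 Found\r\nServer: Apache/2.4 (Unix)\r\n"
              b"Set-Cookie: PHPSESSID=abc123; path=/\r\nSet-Cookie: security=low\r\n"
              b"Location: index.php\r\nContent-Length: 0\r\n\r\n")
SAMPLE_304 = (b"HTTP/1.1 304 Not Modified\r\n"
              b"Last-Modified: Tue, 01 Apr 2025 08:00:00 GMT\r\n\r\n")
SAMPLE_BAD = b"HTTP/1.1 302 Found\r\nContent-Length: 5\r\n\r\nhi"

if __name__ == "__main__":
    for sample in (SAMPLE_302, SAMPLE_304, SAMPLE_BAD):
        print(parse_response(sample))
```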
