HTTP traffic is also used for attacking legitimate webpages. This functionality is built into intrusion detection and prevention systems, but analysis of malicious content in Wireshark can be useful for extracting signatures or indicators of compromise (IoCs) for identifying and preventing future attacks. Since HTTP is designed as a plaintext protocol, it is straightforward to scan web pages for malicious content before they reach the user if they are using HTTP or the organization uses a web proxy or other solution for HTTPS decryption. This includes phishing pages, websites containing drive-by downloads and so on. Since HTTP is the backbone of the web, any type of malicious website uses HTTP for delivery. As a result, it can be abused in a variety of different ways by a hacker.
Since HTTP is used for requesting and serving webpages, it is the most common type of traffic present on most networks and is not blocked at the network perimeter. The actual data being carried by the HTTP protocol (the requested web page) is encapsulated within the data section of the HTTP packet. It is very similar to that of an HTTP request, except that it substitutes an HTTP response message for the URL and uses a different collection of headers. The image above shows the structure of an HTTP response in Wireshark. These headers are under the control of the user and are intended for use by the server, so they can be modified by an attacker who controls both ends of the connection, making them ideal for passing data during an attack. This includes the requested URL and a variety of different HTTP headers, including the host, user-agent and several others. The image above shows the structure of an HTTP request in Wireshark. Wireshark reassembles all of the actual data packets containing a particular webpage and displays it within the packet labeled as the HTTP response.
However, since HTTP runs over TCP and http only shows packets using the HTTP protocol, this can miss many of the packets associated with the session because they are TCP packets (SYN, ACK and so on).
HTTP traffic shows up as a light green in Wireshark and can be filtered using http.
0 kommentar(er)
