Deloitte Interview Preparation

General Headers

  • Connection: keep-alive
  • Content-Encoding: gzip
  • Content-Length
  • Content-Type
  • Transfer-Encoding

Request Headers

  • Accept: image types
  • Accept-Encoding
  • Authorization
  • Cookie
  • Host
  • If-Modified-Since
  • If-None-Match
  • Origin
  • Referer
  • User-Agent

Response Headers

  • Access-Control-Allow-Origin
  • Cache-Control: no-cache
  • ETag
  • Expires
  • Location
  • Pragma: no-cache
  • Server
  • Set-Cookie
  • WWW-Authenticate
  • X-Frame-Options

Cookies

A server issues a cookie using the Set-Cookie response header:
Set-Cookie: tracking=xxxxxx

The user's browser will add this to subsequent requests:
Cookie: tracking=xxxxxx

  • expires
  • domain
  • secure
  • path
  • HttpOnly
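
How the domain, path, secure and HttpOnly attributes listed above decide whether the browser attaches a cookie to a later request, as an added example that is not part of the original notes. The function names, the sample attributes and the URLs are constructed for illustration, and the cookie is assumed to be unexpired and accepted by the browser.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header_value):
    """Return (name, value, attrs) from one Set-Cookie header value."""
    pair, *rest = header_value.split(";")
    name, _, value = pair.strip().partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        if key:
            attrs[key.lower()] = val   # attribute names are case-insensitive
    return name, value, attrs

def browser_would_send(header_value, set_by_url, request_url):
    """Apply the domain, path and secure attributes the way a browser does."""
    _, _, attrs = parse_set_cookie(header_value)
    origin, req = urlsplit(set_by_url), urlsplit(request_url)
    host = req.hostname or ""
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:   # Domain set: the named host and all of its subdomains
        domain_ok = host == domain or host.endswith("." + domain)
    else:        # no Domain: only the exact host that issued the cookie
        domain_ok = host == origin.hostname
    # Default path is the directory of the URL that set the cookie.
    default_path = origin.path[:origin.path.rfind("/")] or "/"
    cpath = attrs.get("path") or default_path
    rpath = req.path or "/"
    # Prefix match on whole path segments: /secure covers /secure/x, not /securefoo
    path_ok = rpath == cpath or (rpath.startswith(cpath) and
              (cpath.endswith("/") or rpath[len(cpath):len(cpath) + 1] == "/"))
    secure_ok = "secure" not in attrs or req.scheme == "https"
    return domain_ok and path_ok and secure_ok

def readable_by_script(header_value):
    """HttpOnly keeps the cookie out of document.cookie."""
    return "httponly" not in parse_set_cookie(header_value)[2]

# Constructed sample: cookie name and value from the notes, attributes added here.
SAMPLE = "token=secret; Domain=wahh-app.com; Path=/secure; Secure; HttpOnly"
SET_BY = "https://wahh-app.com/secure/login.php"

if __name__ == "__main__":
    for url in ("https://wahh-app.com/secure/home.php",
                "http://wahh-app.com/secure/home.php",
                "https://wahh-app.com/securefoo",
                "https://www.wahh-app.com/secure/",
                "https://other.example/secure/"):
        print(url, browser_would_send(SAMPLE, SET_BY, url))
    print("script-readable:", readable_by_script(SAMPLE))
```

A cookie set without a Domain attribute, such as the `tracking=xxxxxx` example, goes back only to the exact host that issued it, and without HttpOnly it stays readable from page script.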

Status Code

  • 1xx - Informational
  • 2xx - The request is successful
  • 3xx - The client is redirected to a different resource
  • 4xx - The request contains an error of some kind
  • 5xx - The server encounters an error fulfilling the request

HTTP Authentication

  • Basic
  • NTLM - a challenge-response mechanism that uses a version of the Windows NTLM protocol
  • Digest - a challenge-response mechanism that uses MD5 checksums of a nonce with the user's credentials

Form

POST /secure/login.php?app=quotations HTTP/1.1  
Host: wahh-app.com  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 39  
Cookie: token=secret

username=nino&password=password&redir=/secure/home.php&submit=login

x-www-form-urlencoded - The parameters are represented in the message body as name/value pairs, in the same way as they are in the URL query string (as with GET parameters).

POST /secure/login.php?app=quotations HTTP/1.1  
Host: wahh-app.com  
Content-Type: multipart/form-data; boundary=----------xxxxx  
Content-Length: 369  
Cookie: token=secret

------xxxxx
Content-Disposition: form-data; name="username"

nino  
------xxxxx
Content-Disposition: form-data; name="password"

password  
------xxxxx
Content-Disposition: form-data; name="redir"

/secure/home.php
------xxxxx
Content-Disposition: form-data; name="submit"

login

------xxxxx

multipart/form-data

Same-origin Policy

Content received from one website is allowed to read and modify other content received from the same site but is not allowed to access content received from other sites.

URL Encoding

  • %3d - =
  • %25 - %
  • %20 - Space
  • %0a - New line
  • %00 - Null byte
  • + - Space (same as %20)

Unicode Encoding

%u2215 - /

HTML Encoding

  • Normal HTML encoding: &amp; - &
  • Using ASCII code: &#34; - "
  • Using ASCII code in hex form: &#x22; - "

Hex Encoding

Discovering Hidden Parameters

Include debug=false in the request

HTTP Headers

  • User-Agent
  • Referer
  • X-Forwarded-For

Session Tokens

  • JSESSIONID - The Java Platform
  • ASPSESSIONID - Microsoft IIS Server
  • ASP.NET_SessionId - Microsoft ASP.NET
  • CFID/CFTOKEN - Cold Fusion
  • PHPSESSID - PHP

Fingerprinting