The Invisible Conversation
Every time you visit a website, your browser has a conversation with a server. This conversation happens in milliseconds, completely invisible to you.
Understanding this conversation is the foundation of web hacking. Every vulnerability we'll exploit in this series happens somewhere in this exchange.
Let's make the invisible visible.
What Happens When You Visit a Website?
Type https://example.com in your browser and press Enter. Here's what actually happens:
1. DNS Lookup
Your browser asks: "What's the IP address for example.com?"
DNS servers respond: "It's 93.184.216.34"
(Think of DNS as the internet's phone book — turning names into addresses.)
2. TCP Connection
Your browser connects to that IP address on port 443 (for HTTPS) or port 80 (for HTTP).
3. The HTTP Request
Your browser sends a message asking for the page. This is called an HTTP Request.
4. The HTTP Response
The server sends back the page content. This is called an HTTP Response.
5. Rendering
Your browser takes the response and turns it into the visual page you see.
Steps 3 and 4 are where hackers live. Let's dig deeper.
HTTP Requests: What Your Browser Sends
Here's what an actual HTTP request looks like:
```http
GET /search?q=hacking HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0
Accept: text/html,application/xhtml+xml
Cookie: session=abc123xyz
```
Let's break this down:
The Request Line
```http
GET /search?q=hacking HTTP/1.1
```
- GET — The HTTP method (what action to take)
- /search?q=hacking — The path and query parameters
- HTTP/1.1 — The protocol version
Common HTTP Methods
| Method | Purpose | Example |
|---|---|---|
| GET | Retrieve data | Loading a page |
| POST | Send data | Submitting a form |
| PUT | Update data | Editing a profile |
| DELETE | Remove data | Deleting a post |
| PATCH | Partial update | Changing one field |
Headers
Everything after the first line is a header — metadata about the request.
```http
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0
Accept: text/html,application/xhtml+xml
Cookie: session=abc123xyz
```
- Host — Which website you're talking to
- User-Agent — What browser/device you're using
- Accept — What content types you can handle
- Cookie — Your session data (often your identity)
HTTP Responses: What the Server Sends Back
Here's what comes back:
```http
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123xyz; HttpOnly; Secure
Content-Length: 1234

<!DOCTYPE html>
<html>
<head><title>Search Results</title></head>
<body>
<h1>Results for: hacking</h1>
...
</body>
</html>
```
The Status Line
```http
HTTP/1.1 200 OK
```
The status code tells you what happened:
| Code | Meaning | Hacker Interest |
|---|---|---|
| 200 | OK — Success | Normal response |
| 301/302 | Redirect | Where does it go? |
| 400 | Bad Request | What input broke it? |
| 401 | Unauthorized | Need credentials |
| 403 | Forbidden | Access denied (or is it?) |
| 404 | Not Found | Does the resource exist elsewhere? |
| 500 | Server Error | Might leak info in errors |
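To make the pieces described in the last two sections concrete, here is a small Python parser, added as an example and not code from the original lesson. It takes the request and response shown above (embedded as constructed sample text with the CRLF line endings they have on the wire) and pulls out the request line, query parameters, headers, cookies, status line and status class. It also reports which security attributes each Set-Cookie header carries; SameSite is a standard cookie attribute not mentioned above, included here alongside HttpOnly and Secure.

```python
"""Parse raw HTTP requests and responses into their parts.

Added example, not code from the original lesson. The sample messages are
the request and response shown above, written out with the CRLF line
endings they have on the wire.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request shown earlier in the lesson.
SAMPLE_REQUEST = (
    "GET /search?q=hacking HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Cookie: session=abc123xyz\r\n"
    "\r\n"
)

# Constructed sample: the response shown earlier in the lesson (body shortened).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123xyz; HttpOnly; Secure\r\n"
    "Content-Length: 1234\r\n"
    "\r\n"
    "<!DOCTYPE html>\n<html>...</html>\n"
)

STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirect",
                  4: "client error", 5: "server error"}

# Cookie attributes a defender expects to see on a session cookie.
EXPECTED_COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


def split_message(raw):
    """Split a raw message into (start line, headers, body).

    Header names are lower-cased because HTTP treats them case-insensitively;
    each name maps to a list, since a header such as Set-Cookie may repeat.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def parse_request(raw):
    """Break a request into method, path, query parameters, headers and cookies."""
    start, headers, body = split_message(raw)
    method, target, version = start.split(" ", 2)
    url = urlsplit(target)
    cookies = {}
    for header_value in headers.get("cookie", []):
        for pair in header_value.split(";"):
            name, sep, value = pair.strip().partition("=")
            if sep:
                cookies[name] = value
    return {"method": method, "path": url.path, "query": parse_qs(url.query),
            "version": version, "headers": headers, "cookies": cookies, "body": body}


def parse_response(raw):
    """Break a response into status code, reason, status class, headers and body."""
    start, headers, body = split_message(raw)
    parts = start.split(" ", 2)  # "HTTP/2 200" (as curl prints it) has no reason phrase
    code = int(parts[1])
    return {"version": parts[0], "status": code,
            "reason": parts[2] if len(parts) > 2 else "",
            "status_class": STATUS_CLASSES.get(code // 100, "unknown"),
            "headers": headers, "body": body}


def cookie_flag_report(headers):
    """List each Set-Cookie and the expected attributes it does not carry."""
    report = []
    for value in headers.get("set-cookie", []):
        name_value, *attributes = value.split(";")
        present = {a.strip().split("=", 1)[0].lower() for a in attributes}
        missing = [f for f in EXPECTED_COOKIE_FLAGS if f.lower() not in present]
        report.append({"name": name_value.partition("=")[0].strip(), "missing": missing})
    return report


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
    print(cookie_flag_report(parse_response(SAMPLE_RESPONSE)["headers"]))
```

Run it and compare the output with what the Network tab shows for the same request: the dev tools are doing exactly this splitting for you. The cookie report for the sample response flags only SameSite as missing, since the lesson's cookie already carries HttpOnly and Secure.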
See It Yourself: Browser Developer Tools
Let's watch this conversation happen in real-time.
Step 1: Open Developer Tools
- Chrome/Edge: Press F12 or Ctrl+Shift+I (Cmd+Option+I on Mac)
- Firefox: Press F12 or Ctrl+Shift+I
Step 2: Go to the Network Tab
Click the Network tab at the top.
Step 3: Visit a Website
Go to any website. Watch requests appear in the list.
Step 4: Click on a Request
Click any request to see:
- Headers — The request and response headers
- Response — The actual content returned
- Cookies — Cookies sent and received
- Timing — How long each step took
Hands-On: Your First HTTP Request
Let's send HTTP requests manually using curl — a command-line tool that comes with Mac and Linux.
Basic GET Request
```bash
curl -v https://example.com
```
The -v flag shows verbose output — all the headers.
You'll see something like:
```text
> GET / HTTP/2
> Host: example.com
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 200
< content-type: text/html; charset=UTF-8
< content-length: 1256
<
<!doctype html>
<html>
...
```
Lines starting with > are what you sent. Lines starting with < are what came back.
Send Custom Headers
```bash
curl -H "User-Agent: HackerBrowser/1.0" https://example.com
```
You just changed your User-Agent. Some sites show different content based on this header.
Send a POST Request
```bash
curl -X POST -d "username=admin&password=test" https://httpbin.org/post
```
This sends form data via POST. The -d flag specifies the data.
See Only Headers
```bash
curl -I https://example.com
```
The -I flag fetches only headers — useful for quick reconnaissance.
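The four curl commands above all talk to servers on the internet, so what comes back depends on the site. The following Python script, added here as an example and not part of the original lesson or of curl, reproduces the same exchanges against a tiny local server (Python's standard http.server) that echoes back whatever it received: a GET with a custom User-Agent, a form POST, and a header-only HEAD request. The server runs on 127.0.0.1 on a free port chosen at start-up (an assumption of this example), so it works offline and lets you see exactly which headers your client added without you asking.

```python
"""Reproduce the curl exercises against a local echo server, offline.

Added example, not code from the original lesson. A background thread runs a
small HTTP server that answers every request with a JSON description of what
it received, so the client side can inspect its own request the way curl -v
shows it. Host 127.0.0.1 and an ephemeral port are assumptions of this demo.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs
from urllib.request import Request, urlopen


class EchoHandler(BaseHTTPRequestHandler):
    """Answers GET, POST and HEAD with a JSON echo of the request."""

    def _reply(self, include_body=True):
        length = int(self.headers.get("Content-Length") or 0)
        raw_body = self.rfile.read(length).decode() if length else ""
        payload = json.dumps({
            "method": self.command,
            "path": self.path,
            # Lower-cased names: HTTP header names are case-insensitive.
            "headers": {k.lower(): v for k, v in self.headers.items()},
            "form": parse_qs(raw_body),  # form-encoded body, as curl -d sends it
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        # Same cookie and flags as the Set-Cookie header shown earlier in the lesson.
        self.send_header("Set-Cookie", "session=abc123xyz; HttpOnly; Secure")
        self.end_headers()
        if include_body:  # HEAD gets headers only, like curl -I
            self.wfile.write(payload)

    def do_GET(self):
        self._reply()

    def do_POST(self):
        self._reply()

    def do_HEAD(self):
        self._reply(include_body=False)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_server():
    """Start the echo server on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def send(base_url, path="/", method="GET", headers=None, data=None):
    """Rough equivalent of `curl -X METHOD -H ... -d ... URL`.

    Returns the status code, the response headers and the decoded JSON body
    (None for HEAD, which carries no body).
    """
    body = data.encode() if data is not None else None
    req = Request(base_url + path, data=body, method=method, headers=headers or {})
    if body is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req) as resp:
        text = resp.read().decode()
        return {"status": resp.status,
                "headers": dict(resp.headers),
                "body": json.loads(text) if text else None}


def demo():
    """Run the three curl exercises from the lesson against the local server."""
    server, base = start_server()
    try:
        get = send(base, "/search?q=hacking", headers={"User-Agent": "HackerBrowser/1.0"})
        post = send(base, "/post", method="POST", data="username=admin&password=test")
        head = send(base, "/", method="HEAD")
    finally:
        server.shutdown()
        server.server_close()
    return {"get": get, "post": post, "head": head}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Notice in the echoed GET that the client sent more headers than the one you set: urllib adds Host, Accept-Encoding and Connection on its own, just as curl adds Host, User-Agent and Accept in the -v output above. Those automatic headers are part of what a proxy lets you see and edit later in the series.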
Why This Matters for Hacking
Every web vulnerability involves manipulating this request-response cycle:
| Vulnerability | How It Exploits HTTP |
|---|---|
| XSS | Malicious input reflected in responses |
| SQL Injection | Malicious input in query parameters |
| IDOR | Manipulating IDs in URLs/parameters |
| Session Hijacking | Stealing/manipulating cookies |
| CSRF | Tricking users into sending requests |
| Header Injection | Inserting malicious headers |
When you understand HTTP, you understand where to look and what to manipulate.
Key Concepts to Remember
- Everything is a request-response — Browser sends request, server sends response
- Requests have methods — GET, POST, PUT, DELETE, etc.
- Headers carry metadata — Cookies, user agents, content types
- Status codes tell the story — 200 is success, 4xx is client error, 5xx is server error
- You can see everything — Browser dev tools show the full conversation
- Everything can be manipulated — With the right tools, nothing is off-limits
Challenge: Explore a Real Site
- Open Developer Tools on any website you use regularly
- Log in and watch the Network tab
- Find the login request — what method does it use?
- What cookies are set after login?
- What headers does the site send back?
Don't change anything — just observe. Understanding normal behavior is the first step to finding abnormal opportunities.
What's Next?
Now you understand the language websites speak. In Lesson 3: Setting Up Your Hacking Lab, we'll install the tools professionals use to intercept, modify, and replay these conversations.
That's when things get really interesting.