➕ HTTP Requests ➕

Father
When we visit websites every day we make a lot of requests, for example to fetch stylesheets, JavaScript files, images, icons and much more.

Today we are inspecting an HTTP request. In our example we are using Instagram for the tutorial.

If you want to log in to Instagram you need to enter an email address, username or phone number, and finally a password.

To fetch web pages we use the GET method. For logins we use the POST method. Some websites additionally encrypt the username or password in the browser (in JavaScript) before posting it, as an extra layer on top of the TLS connection, but this is maybe one case in a hundred.

HTTP request methods

GET - The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.

HEAD - The HEAD method asks for a response identical to that of a GET request, but without the response body.

POST - The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server.

PUT - The PUT method replaces all current representations of the target resource with the request payload.

DELETE - The DELETE method deletes the specified resource.

CONNECT - The CONNECT method establishes a tunnel to the server identified by the target resource.

OPTIONS - The OPTIONS method is used to describe the communication options for the target resource.

TRACE - The TRACE method performs a message loop-back test along the path to the target resource.

PATCH - The PATCH method is used to apply partial modifications to a resource.

HTTP Headers

If you log in to Instagram you will see two sets of headers in the browser's developer tools: the request headers and the response headers.

The response headers answer you with cookies (Set-Cookie), Content-Length and much more information; that isn't interesting for us, we want to focus on the request headers.

The Instagram POST request headers will look like this:

Let me explain every item:

Host - This is the host name without any file path, such as www.instagram.com (plus the port if it is not the default one).

User-Agent - The User-Agent gives information about your browser, your OS and, on phones, which phone model you are using. (The coolest fact is that User-Agents can be spoofed, so a server should never trust them.)

Accept - Accept tells the server which MIME types the client will accept in the response; for AJAX requests it's usually */*.

Accept-Language - Advertises which languages the client (you) is able to understand. Usually it's something like en-US,en;q=0.5.

Accept-Encoding - Tells the server which content encodings the client can decompress in the response; usually it's gzip, deflate and br. (Some people use the same algorithms in PHP, gzdeflate() plus base64, to obfuscate their PHP code so that skids can't change it.)

X-CSRFToken - A CSRF token is a secret value the site hands to your browser (on Instagram in the csrftoken cookie) and expects back in this header on every POST. A page on another site cannot read that cookie, so it cannot forge the header; that is what stops cross-site request forgery. It does not by itself stop bots or brute force, it only forces you to send a token that matches your cookie. (CSRF tokens are usually found in the page source as hidden input fields, in a cookie, or in a JavaScript variable; if not, the website may use GUIDs.)

X-Instagram-AJAX - An Instagram-specific header (AJAX is the technique of sending requests from JavaScript without reloading the page). Its value is specific to the site; take it from the request you captured.

X-IG-App-ID - This is also a header defined by Instagram itself; in OpenBullet you can use the value that was sent in your POST request.

X-IG-WWW-Claim - I actually don't know what this is, but the "IG" means it's also from Instagram.

Content-Type - Content-Type states the media type of the request body. There are different content types such as multipart/form-data, application/json and application/x-www-form-urlencoded (usually it's JSON or urlencoded).

X-Requested-With - Is used to identify AJAX requests. The usual value is XMLHttpRequest.

Content-Length - The Content-Length is the length in bytes of the request body; for example the raw POST data login=test%40gmail.com&pass=3i23kl has the Content-Length 34. If you edit the body you must update this header to match (curl and most HTTP libraries compute it for you).

Origin - Origin tells the server which site (scheme, host and port) the request was issued from; browsers add it to POST and cross-origin fetch/XHR requests, and servers use it, together with the CSRF token, to reject requests coming from foreign sites.

DNT - Do Not Track. The value 1 means do not track, 0 means tracking is allowed, and a missing header means no preference.

Connection - Controls whether the TCP connection stays open after the request. Usually it's keep-alive.

Referer - Referer is the URL of the page you came from, for example https://www.instagram.com/. Websites use it for analytics and sometimes as an extra check against cross-site requests.

Cookie - Cookie carries the cookies that the website has set earlier. For example on Instagram: csrftoken, mid, ig_cb, ig_did.

TE - Not the same thing as Transfer-Encoding: TE tells the server which transfer encodings the client is willing to accept in the response (compress, deflate, gzip) and, with the value trailers, that it accepts trailer fields after a chunked body. Firefox sends TE: trailers.
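To make the header list above concrete, here is an added example (not code from the original post) that builds a raw HTTP/1.1 request with the header set described above, computes Content-Length from the urlencoded body (the post's login=test%40gmail.com&pass=3i23kl example), parses the bytes back, and applies the server-side check behind X-CSRFToken: the header must equal the csrftoken cookie. The path /login and all header values are constructed placeholders, not a real Instagram capture.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Constructed header set modelled on the post's list. Values are placeholders.
SAMPLE_HEADERS = {
    "Host": "www.instagram.com",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
    "X-CSRFToken": "abc123",
    "X-Requested-With": "XMLHttpRequest",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://www.instagram.com",
    "Referer": "https://www.instagram.com/",
    "Cookie": "csrftoken=abc123; mid=placeholder",
    "Connection": "keep-alive",
}


def build_request(method, path, headers, form=None):
    """Serialise an HTTP/1.1 request to bytes.

    Content-Length is always recomputed from the encoded body, so editing the
    form data can never leave a stale length behind (a GET has no body and
    therefore no Content-Length).
    """
    body = urlencode(form).encode("ascii") if form is not None else b""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers.items():
        if name.lower() == "content-length":
            continue  # caller-supplied value is ignored; see below
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    head = "\r\n".join(lines) + "\r\n\r\n"
    return head.encode("latin-1") + body


def parse_request(raw):
    """Parse raw request bytes into (method, path, headers, body).

    Header names are lower-cased because HTTP header names are
    case-insensitive. Only Content-Length bytes of the body are kept.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    return method, path, headers, body[:declared]


def csrf_double_submit_ok(headers):
    """Double-submit cookie check (the pattern behind Instagram's csrftoken):
    the X-CSRFToken header must be present and equal the csrftoken cookie."""
    cookies = SimpleCookie(headers.get("cookie", ""))
    cookie_token = cookies["csrftoken"].value if "csrftoken" in cookies else None
    header_token = headers.get("x-csrftoken")
    return cookie_token is not None and cookie_token == header_token


if __name__ == "__main__":
    raw = build_request("POST", "/login", SAMPLE_HEADERS,
                        {"login": "test@gmail.com", "pass": "3i23kl"})
    print(raw.decode("latin-1"))
    method, path, hdrs, body = parse_request(raw)
    print(method, path, hdrs["content-length"], csrf_double_submit_ok(hdrs))
```

Run it and you get the same 34-byte body the post mentions, with the Content-Length header derived from it rather than typed by hand; change the X-CSRFToken value so it no longer matches the cookie and csrf_double_submit_ok() returns False, which is exactly the request a real server would reject with 403.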

Requests with cURL

As you know, cURL is a simple command-line tool for making requests; it's pre-installed on most Linux distributions and on recent versions of Windows. In the browser's developer tools (Network tab) you can right-click on a request > Copy > Copy as cURL:


It can happen that the curl command is very long, because the more request headers there are, the more parameters the command has. If you paste the command into a terminal or an editor you can edit single header values and the raw POST data as well.

Example:


Well, you can learn Bash or Python to make an account checker, but most people copy the headers as cURL and convert them to Python code ( https://curl.trillworks.com/ ).

As you can see there is also a "Request" tab where you can see the request values (username, enc_password, queryParams, optIntoOneTap).

Instagram is a good example of encrypting passwords, because they encrypt the password in the browser on each POST request (that is the enc_password value above).
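The converted Python that a tool like curl.trillworks.com produces is essentially a headers dict plus a POST body, so here is an added example (not from the original post and not Instagram's code) of that shape sent against a hypothetical local login endpoint, so it runs offline. The server side shows why the copied headers matter: it uses the Origin header and the csrftoken cookie / X-CSRFToken pair described above and answers 403 when either is wrong. The origin http://login.example, the /login path and all header values are constructed placeholders.

```python
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Hypothetical site origin the server trusts; stands in for the real site.
ALLOWED_ORIGIN = "http://login.example"


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a login endpoint. It checks two things a browser
    cannot be tricked into sending for a foreign page: the Origin header and
    an X-CSRFToken header equal to the csrftoken cookie."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)  # urlencoded form, e.g. login=...&pass=...
        origin = self.headers.get("Origin")
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        cookie_token = cookies["csrftoken"].value if "csrftoken" in cookies else None
        header_token = self.headers.get("X-CSRFToken")  # lookup is case-insensitive
        if origin != ALLOWED_ORIGIN:
            return self._reply(403, b"bad origin")
        if cookie_token is None or cookie_token != header_token:
            return self._reply(403, b"csrf token mismatch")
        return self._reply(200, b"ok " + body)

    def _reply(self, status, payload):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_login(url, headers, form):
    """What a converted curl command boils down to: send the copied header set
    and the urlencoded body. Returns (status code, response body)."""
    data = urlencode(form).encode("ascii")  # urllib sets Content-Length itself
    req = Request(url, data=data, headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read()
    except HTTPError as err:  # urllib raises on 4xx/5xx; we want the code
        return err.code, err.read()


def demo():
    """Send the full header set, then the same request with the CSRF header
    dropped and with a foreign Origin; returns the three status codes."""
    server = start_server()
    url = f"http://127.0.0.1:{server.server_port}/login"
    headers = {  # constructed, modelled on the post's header list
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": ALLOWED_ORIGIN,
        "Cookie": "csrftoken=abc123; mid=placeholder",
        "X-CSRFToken": "abc123",
    }
    form = {"login": "test@gmail.com", "pass": "3i23kl"}
    results = {"full": post_login(url, headers, form)[0]}
    no_token = {k: v for k, v in headers.items() if k != "X-CSRFToken"}
    results["no_csrf_header"] = post_login(url, no_token, form)[0]
    foreign = dict(headers, Origin="http://evil.example")
    results["foreign_origin"] = post_login(url, foreign, form)[0]
    server.shutdown()
    return results


if __name__ == "__main__":
    print(demo())
```

The first request gets 200, the other two get 403. That is the practical reason people copy the whole header block instead of just the body: strip the X-CSRFToken header (or send it with a cookie that does not match) and the login endpoint refuses before it ever looks at the credentials.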

I realize that this post is very long; maybe I will do a second part with OpenBullet, I am not sure about that.

List Of HTTP Headers:
 