To identify an anomaly, we should first understand how the technology works. Applications use specific protocols to communicate with each other. In this case, web applications communicate using the Hypertext Transfer Protocol (HTTP). Let's take a look at how the HTTP protocol works.

First of all, it's important to know that the HTTP protocol sits at layer 7 of the OSI model. This means that lower-layer protocols such as Ethernet, IP, TCP, and SSL/TLS are already in use before the HTTP protocol comes into play.

HTTP communication takes place between a server and a client. First, the client requests a specific resource from the server. The server receives the HTTP request, passes it through certain controls and processes, and sends an HTTP response back to the client. The client's device receives the response and displays the requested resource in an appropriate format.

Let's take a closer look at HTTP requests and HTTP responses.

HTTP Requests

An HTTP request is used to retrieve a specific resource from a web server. This resource can be an HTML file, a video, JSON data, etc. The client's job is to process the response it receives and present it to the user.

All requests must conform to the standard HTTP format so that web servers can understand them. If a request is sent in a different format, the web server will not recognize it and will return an error to the user, or the web server may fail to provide service at all (a denial of service, which is another type of attack).

An HTTP request consists of a request line, request headers, and a request message body. The request line consists of the HTTP method and the resource requested from the web server. The request headers carry the metadata that the server will process. The request message body contains the data to be sent to the server.

The image above shows an example of an HTTP request. Let's examine this HTTP request line by line.

  1. The GET method indicates that the resource "/" is being requested from the server. Because no file name follows it, "/" on its own means that the main page of the web server is being requested.
  2. Nowadays a single web server often hosts web applications belonging to more than one domain, so browsers use the "Host" header to identify which domain the requested resource belongs to.
  3. When a web application wants to store information on the client's device, the client sends that information back on later requests in the "Cookie" header. Cookies are typically used to store session information. This saves you from having to re-enter your username and password every time you visit a web application that requires you to log in.
  4. The "Upgrade-Insecure-Requests" header indicates that the client wants to communicate using encryption (SSL/TLS).
  5. The "User-Agent" header contains information about the client's browser and operating system. Web servers use this information to tailor the HTTP response they send to the client. Some automated vulnerability scanners identify themselves in this header, so it is a useful place to look when hunting for scanning activity.
  6. The type of data the client wants to receive is in the "Accept" header.
  7. The types of encoding accepted by the client are found in the "Accept-Encoding" header. You will usually find the names of compression algorithms here.
  8. The "Accept-Language" header contains the client's language information. The web server uses this information to serve the prepared content in the client's language.
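As an added example (not part of the original article), the parser below splits a raw request into the three parts described above, rejects a request that does not conform to the standard format, and runs two defender-side checks on the Host and User-Agent headers. The sample requests, the domain example.com and the "ExampleScanner" User-Agent token are all constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

# Request line: METHOD SP request-target SP HTTP/version (anything else is malformed)
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")

@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""

def parse_request(raw: str) -> HttpRequest:
    """Split a raw request into request line, headers and body (CRLF delimited)."""
    head, _, body = raw.partition("\r\n\r\n")  # the blank line ends the headers
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(m.group(1), m.group(2), m.group(3), headers, body)

def find_anomalies(req: HttpRequest) -> list:
    """Defender-side checks on the headers walked through in the list above."""
    findings = []
    if req.version == "1.1" and "host" not in req.headers:
        findings.append("HTTP/1.1 request without a Host header")
    ua = req.headers.get("user-agent", "")
    # "examplescanner" is a constructed token; real scanners use their own product names.
    if not ua or "examplescanner" in ua.lower():
        findings.append(f"suspicious User-Agent: {ua!r}")
    return findings

# Constructed sample mirroring the headers discussed above.
NORMAL_REQUEST = (
    "GET / HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc123\r\n"
    "Upgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\nAccept-Encoding: gzip, deflate\r\n"
    "Accept-Language: en-US\r\n\r\n"
)
# Constructed sample of a request worth a second look: no Host, scanner-style User-Agent.
SCAN_REQUEST = "GET /admin HTTP/1.1\r\nUser-Agent: ExampleScanner/1.0\r\n\r\n"
```

Running the two checks over real access logs or a captured request stream gives a first, cheap signal of the kind of anomaly the rest of this section is about.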