Web Application Basics

As we covered in the video, understanding how web applications function is the foundation for finding bugs. This guide provides a detailed breakdown of the key technical concepts, from the structure of a URL to the way servers and browsers communicate.

The Internet's Address Book

Before we look at a URL, it's important to understand what it actually points to. Every server connected to the internet has a unique numerical address, much like a phone number, called its IP address (for example, 192.0.0.1). Since numbers are hard for people to remember, we use memorable names called domains, such as example.com. The system that acts as the internet's phonebook, translating these human-friendly domain names into the server's actual IP address, is called DNS, the Domain Name System.

Anatomy of a URL

Now, let's look at the structure of a URL, as every part can be a potential target for a bug hunter. We'll break down a sample URL: https://admin.example.com:8080/api/users?id=123#profile

  • The Protocol, https://, tells the browser to make a secure, encrypted connection.

  • The Subdomain, admin., often points to different, sometimes more sensitive, functionality than the main site.

  • The Domain, example.com, is the main site you're targeting.

  • The Port, :8080, specifies a non-standard network port. Web traffic usually uses ports 80 and 443, so seeing others can indicate interesting services.

  • The Path, /api/users, shows the specific resource being requested.

  • The Parameters, ?id=123, contain data being sent to the server, which is a primary area for manipulation.

  • And the Fragment, #profile, is a marker for your browser and is not sent to the server.

The Lifecycle of a Web Request

When you use that URL, a rapid sequence of events happens.

  1. First, a DNS Lookup translates the domain name into an IP address.

  2. Next, your browser sends an HTTP Request to the server at that IP address, asking for the page's content.

  3. The server then processes the request and sends back an HTTP Response, which contains the raw data for the site.

  4. Finally, your browser begins Rendering and Execution. It parses the HTML to build the structure, applies the CSS to style it, and then executes the JavaScript code to add interactivity and build the final, dynamic webpage that you see.

HTTP: The Language of the Web

HTTP is the language browsers and servers use to communicate. Every HTTP Request is made up of a Method, like GET or POST; Headers, which contain metadata like cookies; and sometimes a Body with the data you're sending.
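To tie the URL anatomy to the request structure just described, the following added example (not part of the original guide) splits the sample URL into its named parts and builds the request text a browser would send for it. The function names `dissect` and `buildRequest` and the cookie value are made up for illustration, and the subdomain split assumes a two-label domain.

```javascript
// Added example: split a URL into the parts named in "Anatomy of a URL" and
// build the HTTP request text for it. Uses the standard WHATWG URL class.
function dissect(raw) {
  const u = new URL(raw);
  const labels = u.hostname.split(".");
  // Assumption: the registrable domain is the last two labels. Real tooling
  // consults the Public Suffix List (example.co.uk would break this split).
  const domain = labels.slice(-2).join(".");
  const subdomain = labels.slice(0, -2).join(".");
  // URL.port is "" when the scheme's default port is in use.
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return {
    protocol: u.protocol,
    subdomain,
    domain,
    port,
    path: u.pathname,
    params: Object.fromEntries(u.searchParams),
    fragment: u.hash,
  };
}

// Method + headers (+ optional body) make up the request. The fragment is
// never included: it stays in the browser.
function buildRequest(raw, method = "GET", extraHeaders = {}) {
  const u = new URL(raw);
  const headers = { Host: u.host, ...extraHeaders };
  const lines = [`${method} ${u.pathname}${u.search} HTTP/1.1`];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(`${name}: ${value}`);
  }
  return lines.join("\r\n") + "\r\n\r\n";
}

const sample = "https://admin.example.com:8080/api/users?id=123#profile";
console.log(dissect(sample));
// The cookie value is a constructed placeholder, not a real session ID.
console.log(buildRequest(sample, "GET", { Cookie: "session=PLACEHOLDER" }));
```

Comparing the two outputs shows that `#profile` appears in the parsed URL but nowhere in the request, while `?id=123` travels to the server in the request line.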

Common HTTP Methods:

- GET – Retrieve data (loading a page, fetching info)

- POST – Send data to the server (login forms, creating something)

- PUT/PATCH – Update existing data

- DELETE – Remove data

- OPTIONS – Check what methods are allowed (useful for recon)

In return, every HTTP Response includes a Status Code to indicate the result, along with its own headers and body.

Key Status Codes to Remember

| Code | Meaning | What to Investigate |
|------|---------|---------------------|
| 200 | Success | Did an unauthorized action succeed when it shouldn't have? |
| 401 Unauthorized | Login Required | Can you bypass this authentication? |
| 403 Forbidden | Access Denied | Is the server properly blocking access, or can you get around it? |
| 404 Not Found | Doesn't Exist | Are there valid paths on other endpoints within the server? |
| 500 Server Error | Problem on Server | Do the errors expose stack traces or other internal details? |

Authentication

Because HTTP is stateless and each request is independent, applications need a way to identify you. In traditional web applications, this is often done with Cookies containing a unique session ID. After you log in, the server gives your browser this cookie, and your browser sends it back with every future request. Modern applications and APIs often use an Authorization Header instead, where a long, encoded string called a JWT (JSON Web Token) is sent with every request to prove who you are.

Frontend vs Backend

It's important to understand that web applications are split into two main parts. The Frontend is what happens in your browser, built with HTML, CSS, and JavaScript. The Backend is the hidden logic that runs on the company's server, processing requests and enforcing the actual rules.
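What "enforcing the actual rules" looks like on the backend, as an added example that is not part of the original guide: a handler that identifies the caller from the session cookie and returns the status codes from the table above. The handler, the `/api/users` rules, the session IDs and the user records are all hypothetical and constructed for illustration.

```javascript
// Constructed sample data: session IDs and users are invented for this example.
const SESSIONS = new Map([
  ["s-alice", { userId: 101, role: "user" }],
  ["s-root", { userId: 1, role: "admin" }],
]);
const USERS = new Map([
  [101, { id: 101, name: "alice" }],
  [102, { id: 102, name: "bob" }],
]);

const respond = (status, body) => ({ status, body });

// Parse a Cookie header ("a=1; b=2") into a prototype-free lookup object.
function parseCookies(header = "") {
  const jar = Object.create(null);
  for (const pair of header.split(";")) {
    const i = pair.indexOf("=");
    if (i > 0) jar[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return jar;
}

// Hypothetical handler for GET /api/users?id=N. Every rule is checked here,
// on the server, no matter what the frontend shows or hides.
function handle(req) {
  try {
    const url = new URL(req.target, "https://app.example.com");
    if (url.pathname !== "/api/users") return respond(404, { error: "not found" });

    // 401: no valid session cookie, so we do not know who is asking.
    const session = SESSIONS.get(parseCookies(req.headers.cookie).session);
    if (!session) return respond(401, { error: "login required" });

    // 403: known caller, but not allowed to read this record. Checked before
    // the lookup so a non-owner cannot learn which ids exist.
    const id = Number(url.searchParams.get("id"));
    if (session.role !== "admin" && session.userId !== id) {
      return respond(403, { error: "access denied" });
    }

    const user = USERS.get(id);
    if (!user) return respond(404, { error: "not found" });
    return respond(200, user);
  } catch (err) {
    // 500: keep details (err.stack) in server logs, never in the response.
    return respond(500, { error: "internal error" });
  }
}
```

Changing `id` in the request only changes the answer if the server-side check allows it; a request with a missing `headers` object exercises the 500 branch and still returns a generic body.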

Pro tip: Before we get to professional proxies, you can already inspect HTTP traffic in your browser. Right-click any page, select "Inspect," and open the Network tab to see every request your browser makes.

APIs and Other Services

Most modern apps are powered by APIs, which are endpoints that return raw data like JSON instead of a full webpage. They are the backbone of communication between the frontend and backend, or between a mobile app and a server. Additionally, while most web traffic uses ports 80 and 443, companies often run other services, including other HTTP services on unusual ports like 8080, as well as non-web services like MongoDB databases (port 27017).

In the next chapter, we'll take this knowledge and explore "The Vulnerabilities That Matter," so you can learn how to spot the common mistakes that lead to bug bounty payouts.

Fun Quiz

In the URL https://app.example.com:8443/dashboard?user=101, which part would a bug hunter focus on first for manipulation?

You send a request and receive a 403 Forbidden status code. What does this mean?

What system translates a domain name like example.com into an IP address?
