Security Testing - HTTP Request

HTTP Request

An HTTP client sends an HTTP request to a server in the form of a request message which includes following format:
  • A Request-line
  • Zero or more header (General|Request|Entity) fields followed by CRLF
  • An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
  • Optionally a message-body
    • Following section will explain each of the entities used in HTTP message.

    Message Request-Line

    The Request-Line begins with a method token, followed by the Request-URI and the protocol version, and ending with CRLF. The elements are separated by space SP characters.
    Request-Line   = Method SP Request-URI SP HTTP-Version CRLF
    Let's discuss each of the part mentioned in Request-Line.

    Request Method

    The request Method indicates the method to be performed on the resource identified by the given Request-URI. The method is case-sensitive ans should always be mentioned uppercase. Following are supported methods in HTTP/1.1
    S.N.Method and Description
    1GET
    The GET method is used to retrieve information from the given server using a given URI. Requests using GET should only retrieve data and should have no other effect on the data.
    2HEAD
    Same as GET, but only transfer the status line and header section.
    3POST
    A POST request is used to send data to the server, for example customer information, file upload etc using HTML forms.
    4PUT
    Replace all current representations of the target resource with the uploaded content.
    5DELETE
    Remove all current representations of the target resource given by URI.
    6CONNECT
    Establish a tunnel to the server identified by a given URI.
    7OPTIONS
    Describe the communication options for the target resource.
    8TRACE
    Perform a message loop-back test along the path to the target resource.

    Request-URI

    The Request-URI is a Uniform Resource Identifier and identifies the resource upon which to apply the request. Following are the most commonly used forms to specify an URI:
    Request-URI = "*" | absoluteURI | abs_path | authority
    S.N.Method and Description
    1The asterisk * is used when HTTP request does not apply to a particular resource, but to the server itself, and is only allowed when the method used does not necessarily apply to a resource. For example:
    OPTIONS * HTTP/1.1
    2The absoluteURI is used when HTTP request is being made to a proxy. The proxy is requested to forward the request or service it from a valid cache, and return the response. For example:
    GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1
    3The most common form of Request-URI is that used to identify a resource on an origin server or gateway. For example, a client wishing to retrieve the resource above directly from the origin server would create a TCP connection to port 80 of the host "www.w3.org" and send the lines:
    GET /pub/WWW/TheProject.html HTTP/1.1
    Host: www.w3.org
    Note that the absolute path cannot be empty; if none is present in the original URI, it MUST be given as "/" (the server root)

    Request Header Fields

    We will study General-header and Entity-header in a separate chapter when we will learn HTTP header fields. For now let's check what are Request header fields.
    The request-header fields allow the client to pass additional information about the request, and about the client itself, to the server. These fields act as request modifiers and there are following important Request-header fields available which can be used based on requirement.
    • Accept-Charset
    • Accept-Encoding
    • Accept-Language
    • Authorization
    • Expect
    • From
    • Host
    • If-Match
    • If-Modified-Since
    • If-None-Match
    • If-Range
    • If-Unmodified-Since
    • Max-Forwards
    • Proxy-Authorization
    • Range
    • Referer
    • TE
    • User-Agent
    You can introduce your custom fields in case you are going to write your own custom Client and Web Server.

    Request Message Examples

    Now let's put it all together to form an HTTP request to fetch hello.htmpage from the web server running on tutorialspoint.com
    GET /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
    Here we are not sending any request data to the server because we are fetching a plan HTML page from the server. Connection is a general-header used here and rest of the headers are request headers. Following is one more example where we send form data to the server using request message body:
    POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: application/x-www-form-urlencoded
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

licenseID=string&content=string&/paramsXML=string
    Here given URL /cgi-bin/process.cgi will be used to process the passed data and accordingly a response will be retuned. Here content-typetells the server that passed data is simple web form data and length will be actual length of the data put in the message body. Following example shows how you can pass plan XML to your web server:
    POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: text/xml; charset=utf-8
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


string
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)