Security Testing - HTTP Response

HTTP Response

After receiving and interpreting a request message, a server responds with an HTTP response message consisting of:
  • A Status-Line
  • Zero or more header (General|Response|Entity) fields, each followed by CRLF
  • An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
  • Optionally a message-body
The following sections explain each of these parts of the HTTP response message.

Message Status-Line

The Status-Line consists of the protocol version followed by a numeric status code and its associated textual phrase. The elements are separated by single space (SP) characters.
Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
Let's discuss each part of the Status-Line.

HTTP Version

A server supporting HTTP version 1.1 will return the following version information:
HTTP-Version = HTTP/1.1

Status Code

The Status-Code element is a 3-digit integer. The first digit defines the class of the response; the last two digits have no categorization role. There are 5 values for the first digit:
  • 1xx: Informational. The request was received and processing is continuing.
  • 2xx: Success. The action was successfully received, understood, and accepted.
  • 3xx: Redirection. Further action must be taken in order to complete the request.
  • 4xx: Client Error. The request contains bad syntax or cannot be fulfilled.
  • 5xx: Server Error. The server failed to fulfill an apparently valid request.
HTTP status codes are extensible, and HTTP applications are not required to understand the meaning of all registered status codes; a client must, however, understand the class given by the first digit. A list of all the status codes is given in a separate chapter for your reference.

Response Header Fields

We will study General-header and Entity-header fields in a separate chapter on HTTP header fields. For now, let's look at the Response-header fields.
The response-header fields allow the server to pass additional information about the response which cannot be placed in the Status-Line. These header fields give information about the server and about further access to the resource identified by the Request-URI:
  • Accept-Ranges
  • Age
  • ETag
  • Location
  • Proxy-Authenticate
  • Retry-After
  • Server
  • Vary
  • WWW-Authenticate
You can introduce your own custom fields if you are writing your own Web client and server.

Response Message Examples

Now let's put it all together to form an HTTP response for a request to fetch the hello.htm page from the web server running on tutorialspoint.com:
HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
Content-Length: 88
Content-Type: text/html
Connection: close

Hello, World!

The following is an example of an HTTP response message showing the error condition when the web server could not find the requested page:
HTTP/1.1 404 Not Found
Date: Sun, 18 Oct 2012 10:36:20 GMT
Server: Apache/2.2.14 (Win32)
Content-Length: 230
Connection: close
Content-Type: text/html; charset=iso-8859-1

404 Not Found

Not Found

The requested URL /t.html was not found on this server.
The following is an example of an HTTP response message showing the error condition when the web server encountered a malformed HTTP version in the given HTTP request:
HTTP/1.1 400 Bad Request
Date: Sun, 18 Oct 2012 10:36:20 GMT
Server: Apache/2.2.14 (Win32)
Content-Length: 230
Content-Type: text/html; charset=iso-8859-1
Connection: close

400 Bad Request

Bad Request

Your browser sent a request that this server could not understand. The request line contained invalid characters following the protocol string.
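A small parser for the message framing described on this page, added here as an example (it is not code from the page or from Apache). It splits a raw response at the first empty line, validates the Status-Line and header syntax, classifies the status code by its first digit, and checks that Content-Length agrees with the body actually received, since a mismatch is the kind of framing defect a tester should flag. SAMPLE_200 is a constructed message modelled on the 200 OK example above.

```python
import re

# First digit of the Status-Code selects the response class.
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}
# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase
STATUS_LINE = re.compile(r"^HTTP/(\d)\.(\d) (\d{3}) ?(.*)$")

def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into Status-Line, header fields and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")   # the empty line ends the headers
    if not sep:
        raise ValueError("no empty line terminating the header fields")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError(f"malformed Status-Line: {lines[0]!r}")
    major, minor, code, reason = m.groups()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject a missing colon, an empty name, or whitespace around the field-name.
        if not colon or not name.strip() or name != name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        headers[name.lower()] = value.strip()   # field-names are case-insensitive
    return {"version": f"HTTP/{major}.{minor}", "status": int(code), "reason": reason,
            "class": STATUS_CLASSES.get(int(code) // 100, "Unknown"),
            "headers": headers, "body": body}

def content_length_matches(resp: dict) -> bool:
    """True when Content-Length, if present, equals the body length actually received."""
    declared = resp["headers"].get("content-length")
    if declared is None:
        return True
    return declared.isdigit() and int(declared) == len(resp["body"])

def is_well_formed(raw: bytes) -> bool:
    """False when the message breaks the framing rules described above."""
    try:
        parse_response(raw)
        return True
    except ValueError:
        return False

# Constructed sample modelled on the page's 200 OK example; its Content-Length is accurate.
SAMPLE_200 = (b"HTTP/1.1 200 OK\r\nDate: Mon, 27 Jul 2009 12:28:53 GMT\r\n"
              b"Server: Apache/2.2.14 (Win32)\r\nContent-Type: text/html\r\n"
              b"Content-Length: 13\r\nConnection: close\r\n\r\nHello, World!")
```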
