Security Testing - HTTP Methods


Advertisements

HTTP Methods

The set of common methods for HTTP/1.1 is defined below and this set can be expanded based on requirement. These method names are case sensitive and they must be used in uppercase.

S.No. Method and Description
1

GET

It is used to retrieve information from the given server using a given URI. Requests using GET should only retrieve data and should have no other effect on the data.

2

HEAD

It is same as GET, but only transfers the status line and header section.

3

POST

It is used to send data to the server. For example, customer information, file uploading etc. using HTML forms.

4

PUT

It replaces all current representations of the target resource with the uploaded content.

5

DELETE

It removes all current representations of the target resource given by URI.

6

CONNECT

It establishes a tunnel to the server identified by a given URI.

7

OPTIONS

It describes the communication options for the target resource.

8

TRACE

It performs a message loop-back test along the path to the target resource.

GET Method

It retrieves data from a web server by specifying parameters in the URL portion of the request. This is the main method used for document retrieval. The following example makes use of GET method to fetch hello.htm

GET /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

The following server response is issued against the above GET request −

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed

<html>
   <body>
      <h1>Hello, World!</h1>
   </body>
</html>

HEAD Method

It is functionally similar to GET, except that the server replies with a response line and headers, but no entity-body. The following example makes use of HEAD method to fetch header information about hello.htm

 
HEAD /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

The following server response is issued against the above GET request −

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed

You can notice that the server does not send any data after header.

POST Method

It is used when you want to send some data to the server. For example, file update, form data etc. The following simple example makes use of POST method to send a form data to the server which is processed by a process.cgi and finally a response is returned −

POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: text/xml; charset = utf-8
Content-Length: 88
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

<?xml version = "1.0" encoding = "utf-8"?>
<string xmlns = "http://clearforest.com/">string</string>

Server side script process.cgi processes the passed data and sends the following response −

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed

<html>
   <body>
      <h1>Request Processed Successfully</h1>
   </body>
</html>

PUT Method

The PUT method is used to request the server to store the included entity-body at a location specified by the given URL. The following example requests server to save the given entity-boy in hello.htm at the root of the server −

PUT /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Connection: Keep-Alive
Content-type: text/html
Content-Length: 182

<html>
   <body>
      <h1>Hello, World!</h1>
   </body>
</html>

The server stores the given entity-body in hello.htm file and sends the following response back to the client −

HTTP/1.1 201 Created
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Content-type: text/html
Content-length: 30
Connection: Closed

<html>
   <body>
      <h1>The file was created.</h1>
   </body>
</html>

DELETE Method

The DELETE method is used to request the server to delete file at a location specified by the given URL. The following example requests server to delete the given file hello.htm at the root of the server −

DELETE /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Connection: Keep-Alive

The server deletes the mentioned file hello.htm and sends the following response back to the client −

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Content-type: text/html
Content-length: 30
Connection: Closed

<html>
   <body>
      <h1>URL deleted.</h1>
   </body>
</html>

CONNECT Method

It is used by the client to establish a network connection to a web server over HTTP. The following example requests a connection with a web server running on host tutorialspoint.com −

CONNECT www.tutorialspoint.com HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

The connection is established with the server and the following response is sent back to the client −

HTTP/1.1 200 Connection established
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)

OPTIONS Method

It is used by the client to find out what are the HTTP methods and other options supported by a web server. The client can specify a URL for the OPTIONS method, or an asterisk (*) to refer to the entire server. The following example requests a list of methods supported by a web server running on tutorialspoint.com −

OPTIONS * HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

The server sends information based on the current configuration of the server, for example −

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Type: httpd/unix-directory

TRACE Method

It is used to echo the contents of an HTTP Request back to the requester which can be used for debugging purpose at the time of development. The following example shows the usage of TRACE method −

TRACE / HTTP/1.1
Host: www.tutorialspoint.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

The server will send the following message in response of the above request −

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Connection: close
Content-Type: message/http
Content-Length: 39

TRACE / HTTP/1.1
Host: www.tutorialspoint.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
http_protocol_basics.htm
Advertisements