Security Testing - HTTP Request
HTTP Requests
An HTTP client sends an HTTP request to a server in the form of a request message, which has the following format −
- A Request-Line
- Zero or more header (General|Request|Entity) fields, each followed by CRLF
- An empty line (a line with nothing preceding the CRLF) indicating the end of the header fields
- Optionally a message-body
The following sections explain each of these parts of an HTTP request message.
Message Request-Line
The Request-Line begins with a method token, followed by the Request-URI and the protocol version, and ends with CRLF. The three elements are separated by single SP (space) characters.
Request-Line = Method SP Request-URI SP HTTP-Version CRLF
Let us discuss each of the parts mentioned in Request-Line.
Request Methods
The request Method indicates the operation to be performed on the resource identified by the Request-URI. The method token is case-sensitive, and the standard methods are always written in uppercase. HTTP/1.1 defines the following methods −
S.No. | Method | Description
---|---|---
1 | GET | Retrieves the representation of the resource identified by the Request-URI. A GET request should only retrieve data and should have no other effect on it.
2 | HEAD | Same as GET, but the server returns only the status line and header section, not the message body.
3 | POST | Sends data to the server for processing, for example customer information or a file upload submitted through an HTML form.
4 | PUT | Replaces all current representations of the target resource with the uploaded content.
5 | DELETE | Removes all current representations of the target resource identified by the URI.
6 | CONNECT | Establishes a tunnel to the server identified by the given URI (used when talking to a proxy, typically for HTTPS).
7 | OPTIONS | Describes the communication options (for example the supported methods) for the target resource.
8 | TRACE | Performs a message loop-back test along the path to the target resource: the server echoes the request it received back in the response body. Because that echo includes request headers such as Cookie and Authorization, TRACE is normally disabled on production servers.
When testing a server, check which of these methods it actually accepts (send an OPTIONS request, or simply try each method). PUT and DELETE enabled without access control let an attacker upload or remove content, and TRACE exposes headers that the browser would otherwise keep from scripts.
Request-URI
The Request-URI is a Uniform Resource Identifier that identifies the resource upon which the request is to be applied. It can take one of the following four forms −
Request-URI = "*" | absoluteURI | abs_path | authority
S.No. | Form | Description
---|---|---
1 | "*" | The asterisk is used when the request does not apply to a particular resource but to the server itself. It is only allowed when the method does not necessarily apply to a resource. For example, OPTIONS * HTTP/1.1
2 | absoluteURI | Used when the request is made to a proxy. The proxy is requested to forward the request, or to service it from a valid cache, and return the response. For example, GET https://www.w3.org/pub/WWW/TheProject.html HTTP/1.1
3 | abs_path | The most common form, used to identify a resource on an origin server or gateway. The host part of the URI travels in the Host header (host name and optional port only, no scheme or path), not in the Request-URI. For example, a client wishing to retrieve the resource above directly from the origin server would connect to the host www.w3.org (port 80 for http, port 443 with TLS for https) and send the request line GET /pub/WWW/TheProject.html HTTP/1.1 followed by the header line Host: www.w3.org. Note − The absolute path cannot be empty. If none is present in the original URI, it must be given as "/" (the server root).
4 | authority | Only the host name and optional port, with no scheme or path. This form is used only with the CONNECT method. For example, CONNECT www.w3.org:443 HTTP/1.1
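As an added example (this is not code from the original tutorial), the following Python parses a Request-Line according to the grammar Method SP Request-URI SP HTTP-Version CRLF and classifies which of the four Request-URI forms is in use, rejecting combinations the specification does not allow (an asterisk with anything but OPTIONS, the authority form with anything but CONNECT). The sample request lines and the set of methods treated as risky are assumptions made for illustration.

```python
"""Added example: strict Request-Line parsing and Request-URI form classification.
The sample inputs in the docstrings/tests and the RISKY_METHODS policy are
constructed for illustration and are not taken from any real server."""

import re
from dataclasses import dataclass

# Methods defined by HTTP/1.1.  Method tokens are case-sensitive, so "get" is
# not the same as "GET" and is rejected rather than silently normalised.
HTTP11_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"}

# Hypothetical deployment policy: methods a tester would flag if a server
# accepts them from unauthenticated clients (TRACE echoes headers back,
# PUT/DELETE modify content, CONNECT turns the server into a tunnel).
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}

_VERSION_RE = re.compile(r"^HTTP/(\d)\.(\d)$")
_AUTHORITY_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")          # host[:port]
_ABSOLUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://[^\s]+$")    # scheme://...


@dataclass
class RequestLine:
    method: str
    target: str
    uri_form: str    # one of: asterisk, absolute, abs_path, authority
    version: tuple   # (major, minor)


def classify_uri(method: str, target: str) -> str:
    """Return the Request-URI form, raising ValueError when that form is not
    permitted together with the given method."""
    if target == "*":
        if method != "OPTIONS":
            raise ValueError("'*' request-target is only valid with OPTIONS")
        return "asterisk"
    if target.startswith("/"):
        return "abs_path"
    if "://" in target:
        if not _ABSOLUTE_RE.match(target):
            raise ValueError(f"malformed absoluteURI: {target!r}")
        return "absolute"
    if _AUTHORITY_RE.match(target):
        if method != "CONNECT":
            raise ValueError("authority form is only valid with CONNECT")
        return "authority"
    raise ValueError(f"unrecognised request-target: {target!r}")


def parse_request_line(line: bytes) -> RequestLine:
    """Parse one Request-Line (bytes, terminated by CRLF) with exactly one SP
    between the three elements; anything looser is rejected."""
    if not line.endswith(b"\r\n"):
        raise ValueError("Request-Line must end with CRLF")
    text = line[:-2].decode("ascii")          # non-ASCII raises (a ValueError subclass)
    parts = text.split(" ")
    if len(parts) != 3 or any(p == "" for p in parts):
        raise ValueError("Request-Line must be 'Method SP Request-URI SP HTTP-Version'")
    method, target, version = parts
    if method not in HTTP11_METHODS:
        raise ValueError(f"unknown or non-uppercase method: {method!r}")
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"bad HTTP-Version: {version!r}")
    form = classify_uri(method, target)
    return RequestLine(method, target, form, (int(m.group(1)), int(m.group(2))))


def is_valid_request_line(line: bytes) -> bool:
    """Convenience predicate: True if parse_request_line accepts the line."""
    try:
        parse_request_line(line)
        return True
    except ValueError:
        return False


def is_risky_method(rl: RequestLine) -> bool:
    """Apply the hypothetical RISKY_METHODS policy to a parsed Request-Line."""
    return rl.method in RISKY_METHODS


if __name__ == "__main__":
    for sample in (b"GET /pub/WWW/TheProject.html HTTP/1.1\r\n",
                   b"OPTIONS * HTTP/1.1\r\n",
                   b"CONNECT www.w3.org:443 HTTP/1.1\r\n",
                   b"get / HTTP/1.1\r\n"):
        print(sample, "->", parse_request_line(sample) if is_valid_request_line(sample) else "rejected")
```

The parser deliberately refuses to "help" malformed input (lowercase methods, doubled spaces, bare LF line endings): lenient parsing at one hop and strict parsing at the next is exactly the kind of disagreement that attackers exploit between proxies and origin servers.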
Request Header Fields
The request-header fields allow the client to pass additional information about the request, and about the client itself, to the server. These fields act as request modifiers; the following request-header fields are available and can be used as required −
- Accept-Charset
- Accept-Encoding
- Accept-Language
- Authorization
- Expect
- From
- Host
- If-Match
- If-Modified-Since
- If-None-Match
- If-Range
- If-Unmodified-Since
- Max-Forwards
- Proxy-Authorization
- Range
- Referer
- TE
- User-Agent
You can also introduce your own custom fields if you are writing your own client and web server.
Request Message Examples
Now let us put it all together to form an HTTP request that fetches the hello.htm page from the web server running on tutorialspoint.com −

```http
GET /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

```

Here we are not sending any request data to the server because we are fetching a plain HTML page. Connection is a general header; all the other headers are request headers. Note that the message still ends with an empty line, which tells the server that the header section is complete. Following is another example where we send form data to the server in the request message body −

```http
POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: application/x-www-form-urlencoded
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

licenseID=string&content=string&paramsXML=string
```

Here, the given URL /cgi-bin/process.cgi is used to process the passed data, and a response is returned accordingly. The Content-Type header tells the server that the passed data is simple web form data, and Content-Length is the actual length, in bytes, of the data placed in the message body. The server relies on Content-Length to decide where the body ends, so it must match the body exactly: a value that disagrees with the real body, or two conflicting Content-Length headers, can make a front-end proxy and the back-end server frame the message differently, which is the basis of HTTP request smuggling. The following example shows how you can pass plain XML to your web server −

```http
POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: text/xml; charset=utf-8
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://clearforest.com/">string</string>
```
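As an added example (not code from the original tutorial), the following Python builds raw request messages like the GET and POST shown above, with CRLF framing and a Content-Length computed from the real body, and then parses a raw request back into its request line, headers and body. The parser enforces the framing rules an HTTP/1.1 receiver has to apply: CRLF line endings, an empty line ending the header section, a mandatory Host header, at most one Content-Length, and a body of exactly the declared length. The host names, paths and form values are constructed sample data; chunked Transfer-Encoding is out of scope for this parser and is rejected rather than guessed at.

```python
"""Added example: building and strictly parsing raw HTTP/1.1 request messages.
All host names and payloads below are constructed sample data."""

CRLF = b"\r\n"


def build_request(method: str, target: str, headers: list, body: bytes = b"") -> bytes:
    """Serialise an HTTP/1.1 request.  Content-Length is always derived from the
    real body, and header names/values containing CR or LF are refused so a
    caller cannot inject extra header lines."""
    lines = [f"{method} {target} HTTP/1.1".encode("ascii")]
    for name, value in headers:
        value = str(value)
        if name.lower() in ("content-length", "transfer-encoding"):
            raise ValueError("framing headers are generated, not supplied")
        if any(c in name + value for c in "\r\n"):
            raise ValueError("CR/LF in header (header injection)")
        lines.append(f"{name}: {value}".encode("latin-1"))
    if body:
        lines.append(b"Content-Length: " + str(len(body)).encode("ascii"))
    # header lines joined by CRLF, then the empty line, then the body
    return CRLF.join(lines) + CRLF + CRLF + body


def parse_request(raw: bytes) -> tuple:
    """Split a raw request into (request_line, headers, body); headers is a dict
    keyed by lower-cased field name.  Raises ValueError on any framing defect."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("header section not terminated by an empty CRLF line")
    lines = head.split(CRLF)
    request_line = lines[0].decode("ascii")
    if len(request_line.split(" ")) != 3:
        raise ValueError(f"malformed Request-Line: {request_line!r}")

    headers = {}
    for line in lines[1:]:
        if b"\n" in line:                       # a bare LF survived the CRLF split
            raise ValueError("bare LF inside header section")
        name, colon, value = line.partition(b":")
        # no leading whitespace (obsolete line folding) and no space before ':'
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.decode("ascii").lower()
        if key == "content-length" and key in headers:
            # Two Content-Length values let two parsers disagree on where the
            # body ends (request smuggling); reject instead of picking one.
            raise ValueError("duplicate Content-Length header")
        headers[key] = value.strip().decode("latin-1")

    if "host" not in headers:
        raise ValueError("HTTP/1.1 requests must carry a Host header")
    if "transfer-encoding" in headers:
        raise ValueError("chunked framing is not handled by this parser")
    declared = headers.get("content-length")
    if declared is not None and not declared.isdigit():
        raise ValueError(f"non-numeric Content-Length: {declared!r}")
    expected = int(declared) if declared is not None else 0
    if len(body) != expected:
        raise ValueError(f"body is {len(body)} bytes but Content-Length says {expected}")
    return request_line, headers, body


def is_well_formed(raw: bytes) -> bool:
    """Convenience predicate: True if parse_request accepts the message."""
    try:
        parse_request(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    form = b"licenseID=string&content=string&paramsXML=string"   # constructed body
    msg = build_request("POST", "/cgi-bin/process.cgi",
                        [("Host", "www.tutorialspoint.com"),
                         ("Content-Type", "application/x-www-form-urlencoded")], form)
    print(msg.decode("latin-1"))
    print(parse_request(msg))
```

Both functions treat framing as security-relevant rather than cosmetic: the builder never lets a caller supply Content-Length or smuggle a CRLF into a header, and the parser rejects every ambiguity (duplicate or non-numeric Content-Length, bare LF, missing Host) instead of resolving it, because any rule it resolved silently could be resolved differently by the next server in the chain.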