Security Testing - HTTP Request


Advertisements

HTTP Requests

An HTTP client sends an HTTP request to a server in the form of a request message which includes following format −

  • A Request line

  • Zero or more header (General|Request|Entity) fields followed by CRLF

  • An empty line (a line with nothing preceding the CRLF) indicating the end of the header fields

  • Optionally a message-body

Following section explains each of the entities used in HTTP message.

Message Request-Line

The Request-Line begins with a method token, followed by the Request-URI, the protocol version, and ending with CRLF. The elements are separated by space SP characters.

Request-Line = Method SP Request-URI SP HTTP-Version CRLF

Let us discuss each of the parts mentioned in Request-Line.

Request Methods

The request Method indicates the method performed on the resource identified by the given Request-URI. The method is case-sensitive and should always be mentioned in uppercase. The following methods are supported in HTTP/1.1 −

S.No. Method and Description
1

GET

It is used to retrieve information from the given server using a given URI. Requests using GET should only retrieve data and should have no other effect on the data.

2

HEAD

It is same as GET, but only transfers the status line and header section.

3

POST

It is used to send data to the server. For example, customer information, file uploading, etc. using HTML forms.

4

PUT

It replaces all current representations of the target resource with the uploaded content.

5

DELETE

It removes all current representations of the target resource given by URI.

6

CONNECT

It establishes a tunnel to the server identified by a given URI.

7

OPTIONS

It describes the communication options for the target resource.

8

TRACE

It performs a message loop-back test along the path to the target resource.

Request-URI

The Request-URI is a Uniform Resource Identifier that identifies the resource upon which a request has to be applied. Following are the most commonly used forms to specify a URI −

Request-URI = "*" | absoluteURI | abs_path | authority
S.No. Method and Description
1

The asterisk * is used when HTTP request does not apply to a particular resource, but to the server itself. It is only allowed when the method does not necessarily apply to a resource. For example, OPTIONS * HTTP/1.1

2

The absoluteURI is used when HTTP request is being made to a proxy. The proxy is requested to forward the request or service it from a valid cache, and return the response. For example, GET https://www.w3.org/pub/WWW/TheProject.html HTTP/1.1

3

The most common form of Request-URI is that used to identify a resource on an origin server or gateway. For example, a client wishing to retrieve the resource above directly from the origin server would create a TCP connection to port 80 of the host "www.w3.org" and send the lines −

GET /pub/WWW/TheProject.html HTTP/1.1

Host: https://www.w3.org/

Note − The absolute path cannot be empty. If none is present in the original URI, it must be given as "/" (the server root)

Request Header Fields

The request-header fields allow the client to pass additional information about the request, and about the client itself, to the server. These fields act as request modifiers and the following important Request-header fields are available which can be used based on requirement −

  • Accept-Charset
  • Accept-Encoding
  • Accept-Language
  • Authorization
  • Expect
  • From
  • Host
  • If-Match
  • If-Modified-Since
  • If-None-Match
  • If-Range
  • If-Unmodified-Since
  • Max-Forwards
  • Proxy-Authorization
  • Range
  • Referer
  • TE
  • User-Agent

You can introduce your custom fields in case you are going to write your own custom Client and Web Server.

Request Message Examples

Now let us put it all together to form an HTTP request to fetch hello.htm page from the web server running on tutorialspoint.com −

GET /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Here we are not sending any request data to the server because we are fetching a plan HTML page from the server. Connection is a general-header and rest all headers are request headers. Following is another example where we send form data to the server using request message body −

POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: application/x-www-form-urlencoded
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

licenseID = string&content = string&/paramsXML = string

Here, the given URL /cgi-bin/process.cgi is used to process the passed data and accordingly a response is retuned. The content-type tells the server that passed data is simple web form data and length is actual length of the data put in the message body. The following example shows how you can pass plan XML to your web server −

POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Content-Type: text/xml; charset = utf-8
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

<?xml version = "1.0" encoding = "utf-8"?>
<string xmlns = "http://clearforest.com/">string</string>
http_protocol_basics.htm
Advertisements