Tuesday, August 9, 2016

Format of an HTTP Request


An HTTP request has three main components:

    1) HTTP Request Method, URI, and Protocol Version

    2) HTTP Request Headers

    3) HTTP Request Body


HTTP Request :

A request message from a client to a server includes, within the first line of that message, the method to be applied to the resource, the identifier of the resource, and the protocol version in use.  


Request       = Request-Line
                *(( general-header | request-header | entity-header ) CRLF)
                CRLF
                [ message-body ]
 

Request-Line :

           Request-Line   = Method SP Request-URI SP HTTP-Version CRLF

The Request-Line begins with a method token, followed by the Request-URI and the protocol version, and ends with CRLF. The elements are separated by SP characters. No CR or LF is allowed except in the final CRLF sequence.
 
 
Consider the following HTTP request example to see these parts in practice.
 
 
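As an added example (not the post's own figure or code), here is a small Python parser that applies the grammar above to a raw request: it splits the Request-Line on SP, rejects bare CR or LF inside a line, treats header names as case-insensitive while keeping the method case-sensitive, and reads the body using Content-Length. The sample request is constructed inline; chunked bodies are deliberately out of scope.

```python
import re
from dataclasses import dataclass, field

CRLF = b"\r\n"
# RFC 2616 token characters: no separators, no control characters.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION_RE = re.compile(rb"^HTTP/\d+\.\d+$")


@dataclass
class Request:
    method: str                 # case-sensitive, kept exactly as sent
    uri: str
    version: str
    headers: dict = field(default_factory=dict)  # names lower-cased (case-insensitive)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Parse Request-Line, headers, empty line and body; raise ValueError if malformed."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("header section not terminated by an empty line (CRLF CRLF)")
    lines = head.split(CRLF)
    if any(b"\r" in line or b"\n" in line for line in lines):
        raise ValueError("bare CR or LF inside a line")
    # Request-Line = Method SP Request-URI SP HTTP-Version: exactly three SP-separated elements.
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("Request-Line must be 'Method SP Request-URI SP HTTP-Version'")
    method, uri, version = parts
    if not TOKEN_RE.match(method) or not VERSION_RE.match(version):
        raise ValueError("bad method token or HTTP-Version")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.match(name):
            raise ValueError("malformed header line: %r" % line)
        # Leading (and trailing) white space around the value is ignored.
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")
    # Body length comes from Content-Length (assumption: chunked bodies are not handled here).
    length = int(headers.get("content-length", "0"))
    if not 0 <= length <= len(rest):
        raise ValueError("Content-Length does not match the bytes available")
    return Request(method.decode("ascii"), uri.decode("ascii"), version.decode("ascii"),
                   headers, rest[:length])


# Constructed sample request (not from the original post).
SAMPLE = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Content-Length: 10\r\n\r\nuser=alice")
```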

HTTP Methods:

The Method token indicates the method to be performed on the resource identified by the Request-URI. The method is case-sensitive.



GET :  Retrieve a Document

The GET method is used to retrieve information from the given server using a given URI. Requests using GET should only retrieve data and should have no other effect on the data. This is the main method used for retrieving HTML, images, JavaScript, CSS, etc. Most data that loads in your browser was requested using this method.



POST: Send Data to the server

A POST request is used to send data to the server, for example, customer information, file upload, etc. using HTML forms. Even though you can send data to the server using GET and the query string, in many cases POST will be preferable. Sending large amounts of data using GET is not practical and has limitations.


Difference between GET and POST methods ....


HEAD: Retrieve Header Information

Same as GET, but it transfers the status line and the header section only. HEAD is identical to GET, except that the server does not return the content in the HTTP response. When you send a HEAD request, you are only interested in the response code and the HTTP headers, not the document itself.

With this method the browser can check whether a document has been modified, for caching purposes. It can also check whether the document exists at all. For example, if you have a lot of links on your website, you can periodically send HEAD requests to all of them to check for broken links. This works much faster than using GET.

EXAMPLE:

Request:
HEAD /index.html HTTP/1.0
(blank line)

Response:
HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 14:09:16 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Sat, 20 Nov 2004 07:16:26 GMT
ETag: "10000000565a5-2c-3e94b66c2e680"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug
  
Notice that the response consists of the headers only, without the body that would contain the actual document.

PUT :

A PUT request sends data to the server, as POST does, but the supplied representation is stored as the resource identified by the Request-URI, replacing whatever was there.

Consider the difference between POST and PUT.



PATCH :

The HTTP PATCH method can be used to update part of a resource.

Difference between PUT and PATCH:

PUT = replace the ENTIRE RESOURCE with the new representation provided

PATCH = replace parts of the existing resource with the values provided


Example 1: 

You have a profile settings page and in the form you want to change only your name, not your Twitter account and GitHub account. You will update only part of the data, so you use a PATCH request.

Example 2: 

You have a form with location settings where you have to change all of the fields: City, Country, Zip Code, Address, etc. For that, you use a PUT request.



DELETE :

Removes all current representations of the target resource identified by the Request-URI.

CONNECT :

Establishes a tunnel to the server identified by a given URI.

HTTP CONNECT can be used to establish a network connection to a web server over HTTP. It is primarily used where a secure, encrypted connection (a tunnel) needs to be established between a client and a web server, such as an SSL connection.

The HTTP CONNECT request asks a proxy to make a connection to another host and simply relay the content, rather than attempting to parse or cache the message. This is often used to make a connection through a proxy.

Simple HTTP tunnels are an unencrypted connection through an HTTP proxy to an arbitrary destination. The tunnel takes advantage of the HTTP CONNECT method, normally used for HTTPS (secure web traffic), to connect to the destination server.

OPTIONS :

OPTIONS is useful for finding out which HTTP methods the server makes available to a client. Depending on how the web server you are connecting to is configured, the administrator may have only the POST and GET methods enabled, while other methods such as DELETE and TRACE are disabled.

A client can use an OPTIONS request to ask the server which request methods are supported.

EXAMPLE:

OPTIONS http://www.example.com/ HTTP/1.1           *** REQUEST LINE ***
Host: www.example.com
Connection: Close
(blank line)


HTTP/1.1 200 OK                                    *** RESPONSE LINE ***
Date: Fri, 27 Feb 2004 09:42:46 GMT
Content-Length: 0
Connection: close
Server: Apache/1.3.6
Allow: GET, HEAD, POST, OPTIONS, TRACE             (Allowed Methods)
Connection: close
(blank line)
 

TRACE:

Performs a message loop-back test along the path to the target resource.

HTTP TRACE is used to echo the contents of an HTTP request back to the requester, which can be useful for debugging. It may, however, pose a security threat: because the original request is returned in full, including any user-specific data, malicious code can abuse HTTP TRACE to read information in HTTP headers such as cookies and authentication data.

A client can send a TRACE request to ask the server to return a diagnostic trace.

REQUEST

TRACE http://www.example.com/ HTTP/1.1
Host: www.example.com
Connection: Close
(blank line)


RESPONSE

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Fri, 27 Feb 2004 09:44:21 GMT
Content-Type: message/http
Connection: close
Server: Apache/1.3.6
Connection: close

9d
TRACE / HTTP/1.1
Connection: keep-alive
Host: www.example.com
Via: 1.1 xproxy (NetCache NetApp/5.3.1R4D5)
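As an added example for the OPTIONS and TRACE sections above (not code from the original post, and not part of Apache), here is a small Python audit helper: it reads the Allow header of an OPTIONS response to flag methods such as TRACE that an administrator should enable only deliberately, and decodes a chunked message/http TRACE response to list which request headers the server reflected. Both sample responses are constructed inline, modelled on the ones above; the list of methods worth reviewing is an assumption of this example.

```python
# Constructed sample responses (not captured traffic), modelled on the post's examples.
OPTIONS_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n"
                    b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n\r\n")
ECHO = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=constructed\r\n\r\n"
TRACE_RESPONSE = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
                  b"Content-Type: message/http\r\n\r\n"
                  + b"%x\r\n" % len(ECHO) + ECHO + b"\r\n0\r\n\r\n")
# Methods that should be enabled only by a deliberate decision (an assumption of this example).
REVIEW_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}


def parse_response(raw):
    """Split a response into (status line, {lower-cased name: [values]}, raw body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return status.decode(), headers, body


def dechunk(body):
    """Decode a chunked body: hex size line, chunk data, CRLF, ..., a zero-size chunk."""
    out = b""
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        out += body[:size]
        body = body[size + 2:]  # skip the CRLF that terminates the chunk


def methods_to_review(raw):
    """Methods in the Allow header that fall in REVIEW_METHODS."""
    _, headers, _ = parse_response(raw)
    allowed = {m.strip().upper() for v in headers.get("allow", []) for m in v.split(",")}
    return sorted(allowed & REVIEW_METHODS)


def echoed_header_names(raw):
    """Request header names the server reflected in a TRACE response body."""
    _, headers, body = parse_response(raw)
    if any("chunked" in v.lower() for v in headers.get("transfer-encoding", [])):
        body = dechunk(body)
    echoed_request = body.split(b"\r\n")[1:]  # first line is the echoed Request-Line
    return [l.partition(b":")[0].decode().lower() for l in echoed_request if b":" in l]
```

Where TRACE appears in Allow, Apache's TraceEnable off directive turns it off; a reflected-header list that includes cookie is exactly the exposure the text above warns about.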

HTTP HEADERS:

HTTP headers allow the client and the server to pass additional information with the request or the response. A header consists of its case-insensitive name followed by a colon ':' and then its value (without line breaks). Leading white space before the value is ignored. Custom proprietary headers have traditionally been added using the 'X-' prefix (a convention RFC 6648 deprecated in 2012).

Headers can be grouped according to their contexts:

a) General Headers:

Headers applying to both requests and responses but with no relation to the data eventually transmitted in the body.

https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.5

b) Request Headers:

Headers containing more information about the resource to be fetched or about the client itself.

https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5

c) Response Headers:

Headers with additional information about the response, like its location, or about the server itself (name and version, etc.).

https://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html#sec6

d) Entity Headers:

Headers containing more information about the body of the entity, like its content length or its MIME type.

https://www.w3.org/Protocols/rfc2616/rfc2616-sec7.html#sec7

Reference links:

https://www.cs.tut.fi/~jkorpela/http.html

https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

http://geekexplains.blogspot.in/2008/06/whats-http-explain-http-request-and.html

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

https://www.ntu.edu.sg/home/ehchua/programming/webprogramming/HTTP_Basics.html
