Vulnerability Development mailing list archives
Re: Kill the DOG and win 100 000 DM
From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Wed, 8 Nov 2000 08:06:07 -0800
From: Robert Collins [mailto:robert.collins () ITDOMAIN COM AU]
Sent: Tuesday, November 07, 2000 10:08 PM
[re: requests for HTTP commands] try rfc 2616 (HTTP/1.1)
True, but people who don't know enough to look for an RFC in the first place probably won't know where to get 2616. It's available from (among many other sources):

  ftp://ftp.isi.edu/in-notes/rfc2616.txt (the official repository)
  http://www.cis.ohio-state.edu/htbin/rfc/rfc2616.html (OSU's nice HTMLized collection)

For other RFCs, the front end to ISI's repository can be found at http://www.rfc-editor.org. The front end to OSU's repository is at http://www.cis.ohio-state.edu/Services/. There are also links to pretty much everything even vaguely related to HTTP at the W3C site, http://www.w3c.org/.

(Someone asked about WebDAV; that's also defined by an RFC, so see the sites listed above.)

At about 175 pages RFC 2616 is a bit large for just a quick introduction to driving HTTP by hand, though. In the simplest cases, use GET to retrieve documents and HEAD to retrieve just the header.

An HTTP request consists of a request-line, followed by header lines, followed by a blank line. All lines are terminated with CRLF. A well-formed HTTP/1.1 request generally contains at least one header (if you're not going through a proxy, for example, you should have a Host: header), but HTTP/1.1 servers SHOULD be tolerant of a number of protocol violations. For all but experimental servers you can probably get away with requests like:

  GET / HTTP/1.1

  HEAD /foo/bar/baz.html HTTP/1.1

- with just a request-line, in other words.

The request-line has an HTTP command (GET, HEAD, OPTIONS, PUT, etc.), a space, a URI, a space, and an HTTP-version specification in the form "HTTP/" followed by major and minor version numbers with a "." delimiter.

A request URI must be an absoluteURI (ie. have the "http://x.y.z/" part) if you're talking to a proxy. HTTP/1.1 servers are required to accept absoluteURIs, but I don't know how many actually comply with this; real HTTP/1.1 clients use an abs_path URI (ie. it begins with a "/") and MUST send a Host: header (to make virtual hosting possible). So you should really be using something like:

  GET / HTTP/1.1
  Host: whatever.I.am.connected.to

assuming you're talking directly to an HTTP/1.1 server.

The URI may contain a query component (eg. if you're making a request to a CGI program or some other dynamic content generator), as with:

  GET /cgi-bin/lookup?foo=one&bar=2 HTTP/1.1
  Host: lookup.server.somewhere.com

Note the query must be URL-encoded. The easiest thing to do is just convert all special characters into their hex-escape form ("%" followed by two hex digits specifying the ASCII code of the character). Spaces can just be replaced with "+" symbols. See RFC 2396, etc., for more info.

A POST request looks like a GET request with a content-body, or like a combination of a GET request and response: a request-line, followed by some headers, followed by a blank line, followed by a content-body which contains the data being POSTed. The headers and the content-body format depend on the target resource, but typically POST is the action for an HTML form, and the client will be sending the data URL-encoded, with a Content-type: header specifying "application/x-www-form-urlencoded". Building POSTs by hand probably isn't worth the effort; get Perl or another scripting language with HTTP support.

Michael Wojcik michael.wojcik () merant com
MERANT
Department of English, Miami University
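
Added example, not part of the original post: a Python sketch that serializes requests in the layout described above (request-line, headers, blank line, optional URL-encoded body, all CRLF-terminated) and checks a raw request for the violations the post says servers tend to tolerate. The function names and the example.test host are assumptions; the Content-Length header is not mentioned in the post but is what tells the server where the content-body ends.

```python
import re
from urllib.parse import urlencode

CRLF = "\r\n"
# command SP URI SP "HTTP/" major "." minor
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d+)\.(\d+)$")

def build_request(method, host, path="/", query=None, form=None):
    """Serialize an HTTP/1.1 request: request-line, headers, blank line, body."""
    target = path
    if query:
        # urlencode hex-escapes special characters and turns spaces into "+"
        target += "?" + urlencode(query)
    body = urlencode(form).encode("ascii") if form else b""
    headers = [("Host", host)]  # required for virtual hosting
    if form:
        headers.append(("Content-Type", "application/x-www-form-urlencoded"))
        # Assumption beyond the post: Content-Length frames the content-body
        headers.append(("Content-Length", str(len(body))))
    head = f"{method} {target} HTTP/1.1{CRLF}"
    head += "".join(f"{name}: {value}{CRLF}" for name, value in headers)
    return head.encode("ascii") + CRLF.encode("ascii") + body

def check_request(raw):
    """Return a list of protocol problems in a raw request (empty if none)."""
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no blank line terminating the headers"]
    lines = head.decode("ascii", "replace").split(CRLF)
    if any("\r" in line or "\n" in line for line in lines):
        problems.append("bare CR or LF; lines must end with CRLF")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return problems + ["malformed request-line"]
    target = match.group(2)
    version = (int(match.group(3)), int(match.group(4)))
    # abs_path ("/..."), absoluteURI ("http://x.y.z/...") or "*" (OPTIONS)
    if not (target.startswith(("/", "http://")) or target == "*"):
        problems.append("request URI is neither abs_path nor absoluteURI")
    names = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    if version >= (1, 1) and "host" not in names:
        problems.append("HTTP/1.1 request without Host: header")
    return problems
```
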
