Vulnerability Development mailing list archives

Re: Kill the DOG and win 100 000 DM


From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Wed, 8 Nov 2000 08:06:07 -0800

From: Robert Collins [mailto:robert.collins () ITDOMAIN COM AU]
Sent: Tuesday, November 07, 2000 10:08 PM

[re: requests for HTTP commands]
try rfc 2616 (HTTP/1.1)

True, but people who don't know enough to look for an RFC in the first place
probably won't know where to get 2616.

It's available from (among many other sources):

ftp://ftp.isi.edu/in-notes/rfc2616.txt  (the official repository)
http://www.cis.ohio-state.edu/htbin/rfc/rfc2616.html    (OSU's nice HTMLized collection)

For other RFCs, the front end to ISI's repository can be found at
http://www.rfc-editor.org.  The front end to OSU's repository is at
http://www.cis.ohio-state.edu/Services/.

There are also links to pretty much everything even vaguely related to HTTP
at the W3C site, http://www.w3c.org/.  (Someone asked about WebDAV; that's
also defined by an RFC, so see the sites listed above.)

At about 175 pages RFC 2616 is a bit large for just a quick introduction to
driving HTTP by hand, though.

In the simplest cases, use GET to retrieve documents and HEAD to retrieve
just the header.  An HTTP request consists of a request-line, followed by
header lines, followed by a blank line.  All lines are terminated with CRLF.
A well-formed HTTP/1.1 request generally contains at least one header (if
you're not going through a proxy, for example, you should have a Host:
header), but HTTP/1.1 servers SHOULD be tolerant of a number of protocol
violations.  For all but experimental servers you can probably get away with
requests like:

GET / HTTP/1.1

HEAD /foo/bar/baz.html HTTP/1.1

- with just a request-line, in other words.  The request-line has an HTTP
command (GET, HEAD, OPTIONS, PUT, etc.), a space, a URI, a space, and an
HTTP-version specification in the form "HTTP/" followed by major and minor
version numbers with a "." delimiter.

A request URI must be an absoluteURI (ie. have the "http://x.y.z/" part) if
you're talking to a proxy.  HTTP/1.1 servers are required to accept
absoluteURIs, but I don't know how many actually comply with this; real
HTTP/1.1 clients use an abs_path URI (ie. it begins with a "/") and MUST
send a Host: header (to make virtual hosting possible).  So you should
really be using something like:

GET / HTTP/1.1
Host: whatever.I.am.connected.to

assuming you're talking directly to an HTTP/1.1 server.

The URI may contain a query component (eg. if you're making a request to a
CGI program or some other dynamic content generator), as with:

GET /cgi-bin/lookup?foo=one&bar=2 HTTP/1.1
Host: lookup.server.somewhere.com

Note the query must be URL-encoded.  The easiest thing to do is just convert
all special characters into their hex-escape form ("%" followed by two hex
digits specifying the ASCII code of the character).  Spaces can just be
replaced with "+" symbols.  See RFC 2396, etc., for more info.

A POST request looks like a GET request with a content-body, or like a
combination of a GET request and response: a request-line, followed by some
headers, followed by a blank line, followed by a content-body which contains
the data being POSTed.  The headers and the content-body format depend on
the target resource, but typically POST is the action for an HTML form, and
the client will be sending the data URL-encoded, with a Content-type: header
specifying "application/x-www-form-urlencoded".  Building POSTs by hand
probably isn't worth the effort; get Perl or another scripting language with
HTTP support.

Michael Wojcik             michael.wojcik () merant com
MERANT
Department of English, Miami University
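The request formats described in the post above, put into code as an added example that is not part of Michael's message: a small Python builder for the raw GET/HEAD requests with a Host: header and for a form-style POST, with the URL-encoding (hex escapes, spaces as "+") done by the standard library. The function names and the example host names are my own.

```python
# Added example: build raw HTTP/1.1 requests as described in the post.
# Uses only the standard library; encode_query gives the %XX / '+' form
# that application/x-www-form-urlencoded and CGI query strings expect.
from typing import Optional
from urllib.parse import quote, urlencode

CRLF = "\r\n"  # every request line is CRLF-terminated


def encode_query(params: dict) -> str:
    """URL-encode query/form data: special chars as %XX, spaces as '+'."""
    return urlencode(params)


def build_request(method: str, path: str, host: str,
                  query: Optional[dict] = None,
                  form: Optional[dict] = None) -> bytes:
    """Return the raw bytes of an HTTP/1.1 request to an origin server.

    path must be an abs_path ("/..."); query is appended URL-encoded;
    form becomes an application/x-www-form-urlencoded body (for POST).
    Headers are closed by a blank line, as the RFC requires.
    """
    if not path.startswith("/"):
        raise ValueError("path must be an abs_path beginning with '/'")
    target = quote(path, safe="/")
    if query:
        target += "?" + encode_query(query)
    # Request-line, then the Host: header every HTTP/1.1 client MUST send.
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    body = b""
    if form is not None:
        body = encode_query(form).encode("ascii")
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii") + body


if __name__ == "__main__":
    # Constructed sample hosts; the GET mirrors the post's CGI example.
    print(build_request("GET", "/cgi-bin/lookup", "lookup.server.somewhere.com",
                        query={"foo": "one", "bar": 2}).decode())
    print(build_request("POST", "/cgi-bin/lookup", "lookup.server.somewhere.com",
                        form={"name": "J Doe", "q": "a&b=c"}).decode())
```

The returned bytes can be written straight to a socket connected to port 80 of the named host.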

