Internet Technologies - 4
Dr. Mohammed Al-Abdulkareem
© 2006
HTTP
• Hypertext Transfer Protocol.
• Works over TCP/IP.
• Used to transfer almost everything on the
world wide web.
– HTML files
– Images
– Query results
• The pieces of information transferred are also called
resources.
HTTP
• A resource is any chunk of information.
• A resource is identified by URL.
• Static Resources are files that contain
information.
• Dynamic Resources are information
generated dynamically as the result of a query
or CGI script.
HTTP
• HTTP uses the client server model.
• The browser is the HTTP client; it sends
the request to the HTTP server.
• The Web server is the HTTP server; it
replies to the request.
• The standard port for an HTTP server is
port 80, but it may use any other port.
HTTP Transaction
• HTTP client opens the connection and sends the
request.
• The HTTP server replies with a response
message that contains the requested resources.
• After sending the response, the server closes the
connection.
• The server keeps no connection information
between transactions.
• This makes HTTP a stateless protocol.
HTTP Transaction
• The formats of the request and response
messages are similar.
• The request and response are English-oriented
text.
• Each message contains:
– an initial line,
– zero or more header lines,
– a blank line (i.e. a CRLF by itself), and
– an optional message body (e.g. a file, or query data,
or query output).
HTTP Transaction
<initial line, different for request vs. response>
Header1: value1
Header2: value2
Header3: value3
[blank line here]
<optional message body goes here,
like file contents or query data;
it can be many lines long, or even
binary data $&*%@!^$@>
HTTP Request
A request initial line has three parts separated
by spaces:
– a method name,
– the local path of the requested resource,
– and the version of HTTP being used.
GET /path/to/file/index.html HTTP/1.0
HTTP Request
GET
GET is the most common HTTP method; it
says "get me this resource". Method names
are always uppercase.
HTTP Request
HEAD
A HEAD request is just like a GET request,
except it asks the server to return the
response headers only, and not the actual
resource (i.e. no message body). This is
useful to check characteristics of a resource
without actually downloading it, thus saving
bandwidth. Use HEAD when you don't
actually need a file's contents.
HTTP Request
POST
A POST request is used to send data to the
server to be processed in some way, like by a
CGI script.
There's a block of data sent with the request, in
the message body.
There are usually extra headers to describe this
message body, like Content-Type: and
Content-Length:.
Message Header
– Header lines provide information about the
request or response, or about the object sent
in the message body.
– The header lines are in the usual text header
format, which is: one line per header, of the
form "Header-Name: value", ending with
CRLF.
Message Header
Example of request header
From: [email protected]
User-Agent: Mozilla/3.0Gold
Example of response header
Date: Fri, 31 Dec 1999 23:59:59 GMT
Last-Modified: Fri, 31 Dec 1999 23:59:59 GMT
Content-Type: text/html
Content-Length: 1024
HTTP Response
The initial line of a response, called the status line, has
three parts separated by spaces:
– the HTTP version,
– a response status code that gives the result of
the request,
– and an English reason phrase describing the
status code.
HTTP/1.0 200 OK
HTTP/1.1 404 Not Found
HTTP Response
– 200 OK
• The request succeeded, and the resulting resource (e.g. file
or script output) is returned in the message body.
– 404 Not Found
• The requested resource doesn't exist.
– 301 Moved Permanently
302 Moved Temporarily
303 See Other (HTTP 1.1 only)
• The resource has moved to another URL (given by the
Location: response header), and should be automatically
retrieved by the client. This is often used by a CGI script to
redirect the browser to an existing file.
– 500 Server Error
HTTP Request Example
GET /path/file.html HTTP/1.0
From: [email protected]
User-Agent: Mozilla/3.0Gold
[blank line here]
HTTP Response Example
HTTP/1.0 200 OK
Date: Fri, 31 Dec 1999 23:59:59 GMT
Content-Type: text/html
Content-Length: 1024
[blank line here]
<html>
<body>
<h1>Welcome to my page</h1>
...
</body>
</html>
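Added example (not part of the original slides): a small Python parser that splits a raw HTTP/1.0 message into the initial line, headers, blank line and body described above, and rejects a missing blank line, a repeated Content-Length, or a body shorter than Content-Length. The function name, the error class and the shortened sample response are constructed for illustration.

```python
class MalformedMessage(ValueError):
    """Raised when a message does not follow the layout described above."""

def parse_http_message(raw: bytes):
    """Split a raw request or response into (initial_parts, headers, body)."""
    head, blank, body = raw.partition(b"\r\n\r\n")  # blank line: CRLF by itself
    if not blank:
        raise MalformedMessage("no blank line after the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    # Three space-separated parts; a reason phrase such as "Not Found"
    # may itself contain spaces, so split at most twice.
    initial = lines[0].split(" ", 2)
    if len(initial) != 3:
        raise MalformedMessage("initial line must have three parts")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise MalformedMessage(f"bad header line: {line!r}")
        key = name.lower()  # header names are case-insensitive
        if key == "content-length" and key in headers:
            raise MalformedMessage("more than one Content-Length")
        headers[key] = value.strip()  # other repeated headers: last value wins
    if "content-length" in headers:
        length = headers["content-length"]
        if not (length.isascii() and length.isdigit()):
            raise MalformedMessage("Content-Length is not a number")
        if len(body) < int(length):
            raise MalformedMessage("body shorter than Content-Length")
        body = body[:int(length)]
    return initial, headers, body

# Constructed sample: the response example above with a 13-byte body.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Fri, 31 Dec 1999 23:59:59 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    print(parse_http_message(SAMPLE_RESPONSE))
```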
URL-Encoding
How to URL-encode the name-value pairs of
the form data?
– Convert all "unsafe" characters in the names
and values to "%xx", where "xx" is the ASCII
value of the character, in hex. "Unsafe"
characters include =, &, %, +, non-printable
characters, and any others you want to
encode; there's no danger in encoding too
many characters. For simplicity, you might
encode all non-alphanumeric characters.
URL-Encoding
– Change all spaces to plusses.
– String the names and values together with =
and &, like
name1=value1&name2=value2&name3=value3
– This string is your message body for POST
submissions, or the query string for GET
submissions.
URL-Encoding
• For example, if a form has a field called
"name" that's set to "Ahmed", and a field
called "neighbors" that's set to "saad &
Saleh", the URL-encoded form data would
be
name=Ahmed&neighbors=saad+%26+Saleh
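Added example (not part of the original slides): the three URL-encoding steps above in Python, with the un-encoded join beside it to show why = and & count as "unsafe": a receiver splits on them, so a raw value can turn into extra fields. The function names and the third field are constructed; encoding non-ASCII text as UTF-8 bytes is an assumption.

```python
import string
from urllib.parse import parse_qsl

ALNUM = set(string.ascii_letters + string.digits)

def encode_component(text: str) -> str:
    """Encode one name or value: alphanumerics kept, space -> +, rest -> %xx."""
    out = []
    # Assumption: non-ASCII text is encoded as its UTF-8 bytes.
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        if ch in ALNUM:
            out.append(ch)
        elif ch == " ":
            out.append("+")
        else:
            out.append(f"%{byte:02X}")
    return "".join(out)

def encode_form(fields) -> str:
    """Join encoded (name, value) pairs with = and &."""
    return "&".join(
        f"{encode_component(name)}={encode_component(value)}"
        for name, value in fields
    )

def naive_form(fields) -> str:
    """The same join with the encoding step skipped, for contrast."""
    return "&".join(f"{name}={value}" for name, value in fields)

def receiver_view(body: str):
    """Parse a body with Python's standard form parser."""
    return parse_qsl(body, keep_blank_values=True)

# The slide's two fields plus one constructed value containing & and =.
FIELDS = [("name", "Ahmed"), ("neighbors", "saad & Saleh"),
          ("note", "a&role=owner")]

if __name__ == "__main__":
    print(encode_form(FIELDS))
    print(receiver_view(encode_form(FIELDS)))  # the same three fields back
    print(receiver_view(naive_form(FIELDS)))   # values split, extra fields appear
```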
Try this
• From a Unix prompt (cmd.exe on Windows), open a
connection to an HTTP server with something like
telnet www.it.ccis.ksu.edu.sa 80
or
telnet 10.99.94.10 80
• Then enter your request line by line, like
GET /kareem/index.html HTTP/1.0
[headers here, if any]
[blank line here]
After you finish your request with the blank line, you'll see
the raw response from the server, including the status
line, headers, and message body.
Bad Request
HTTP
RFC 2616
HTTPS
• https indicates a secure HTTP connection.
• Using the URL https://x.y.z is the same as
http, but the connection goes to port 443.
• A web server must have a public key
created to accept https connections.
• Only the connection is secured!
FTP
• An FTP conversation consists of requests
sent by the client and responses sent by
the server.
• After the client connects, the server sends
a response to the client, either accepting
or rejecting the connection.
• This initial response is called the greeting.
FTP
• If the server accepts the connection, the
client sends zero or more requests to the
server. Each request is handled as follows:
• The client sends the request to the server.
• The server sends one or more responses to the
client.
FTP
• A request is a string of bytes. It contains
• a verb consisting of alphabetic ASCII characters;
• optionally, a space followed by a parameter; and
• CRLF
FTP
• For example:
RETR file.txt
STOR file2.txt
FTP
• Return Codes:
– 200 Command okay.
– 220 Service ready for new user.
– 221 Service closing control connection.
– 425 Can't open data connection.
– 426 Connection closed; transfer aborted.
– 501 Syntax error in parameters or arguments.
– 532 Need account for storing files.
SFTP
• The SFTP protocol allows for a range of
operations on remote files.
• It is more like a remote file system
protocol.
• The protocol itself does not provide
authentication and security.
• It is used with SSH for secure connection.
TELNET
• TELNET (TELetype NETwork).
• Network protocol used on the Internet or local
area network (LAN) connections.
• Developed in 1969.
• Standardized as IETF STD 8.
• Uses port 23.
• All TELNET commands consist of at least a
two-byte sequence: the "Interpret as Command"
(IAC) escape character followed by the code for
the command.
TELNET
• Interrupt Process (IP) 244: Suspend, interrupt, abort or
terminate the process to which the NVT is connected.
• Abort Output (AO) 245: Allow the current process to
(appear to) run to completion, but do not send its output
to the user.
• Erase Character (EC) 247: The recipient should delete
the last preceding undeleted character or "print position"
from the data stream.
• Erase Line (EL) 248 : The recipient should delete
characters from the data stream back to, but not
including, the last "CR LF" sequence sent over the
TELNET connection.
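Added example (not part of the original slides): separating user data from TELNET commands in a byte stream by scanning for the IAC escape (255). The WILL/WONT/DO/DONT codes, the IAC IAC escape and the SB code come from RFC 854 rather than the slide; the function name and the sample capture are constructed, and a stream containing subnegotiation (SB) is rejected rather than parsed.

```python
IAC = 255
SB = 250  # start of subnegotiation (RFC 854), outside this example's scope
# Command codes listed on the slide above.
COMMANDS = {244: "IP", 245: "AO", 247: "EC", 248: "EL"}
# From RFC 854, not on the slide: option negotiation carries one extra byte.
NEGOTIATION = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}

def split_telnet_stream(stream: bytes):
    """Return (data, commands): plain data bytes and the commands found."""
    data, commands = bytearray(), []
    i = 0
    while i < len(stream):
        byte = stream[i]
        if byte != IAC:
            data.append(byte)
            i += 1
            continue
        if i + 1 >= len(stream):
            raise ValueError("stream ends in the middle of a command")
        code = stream[i + 1]
        if code == IAC:              # IAC IAC is a literal data byte 255
            data.append(IAC)
            i += 2
        elif code in NEGOTIATION:    # three bytes: IAC, verb, option number
            if i + 2 >= len(stream):
                raise ValueError("negotiation command is missing its option")
            commands.append((NEGOTIATION[code], stream[i + 2]))
            i += 3
        elif code == SB:
            raise ValueError("subnegotiation is not handled in this example")
        else:                        # two bytes: IAC, command code
            commands.append((COMMANDS.get(code, f"code {code}"), None))
            i += 2
    return bytes(data), commands

# Constructed capture: DO option 1, typed text with an Erase Character in the
# middle, an escaped 255 data byte, then Interrupt Process.
CAPTURE = (bytes([255, 253, 1]) + b"ls -l" + bytes([255, 247]) + b"a\r\n"
           + bytes([255, 255]) + bytes([255, 244]))

if __name__ == "__main__":
    print(split_telnet_stream(CAPTURE))
```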
SSH
• Secure Shell or SSH is a set of standards
and an associated network protocol that
allows establishing a secure channel
between a local and a remote computer.
• SSH provides confidentiality and integrity
of data exchanged between the two
computers using encryption and message
authentication codes (MACs).
SSH
• SSH uses port 22.
• The SSH architecture was enhanced from SSH-1 to SSH-2 with more security.
• In all versions of SSH, it is important to verify
unknown public keys before accepting them as
valid.
• Accepting an attacker's public key as a valid
public key has the effect of disclosing the
transmitted password and allowing
man-in-the-middle attacks.
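Added example (not part of the original slides): one way to verify an unknown host key before accepting it is to compute its SHA256 fingerprint in the form OpenSSH displays and compare it with a fingerprint obtained from the server's administrator over a separate channel. The function names, host names and both key lines are constructed; the pinned value here is derived from the constructed "genuine" key to stand in for the out-of-band one.

```python
import base64
import hashlib
import struct

def fingerprint(public_key_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key line: 'type base64 [comment]'."""
    key_type, blob_b64 = public_key_line.split()[:2]
    blob = base64.b64decode(blob_b64, validate=True)
    # The key blob begins with a length-prefixed copy of the key type.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match the key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the base64 digest without trailing '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def host_key_trusted(presented_line: str, pinned_fingerprint: str) -> bool:
    """Accept the presented key only if it matches the pinned fingerprint."""
    return fingerprint(presented_line) == pinned_fingerprint

def make_ed25519_line(raw_key: bytes, comment: str) -> str:
    """Build a constructed ssh-ed25519 public key line from 32 raw bytes."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"

# Constructed keys: these byte strings are placeholders, not real key material.
GENUINE = make_ed25519_line(bytes(range(32)), "server.example")
IMPOSTER = make_ed25519_line(bytes(range(1, 33)), "server.example")
# Stands in for the fingerprint received out of band from the administrator.
PINNED = fingerprint(GENUINE)

if __name__ == "__main__":
    print(PINNED)
    print(host_key_trusted(GENUINE, PINNED))   # matching key is accepted
    print(host_key_trusted(IMPOSTER, PINNED))  # substituted key is refused
```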