study of http

11

Click here to load reader

Upload: dhairya-joshi

Post on 15-May-2015

315 views

Category:

Education


0 download

TRANSCRIPT

Page 1: Study of http

Assignment 1

(1)Study of HTTP.

HTTP means HyperText Transfer Protocol. The Hypertext Transfer Protocol (HTTP) is the foundation

protocol of the World Wide Web (WWW). HTTP (Hypertext Transfer Protocol) is perhaps the most

popular application protocol used in the Internet (or The WEB). HTTP is designed to permit intermediate network elements to

improve communications between clients and servers. HTTP is a transaction-oriented client/server protocol. The most

typical use of HTTP is between a web browser and a web server.

HTTP is an asymmetric request-response client-server protocol as illustrated. An HTTP client sends a request message to an HTTP server. The server, in turn, returns a response message.

In other words, HTTP is a pull protocol, the client pulls information from the server (instead of server pushes information down to the client).

HTTP is a stateless protocol. In other words, the current request does not know what has been done in the previous requests.

Page 2: Study of http

The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems.

A typical implementation creates a new TCP (Transmission Control

Protocol) connection between client and server for each transaction and then terminates the connection as soon as the transaction completes, although the specification doesn't dictate this one-to-one relationship between transaction and connection lifetimes.

HOW HTTP WORKS?

Web sites generally have an http:// at the beginning of the uniform resource locator (URL) address.

When you enter a URL into your Web browser, the browser sends out a data request for the information stored under that address, which is then transferred back to you.

Your browser then interprets the data and displays it for you in the appropriate manner.

Today, many sites instead have https:// listed as their URL prefixes.

This stands for HTTP secure and means that the Web page will be transmitted with encryption.

Banks, e-commerce sites and any company concerned about Internet security may use the HTTPS protocol instead of simple HTTP to ensure that sensitive data (such as your credit card number) is sent to and from a server with encryption.

If there is no "s" after the HTTP prefix, you can assume that there is no encryption. That's an important point to remember when conducting business of any kind.

Users should check for the https:// prefix before entering sensitive, private data into a site's forms. That's especially true if accessing the site through a wireless connection.

Page 3: Study of http

Even services such as Google Mail, Twitter and Facebook have begun using forms of HTTPS.

Here shown the difference between HTTP and HTTPS.

But in HTTPS has secure and means that the Web page will be transmitted with encryption.

In the near future, Internet browsers may not see the HTTP at all, because address bars may become a thing of the past. Google Chrome and Mozilla Firefox are redesigning their systems to be more like mobile applications than like traditional Web browsing -- they're making the browser bar smaller and less prominent. It's possible that the bar may one day disappear altogether and all Internet access will be through links and apps.

Page 4: Study of http

(2) Explain methods of HTTP.

HTTP mainly divided in seven methods.

i. Getii. Head

iii. Putiv. Postv. Delete

vi. Tracevii. Option

(i) Get :-

The GET method is used to retrieve information from a specified URI and is assumed to be a safe, repeatable operation by browsers, caches and other HTTP aware components.

This means that the operation must have no side effects and GET requests can be re-issued without worrying about the consequences.

For example, displaying the balance of a bank account has no effect on the account and can be safely repeated.

In fact, Internet Explorer will allow a user to refresh a page that resulted from a GET, without displaying any kind of warning.

Other HTTP aware components such as proxies may automatically retry GET requests if they encounter a temporary network connection problem.

The conditional GET method is intended to reduce network usage by allowing cached entities to be refreshed without requiring multiple requests or transferring unnecessary data.

The GET method can also be used to submit forms. The form data is URL-encoded and appended to the request URI.

Page 5: Study of http

One downside of GET requests is that they can only supply data in the form of parameters encoded in the URI (Universel Resource Identifier

known as a Query String) or as cookies in the cookie request header. Therefore, GET cannot be used for uploading files or other

operations that require large amounts of data to be sent to the server.

(ii) Head :-

A HEAD request is just like a GET request, except it asks the server to return the response headers only, and not the actual resource (i.e. no message body).

This is useful to check characteristics of a resource without actually downloading it, thus saving bandwidth.

This is useful for retrieving meta-information written in response headers without having to transport the entire content.

We can use HEAD when we don't actually need a file's contents. The response to a HEAD request must never contain a message

body, just the status line and headers. The head method is often used for testing hyperlinks, accessibility

and for determining if a document has been recently modifed.

(iii) Put :-

This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files. e.g.: an ASP (Active server Pages) file that executes commands by

invoking cmd.exe , or by simply using the victim's server as a file repository.

HTTP/1.1 does not define how a PUT method affects the state of an origin server.

PUT requests must obey the message transmission requirements.

Page 6: Study of http

(iv)Post:-

The POST method is used for operations that have side effects and cannot be safely repeated.

For example, transferring money from one bank account to another has side effects and should not be repeated without explicit approval by the user.

If you try to refresh a page in Internet Explorer that resulted from a POST, it displays the following message to warn you that there may be side effects:

For banking, and other transactional web applications, the best approach is to use a POST when the user submits a change and then use a 302 redirection to change to a GET that displays the result of the action.

A person who working with Microsoft's Internet Information Server (IIS) may notice that it returns two status codes in its response for a POST request.

The first is 100 Continue to indicate that it has successfully received the POST request and the second is 200 OK after the request has been processed.

(v) Delete:-

This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to

deface a web site or to mount a DoS (Disk Operating System) attack.

Page 7: Study of http

This method may be overridden by human intervention (or other means) on the Web Server.

If the response includes an entity describing the status of deletion, the 200(OK) response code specifies that the resource has been deleted successfully.

If the response is 202(Accepted), it specifies that the resource has not yet been deleted.

Similarly, if the response code is 204 (No Content), it specifies that the resource has been deleted but the response code does not include an entity.

(vi) Trace:-

This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes.

This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing.

Thus, It is useful to locate exact location of your request.

(vii) Option:-

This method is Used when the client wants to determine other available methods to retrieve a document on the Web server.

This method requests for information about the communication options available on the request chain identified by a Request-URI (Uniform Resource Identifier).

Responses to this method are not cacheable. If the OPTIONS method includes an entity body, the media type

must be indicated by the content-type field.

Page 8: Study of http