Web application security - the fast guide 1.1 | Page 28
Chapter 2 - Web Application technologies
HTTP (Hypertext Transfer Protocol) is the main protocol used on the web. It was
originally developed to retrieve text pages from a web server and was later
extended to retrieve other types of media and web page content.
HTTP follows a request/response model and is itself a stateless protocol: each
request is handled independently of the previous one. It relies on TCP at the
transport layer, which is a stateful, connection-oriented protocol.
HTTP messages (both requests and responses), like the messages of most
protocols, are composed of two parts: a message header part containing one or
more headers with optional values, and a message body part that optionally
carries the payload of the message.
2.2.1 HTTP Request:
The following example shows an HTTP request message:
GET /index.php?lang=ar HTTP/1.1
Host: skcomputerco.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Referer: http://skcomputerco.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=c41ee7c06b099b2644ff707b72b792bd
As you can see, the request begins with the HTTP method, which indicates whether
the request is meant to fetch a resource from the server (GET) or to send user
input to the server to be processed (POST).
Since the example uses the GET method, a message body is not necessary.
Next comes the uniform resource locator (URL). This part represents the address
of the resource to be fetched; any extra parameters are passed after the (?)
sign, and that part is called the query string.
The last part of the first line is the version of the HTTP protocol in use. In our
example we are using the most widely used version, 1.1.
Next comes a set of headers in the format (header name: header value), one
header per line; the header section is separated from the body by a blank line.
The HTTP protocol supports many headers; the following are the most commonly used:
Referer: the resource from which the Request-URI was obtained (the header name
is spelled "Referer" in the protocol)
User-Agent: contains information about the user agent originating the
request
Host: the hostname, which is necessary especially when virtual hosts exist on
the web server (more than one site on the same web server).