HTTP request format
1) Request information: for example, "GET /index.php HTTP/1.1", which requests the file index.php
2) Header: for example, "Host: localhost", indicating the server address
3) Blank line
4) Message body
Both "Request information" and "Header" must end with the line break sequence CRLF. The blank line may contain only the line break and no other whitespace characters.
The following example shows how to send an HTTP request to the server www.yhsafe.com.
GET /index.php HTTP/1.1 // Request information
Host: www.yhsafe.com // Header
// Blank line, entered with the Enter key. After the blank line is entered, the HTTP request is sent by pressing a space.
In the HTTP request header, only the Host header is required; the remaining HTTP headers depend on the content of the HTTP request.
HTTP request methods
1) GET: request a response
2) HEAD: same as GET, but requests only the headers
3) POST: send data to the server for processing; the data is included in the HTTP message body
4) PUT: upload a file
5) DELETE: delete a file
6) TRACE: track received requests
7) OPTIONS: return the HTTP request methods supported by the server
8) CONNECT
After processing the HTTP request submitted by the client, the server sends the following response.
1) The first line is the status code.
2) Other information starts from the second line.
The status code contains a number indicating the status and a word describing the status. For example, in "HTTP/1.1 200 OK", 200 is the number indicating the status and OK is the word describing it. This status code indicates that the request was successful.
Example of HTTP request and response
Open cmd, run telnet, and enter "open www.00aq.com 80".
Then enter:
GET /index.php HTTP/1.1
Host: www.00aq.com
Returns the HTTP response header.
Returned homepage content
Use PHP to send HTTP requests
The header function can be used to send HTTP request and response headers.
Function prototype
void header(string string [, bool replace [, int http_response_code]])
string is the HTTP header string.
If replace is TRUE, it indicates that similar headers are replaced with the current header. If replace is FALSE, multiple similar headers are used. The default value is TRUE.
http_response_code forces the HTTP response code to the value given.
Example:
<?php
// Open the Internet socket connection
$fp = fsockopen("www.00aq.com", 80);
if (!$fp) {
    die("Connection failed");
}
// Write the HTTP request headers; the blank line (\r\n\r\n) ends the request
fputs($fp, "GET / HTTP/1.1\r\n");
fputs($fp, "Host: www.00aq.com\r\n");
// Ask the server to close the connection so that feof() becomes true
fputs($fp, "Connection: close\r\n\r\n");
// The HTTP response string
$http_response = "";
while (!feof($fp))
{
    // Read the HTTP response string line by line (length argument 256)
    $http_response .= fgets($fp, 256);
}
// Close the Internet socket connection
fclose($fp);
// Display the HTTP response information
echo nl2br(htmlentities($http_response));
?>
HTTP response splitting attack
In an HTTP response splitting attack, the attacker uses a carefully crafted e-mail or link to make a single request from the target user produce two responses. The first is the server's response; the second is a response designed by the attacker. The attack is possible because the web program places user data, specially crafted by the attacker, in the HTTP response header.
Functions that may be affected by HTTP response splitting include:
header(); setcookie(); session_id(); setrawcookie();
HTTP response splitting usually occurs in:
Location header: user data is written into the redirect URL
Set-Cookie header: user data is written into cookies
Example:
<?php
// Vulnerable: the user-supplied "page" parameter is written into the header unchanged
header("Location: " . $_GET['page']);
?>
Request
GET /location.php?page=http://www.00aq.com HTTP/1.1
Host: localhost
Return
HTTP/1.1 302 Found
Date: Wed, 13 Jan 2010 03:44:24 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Location: http://www.00aq.com
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Access the following link and a login window will appear.
http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%20158%0d%0a%0d%0a
Convert to a readable string:
Content-Type: text/html
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 158
An HTTP request generates two responses.
Defense methods:
1) Replace the CRLF line break characters
<?php
// Remove every CR and LF from the user-supplied value before it reaches the header
header("Location: " . strtr($_GET['page'], array("\r"=>"", "\n"=>"")));
?>
2) Use the latest PHP version.
In the latest PHP version, line breaks are no longer allowed in the HTTP header.
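The defense above, extended to reject the request instead of silently stripping characters and to cover both the Location and Set-Cookie headers. This is an added example, not code from the original page; the function names are hypothetical, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the original page; the function names are hypothetical.
// Assumes PHP 7.1+ and input already URL-decoded, as PHP delivers it in $_GET.

// True if the value holds CR, LF, NUL or any other control character.
function has_control_chars(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 1;
}

// Build a Location header line, or return null so the caller can refuse the request.
function build_location_header(string $target): ?string
{
    if ($target === '' || has_control_chars($target)) {
        return null;
    }
    return 'Location: ' . $target;
}

// Build a Set-Cookie header line. The value is percent-encoded, so CR and LF
// become the harmless text %0D%0A; the name must be a plain token.
function build_cookie_header(string $name, string $value): ?string
{
    if (preg_match('/^[A-Za-z0-9_]+\z/', $name) !== 1) {
        return null;
    }
    return 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
}

// Constructed sample inputs.
$samples = [
    'http://www.00aq.com',
    "\r\nContent-Type: text/html\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 158\r\n\r\n",
    "index.php\nSet-Cookie: sid=1",
];
foreach ($samples as $page) {
    $line = build_location_header($page);
    if ($line === null) {
        // In a web request: http_response_code(400); exit;
        echo 'REJECTED ' . json_encode($page) . PHP_EOL;
    } else {
        // In a web request: header($line);
        echo 'OK       ' . $line . PHP_EOL;
    }
}
echo build_cookie_header('lang', "en\r\nSet-Cookie: admin=1") . PHP_EOL;
```

Run from the command line, only the first sample is accepted, and the cookie line is printed as a single line with the line breaks encoded.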
Hide the HTTP Response Header
In Apache, in httpd.conf: ServerTokens Prod, ServerSignature Off
In PHP, in php.ini: expose_php = Off