
Cross Site Request Forgery

HTTP
HyperText Transfer Protocol

Intro – HTTP, Client, Server
Web applications make use of the internet and the HyperText Transfer Protocol (HTTP) to communicate with other programs.
The most common form of web-based application is a web browser using HTTP to communicate with a web server.
For example, when you type a URL of the form http://www.somewhere.com/index.html
in real life index.html is a file stored on some computer.
Server – the computer that your browser eventually gets connected to, and which delivers this document.
Client – the computer that you are running your browser binary on, and which you are directly interacting with.
More on the client-server model: (link)

Brief look at HTTP
A user on the client machine types a URL → an HTTP request is generated
A TCP connection is made to the host, usually on port 80
The server listening on port 80 → receives a string detailing the request, plus a request body
There are eight different types of request (HTTP methods):
GET HEAD POST PUT DELETE TRACE CONNECT OPTIONS
You will only need to make use of two of these, GET and POST.

Typing a URL into a browser or clicking an href link
OR
Submission of form data

The <form> tag in HTML, through its method attribute, can generate different kinds of HTTP requests. The example form below has two input boxes:

Username:
Password:

and, with method set to GET, submitting it produces a GET HTTP request.

HTTP request
An HTTP request takes the form:
   METHOD URL HTTP/version
   Host: target-host
   [other headers]
   [blank line]
   [contents]
Example of a GET request string
GET /pages/My%20First%20Webpage HTTP/1.1
Host: www.somewhere.com
Connection: Keep-Alive
User-Agent: Mozilla/4.0 ( compatible; MSIE 4.01; Windows NT)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg

Note: spaces in a URL are percent-encoded (space = %20), so My First Webpage is sent as My%20First%20Webpage.

HTTP response
When a server program which knows how to handle HTTP requests receives one, it should generate an HTTP response.
HTTP is what is known as a stateless protocol → each subsequent request from the same client is independent of the first; any notion of a session has to be built on top of it by the application.
HTTP responses take the form
   HTTP/version status-code status-text
   [headers]
   [blank line]
   [content]
where the status-code is a numerical code from a list of pre-defined responses:
200 OK – the request succeeded and the result is attached
404 Not Found – the requested URL doesn't exist
301 Moved Permanently / 302 Found (Moved Temporarily)
303 See Other – the resource has moved; the new location is given in the Location header
500 Internal Server Error – unexpected server error, usually a bug in the server code

A typical example response string
HTTP/1.1 200 OK
Date: Fri, 31 Dec 1999 23:59:59 GMT
Content-Type: text/html
Content-Length: 1354


Is anyone still awake?

I’m an example response message, get me out of here!


Again, these HTTP responses are generated for us by server applications, so we don't need to write them by hand.

THE HTTP GET METHOD

The GET method is most appropriate for requesting services that query the server but do not change its state in any way,
for example looking up a person's telephone number in a server database without editing or updating that number.

The URL in the request below requests a file in the cgi-bin directory, which indicates to an HTTP server that an application is to be executed. The program being requested is called CheckLogin, and the parameters being passed follow in the URL after the ?.

GET /cgi-bin/CheckLogin?username=julianr&password=banana HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 ( compatible; MSIE 4.01; Windows NT)
Host: www.somewhere.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg

Note that a login handled this way puts the password in the URL, where it is recorded in browser history and in proxy and server access logs, and can leak to other sites through the Referer header; sensitive parameters belong in a POST body.

How did the attribute/value pairs get into the URL?
You can type them, or modify them, in the browser's location box.
A form whose method attribute is set to GET will generate parameters from the name attributes of its input boxes.

Username:
Password:

HTTP Post method
HTTP POST requests complement GET requests: they are designed for applications which need to send information to the server, as opposed to querying it.
Uses
Whenever there is information to be changed at the server.
Whenever there is too much data for a URL: browsers and servers only accept URLs of a restricted length.
POST does not use the URL to pass parameters like GET does; the parameters travel in the request body.

Typical POST request

POST /cgi-bin/MyProgram HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)
Host: www.somewhere.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

name=julianr&password=green%20bananas
--------
Header information ends at the blank line: this signals the end of the POST request header and the beginning of the body (the Content-Length header gives the body's length in bytes; the body above is 37 bytes).
The parameters to be passed are part of this body.
Unlike the GET method, POST is not expected to be safe or idempotent: it can modify data on the server, and it is not required to be repeatable.
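The two request shapes above, built and parsed end to end, as an added example that is not part of the original slides. build_request does what a <form> does on submission: with method GET it encodes the input names and values into the query string (spaces as %20, as in the examples), with POST it encodes them into a form body and sets Content-Length. parse_request does the server's job of splitting the request line, the headers, the blank line and the body, and rejects the malformed cases a server must refuse. The function names, the is_safe helper and the constructed SAMPLE_POST (the slides' POST example re-typed with its real body length) are the example's own; only the Python standard library is used.

```python
# Added example (not from the original slides): build and parse the HTTP/1.1
# request formats shown above. Function names and the sample requests are the
# example's own choices; only the standard library is used.
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

CRLF = "\r\n"
FORM = "application/x-www-form-urlencoded"


def build_request(method, path, host, params=None, extra_headers=None):
    """Serialise a request as a browser would for a <form>. GET puts params in
    the query string (space -> %20); POST puts them in a form-encoded body and
    adds Content-Type and Content-Length."""
    method = method.upper()
    headers = {"Host": host, **(extra_headers or {})}
    body = ""
    if params:
        encoded = urlencode(params, quote_via=quote)  # quote, not quote_plus: %20 not +
        if method == "GET":
            path = f"{path}?{encoded}"
        else:
            body = encoded
            headers["Content-Type"] = FORM
            headers["Content-Length"] = str(len(body.encode("utf-8")))
    head = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return CRLF.join(head) + CRLF + CRLF + body  # the blank line ends the headers


def parse_request(raw):
    """Split raw request text into method, path, version, headers and params.
    Raises ValueError for the cases a server must reject: headers not ended by
    a blank line, a malformed request line or header, a missing Host header on
    HTTP/1.1, or a body whose length does not match Content-Length."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("headers not terminated by a blank line")
    request_line, *header_lines = head.split(CRLF)
    try:
        method, target, version = request_line.split(" ")
    except ValueError:
        raise ValueError(f"malformed request line: {request_line!r}") from None
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    url = urlsplit(target)
    params = {k: v[-1] for k, v in parse_qs(url.query).items()}  # GET: parameters in the URL
    if "content-length" in headers:
        declared = int(headers["content-length"])
        actual = len(body.encode("utf-8"))
        if declared != actual:
            raise ValueError(f"Content-Length {declared} != body length {actual}")
        if headers.get("content-type", "").startswith(FORM):  # POST: parameters in the body
            params.update({k: v[-1] for k, v in parse_qs(body).items()})
    return {"method": method, "path": unquote(url.path), "version": version,
            "headers": headers, "params": params}


def is_safe(method):
    """Methods that must not change server state (the RFC 7231 'safe' methods)."""
    return method.upper() in {"GET", "HEAD", "OPTIONS", "TRACE"}


# Constructed sample: the slides' POST example re-typed, with the body's real
# length (37 bytes) in Content-Length.
SAMPLE_POST = (
    "POST /cgi-bin/MyProgram HTTP/1.1" + CRLF
    + "User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)" + CRLF
    + "Host: www.somewhere.com" + CRLF
    + "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*" + CRLF
    + "Content-Type: " + FORM + CRLF
    + "Content-Length: 37" + CRLF + CRLF
    + "name=julianr&password=green%20bananas"
)

if __name__ == "__main__":
    get = build_request("GET", "/cgi-bin/CheckLogin", "www.somewhere.com",
                        {"username": "julianr", "password": "banana"})
    print(get)
    print(parse_request(get)["params"])
    print(parse_request(SAMPLE_POST)["params"])
    print("POST is safe:", is_safe("POST"))
```

Running the block prints the CheckLogin GET request exactly as it appears on the slide, then the parameters recovered from it and from the POST body. Feeding parse_request a request whose Content-Length does not match the body (the slide's original 39 against a 37-byte body) raises ValueError, which is the behaviour you want at a server boundary: a mismatched length means the request framing is wrong, not that you should guess where the body ends.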