Security Testing 简明教程
Security Testing - HTTP Protocol Basics
理解协议对于充分掌握安全测试非常重要。当我们在 Web 服务器和客户端之间截取数据包时,您将能够体会到协议的重要性。
Understanding the protocol is very important to get a good grasp on security testing. You will be able to appreciate the importance of the protocol when we intercept the packet data between the webserver and the client.
HTTP Protocol
超文本传输协议 (HTTP) 是用于分布式、协作式、超媒体信息系统的应用程序级协议。它自 1990 年以来一直是万维网数据通信的基础。HTTP 是一个通用无状态协议,还可以使用其请求方法、错误代码和标头的扩展用于其他目的。
The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. This is the foundation for data communication for the World Wide Web since 1990. HTTP is a generic and stateless protocol which can be used for other purposes as well using extension of its request methods, error codes, and headers.
基本上,HTTP 是一个基于 TCP/IP 的通信协议,用于通过 Web 传输诸如 HTML 文件、图像文件、查询结果等数据。它为计算机之间通信提供了一种标准化方式。HTTP 规范指定了如何将客户端请求的数据发送到服务器,以及服务器如何响应这些请求。
Basically, HTTP is a TCP/IP based communication protocol, which is used to deliver data such as HTML files, image files, query results etc. over the web. It provides a standardized way for computers to communicate with each other. HTTP specification specifies how clients’ requested data are sent to the server, and how servers respond to these requests.
Basic Features
以下三个基本特性使 HTTP 成为一个简单但功能强大的协议 −
There are following three basic features which make HTTP a simple yet powerful protocol −
-
HTTP is connectionless − The HTTP client, i.e., the browser initiates an HTTP request. After making a request, the client disconnects from the server and waits for a response. The server processes the request and re-establishes the connection with the client to send the response back.
-
HTTP is media independent − Any type of data can be sent by HTTP as long as both the client and server know how to handle the data content. This is required for client as well as server to specify the content type using appropriate MIME-type.
-
HTTP is stateless − HTTP is a connectionless and this is a direct result that HTTP is a stateless protocol. The server and client are aware of each other only during a current request. Afterwards, both of them forget about each other. Due to this nature of the protocol, neither the client nor the browser can retain information between different requests across the web pages.
HTTP/1.0 为每次请求/响应交换使用一个新连接,而 HTTP/1.1 连接可能用于一个或多个请求/响应交换。
HTTP/1.0 uses a new connection for each request/response exchange whereas HTTP/1.1 connection may be used for one or more request/response exchanges.
Architecture
下图显示了一个 Web 应用程序非常基础的架构,并描述了 HTTP 所在的位置 −
The following diagram shows a very basic architecture of a web application and depicts where HTTP resides −
HTTP 协议是一个基于客户端/服务器架构的请求/响应协议,其中网络浏览器、机器人和搜索引擎等充当 HTTP 客户端,而网络服务器充当服务器。
The HTTP protocol is a request/response protocol based on the client/server architecture where web browser, robots, and search engines etc. act as HTTP clients and the web server acts as a server.
-
Client − The HTTP client sends a request to the server in the form of a request method, URI, and protocol version, followed by a MIME-like message containing request modifiers, client information, and possible body content over a TCP/IP connection.
-
Server − The HTTP server responds with a status line, including the protocol version of the message and a success or error code, followed by a MIME-like message containing server information, entity meta information, and possible entity-body content.
HTTP – Disadvantages
-
HTTP is not a completely secured protocol.
-
HTTP uses port 80 as default port for communication.
-
HTTP operates at the application Layer. It needs to create multiple connections for data transfer, which increases administration overheads.
-
No encryption/digital certificates are required for using HTTP.