Download to read offline
![@brainwane
A spam story
My 404 logs (Drupal admin console):
TYPE page not found
DATE Thursday, October 9, 2014 - 10:46
USER Anonymous (not verified)
LOCATION http://myphishingsite.biz/http://myphishingsite.biz
REFERRER
MESSAGE ttp://myphishingsite.biz
SEVERITY warning
HOSTNAME [IP address]](https://image.slidesharecdn.com/hidden-features-in-http-gwo-2016-160418182657/85/Hidden-Features-in-HTTP-92-320.jpg)
![@brainwane
A spam story
My 404 logs (Drupal admin console):
TYPE page not found
DATE Thursday, October 9, 2014 - 10:46
USER Anonymous (not verified)
LOCATION http://myphishingsite.biz/http://myphishingsite.biz
REFERRER
MESSAGE ttp://myphishingsite.biz
SEVERITY warning
HOSTNAME [IP address]](https://image.slidesharecdn.com/hidden-features-in-http-gwo-2016-160418182657/85/Hidden-Features-in-HTTP-93-320.jpg)
![@brainwane
A spam story
My access logs:
[IP address]
[09/Oct/2014:10:46:09 0400]
"GET http://myphishingsite.biz
HTTP/1.1" 404 7574 "" [UserAgent]](https://image.slidesharecdn.com/hidden-features-in-http-gwo-2016-160418182657/85/Hidden-Features-in-HTTP-94-320.jpg)
![@brainwane
A spam story
Legit mistakes would look like:
[IP address]
[09/Oct/2014:10:46:09 0400]
"GET /http://berkeley.edu HTTP/1.1"
404 7574 "" [UserAgent]](https://image.slidesharecdn.com/hidden-features-in-http-gwo-2016-160418182657/85/Hidden-Features-in-HTTP-95-320.jpg)
![@brainwane
Heard of these?
● 410 Gone
It was here, but now it’s not.
● 304 Not Modified
You said, ‘GET this, if it’s been modified since
[date]’. It hasn’t been.](https://image.slidesharecdn.com/hidden-features-in-http-gwo-2016-160418182657/85/Hidden-Features-in-HTTP-110-320.jpg)
![@brainwane
WTF responses
Code: 732
Reason:
http://www.[hostname].com/intro/copyright.php](https://image.slidesharecdn.com/hidden-features-in-http-gwo-2016-160418182657/85/Hidden-Features-in-HTTP-132-320.jpg)
Uploaded byGreat Wide Open
Hidden Features in HTTP
The document discusses the functionalities and features of HTTP (Hypertext Transfer Protocol), emphasizing various methods such as GET, POST, PUT, DELETE, PATCH, and OPTIONS, along with their use cases and implications. It highlights common mistakes and bad practices in implementation, such as using POST incorrectly or mismanaging header information, as well as the significance of status codes in HTTP responses. The author also shares insights into underutilized methods and encourages further exploration of the protocol's capabilities, along with resources for deeper understanding.
More Related Content
Hidden Features in HTTP
- 1. Hidden Features inHTTP by Sumana Harihareswara @brainwane Changeset Consulting
- 2. HTTP Can DoThat?! A collection of bad ideas by Sumana Harihareswara @brainwane Changeset Consulting
- 3.
- 4. @brainwane Diagrams! – Internet EngineeringTask Force (IETF) RFC 7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
- 5.
- 6.
- 7.
- 8. @brainwane An HTTP Message (Requestor Response) START-LINE HTTP version (1.1) Request method (GET, POST) Response status code (200, 404, 500)
- 9. @brainwane An HTTP Message (Requestor Response) HEADERS ContentType ContentLength …... START-LINE HTTP version (1.1) Request method (GET, POST) Response status code (200, 404, 500)
- 10. @brainwane An HTTP Message (Requestor Response) HEADERS ContentType ContentLength …... BODY START-LINE HTTP version (1.1) Request method (GET, POST) Response status code (200, 404, 500)
- 11.
- 12.
- 13. @brainwane ● GET gimme ● POST here you go Popularrequest methods (“verbs”)
- 14. @brainwane First bad idea: POSTbut not GET more: https://github.com/brainwane/secureapi
- 15. @brainwane POST but notGET: use cases letters to Santa Claus
- 16. @brainwane POST but notGET: use cases employee suggestion box
- 17. @brainwane POST but notGET: use cases extremely moderated blog comments
- 18.
- 19.
- 20.
- 21.
- 22. @brainwane Giving client noway to GET – bad idea
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40. @brainwane I thought POSTmeant “here you go” Wait
- 41. @brainwane So what isPOST, anyway? The standard says it means: “Above our pay grade; take this to the boss” a.k.a. Overloaded POST
- 42. @brainwane So what isPOST, anyway? Often, we use it for: “Create a new item in this set” a.k.a. POST-to-append
- 43.
- 44. @brainwane PUT vs. POST PUT /cards/5 Body: Means: “Putthis picture at /cards/5 .” POST /cards/5 Body: Means: “Tell the webapp that this picture applies to /cards/5 somehow – figure it out.”
- 45. @brainwane “CRUD” & HTTPverbs Create PUT Read GET Delete DELETE Update PUT
- 46.
- 47. @brainwane ● PATCH update just partof this document/resource More underused methods
- 48.
- 49. @brainwane ● PATCH update just partof this document/resource ● OPTIONS ask what verbs the client’s allowed to use (for a specific path, or server-wide) More underused methods
- 50.
- 51. @brainwane HEAD like GET, butjust for metadata A super-cool method
- 52. @brainwane GET vs. HEAD Request: GET / HTTP/1.1 Response: ●Start-line ● Headers ● Body Request: HEAD / HTTP/1.1 Response: ● Start-line ● Headers
- 53.
- 54.
- 55.
- 56. @brainwane You don’t needthe body to check: Does it exist? Do I have permission to GET it? ContentLength LastModified ContentType ETag RetryAfter
- 57.
- 58.
- 59. @brainwane Popular headers include: ContentType ContentLength Alsoknown as MIME or Mime
- 60.
- 61.
- 62.
- 63.
- 64.
- 65.
- 66.
- 67. @brainwane An unpopular header From Theemail address of the person making the request
- 68. @brainwane Uses for From Reallybad auth
- 69. @brainwane Uses for From “Yes,I saw your site launch”
- 70. @brainwane Uses for From Codedmessages meant for network surveillor
- 71.
- 72. @brainwane Another spy trick “Eachheader field consists of a case-insensitive field name followed by a colon (":")...” So: vary the case of the headers you send!!! – Internet Engineering Task Force (IETF) RFC 7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
- 73. @brainwane Header casing as secretinfo channel – bad idea
- 74.
- 75. @brainwane A required header Host requiredin request messages
- 76.
- 77. @brainwane Host & pathwork together
- 78. @brainwane Host & pathwork together
- 79. @brainwane Host & pathwork together
- 80. @brainwane Host & pathwork together
- 81. @brainwane A popular header Host (wait– why do we need to repeat this? It's in the URL! right?)
- 82. @brainwane How Host helps HTTP isseparate from the Domain Name System
- 83. @brainwane How Host helps Host helpsroute requests among different domains that sit on the same server
- 84. @brainwane Examples of virtualhosts www.debian.org
- 85. @brainwane Examples of virtualhosts bugs.debian.org
- 86. @brainwane Examples of virtualhosts lists.debian.org
- 87. @brainwane Examples of virtualhosts wiki.debian.org
- 88.
- 89.
- 90.
- 91.
- 92. @brainwane A spam story My404 logs (Drupal admin console): TYPE page not found DATE Thursday, October 9, 2014 - 10:46 USER Anonymous (not verified) LOCATION http://myphishingsite.biz/http://myphishingsite.biz REFERRER MESSAGE ttp://myphishingsite.biz SEVERITY warning HOSTNAME [IP address]
- 93. @brainwane A spam story My404 logs (Drupal admin console): TYPE page not found DATE Thursday, October 9, 2014 - 10:46 USER Anonymous (not verified) LOCATION http://myphishingsite.biz/http://myphishingsite.biz REFERRER MESSAGE ttp://myphishingsite.biz SEVERITY warning HOSTNAME [IP address]
- 94. @brainwane A spam story Myaccess logs: [IP address] [09/Oct/2014:10:46:09 0400] "GET http://myphishingsite.biz HTTP/1.1" 404 7574 "" [UserAgent]
- 95. @brainwane A spam story Legitmistakes would look like: [IP address] [09/Oct/2014:10:46:09 0400] "GET /http://berkeley.edu HTTP/1.1" 404 7574 "" [UserAgent]
- 96. @brainwane A spam story Intentionallymalform your request! $ netcat myhostname.tld 80 GET http://spam.com HTTP/1.1 Host: spam.com
- 97. @brainwane A spam story Intentionallymalform your request! $ netcat myhostname.tld 80 GET /viagrabitcoin HTTP/1.1 Host: spam.com
- 98.
- 99. @brainwane Define your ownheader! “Header fields are fully extensible: there is no limit on the introduction of new field names, each presumably defining new semantics, nor on the number of header fields used in a given message.” -(RFC 7230)
- 100. @brainwane Define your ownheader! Xblahblahblah
- 101. @brainwane Define your ownheader! XClacksOverhead: GNU Terry Pratchett
- 102. @brainwane Define your ownheader!
- 103. @brainwane Define your ownheader!
- 104. @brainwane Define your ownheader!
- 105. @brainwane Define your ownheader!
- 106. @brainwane Defining your ownheaders – good idea?
- 107. @brainwane Status codes 100 &101: Informational 2xx: Successful 3xx: Redirection 4xx: Client error 5xx: Server error
- 108. @brainwane Status (response) codes 404Not Found Code Reason-phrase
- 109. @brainwane Status (response) codes “Aclient SHOULD ignore the reason-phrase content.”
- 110. @brainwane Heard of these? ●410 Gone It was here, but now it’s not. ● 304 Not Modified You said, ‘GET this, if it’s been modified since [date]’. It hasn’t been.
- 111. @brainwane 451 Unavailable For Legal Reasons Server is legallyrequired to reject client’s request
- 112. @brainwane 451 Unavailable For Legal Reasons Can’t let yousee that; it’s censored.
- 113. @brainwane 451 Unavailable For Legal Reasons “This is considereda client-side error even though the request is well formed and the legal requirement exists on the server side. After all, that representation was censored for a reason. There must be something wrong with you, citizen.” -RESTful Web APIs, Leonard Richardson & Mike Amundsen
- 114.
- 115.
- 116. @brainwane WTF responses All ofthese were found in the wild
- 117. @brainwane WTF responses Code: 126 Reason:Incorrect key file for table '/tmp/mysqltmp/#sql_13fb_2.MYI'; try to repair it SQL=SHOW FULL COLUMNS FROM `y4dnu_extensions`
- 118. @brainwane WTF responses Code: 301 Reason:explicit_header_response_code
- 119. @brainwane WTF responses Code: 403 Reason:You've got to ask yourself one question: Do I feel lucky?
- 120. @brainwane WTF responses Code: 403 Reason:can't put wasabi in bed
- 121. @brainwane WTF responses Code: 404 Reason:HTTP/1.1 404
- 122. @brainwane WTF responses Code: 404 Reason:Not Found"); ?><?php Header("cache- Control: no-store, no-cache, must-revalidate
- 123.
- 124. @brainwane WTF responses Code: 404 Reason:Apple WebObjects
- 125.
- 126. @brainwane WTF responses Code: 434 Reason:HTTP/1.1 434
- 127. @brainwane WTF responses Code: 451 Reason:Unknown Reason-Phrase
- 128. @brainwane WTF responses Code: 503 Reason:Backend is unhealthy
- 129. @brainwane WTF responses Code: 520 Reason:Origin Error
- 130. @brainwane WTF responses Code: 525 Reason:Origin SSL Handshake Error
- 131. @brainwane WTF responses Code: 533 Reason:mtd::http: Unknown: Banned
- 132.
- 133. @brainwane WTF responses Code: 999 Reason:Request denied
- 134. @brainwane Changing Reason-phrases more athttps://gitlab.com/brainwane/http-can-do-that/
- 135.
- 136.
- 137. @brainwane Bespoke status codes/reasons– good idea?
- 138. @brainwane There’s so muchmore ● “Don’t cache this” ● Pragma – pass instructions to server/client ● CONNECT, TRACE, LINK, & UNLINK methods ● 409 Conflict ● Look-before-you-leap requests ● Resources at HTTPS vs. HTTP URLs can differ ● “q” and preference ranking in the Accept header ● Content-Disposition (e.g. “attachment”)
- 139. @brainwane The feeling ofpower The sense of wonder
- 140. @brainwane What might theweb have been? What might it still be?
- 141. @brainwane Read & play ●RFCs 7230-7235 ● netcat, wget, netstat, telnet ● basic HTTP servers (in your favorite language) ● https://gitlab.com/brainwane/http-can-do- that/
- 142. @brainwane Thanks Leonard Richardson Greg Hendershott ZackWeinberg The Recurse Center Clay Hallock Paul Tagliamonte Open Source Bridge Julia Evans, Allison Kaptur, Amy Hanlon, and Katie Silverio
- 143.