Chapter 3  ■ Web Application Technologies

request. It can also sometimes be used as part of an attack against other

application users (see Chapter 12).

■■

OPTIONS — 

This method asks the server to report the HTTP methods

that are available for a particular resource. The server will typically

return a response containing an 

Allow

header that lists the available

methods.

■■

PUT — 

This method attempts to upload the specified resource to the

server, using the content contained in the body of the request. If this

method is enabled, then you may be able to leverage it to attack the

application; for example, by uploading an arbitrary script and execut-

ing this on the server.

Many other HTTP methods exist that are not directly relevant to attacking

web applications. However, a web server may expose itself to attack if certain

dangerous methods are available. See Chapter 17 for further details on these

and examples of using them in an attack.

URLs

A uniform resource locator (URL) is a unique identifier for a web resource, via

which that resource can be retrieved. The format of most URLs is as follows:

protocol://hostname[:port]/[path/]file[?param=value]

Several components in this scheme are optional, and the port number is nor-

mally only included if it diverges from the default used by the relevant proto-

col. The URL used to generate the HTTP request shown earlier is:

http://wahh-app.comm/books/search.asp?q=wahh

In addition to this absolute form, URLs may be specified relative to a partic-

ular host, or relative to a particular path on that host, for example:

/books/search.asp?q=wahh

search.asp?q=wahh

These relative forms are often used in web pages to describe navigation

within the web site or application itself.

Download 5,76 Mb.

Do'stlaringiz bilan baham: