Example of a Mischievous Client


HTTP is a pretty simple protocol. If you want to see what actually happens, you can telnet to a WWW server and talk to it yourself, which is often useful for debugging a misbehaving server. However, some servers, and some of the CGI scripts they run, don't check their input carefully. It may be possible to compromise such a server by accident, by mistyping an HTTP command, or deliberately, by constructing improper HTTP commands. The simplest HTTP command is GET. An example of telnetting to a server and issuing a GET request is:


telnet> open www.slac.stanford.edu 80
Connected to www.slac.stanford.edu.
Escape character is '^]'.
telnet> GET /~cottrell/cgi-form HTTP/1.0

HTTP/1.0 200 Document follows
MIME-Version: 1.0
Server: CERN/3.0
Date: Tuesday, 21-Mar-95 18:22:52 GMT
Content-Type: text/plain
Content-Length: 408
Last-Modified: Sunday, 19-Mar-95 01:53:28 GMT

/* ************************************ */
/* Input from a form comes in the form: */ 
/* name1=value1&name2=value2. Here we   */                               
/* decode the input into an array of    */
/* names and values.                    */
/* ************************************ */
DO I=1 BY 1 UNTIL Input=''
   PARSE VAR Input Name.I'='Value.I'&'Input
END I
Connection closed.

telnet> 
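
Whatever a client types in a session like the one above reaches the server and its CGI scripts unchanged. As an added example (not code from the original page or from its author), here is one way a script could check a request line and name1=value1&name2=value2 form input before using it. It is written in Python rather than the page's REXX, and the size limit, field-name rule, printable-ASCII rule and function names are assumptions.

```python
import re

MAX_INPUT = 2048                      # assumed cap on the raw form input
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")          # assumed field-name rule
REQUEST_RE = re.compile(r"(GET|HEAD|POST) (/[\x21-\x7e]*) HTTP/1\.[01]")
HEX_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


class BadInput(ValueError):
    """Raised for any input the script refuses to process."""


def check_request_line(line):
    """Accept only 'METHOD /path HTTP/1.x'; return (method, path)."""
    m = REQUEST_RE.fullmatch(line.rstrip("\r\n"))
    if m is None:
        raise BadInput("malformed request line")
    return m.group(1), m.group(2)


def decode_value(raw):
    """Undo form encoding ('+' and %XX); allow printable ASCII only."""
    if re.search(r"%(?![0-9A-Fa-f]{2})", raw):
        raise BadInput("bad percent escape")
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw.replace("+", " "))
    if any(not 0x20 <= ord(c) <= 0x7E for c in text):
        raise BadInput("non-printable character in value")
    return text


def parse_form(data):
    """Decode name1=value1&name2=value2 into a dict, rejecting anything odd."""
    if len(data) > MAX_INPUT:
        raise BadInput("input too long")
    fields = {}
    for pair in data.split("&") if data else []:
        name, sep, value = pair.partition("=")
        if not sep or NAME_RE.fullmatch(name) is None:
            raise BadInput("bad field: %r" % pair[:40])
        if name in fields:
            raise BadInput("duplicate field: " + name)
        fields[name] = decode_value(value)
    return fields


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real server log.
    print(check_request_line("GET /~cottrell/cgi-form HTTP/1.0\r\n"))
    print(parse_form("name1=value1&name2=hello+world%21"))
```

Unlike the PARSE loop shown in the server's reply, this refuses a pair with no '=', a repeated name, a broken %XX escape or an encoded control character instead of silently storing it.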

Les Cottrell 24 Apr 1995