Friday, January 14, 2011

HTTP Methods

HTTP offers a number of methods that can be used to perform actions on the web server. These HTTP methods can be used for various purposes.
The HTTP methods are:


* GET :- The GET method means retrieve whatever information (in the form of an entity) is identified by the Request-URI.

* HEAD :- The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response. This method is often used for testing hypertext links for validity, accessibility, and recent modification.

* POST :- The POST method is used to request that the origin server accepts the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. POST is designed to allow a uniform method to cover the following functions:

* DELETE :- This method allows a client to delete a file on the web server.

* PUT :- This method allows a client to upload new files on the web server.

* CONNECT :- This method could allow a client to use the web server as a proxy.

* TRACE :- This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing, which was discovered by Jeremiah Grossman.

* OPTIONS :- The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval.

Responses to this method are not cacheable.
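To audit what a server advertises, the Allow header of an OPTIONS response can be parsed and compared against the method descriptions above. The following is an added example, not code from the original post; the sample response is constructed, and the choice of which methods to flag for review is this example's assumption based on those descriptions.

```python
from __future__ import annotations
from email.parser import BytesParser

# Capability notes taken from the method descriptions in the list above.
# Flagging exactly these four methods is an assumption of this example.
REVIEW = {
    "PUT": "client can upload new files",
    "DELETE": "client can delete files",
    "CONNECT": "server may be usable as a proxy",
    "TRACE": "request is echoed back (Cross Site Tracing)",
}

# Constructed OPTIONS response, embedded so the example runs offline.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    b"allow: put\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def parse_allow(raw: bytes) -> set[str]:
    """Return the upper-cased methods advertised in the Allow header(s)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    if not status_line.startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    methods: set[str] = set()
    # Header names are case-insensitive and the header may be repeated.
    for value in headers.get_all("Allow", []):
        methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods

def findings(raw: bytes) -> dict[str, str]:
    """Map each advertised method that needs review to the reason why."""
    allowed = parse_allow(raw)
    return {m: why for m, why in REVIEW.items() if m in allowed}

if __name__ == "__main__":
    for method, why in findings(SAMPLE).items():
        print(f"{method}: {why}")
```

The Allow header only reports what the server advertises, so a method missing from it may still be accepted and should be confirmed against the server configuration.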

Some methods are really harmful for a web application, as they allow an attacker to modify the files stored on the web server and, in some scenarios, steal the credentials of legitimate users. More specifically, the methods that should be disabled are the following:

