encoding a POST request - http

I want to encode a URL such that it sends a POST request to a server. Is that possible? And if so, how? I have searched around and mostly found that appending parameters to a URL only sends them as parameters for a GET request. Is there a way to do that for a POST request?
Basically, I am trying to implement a CSRF (not for malicious but testing purposes) and I want to be able to send a POST request to a server by encoding my URL.

GET and POST are HTTP methods. In GET the request parameters are taken as query string in the request URL. In POST the request parameters are taken as query string in the request body.
So you need to instruct whatever tool you're using to pass the parameters through the request body instead of the request URL, along with an HTTP method of POST instead of (usually the default) GET.
Either way, the parameters just need to be URL encoded anyway. There's no difference for POST or GET, unless you're setting the content encoding to multipart/form-data instead of (usually the default) application/x-www-form-urlencoded.
If you give more details about what programming language and/or library and/or framework you're using, then we may be able to give a more detailed answer on how to invoke an HTTP POST request.
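What this answer describes, as an added example that is not code from the post: the same URL-encoded parameters serialized once as a GET request and once as a POST, then read back from the place a server looks for each method. The host, path, parameter values and the helpers `buildRequest` and `parseParams` are made up for illustration.

```javascript
// Added example: identical parameters sent as GET (in the URL) and as POST (in the body).
// Host, path and parameter values are constructed for illustration.

// Serialize a request as the HTTP/1.1 text that goes on the wire.
function buildRequest(method, url, params) {
  const target = new URL(url);
  const encoded = new URLSearchParams(params).toString(); // URL-encodes names and values
  const headers = [`Host: ${target.host}`];
  let body = '';
  if (method === 'GET') {
    // GET: the encoded parameters become the query string of the request target.
    target.search = encoded;
  } else {
    // POST: same encoding, but carried in the body and described by headers.
    body = encoded;
    headers.push('Content-Type: application/x-www-form-urlencoded');
    headers.push(`Content-Length: ${Buffer.byteLength(body)}`);
  }
  const requestLine = `${method} ${target.pathname}${target.search} HTTP/1.1`;
  return [requestLine, ...headers, '', body].join('\r\n');
}

// Read the parameters back the way a server does: from the URL for GET,
// from the body for a form-encoded POST.
function parseParams(raw) {
  const [head, body = ''] = raw.split('\r\n\r\n');
  const [requestLine, ...headerLines] = head.split('\r\n');
  const [method, requestTarget] = requestLine.split(' ');
  const headers = Object.fromEntries(headerLines.map((line) => {
    const i = line.indexOf(':');
    return [line.slice(0, i).toLowerCase(), line.slice(i + 1).trim()];
  }));
  const query = requestTarget.includes('?') ? requestTarget.split('?')[1] : '';
  const contentType = headers['content-type'] || '';
  const formBody = contentType.startsWith('application/x-www-form-urlencoded');
  const source = method === 'POST' && formBody ? body : query;
  return { method, params: Object.fromEntries(new URLSearchParams(source)) };
}

const sample = { name: 'Jane Doe', note: 'a&b=c' }; // constructed values
const asGet = buildRequest('GET', 'http://www.example.com/submit', sample);
const asPost = buildRequest('POST', 'http://www.example.com/submit', sample);
console.log(asGet);
console.log(asPost);
```

The method appears only in the request line, which is why no amount of URL encoding can turn a link into a POST.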

No.
The method is not part of the URL. You'd have to make the request in such a way that it uses the POST method.
You didn't mention any details, but if it's from inside a document in the browser, you can either use a form:
<FORM action="someUrl.htm" method="post">
You can make a link that will send the form by JavaScript:
<form action="http://www.example.com/?param=value" method="post" id="someForm">
  <a href="#" onclick="document.getElementById('someForm').submit(); return false;">link</a>
</form>
or an XMLHttpRequest with JavaScript:
var xhr = new XMLHttpRequest();
xhr.open("POST", url);
...

Related

HTTP Requests, body vs param vs headers vs data

I am new to HTTP requests (GET, POST, PUT, ETC.) and I am having some issues understanding the "anatomy" of these procedures.
What exactly is the difference between the body and the data? Are they the same thing? Or are headers the same thing as the param? When authentication takes place, are the username and password params or headers or does it vary from API to API? Any help is greatly appreciated. Are there any tutorials or reads you recommend to better understand how to deal with HTTP requests?
Thank you!
Based on this article and some points from others, you can find out about the differences between HTTP headers, HTTP parameters, and also the body:
Header:
meta data about the request
HTTP Headers are NOT part of the URL
if it's information about the request or about the client, then the header is appropriate
headers are hidden to end-users
globally data
restrict DoS attacks by detecting authorisation in its header, because a header can be accessed before the body is downloaded
Param:
the query params are within the URL
like this "tag=networking&order=newest"
if it's the content of the request itself, then it's a parameter
The product id and requested image size are examples of "some detail" (or parameter) being supplied as part of the content of a request
parameters can be seen by end-users (query parameters) on URL
Body:
data of business logic
important information
unlike body, proxy servers are allowed to modify headers
data in specific kinds of requests
you can pass token by body as encoding & decoding in servers
For a full and correct understanding of these questions, RFC2616, recommended by Remy Lebeau, is worth reading.
What exactly is the difference between the body and the data?
If you are reading some blog, the body (HTTP body) is used to transfer data (probably in JSON format). The body carries data; put another way, you get data from the body.
Are they the same thing?
So they are not the same at all.
Or are headers the same thing as the param?
Header (HTTP header) is related to body, they are part of the HTTP message.
As for param, it usually refers to an HTTP request param, which usually looks like the part following the question mark:
url?paramName=paramValue&paramTwo=Value2
When authentication takes place, are the username and password params
or headers or does it vary from API to API?
They vary for different APIs, normally not in param, probably in the body of a POST request.
Again, starting from RFC2616 would be a good choice.
Data is not an HTTP-specific term. Data can be anything.
A 'parameter' is also not an HTTP-specific term. Many web frameworks might consider parameters everything behind the ? in a URL, but this is not an absolute truth.
Usernames and passwords sometimes appear in the request body, sometimes in headers. In web applications they typically are in the request body, but certain types of authentication systems place them in the Authorization header.

Is it possible to verify whether the GET came from a button or typed in URL bar?

I'm wondering if I can detect whether some webpage was reached by a link (button, link, redirect, ...) or by typing in the URL bar.
I'm using Clojure for web programming, and I wish I could block the access to some page when the request came from a "typed URL".
Right now I am encoding the URLs so the user can't have access to the "real" URL.
Thanks in advance.
Short answer is no. Your approach is correct.
And with a bit of skill one can also send arbitrary HTTP requests, GET or POST, modifying cookies, headers and the body of the request, so if this is about security, your approach to use encrypted data seems the only one possible to ensure that the URL is not tampered with or manually typed.
The HTTP Referer header can also be faked, the same as a URL parameter. There is no more security in using an HTTP header or a URL-encoded parameter.
Courtesy of Wikipedia:
The HTTP referer (originally a misspelling of referrer) is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested. By checking the referrer, the new webpage can see where the request originated.
I assume you can access the HTTP header fields. If the user were to type in the URL into the address bar, there would be no HTTP referer.
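The first answer's point, that Referer and every other request field are client-controlled so the URL itself has to be tamper-evident, as an added example that is not from the thread. It uses an HMAC tag (a signature rather than the encryption mentioned above) bound to a session and an expiry time; the secret, paths, session ids and the helpers `tagFor`, `signUrl` and `verifyUrl` are assumptions made up for illustration.

```javascript
// Added example, not from the thread. An HMAC tag (a signature, not encryption)
// lets the server recognise links it issued itself.
const crypto = require('node:crypto');

// Assumption: a server-side secret that never reaches the client (constructed value).
const SECRET = Buffer.from('constructed-demo-secret');

// The tag covers the path, the expiry time and the session the link was issued to.
function tagFor(path, expires, sessionId) {
  return crypto.createHmac('sha256', SECRET)
    .update(JSON.stringify([path, expires, sessionId]))
    .digest('hex');
}

// Build a link for one session that stays valid for ttlSeconds.
function signUrl(path, sessionId, ttlSeconds, now = Date.now()) {
  const expires = Math.floor(now / 1000) + ttlSeconds;
  return `${path}?expires=${expires}&sig=${tagFor(path, expires, sessionId)}`;
}

// Check an incoming request target. Referer is never consulted: the client sets it.
function verifyUrl(requestTarget, sessionId, now = Date.now()) {
  const url = new URL(requestTarget, 'http://placeholder.invalid');
  const expires = Number(url.searchParams.get('expires'));
  if (!Number.isInteger(expires) || expires < Math.floor(now / 1000)) return false;
  const expected = Buffer.from(tagFor(url.pathname, expires, sessionId), 'hex');
  const given = Buffer.from(url.searchParams.get('sig') || '', 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

const issuedAt = 1700000000000; // constructed timestamp in milliseconds
const link = signUrl('/reports/42', 'session-A', 60, issuedAt);
console.log(link);
console.log(verifyUrl(link, 'session-A', issuedAt));            // link as issued
console.log(verifyUrl(link.replace('/reports/42', '/reports/43'), 'session-A', issuedAt)); // edited path
console.log(verifyUrl('/reports/42', 'session-A', issuedAt));   // bare URL typed by hand
```

A valid tag shows that the server issued the link to that session; it does not show how the browser navigated to it, so a user can still paste a link they were given.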

How to request PUT, POST methods on Django rest framework

I've been working with Django REST framework. I have not managed to make a PUT or a POST with JSON; I could only make a POST with the form in the Django REST framework web interface.
How can I make a PUT or POST call from an app?
It's not about Django. All the other HTTP methods except GET, e.g. PUT, POST, DELETE etc., require a form to simulate. Because when the HTTP request is made, the request needs to mention what type of request it is. When you enter a URL in the browser address bar, it's always GET. You can write a form and modify its method attribute to say if it's PUT, POST etc. Another way to request those methods is to use an HTTP library like requests or simple JavaScript:
var xmlhttp;

// Send one request per HTTP method to the same URL.
function test() {
    execute('GET', 'http://server.com/testServer.php');
    execute('POST', 'http://server.com/testServer.php');
    execute('PUT', 'http://server.com/testServer.php');
    execute('DELETE', 'http://server.com/testServer.php');
}

// Open an asynchronous request with the given method and send it with no body.
function execute($method, $url) {
    xmlhttp = new XMLHttpRequest();
    xmlhttp.open($method, $url, true);
    xmlhttp.send(null);
}
You can read this question for more details. JS snippet taken from here.

Url Not Working in My Webservice

I am calling a web service which takes two parameters, like category and salt, and then provides the JSON output with a constructed URL, but the URL is not working. PFA URL.
Service Url:
http://qalisting.corelogic.com/ChaseListingServices/v1.5/test
constructed URL: http://qalisting.corelogic.com/ChaseListingServices/v1.5/listings/search/test/0/4e9c00b32794edfeba257aa0c74f500b
Looking at the error message on your constructed URL, the Service needs to be called using a POST and not a GET Request.
Responding to your comments: it's not the URL which is the problem but how it is called. When you follow a link, such as the one you posted - the browser sends it as a GET request. The service is expecting the JSON arguments as part of the "body" of a POST request. This must be done programmatically.

GET or POST when reading request body

Should I use the GET or POST method when sending information to a server in the body of the HTTP request? There are no query parameters appended to the URL, the server will inspect the body of the request for what it needs.
GET extracts parameters from the request URL. POST extracts parameters from the request body.
So you need POST.
A nice description and interesting discussion on the topic:
http://thinkvitamin.com/code/the-definitive-guide-to-get-vs-post/
POST should be used if you are not planning on using the query string.
