When I left off (Hacking HTTP via GET; part the first) with this subject, I demonstrated the basics of “hacking” via modifying parameters on a GET method.
But what of methods? And why GET? and what else is there?
A method is the subroutine (or function or procedure or whichever semantic construct you prefer) which is bound to an object (or class); and is executed (or performed) whenever an instance (copy) of an object is encountered. Or so sayeth the oracle of the Wikipedia.
In the case of the web, wherein we are in a stateless protocol (that is, there is no implicit memory of what came before), the protocol itself defines a group of “methods” – or actions to be taken.
The currently-defined (HTTP 1.1; RFC 2616) methods are: GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT. For our purposes, the methods of particular interest are GET and POST.
Why GET? Because it’s the basic, easiest-to-comprehend (and generally program) method when data needs passing from the client to the server. When you go to a web page such as the homepage of this blog, your browser sends a GET request with a parameter of “/” (root, or whatever is aliased to root).
GET has an attribute(/feature/flaw) of displaying all the parameters requested as part of the URI.
It’s this behavior that makes it possible to “hack” via the GET – the parameters are exposed, and thus changeable before the request is sent. It’s also this behavior which makes GET the most popular way to send parameters – it’s much easier to debug! And there is a deeper more technical reason as well; buffering on the server side is handled by the web-server software, not the applications program.
POST is the other method for sending data; the authors of HTTP 1.1 thought most forms would be handled via POST requests. POST hides the data being sent – and is capable of handling much larger objects than is GET. But it is significantly more trouble to program for a POST method, and debugging is a bit more “interesting” as well.
Of the other methods, HEAD is widely used – it requests and receives header and meta-information about a resource, and is often issued by browsers simply to check if the server version is newer than the locally-cached version.
PUT and DELETE are the precursor methods to WebDAV (web-basd distributed authoring and versioning) but are rarely encountered; TRACE is a debugging method and CONNECT deals with proxy tunneling.