HTTP and Fiddler Dandan Shi Technical Advisor
Conditions and Terms of Use Microsoft Confidential This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited. The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred. Copyright and Trademarks © 2013 Microsoft Corporation. All rights reserved. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. For more information, see Use of Microsoft Copyrighted Content at Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows Vista®, Zune®, Xbox 360®, DirectX®, Windows Server® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Agenda 3 HTTP Request and Response HTTP Secure Fiddler Demo
HTTP 4 The HTTP protocol is a request/response protocol. An HTTP client initiates a request by establishing a Transmission Control Protocol (TCP) connection to a particular port on a server (typically port 80, occasionally port 8080). An HTTP server listening on that port waits for a client's request message.
Request Message 5 The request message consists of the following: A request line, for example GET /images/logo.png HTTP/1.1, which requests a resource called /images/logo.png from the server. Request header fields, such as Host: portal.office.com An empty line. An optional message body. The request line and other header fields must each end with.
Request Methods 6 GET Requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect. POST Requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI. HEAD Asks for the response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta- information written in response headers, without having to transport the entire content.
Request Methods (Continued) 7 DELETE Deletes the specified resource. CONNECT Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy. PUT Requests that the enclosed entity be stored under the supplied URI. If the URI refers to an already existing resource, it is modified; if the URI does not point to an existing resource, then the server can create the resource with that URI. DELETE Deletes the specified resource.
Request Methods (Continued) 8 OPTIONS Returns the HTTP methods that the server supports for the specified URL. This can be used to check the functionality of a web server by requesting '*' instead of a specific resource. TRACE Echoes back the received request so that a client can see what (if any) changes or additions have been made by intermediate servers. HTTP servers are required to implement at least the GET and HEAD methods[19] and, whenever possible, also the OPTIONS method. DELETE Deletes the specified resource.
Response Message 9 The response message consists of the following: A Status-Line, which include the status code and reason message. (e.g., HTTP/ OK, which indicates that the client's request succeeded) Response header fields, such as Content-Type: text/html An empty line An optional message body The Status-Line and other header fields must all end with.
Response Status Code 10 1xxx Informational Request received, continuing process. 2xxx Success This class of status codes indicates the action requested by the client was received, understood, accepted and processed successfully. 200 OK Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request the response will contain an entity describing or containing the result of the action.
Response Status Code (Continued) 11 3xx Redirection This class of status code indicates the client must take additional action to complete the request. Many of these status codes are used in URL redirection. 301 Moved Permanently This and all future requests should be directed to the given URI. 302 Found The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily").
Response Status Code (Continued) 12 4xx Client Error The 4xx class of status code is intended for cases in which the client seems to have errored. 400 Bad Request The server cannot or will not process the request due to something that is perceived to be a client error. 401 Unauthorized Authentication is required and has failed or has not yet been provided.
Response Status Code (Continued) Forbidden The request was a valid request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference. 404 Not Found The requested resource could not be found but may be available again in the future. Subsequent requests by the client are permissible.
Response Status Code (Continued) 14 5xx Server Error The server failed to fulfil an apparently valid request. 500 Internal Server Error A generic error message, given when an unexpected condition was encountered and no more specific message is suitable. 502 Bad Gateway The server was acting as a gateway or proxy and received an invalid response from the upstream server.
Example Session 15 Client Request GET HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: my.sharepoint.com/personal/dandanshi_isoftwareservice_onmicrosoft_com/Social/Sites.aspx Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: isoftwareservice.sharepoint.com DNT: 1 Connection: Keep-Alive Cookie: rtFa=IeHEEfanCK2CnJrGq2ioa6nXcuYfIEjtSbTTuUvzzdtUFHUI9d85l5it/kH/7/1rMkZXX/NxR8gQE5 RReKH0XzXocfBCvr+FsaISxL9530HfvfxzC/zoVgQrp6kM4BTyVio8kwRqkoTaIYGUXBQAXGnmZVlz b6pav+O6uQNU2J0zS/udL0FmTN0R+UoB73r6a8LRYVMd06NpGYMF8hpt5KUSZhtI/mScSwEPb8 U1jBN10LFb+U9faI47fRfspaPsK0RxO3laSlL5nBUS6mOHES8kzLZmGiUhLf64pE+xDbMb1Y5gIfb0 LSaH3ngnJnjQUu3IQRhL4AaymXSfhMMC0Pm55dfTPwWJXikwkjXZ5nZ9EsNBNoaEfuzQKtoNQJ wkIAAAAA==
Example Session (Continued) 16 Server Response HTTP/ Found Location: Server: Microsoft-IIS/7.5 X-SharePointHealthScore: 0 SPRequestGuid: ee81c69c-908f b72-ff155e8ade6a request-id: ee81c69c-908f b72-ff155e8ade6a X-Powered-By: ASP.NET MicrosoftSharePointTeamServices: X-Content-Type-Options: nosniff X-MS-InvokeApp: 1; RequireReadOnly P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Date: Tue, 28 Oct :49:28 GMT Content-Length: 197 Object moved Object moved to here.
HTTP Secure 17 Technically, it is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. HTTPS URLs begin with " and use port 443 by default, whereas HTTP URLs begin with " and use port 80 by default. 1.A reasonable guarantee that one is communicating with precisely the website that one intended to communicate with (as opposed to an imposter). 2.Ensure that the contents of communications between the user and site cannot be read or forged by any third party.
HTTPS Process 18
Fiddler 19 Fiddler is a HTTP Proxy running on port 8888 on your local PC. WinINET- based applications should automatically use Fiddler while it's running and the "Capture Traffic" box is checked on the Fiddler File menu. You can configure any application which accepts a HTTP Proxy to run through Fiddler so you can debug its traffic.
Fiddler Demo 20 1.Configuration 2.Observation DIY - Fiddler/Tasks/ConfigureFiddler
Resources 21 Hypertext Transfer Protocol -- HTTP/1.1 Hypertext Transfer Protocol HTTP Secure Fiddler
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION