在关于web应用程序安全的思考(序)中我曾提到﹕web应用程序的安全不应该依赖于客户端的请求信息 。
众所周知﹐http协议是开放的﹐因此谁都能向网络上公开的web服务器发送request请求﹐要求一个 URL(Uniform Resource Locator 统一资源定位符)。
所谓request﹐不过是符合http协议(即遵守http请求语法)的一大段字符串而已﹕
下面是一个aspx的请求示例﹕
GET /FrameWorkService/TestRequest.aspx HTTP/1.1
Connection: Keep- Alive
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-tw
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
UA-CPU: x86
下面是一个web service的请求示例﹕
POST /testwssecurity/service2.asmx HTTP/1.1
Content-Length: 288
Content-Type: text/xml; charset=utf-8
Expect: 100-continue
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.42)
SOAPAction: "http://tempuri.org/HelloWorld"
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><HelloWorld xmlns="http://tempuri.org/" /></soap:Body></soap:Envelope>
相信大家基本上能理解上述字符串的意义。这表明我们只要组织类似的字符串﹐然后发往相应的web服 务器﹐就可以请求到某个URL了﹐也就是说web请求不依赖浏览器(其实web也不依赖服务器﹐它只依赖http 协议)。
下面的这个程序是C#写的通过socket直接向web服务器发送http请求的示例﹕
1using System;
2using System.Text;
3using System.IO;
4using System.Net;
5using System.Net.Sockets;
6
7public class server
8{
9 //建立socket連接
10 private static Socket ConnectSocket(string server, int port)
11 {
12 Socket s = null;
13 IPHostEntry hostEntry = null;
14 hostEntry = Dns.GetHostEntry(server);
15 foreach (IPAddress address in hostEntry.AddressList)
16 {
17 IPEndPoint ipe = new IPEndPoint(address, port);
18 Socket tempSocket =
19 new Socket(ipe.AddressFamily, SocketType.Stream, ProtocolType.Tcp);
20 tempSocket.Connect(ipe);
21 if (tempSocket.Connected)
22 {
23 s = tempSocket;
24 break;
25 }
26 else
27 {
28 continue;
29 }
30 }
31 Console.WriteLine(s==null?"":"連接建立成功﹗");
32 return s;
33 }
34
35 //發送request請求并返回響應字串
36 private static string SocketSendReceive(string request,string server, int port)
37 {
38 Byte[] bytesSent = Encoding.ASCII.GetBytes(request);
39 Byte[] bytesReceived = new Byte[256];
40 Socket s = ConnectSocket(server, port);
41 if (s == null)
42 return ("連接失敗﹗");
43 Console.WriteLine("正在發送請求");
44 s.Send(bytesSent, bytesSent.Length, 0);
45 int bytes = 0;
46 StringBuilder responsestr = new StringBuilder();
47 Console.WriteLine("正在接收web服務器的回應");
48 do
49 {
50 bytes = s.Receive(bytesReceived, bytesReceived.Length, 0);
51 responsestr.Append(Encoding.UTF8.GetString(bytesReceived, 0, bytes));
52 }
53 while (bytes > 0);
54 return responsestr.ToString();
55 }
56
57 //獲取Request請求字符串
58 private static string getRequestStr()
59 {
60 StringBuilder sb = new StringBuilder();
61 sb.Append("GET /FrameWorkService/TestRequest.aspx?name=zkw&age=24
HTTP/1.1\r\n");
62 sb.Append("Host: localhost\r\n");
63 sb.Append("Accept: */*\r\n");
64 sb.Append("Accept-Encoding: gzip, deflate\r\n");
65 sb.Append("Accept-Language: zh-tw\r\n");
66 sb.Append("User-Agent: Mozilla/8.0 (compatible; MSIE 7.0; Windows NT 5.2;
.NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n");
67 sb.Append("UA-CPU: x86\r\n");
68 sb.Append("Cookie: ASP.NET_SessionId=g5vz3k55q4dhgy3dvmm3dj4x\r\n");
69 sb.Append("Connection: Close\r\n\r\n");
70 return sb.ToString();
71 }
72
73 public static void Main(string[] args)
74 {
75 string requeststr = getRequestStr();
76 Console.WriteLine("請求字串如下﹕\n{0}",requeststr);
77 string result = SocketSendReceive(requeststr,"localhost",80);
78 Console.WriteLine(result);
79 Console.ReadLine();
80 }
81}
以上是小编为您精心准备的的内容,在的博客、问答、公众号、人物、课程等栏目也有的相关内容,欢迎继续使用右上角搜索按钮进行搜索web
, string
, 字符串
, append
, console
, WriteLine
100-continue
web应用程序开发技术、web应用程序、web应用程序开发、web应用程序设计、asp.net web应用程序,以便于您获取更多的相关知识。