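In "Thoughts on Web Application Security (Preface)" I mentioned that the security of a web application should not depend on the information in client requests.
As is well known, HTTP is an open protocol, so anyone can send a request to a web server exposed on the network and ask for a URL (Uniform Resource Locator).
A so-called request is nothing more than a long string that conforms to the HTTP protocol (that is, follows the HTTP request syntax):
Below is an example request for an aspx page: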
GET /FrameWorkService/TestRequest.aspx HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-tw
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
UA-CPU: x86
Below is an example web service request:
POST /testwssecurity/service2.asmx HTTP/1.1
Content-Length: 288
Content-Type: text/xml; charset=utf-8
Expect: 100-continue
Host: localhost
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.42)
SOAPAction: "http://tempuri.org/HelloWorld"

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><HelloWorld xmlns="http://tempuri.org/" /></soap:Body></soap:Envelope>
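I trust everyone can basically understand what the strings above mean. They show that as long as we assemble a similar string and send it to the corresponding web server, we can request a URL. In other words, a web request does not depend on a browser (in fact the web does not depend on the server either; it depends only on the HTTP protocol).
The following program, written in C#, is an example of sending an HTTP request directly to a web server over a socket: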
using System;
using System.Text;
using System.IO;
using System.Net;
using System.Net.Sockets;

public class server
{
    // Establish the socket connection
    private static Socket ConnectSocket(string server, int port)
    {
        Socket s = null;
        IPHostEntry hostEntry = Dns.GetHostEntry(server);
        foreach (IPAddress address in hostEntry.AddressList)
        {
            IPEndPoint ipe = new IPEndPoint(address, port);
            Socket tempSocket =
                new Socket(ipe.AddressFamily, SocketType.Stream, ProtocolType.Tcp);
            try
            {
                tempSocket.Connect(ipe);
            }
            catch (SocketException)
            {
                // This address refused the connection; try the next one
                tempSocket.Close();
                continue;
            }
            if (tempSocket.Connected)
            {
                s = tempSocket;
                break;
            }
        }
        Console.WriteLine(s==null?"":"連接建立成功﹗");
        return s;
    }

    // Send the request and return the response string
    private static string SocketSendReceive(string request, string server, int port)
    {
        Byte[] bytesSent = Encoding.ASCII.GetBytes(request);
        Byte[] bytesReceived = new Byte[256];
        Socket s = ConnectSocket(server, port);
        if (s == null)
            return ("連接失敗﹗");
        Console.WriteLine("正在發送請求");
        s.Send(bytesSent, bytesSent.Length, 0);
        int bytes = 0;
        // Collect the raw bytes first so that a multi-byte UTF-8 character
        // split across two 256-byte reads is still decoded correctly
        MemoryStream response = new MemoryStream();
        Console.WriteLine("正在接收web服務器的回應");
        do
        {
            bytes = s.Receive(bytesReceived, bytesReceived.Length, 0);
            response.Write(bytesReceived, 0, bytes);
        }
        while (bytes > 0);
        s.Close();
        return Encoding.UTF8.GetString(response.ToArray());
    }

    // Build the request string
    private static string getRequestStr()
    {
        StringBuilder sb = new StringBuilder();
        sb.Append("GET /FrameWorkService/TestRequest.aspx?name=zkw&age=24 HTTP/1.1\r\n");
        sb.Append("Host: localhost\r\n");
        sb.Append("Accept: */*\r\n");
        sb.Append("Accept-Encoding: gzip, deflate\r\n");
        sb.Append("Accept-Language: zh-tw\r\n");
        sb.Append("User-Agent: Mozilla/8.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n");
        sb.Append("UA-CPU: x86\r\n");
        sb.Append("Cookie: ASP.NET_SessionId=g5vz3k55q4dhgy3dvmm3dj4x\r\n");
        sb.Append("Connection: Close\r\n\r\n");
        return sb.ToString();
    }

    public static void Main(string[] args)
    {
        string requeststr = getRequestStr();
        Console.WriteLine("請求字串如下﹕\n{0}", requeststr);
        string result = SocketSendReceive(requeststr, "localhost", 80);
        Console.WriteLine(result);
        Console.ReadLine();
    }
}
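
The server-side consequence of the point above, as an added example that is not part of the original article: because any program can send the request string, the server has to validate every value itself and cannot treat headers such as User-Agent as evidence of a real browser. The class name `RequestCheck`, the allow-list for `name` and the upper bound of 150 for `age` are assumptions chosen for illustration, and the sample requests are constructed from the request line used in the program above.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.RegularExpressions;

public static class RequestCheck
{
    // Allow-list for "name" (assumed policy); \A and \z anchor the whole value
    private static readonly Regex NameRule = new Regex(@"\A[A-Za-z0-9_]{1,32}\z");

    // Extract the query parameters from a request line: METHOD TARGET VERSION
    private static Dictionary<string, string> ParseQuery(string requestLine)
    {
        var result = new Dictionary<string, string>();
        string[] parts = requestLine.Split(' ');
        if (parts.Length != 3) return result;
        int q = parts[1].IndexOf('?');
        if (q < 0) return result;
        foreach (string pair in parts[1].Substring(q + 1).Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0)
                result[Uri.UnescapeDataString(pair.Substring(0, eq))] =
                    Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        return result;
    }

    // Server-side check: every value is validated, nothing the client sent is trusted
    public static string Validate(string rawRequest)
    {
        string requestLine = rawRequest.Split(new[] { "\r\n" }, StringSplitOptions.None)[0];
        Dictionary<string, string> query = ParseQuery(requestLine);
        string name, ageText; int age;
        if (!query.TryGetValue("name", out name) || !NameRule.IsMatch(name))
            return "rejected: name";
        // NumberStyles.None accepts digits only: no sign, whitespace or separators
        if (!query.TryGetValue("age", out ageText) || age_invalid(ageText, out age))
            return "rejected: age";
        return "accepted: name=" + name + ", age=" + age;
    }

    private static bool age_invalid(string text, out int age)
    {
        return !int.TryParse(text, NumberStyles.None, CultureInfo.InvariantCulture, out age)
            || age > 150;
    }

    public static void Main()
    {
        // Constructed sample requests; the User-Agent value is never consulted
        string prefix = "GET /FrameWorkService/TestRequest.aspx?";
        string rest = " HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/8.0\r\n\r\n";
        foreach (string q in new[] { "name=zkw&age=24", "name=zkw&age=-1", "name=zkw" })
            Console.WriteLine(Validate(prefix + q + rest));
    }
}
```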