Hidden Features in HTTP

I have explored weird corners of HTTP — malformed requests that try to trick a site admin into clicking spam links in 404 logs, an API that responds to POST but not GET, and more. In this talk I’ll walk you through those (using Python, netcat, and other tools you might have lying around the house).

Takeaway: Attendees will learn about HTTP/1.1 verbs, headers, response codes, and capabilities they did not know of before, with use cases, example code, and jokes. They will walk away feeling more capable of using more of the HTTP feature set and with a greater understanding of the underlying design of the protocol.

Crash course in HTTP, covering the structure of request and response messages (start-line, headers, and body)

Methods

  • Popular methods (“verbs”) GET and POST
  • The inelegance of overloading POST
  • DELETE and PUT, with diagrams and Python 2 code examples of implementation
  • How HEAD saves time all around, with a demonstration using IPython speed profiling

Headers

  • Popular and well-known headers such as Content-Type, and call-and-response header pairs such as Last-Modified and If-Modified-Since/If-Unmodified-Since
  • The From header and absurd ideas for using it
  • Why and how we use Host, and the difference between HTTP and DNS
  • Two loopholes in emergent behavior from misuse of the Host header
  • How and whether you should define your own header, with a netcat example

Response codes

  • The five divisions of response codes
  • The distinction between the code and the reason-phrase
  • Gone and 451 Unavailable for Legal Reasons
  • A set of inexplicable or incomprehensible or otherwise wrong HTTP responses found in the wild
  • Python 3 code to change reason-phrases in responses

More features to investigate, and next steps to learn more