
HTTP and Fiddler Dandan Shi Technical Advisor. Conditions and Terms of Use Microsoft Confidential...

Date post: 06-Jan-2018
Upload: muriel-hancock

HTTP and Fiddler

Dandan Shi, Technical Advisor


Conditions and Terms of Use

Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.

The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks © 2013 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/

Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows Vista®, Zune®, Xbox 360®, DirectX®, Windows Server® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.


Agenda

• HTTP Request and Response
• HTTP Secure
• Fiddler
• Demo


HTTP

The HTTP protocol is a request/response protocol.

An HTTP client initiates a request by establishing a Transmission Control Protocol (TCP) connection to a particular port on a server (typically port 80, occasionally port 8080).

An HTTP server listening on that port waits for a client's request message.


Request Message

The request message consists of the following:

• A request line, for example GET /images/logo.png HTTP/1.1, which requests a resource called /images/logo.png from the server.

• Request header fields, such as Host: portal.office.com

• An empty line.

• An optional message body.

The request line and other header fields must each end with <CR><LF>.


Request Methods

GET: Requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect.

POST: Requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI.

HEAD: Asks for the response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.


Request Methods (Continued)

DELETE: Deletes the specified resource.

CONNECT: Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.

PUT: Requests that the enclosed entity be stored under the supplied URI. If the URI refers to an already existing resource, it is modified; if the URI does not point to an existing resource, then the server can create the resource with that URI.


Request Methods (Continued)

OPTIONS: Returns the HTTP methods that the server supports for the specified URL. This can be used to check the functionality of a web server by requesting '*' instead of a specific resource.

TRACE: Echoes back the received request so that a client can see what (if any) changes or additions have been made by intermediate servers.

HTTP servers are required to implement at least the GET and HEAD methods and, whenever possible, also the OPTIONS method.


Response Message

The response message consists of the following:

• A Status-Line, which includes the status code and reason message (for example HTTP/1.1 200 OK, which indicates that the client's request succeeded).

• Response header fields, such as Content-Type: text/html

• An empty line.

• An optional message body.

The Status-Line and other header fields must all end with <CR><LF>.
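
The request and response layouts described above, as an added example that is not part of the original slides: a strict parser that splits a raw message into start line, header fields and body, and maps a status code to its class. The names parse_message, STATUS_CLASSES and the two sample messages are assumptions, constructed from lines shown on the slides.

```python
# Added example (not from the slides): parse an HTTP/1.x message by its structure.
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}

def parse_message(raw: bytes) -> dict:
    """Split a raw request or response into start line, header fields and body."""
    # The empty line is CRLF CRLF; a message using bare LF is rejected.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line (CRLF CRLF) after the header fields")
    start, *field_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in field_lines:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        # Field names are case-insensitive and may repeat, so keep a list.
        headers.setdefault(name.lower(), []).append(value.strip())
    parts = start.split(" ", 2)
    if parts[0].startswith("HTTP/"):
        # Status-Line: version, status code, reason message.
        if len(parts) < 2 or not parts[1].isdigit() or len(parts[1]) != 3:
            raise ValueError(f"malformed Status-Line: {start!r}")
        code = int(parts[1])
        msg = {"kind": "response", "version": parts[0], "status": code,
               "reason": parts[2] if len(parts) == 3 else "",
               "status_class": STATUS_CLASSES.get(code // 100, "Unknown")}
    else:
        # Request line: method, request target, version.
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            raise ValueError(f"malformed request line: {start!r}")
        msg = {"kind": "request", "method": parts[0], "target": parts[1],
               "version": parts[2]}
    msg["headers"], msg["body"] = headers, body
    return msg

# Constructed samples built from the example lines on the slides.
SAMPLE_REQUEST = (b"GET /images/logo.png HTTP/1.1\r\n"
                  b"Host: portal.office.com\r\n"
                  b"\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://isoftwareservice.sharepoint.com/_layouts/15/Authenticate.aspx?Source=%2F\r\n"
                   b"Content-Type: text/html\r\n"
                   b"\r\n"
                   b"<html><body>Object moved</body></html>")

if __name__ == "__main__":
    for sample in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(parse_message(sample))
```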


Response Status Code

1xx Informational: Request received, continuing process.

2xx Success: This class of status codes indicates the action requested by the client was received, understood, accepted and processed successfully.

• 200 OK: Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request the response will contain an entity describing or containing the result of the action.


Response Status Code (Continued)

3xx Redirection: This class of status code indicates the client must take additional action to complete the request. Many of these status codes are used in URL redirection.

• 301 Moved Permanently: This and all future requests should be directed to the given URI.

• 302 Found: The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily").


Response Status Code (Continued)

4xx Client Error: The 4xx class of status code is intended for cases in which the client seems to have errored.

• 400 Bad Request: The server cannot or will not process the request due to something that is perceived to be a client error.

• 401 Unauthorized: Authentication is required and has failed or has not yet been provided.


Response Status Code (Continued)

• 403 Forbidden: The request was a valid request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference.

• 404 Not Found: The requested resource could not be found but may be available again in the future. Subsequent requests by the client are permissible.


Response Status Code (Continued)

5xx Server Error: The server failed to fulfil an apparently valid request.

• 500 Internal Server Error: A generic error message, given when an unexpected condition was encountered and no more specific message is suitable.

• 502 Bad Gateway: The server was acting as a gateway or proxy and received an invalid response from the upstream server.


Example Session

Client Request

GET https://isoftwareservice.sharepoint.com/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://isoftwareservice-my.sharepoint.com/personal/dandanshi_isoftwareservice_onmicrosoft_com/Social/Sites.aspx
Accept-Language: en-US,en;q=0.8,zh-Hans-CN;q=0.5,zh-Hans;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: isoftwareservice.sharepoint.com
DNT: 1
Connection: Keep-Alive
Cookie: rtFa=IeHEEfanCK2CnJrGq2ioa6nXcuYfIEjtSbTTuUvzzdtUFHUI9d85l5it/kH/7/1rMkZXX/NxR8gQE5RReKH0XzXocfBCvr+FsaISxL9530HfvfxzC/zoVgQrp6kM4BTyVio8kwRqkoTaIYGUXBQAXGnmZVlzb6pav+O6uQNU2J0zS/udL0FmTN0R+UoB73r6a8LRYVMd06NpGYMF8hpt5KUSZhtI/mScSwEPb8U1jBN10LFb+U9faI47fRfspaPsK0RxO3laSlL5nBUS6mOHES8kzLZmGiUhLf64pE+xDbMb1Y5gIfb0LSaH3ngnJnjQUu3IQRhL4AaymXSfhMMC0Pm55dfTPwWJXikwkjXZ5nZ9EsNBNoaEfuzQKtoNQJwkIAAAAA==


Example Session (Continued)

Server Response

HTTP/1.1 302 Found
Location: https://isoftwareservice.sharepoint.com/_layouts/15/Authenticate.aspx?Source=%2F
Server: Microsoft-IIS/7.5
X-SharePointHealthScore: 0
SPRequestGuid: ee81c69c-908f-1000-9b72-ff155e8ade6a
request-id: ee81c69c-908f-1000-9b72-ff155e8ade6a
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 16.0.0.3403
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Date: Tue, 28 Oct 2014 08:49:28 GMT
Content-Length: 197

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://isoftwareservice.sharepoint.com/_layouts/15/Authenticate.aspx?Source=%2F">here</a>.</h2></body></html>


HTTP Secure

Technically, HTTPS is not a protocol in and of itself; rather, it is the result of layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications.

HTTPS URLs begin with "https://" and use port 443 by default, whereas HTTP URLs begin with "http://" and use port 80 by default.

HTTPS is intended to provide:

1. A reasonable guarantee that one is communicating with precisely the website that one intended to communicate with (as opposed to an imposter).

2. Assurance that the contents of communications between the user and site cannot be read or forged by any third party.


HTTPS Process


Fiddler

Fiddler is an HTTP proxy running on port 8888 on your local PC. WinINET-based applications should automatically use Fiddler while it's running and the "Capture Traffic" box is checked on the Fiddler File menu.

You can configure any application that accepts an HTTP proxy to run through Fiddler so you can debug its traffic.
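
What a proxy-aware client sends first to an HTTP proxy such as the one on port 8888 described above, as an added example that is not from the slides or the Fiddler documentation: an absolute-URL request for http:// and a CONNECT tunnel request for https://. The function names first_message_to_proxy and visible_without_decryption and the sample URLs are assumptions; IPv6 and non-ASCII host names are out of scope.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # default ports as stated on the slides

def first_message_to_proxy(url: str) -> bytes:
    """Return the first message a proxy-aware client sends to an HTTP proxy."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = u.port or DEFAULT_PORTS[u.scheme]
    if u.scheme == "https":
        # HTTPS: ask the proxy for a TCP tunnel to host:port. The TLS handshake
        # and the real request line and headers then travel inside that tunnel.
        authority = f"{u.hostname}:{port}"
        msg = f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n"
    else:
        # Plain HTTP: the request itself goes to the proxy, with the absolute
        # URL as the request target so the proxy knows where to forward it.
        host = u.hostname if port == 80 else f"{u.hostname}:{port}"
        target = f"http://{host}{u.path or '/'}" + (f"?{u.query}" if u.query else "")
        msg = f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n"
    return msg.encode("ascii")

def visible_without_decryption(url: str) -> dict:
    """What a proxy that only relays bytes can read from that first message."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    seen = {"host": u.hostname, "port": u.port or DEFAULT_PORTS[u.scheme]}
    if u.scheme == "http":
        # Without TLS the path and query string are readable as well.
        seen["path"] = u.path or "/"
        seen["query"] = u.query
    return seen

if __name__ == "__main__":
    # Constructed sample URLs using host names that appear on the slides.
    for url in ("http://portal.office.com/images/logo.png",
                "https://isoftwareservice.sharepoint.com/_layouts/15/Authenticate.aspx?Source=%2F"):
        print(first_message_to_proxy(url).decode("ascii"))
        print(visible_without_decryption(url))
```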


Fiddler Demo

1. Configuration

2. Observation

DIY - http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureFiddler


Resources

Hypertext Transfer Protocol -- HTTP/1.1
http://www.w3.org/Protocols/rfc2616/rfc2616.html

Hypertext Transfer Protocol
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

HTTP Secure
http://en.wikipedia.org/wiki/HTTP_Secure

Fiddler
http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureFiddler


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION

