2
0

TheArtOfHttpScripting 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758
  1. _ _ ____ _
  2. ___| | | | _ \| |
  3. / __| | | | |_) | |
  4. | (__| |_| | _ <| |___
  5. \___|\___/|_| \_\_____|
  6. The Art Of Scripting HTTP Requests Using Curl
  7. 1. HTTP Scripting
  8. 1.1 Background
  9. 1.2 The HTTP Protocol
  10. 1.3 See the Protocol
  11. 1.4 See the Timing
  12. 1.5 See the Response
  13. 2. URL
  14. 2.1 Spec
  15. 2.2 Host
  16. 2.3 Port number
  17. 2.4 User name and password
  18. 2.5 Path part
  19. 3. Fetch a page
  20. 3.1 GET
  21. 3.2 HEAD
  22. 3.3 Multiple URLs in a single command line
  23. 3.4 Multiple HTTP methods in a single command line
  24. 4. HTML forms
  25. 4.1 Forms explained
  26. 4.2 GET
  27. 4.3 POST
  28. 4.4 File Upload POST
  29. 4.5 Hidden Fields
  30. 4.6 Figure Out What A POST Looks Like
  31. 5. HTTP upload
  32. 5.1 PUT
  33. 6. HTTP Authentication
  34. 6.1 Basic Authentication
  35. 6.2 Other Authentication
  36. 6.3 Proxy Authentication
  37. 6.4 Hiding credentials
  38. 7. More HTTP Headers
  39. 7.1 Referer
  40. 7.2 User Agent
  41. 8. Redirects
  42. 8.1 Location header
  43. 8.2 Other redirects
  44. 9. Cookies
  45. 9.1 Cookie Basics
  46. 9.2 Cookie options
  47. 10. HTTPS
  48. 10.1 HTTPS is HTTP secure
  49. 10.2 Certificates
  50. 11. Custom Request Elements
  51. 11.1 Modify method and headers
  52. 11.2 More on changed methods
  53. 12. Web Login
  54. 12.1 Some login tricks
  55. 13. Debug
  56. 13.1 Some debug tricks
  57. 14. References
  58. 14.1 Standards
  59. 14.2 Sites
  60. ==============================================================================
  61. 1. HTTP Scripting
  62. 1.1 Background
  63. This document assumes that you're familiar with HTML and general networking.
  64. The increasing amount of applications moving to the web has made "HTTP
  65. Scripting" more frequently requested and wanted. To be able to automatically
  66. extract information from the web, to fake users, to post or upload data to
  67. web servers are all important tasks today.
  68. Curl is a command line tool for doing all sorts of URL manipulations and
  69. transfers, but this particular document will focus on how to use it when
  70. doing HTTP requests for fun and profit. I'll assume that you know how to
  71. invoke 'curl --help' or 'curl --manual' to get basic information about it.
  72. Curl is not written to do everything for you. It makes the requests, it gets
  73. the data, it sends data and it retrieves the information. You probably need
  74. to glue everything together using some kind of script language or repeated
  75. manual invokes.
  76. 1.2 The HTTP Protocol
  77. HTTP is the protocol used to fetch data from web servers. It is a very simple
  78. protocol that is built upon TCP/IP. The protocol also allows information to
  79. get sent to the server from the client using a few different methods, as will
  80. be shown here.
  81. HTTP is plain ASCII text lines being sent by the client to a server to
  82. request a particular action, and then the server replies a few text lines
  83. before the actual requested content is sent to the client.
  84. The client, curl, sends a HTTP request. The request contains a method (like
  85. GET, POST, HEAD etc), a number of request headers and sometimes a request
  86. body. The HTTP server responds with a status line (indicating if things went
  87. well), response headers and most often also a response body. The "body" part
  88. is the plain data you requested, like the actual HTML or the image etc.
  89. 1.3 See the Protocol
  90. Using curl's option --verbose (-v as a short option) will display what kind
  91. of commands curl sends to the server, as well as a few other informational
  92. texts.
  93. --verbose is the single most useful option when it comes to debug or even
  94. understand the curl<->server interaction.
  95. Sometimes even --verbose is not enough. Then --trace and --trace-ascii offer
  96. even more details as they show EVERYTHING curl sends and receives. Use it
  97. like this:
  98. curl --trace-ascii debugdump.txt http://www.example.com/
  99. 1.4 See the Timing
  100. Many times you may wonder what exactly is taking all the time, or you just
  101. want to know the amount of milliseconds between two points in a
  102. transfer. For those, and other similar situations, the --trace-time option
  103. is what you need. It'll prepend the time to each trace output line:
  104. curl --trace-ascii d.txt --trace-time http://example.com/
  105. 1.5 See the Response
  106. By default curl sends the response to stdout. You need to redirect it
  107. somewhere to avoid that, most often that is done with -o or -O.
  108. 2. URL
  109. 2.1 Spec
  110. The Uniform Resource Locator format is how you specify the address of a
  111. particular resource on the Internet. You know these, you've seen URLs like
  112. https://curl.haxx.se or https://yourbank.com a million times. RFC 3986 is the
  113. canonical spec. And yeah, the formal name is not URL, it is URI.
  114. 2.2 Host
  115. The host name is usually resolved using DNS or your /etc/hosts file to an IP
  116. address and that's what curl will communicate with. Alternatively you specify
  117. the IP address directly in the URL instead of a name.
  118. For development and other trying out situations, you can point to a different
  119. IP address for a host name than what would otherwise be used, by using curl's
  120. --resolve option:
  121. curl --resolve www.example.org:80:127.0.0.1 http://www.example.org/
  122. 2.3 Port number
  123. Each protocol curl supports operates on a default port number, be it over TCP
  124. or in some cases UDP. Normally you don't have to take that into
  125. consideration, but at times you run test servers on other ports or
  126. similar. Then you can specify the port number in the URL with a colon and a
  127. number immediately following the host name. Like when doing HTTP to port
  128. 1234:
  129. curl http://www.example.org:1234/
  130. The port number you specify in the URL is the number that the server uses to
  131. offer its services. Sometimes you may use a local proxy, and then you may
  132. need to specify that proxy's port number separately for what curl needs to
  133. connect to locally. Like when using a HTTP proxy on port 4321:
  134. curl --proxy http://proxy.example.org:4321 http://remote.example.org/
  135. 2.4 User name and password
  136. Some services are setup to require HTTP authentication and then you need to
  137. provide name and password which is then transferred to the remote site in
  138. various ways depending on the exact authentication protocol used.
  139. You can opt to either insert the user and password in the URL or you can
  140. provide them separately:
  141. curl http://user:password@example.org/
  142. or
  143. curl -u user:password http://example.org/
  144. You need to pay attention that this kind of HTTP authentication is not what
  145. is usually done and requested by user-oriented web sites these days. They
  146. tend to use forms and cookies instead.
  147. 2.5 Path part
  148. The path part is just sent off to the server to request that it sends back
  149. the associated response. The path is what is to the right side of the slash
  150. that follows the host name and possibly port number.
  151. 3. Fetch a page
  152. 3.1 GET
  153. The simplest and most common request/operation made using HTTP is to GET a
  154. URL. The URL could itself refer to a web page, an image or a file. The client
  155. issues a GET request to the server and receives the document it asked for.
  156. If you issue the command line
  157. curl https://curl.haxx.se
  158. you get a web page returned in your terminal window. The entire HTML document
  159. that that URL holds.
  160. All HTTP replies contain a set of response headers that are normally hidden,
  161. use curl's --include (-i) option to display them as well as the rest of the
  162. document.
  163. 3.2 HEAD
  164. You can ask the remote server for ONLY the headers by using the --head (-I)
  165. option which will make curl issue a HEAD request. In some special cases
  166. servers deny the HEAD method while others still work, which is a particular
  167. kind of annoyance.
  168. The HEAD method is defined and made so that the server returns the headers
  169. exactly the way it would do for a GET, but without a body. It means that you
  170. may see a Content-Length: in the response headers, but there must not be an
  171. actual body in the HEAD response.
  172. 3.3 Multiple URLs in a single command line
  173. A single curl command line may involve one or many URLs. The most common case
  174. is probably to just use one, but you can specify any amount of URLs. Yes
  175. any. No limits. You'll then get requests repeated over and over for all the
  176. given URLs.
  177. Example, send two GETs:
  178. curl http://url1.example.com http://url2.example.com
  179. If you use --data to POST to the URL, using multiple URLs means that you send
  180. that same POST to all the given URLs.
  181. Example, send two POSTs:
  182. curl --data name=curl http://url1.example.com http://url2.example.com
  183. 3.4 Multiple HTTP methods in a single command line
  184. Sometimes you need to operate on several URLs in a single command line and do
  185. different HTTP methods on each. For this, you'll enjoy the --next option. It
  186. is basically a separator that separates a bunch of options from the next. All
  187. the URLs before --next will get the same method and will get all the POST
  188. data merged into one.
  189. When curl reaches the --next on the command line, it'll sort of reset the
  190. method and the POST data and allow a new set.
  191. Perhaps this is best shown with a few examples. To send first a HEAD and then
  192. a GET:
  193. curl -I http://example.com --next http://example.com
  194. To first send a POST and then a GET:
  195. curl -d score=10 http://example.com/post.cgi --next http://example.com/results.html
  196. 4. HTML forms
  197. 4.1 Forms explained
  198. Forms are the general way a web site can present a HTML page with fields for
  199. the user to enter data in, and then press some kind of 'OK' or 'Submit'
  200. button to get that data sent to the server. The server then typically uses
  201. the posted data to decide how to act. Like using the entered words to search
  202. in a database, or to add the info in a bug tracking system, display the entered
  203. address on a map or using the info as a login-prompt verifying that the user
  204. is allowed to see what it is about to see.
  205. Of course there has to be some kind of program on the server end to receive
  206. the data you send. You cannot just invent something out of the air.
  207. 4.2 GET
  208. A GET-form uses the method GET, as specified in HTML like:
  209. <form method="GET" action="junk.cgi">
  210. <input type=text name="birthyear">
  211. <input type=submit name=press value="OK">
  212. </form>
  213. In your favorite browser, this form will appear with a text box to fill in
  214. and a press-button labeled "OK". If you fill in '1905' and press the OK
  215. button, your browser will then create a new URL to get for you. The URL will
  216. get "junk.cgi?birthyear=1905&press=OK" appended to the path part of the
  217. previous URL.
  218. If the original form was seen on the page "www.hotmail.com/when/birth.html",
  219. the second page you'll get will become
  220. "www.hotmail.com/when/junk.cgi?birthyear=1905&press=OK".
  221. Most search engines work this way.
  222. To make curl do the GET form post for you, just enter the expected created
  223. URL:
  224. curl "http://www.hotmail.com/when/junk.cgi?birthyear=1905&press=OK"
  225. 4.3 POST
  226. The GET method makes all input field names get displayed in the URL field of
  227. your browser. That's generally a good thing when you want to be able to
  228. bookmark that page with your given data, but it is an obvious disadvantage
  229. if you entered secret information in one of the fields or if there are a
  230. large amount of fields creating a very long and unreadable URL.
  231. The HTTP protocol then offers the POST method. This way the client sends the
  232. data separated from the URL and thus you won't see any of it in the URL
  233. address field.
  234. The form would look very similar to the previous one:
  235. <form method="POST" action="junk.cgi">
  236. <input type=text name="birthyear">
  237. <input type=submit name=press value=" OK ">
  238. </form>
  239. And to use curl to post this form with the same data filled in as before, we
  240. could do it like:
  241. curl --data "birthyear=1905&press=%20OK%20" \
  242. http://www.example.com/when.cgi
  243. This kind of POST will use the Content-Type
  244. application/x-www-form-urlencoded and is the most widely used POST kind.
  245. The data you send to the server MUST already be properly encoded, curl will
  246. not do that for you. For example, if you want the data to contain a space,
  247. you need to replace that space with %20 etc. Failing to comply with this
  248. will most likely cause your data to be received wrongly and messed up.
  249. Recent curl versions can in fact url-encode POST data for you, like this:
  250. curl --data-urlencode "name=I am Daniel" http://www.example.com
  251. If you repeat --data several times on the command line, curl will
  252. concatenate all the given data pieces - and put a '&' symbol between each
  253. data segment.
  254. 4.4 File Upload POST
  255. Back in late 1995 they defined an additional way to post data over HTTP. It
  256. is documented in the RFC 1867, why this method sometimes is referred to as
  257. RFC1867-posting.
  258. This method is mainly designed to better support file uploads. A form that
  259. allows a user to upload a file could be written like this in HTML:
  260. <form method="POST" enctype='multipart/form-data' action="upload.cgi">
  261. <input type=file name=upload>
  262. <input type=submit name=press value="OK">
  263. </form>
  264. This clearly shows that the Content-Type about to be sent is
  265. multipart/form-data.
  266. To post to a form like this with curl, you enter a command line like:
  267. curl --form upload=@localfilename --form press=OK [URL]
  268. 4.5 Hidden Fields
  269. A very common way for HTML based applications to pass state information
  270. between pages is to add hidden fields to the forms. Hidden fields are
  271. already filled in, they aren't displayed to the user and they get passed
  272. along just as all the other fields.
  273. A similar example form with one visible field, one hidden field and one
  274. submit button could look like:
  275. <form method="POST" action="foobar.cgi">
  276. <input type=text name="birthyear">
  277. <input type=hidden name="person" value="daniel">
  278. <input type=submit name="press" value="OK">
  279. </form>
  280. To POST this with curl, you won't have to think about if the fields are
  281. hidden or not. To curl they're all the same:
  282. curl --data "birthyear=1905&press=OK&person=daniel" [URL]
  283. 4.6 Figure Out What A POST Looks Like
  284. When you're about fill in a form and send to a server by using curl instead
  285. of a browser, you're of course very interested in sending a POST exactly the
  286. way your browser does.
  287. An easy way to get to see this, is to save the HTML page with the form on
  288. your local disk, modify the 'method' to a GET, and press the submit button
  289. (you could also change the action URL if you want to).
  290. You will then clearly see the data get appended to the URL, separated with a
  291. '?'-letter as GET forms are supposed to.
  292. 5. HTTP upload
  293. 5.1 PUT
  294. Perhaps the best way to upload data to a HTTP server is to use PUT. Then
  295. again, this of course requires that someone put a program or script on the
  296. server end that knows how to receive a HTTP PUT stream.
  297. Put a file to a HTTP server with curl:
  298. curl --upload-file uploadfile http://www.example.com/receive.cgi
  299. 6. HTTP Authentication
  300. 6.1 Basic Authentication
  301. HTTP Authentication is the ability to tell the server your username and
  302. password so that it can verify that you're allowed to do the request you're
  303. doing. The Basic authentication used in HTTP (which is the type curl uses by
  304. default) is *plain* *text* based, which means it sends username and password
  305. only slightly obfuscated, but still fully readable by anyone that sniffs on
  306. the network between you and the remote server.
  307. To tell curl to use a user and password for authentication:
  308. curl --user name:password http://www.example.com
  309. 6.2 Other Authentication
  310. The site might require a different authentication method (check the headers
  311. returned by the server), and then --ntlm, --digest, --negotiate or even
  312. --anyauth might be options that suit you.
  313. 6.3 Proxy Authentication
  314. Sometimes your HTTP access is only available through the use of a HTTP
  315. proxy. This seems to be especially common at various companies. A HTTP proxy
  316. may require its own user and password to allow the client to get through to
  317. the Internet. To specify those with curl, run something like:
  318. curl --proxy-user proxyuser:proxypassword curl.haxx.se
  319. If your proxy requires the authentication to be done using the NTLM method,
  320. use --proxy-ntlm, if it requires Digest use --proxy-digest.
  321. If you use any one of these user+password options but leave out the password
  322. part, curl will prompt for the password interactively.
  323. 6.4 Hiding credentials
  324. Do note that when a program is run, its parameters might be possible to see
  325. when listing the running processes of the system. Thus, other users may be
  326. able to watch your passwords if you pass them as plain command line
  327. options. There are ways to circumvent this.
  328. It is worth noting that while this is how HTTP Authentication works, very
  329. many web sites will not use this concept when they provide logins etc. See
  330. the Web Login chapter further below for more details on that.
  331. 7. More HTTP Headers
  332. 7.1 Referer
  333. A HTTP request may include a 'referer' field (yes it is misspelled), which
  334. can be used to tell from which URL the client got to this particular
  335. resource. Some programs/scripts check the referer field of requests to verify
  336. that this wasn't arriving from an external site or an unknown page. While
  337. this is a stupid way to check something so easily forged, many scripts still
  338. do it. Using curl, you can put anything you want in the referer-field and
  339. thus more easily be able to fool the server into serving your request.
  340. Use curl to set the referer field with:
  341. curl --referer http://www.example.come http://www.example.com
  342. 7.2 User Agent
  343. Very similar to the referer field, all HTTP requests may set the User-Agent
  344. field. It names what user agent (client) that is being used. Many
  345. applications use this information to decide how to display pages. Silly web
  346. programmers try to make different pages for users of different browsers to
  347. make them look the best possible for their particular browsers. They usually
  348. also do different kinds of javascript, vbscript etc.
  349. At times, you will see that getting a page with curl will not return the same
  350. page that you see when getting the page with your browser. Then you know it
  351. is time to set the User Agent field to fool the server into thinking you're
  352. one of those browsers.
  353. To make curl look like Internet Explorer 5 on a Windows 2000 box:
  354. curl --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" [URL]
  355. Or why not look like you're using Netscape 4.73 on an old Linux box:
  356. curl --user-agent "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" [URL]
  357. 8. Redirects
  358. 8.1 Location header
  359. When a resource is requested from a server, the reply from the server may
  360. include a hint about where the browser should go next to find this page, or a
  361. new page keeping newly generated output. The header that tells the browser
  362. to redirect is Location:.
  363. Curl does not follow Location: headers by default, but will simply display
  364. such pages in the same manner it displays all HTTP replies. It does however
  365. feature an option that will make it attempt to follow the Location: pointers.
  366. To tell curl to follow a Location:
  367. curl --location http://www.example.com
  368. If you use curl to POST to a site that immediately redirects you to another
  369. page, you can safely use --location (-L) and --data/--form together. Curl will
  370. only use POST in the first request, and then revert to GET in the following
  371. operations.
  372. 8.2 Other redirects
  373. Browser typically support at least two other ways of redirects that curl
  374. doesn't: first the html may contain a meta refresh tag that asks the browser
  375. to load a specific URL after a set number of seconds, or it may use
  376. javascript to do it.
  377. 9. Cookies
  378. 9.1 Cookie Basics
  379. The way the web browsers do "client side state control" is by using
  380. cookies. Cookies are just names with associated contents. The cookies are
  381. sent to the client by the server. The server tells the client for what path
  382. and host name it wants the cookie sent back, and it also sends an expiration
  383. date and a few more properties.
  384. When a client communicates with a server with a name and path as previously
  385. specified in a received cookie, the client sends back the cookies and their
  386. contents to the server, unless of course they are expired.
  387. Many applications and servers use this method to connect a series of requests
  388. into a single logical session. To be able to use curl in such occasions, we
  389. must be able to record and send back cookies the way the web application
  390. expects them. The same way browsers deal with them.
  391. 9.2 Cookie options
  392. The simplest way to send a few cookies to the server when getting a page with
  393. curl is to add them on the command line like:
  394. curl --cookie "name=Daniel" http://www.example.com
  395. Cookies are sent as common HTTP headers. This is practical as it allows curl
  396. to record cookies simply by recording headers. Record cookies with curl by
  397. using the --dump-header (-D) option like:
  398. curl --dump-header headers_and_cookies http://www.example.com
  399. (Take note that the --cookie-jar option described below is a better way to
  400. store cookies.)
  401. Curl has a full blown cookie parsing engine built-in that comes in use if you
  402. want to reconnect to a server and use cookies that were stored from a
  403. previous connection (or hand-crafted manually to fool the server into
  404. believing you had a previous connection). To use previously stored cookies,
  405. you run curl like:
  406. curl --cookie stored_cookies_in_file http://www.example.com
  407. Curl's "cookie engine" gets enabled when you use the --cookie option. If you
  408. only want curl to understand received cookies, use --cookie with a file that
  409. doesn't exist. Example, if you want to let curl understand cookies from a
  410. page and follow a location (and thus possibly send back cookies it received),
  411. you can invoke it like:
  412. curl --cookie nada --location http://www.example.com
  413. Curl has the ability to read and write cookie files that use the same file
  414. format that Netscape and Mozilla once used. It is a convenient way to share
  415. cookies between scripts or invokes. The --cookie (-b) switch automatically
  416. detects if a given file is such a cookie file and parses it, and by using the
  417. --cookie-jar (-c) option you'll make curl write a new cookie file at the end
  418. of an operation:
  419. curl --cookie cookies.txt --cookie-jar newcookies.txt \
  420. http://www.example.com
  421. 10. HTTPS
  422. 10.1 HTTPS is HTTP secure
  423. There are a few ways to do secure HTTP transfers. By far the most common
  424. protocol for doing this is what is generally known as HTTPS, HTTP over
  425. SSL. SSL encrypts all the data that is sent and received over the network and
  426. thus makes it harder for attackers to spy on sensitive information.
  427. SSL (or TLS as the latest version of the standard is called) offers a
  428. truckload of advanced features to allow all those encryptions and key
  429. infrastructure mechanisms encrypted HTTP requires.
  430. Curl supports encrypted fetches when built to use a TLS library and it can be
  431. built to use one out of a fairly large set of libraries - "curl -V" will show
  432. which one your curl was built to use (if any!). To get a page from a HTTPS
  433. server, simply run curl like:
  434. curl https://secure.example.com
  435. 10.2 Certificates
  436. In the HTTPS world, you use certificates to validate that you are the one
  437. you claim to be, as an addition to normal passwords. Curl supports client-
  438. side certificates. All certificates are locked with a pass phrase, which you
  439. need to enter before the certificate can be used by curl. The pass phrase
  440. can be specified on the command line or if not, entered interactively when
  441. curl queries for it. Use a certificate with curl on a HTTPS server like:
  442. curl --cert mycert.pem https://secure.example.com
  443. curl also tries to verify that the server is who it claims to be, by
  444. verifying the server's certificate against a locally stored CA cert
  445. bundle. Failing the verification will cause curl to deny the connection. You
  446. must then use --insecure (-k) in case you want to tell curl to ignore that
  447. the server can't be verified.
  448. More about server certificate verification and ca cert bundles can be read
  449. in the SSLCERTS document, available online here:
  450. https://curl.haxx.se/docs/sslcerts.html
  451. At times you may end up with your own CA cert store and then you can tell
  452. curl to use that to verify the server's certificate:
  453. curl --cacert ca-bundle.pem https://example.com/
  454. 11. Custom Request Elements
  455. 11.1 Modify method and headers
  456. Doing fancy stuff, you may need to add or change elements of a single curl
  457. request.
  458. For example, you can change the POST request to a PROPFIND and send the data
  459. as "Content-Type: text/xml" (instead of the default Content-Type) like this:
  460. curl --data "<xml>" --header "Content-Type: text/xml" \
  461. --request PROPFIND url.com
  462. You can delete a default header by providing one without content. Like you
  463. can ruin the request by chopping off the Host: header:
  464. curl --header "Host:" http://www.example.com
  465. You can add headers the same way. Your server may want a "Destination:"
  466. header, and you can add it:
  467. curl --header "Destination: http://nowhere" http://example.com
  468. 11.2 More on changed methods
  469. It should be noted that curl selects which methods to use on its own
  470. depending on what action to ask for. -d will do POST, -I will do HEAD and so
  471. on. If you use the --request / -X option you can change the method keyword
  472. curl selects, but you will not modify curl's behavior. This means that if you
  473. for example use -d "data" to do a POST, you can modify the method to a
  474. PROPFIND with -X and curl will still think it sends a POST. You can change
  475. the normal GET to a POST method by simply adding -X POST in a command line
  476. like:
  477. curl -X POST http://example.org/
  478. ... but curl will still think and act as if it sent a GET so it won't send any
  479. request body etc.
  480. 12. Web Login
  481. 12.1 Some login tricks
  482. While not strictly just HTTP related, it still causes a lot of people problems
  483. so here's the executive run-down of how the vast majority of all login forms
  484. work and how to login to them using curl.
  485. It can also be noted that to do this properly in an automated fashion, you
  486. will most certainly need to script things and do multiple curl invokes etc.
  487. First, servers mostly use cookies to track the logged-in status of the
  488. client, so you will need to capture the cookies you receive in the
  489. responses. Then, many sites also set a special cookie on the login page (to
  490. make sure you got there through their login page) so you should make a habit
  491. of first getting the login-form page to capture the cookies set there.
  492. Some web-based login systems feature various amounts of javascript, and
  493. sometimes they use such code to set or modify cookie contents. Possibly they
  494. do that to prevent programmed logins, like this manual describes how to...
  495. Anyway, if reading the code isn't enough to let you repeat the behavior
  496. manually, capturing the HTTP requests done by your browsers and analyzing the
  497. sent cookies is usually a working method to work out how to shortcut the
  498. javascript need.
  499. In the actual <form> tag for the login, lots of sites fill-in random/session
  500. or otherwise secretly generated hidden tags and you may need to first capture
  501. the HTML code for the login form and extract all the hidden fields to be able
  502. to do a proper login POST. Remember that the contents need to be URL encoded
  503. when sent in a normal POST.
  504. 13. Debug
  505. 13.1 Some debug tricks
  506. Many times when you run curl on a site, you'll notice that the site doesn't
  507. seem to respond the same way to your curl requests as it does to your
  508. browser's.
  509. Then you need to start making your curl requests more similar to your
  510. browser's requests:
  511. * Use the --trace-ascii option to store fully detailed logs of the requests
  512. for easier analyzing and better understanding
  513. * Make sure you check for and use cookies when needed (both reading with
  514. --cookie and writing with --cookie-jar)
  515. * Set user-agent to one like a recent popular browser does
  516. * Set referer like it is set by the browser
  517. * If you use POST, make sure you send all the fields and in the same order as
  518. the browser does it.
  519. A very good helper to make sure you do this right, is the LiveHTTPHeader tool
  520. that lets you view all headers you send and receive with Mozilla/Firefox
  521. (even when using HTTPS). Chrome features similar functionality out of the box
  522. among the developer's tools.
  523. A more raw approach is to capture the HTTP traffic on the network with tools
  524. such as ethereal or tcpdump and check what headers that were sent and
  525. received by the browser. (HTTPS makes this technique inefficient.)
  526. 14. References
  527. 14.1 Standards
  528. RFC 7230 is a must to read if you want in-depth understanding of the HTTP
  529. protocol
  530. RFC 3986 explains the URL syntax
  531. RFC 1867 defines the HTTP post upload format
  532. RFC 6525 defines how HTTP cookies work
  533. 14.2 Sites
  534. https://curl.haxx.se is the home of the curl project