the-web-application-hackers-handbook

Chapter 14 n Automating Customized Attacks 581
}
if (params[i].type == Param.Type.URL)
urlParams.append(params[i].name + “=” + value + “&”);
else if (params[i].type == Param.Type.COOKIE)
cookieParams.append(params[i].name + “=” + value + “; “);
else if (params[i].type == Param.Type.BODY)
bodyParams.append(params[i].name + “=” + value + “&”);
// build request
StringBuffer req = new StringBuffer();
req.append(method + “ “ + url);
if (urlParams.length() > 0)
req.append(“?” + urlParams.substring(0, urlParams.length() - 1));
req.append(“ HTTP/1.0\r\nHost: “ + host);
if (cookieParams.length() > 0)
req.append(“\r\nCookie: “ + cookieParams.toString());
if (bodyParams.length() > 0)
{
req.append(“\r\nContent-Type: application/x-www-form-urlencoded”);
req.append(“\r\nContent-Length: “ + (bodyParams.length() - 1));
req.append(“\r\n\r\n”);
req.append(bodyParams.substring(0, bodyParams.length() - 1));
}
else req.append(“\r\n\r\n”);
}
return req.toString();
NOTE If you write your own code to generate POST requests, you need to
include a valid Content-Length header that specifies the actual length of the
HTTP body in each request, as in the preceding code. If an invalid Content-
Length is submitted, most web servers either truncate the data you submit or
wait indefinitely for more data to be supplied.
To send our requests, we need to open network connections to the target web
server. Java makes it easy to open a TCP connection, submit data, and read the
server’s response:
String issueRequest(String req) throws UnknownHostException, IOException
{
Socket socket = new Socket(host, port);
OutputStream os = socket.getOutputStream();
os.write(req.getBytes());
os.flush();
BufferedReader br = new BufferedReader(new InputStreamReader(
socket.getInputStream()));
StringBuffer response = new StringBuffer();