summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/Makefile.am2
-rw-r--r--docs/TheArtOfHttpScripting758
-rw-r--r--docs/TheArtOfHttpScripting.md692
3 files changed, 693 insertions, 759 deletions
diff --git a/docs/Makefile.am b/docs/Makefile.am
index a8fc9540b..ce31b8bb9 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -84,7 +84,7 @@ EXTRA_DIST = \
SSLCERTS.md \
THANKS \
TODO \
- TheArtOfHttpScripting \
+ TheArtOfHttpScripting.md \
VERSIONS.md
MAN2HTML= roffit $< >$@
diff --git a/docs/TheArtOfHttpScripting b/docs/TheArtOfHttpScripting
deleted file mode 100644
index 65bda6255..000000000
--- a/docs/TheArtOfHttpScripting
+++ /dev/null
@@ -1,758 +0,0 @@
- _ _ ____ _
- ___| | | | _ \| |
- / __| | | | |_) | |
- | (__| |_| | _ <| |___
- \___|\___/|_| \_\_____|
-
-
-The Art Of Scripting HTTP Requests Using Curl
-
- 1. HTTP Scripting
- 1.1 Background
- 1.2 The HTTP Protocol
- 1.3 See the Protocol
- 1.4 See the Timing
- 1.5 See the Response
- 2. URL
- 2.1 Spec
- 2.2 Host
- 2.3 Port number
- 2.4 User name and password
- 2.5 Path part
- 3. Fetch a page
- 3.1 GET
- 3.2 HEAD
- 3.3 Multiple URLs in a single command line
- 3.4 Multiple HTTP methods in a single command line
- 4. HTML forms
- 4.1 Forms explained
- 4.2 GET
- 4.3 POST
- 4.4 File Upload POST
- 4.5 Hidden Fields
- 4.6 Figure Out What A POST Looks Like
- 5. HTTP upload
- 5.1 PUT
- 6. HTTP Authentication
- 6.1 Basic Authentication
- 6.2 Other Authentication
- 6.3 Proxy Authentication
- 6.4 Hiding credentials
- 7. More HTTP Headers
- 7.1 Referer
- 7.2 User Agent
- 8. Redirects
- 8.1 Location header
- 8.2 Other redirects
- 9. Cookies
- 9.1 Cookie Basics
- 9.2 Cookie options
- 10. HTTPS
- 10.1 HTTPS is HTTP secure
- 10.2 Certificates
- 11. Custom Request Elements
- 11.1 Modify method and headers
- 11.2 More on changed methods
- 12. Web Login
- 12.1 Some login tricks
- 13. Debug
- 13.1 Some debug tricks
- 14. References
- 14.1 Standards
- 14.2 Sites
-
-==============================================================================
-
-1. HTTP Scripting
-
- 1.1 Background
-
- This document assumes that you're familiar with HTML and general networking.
-
- The increasing amount of applications moving to the web has made "HTTP
- Scripting" more frequently requested and wanted. To be able to automatically
- extract information from the web, to fake users, to post or upload data to
- web servers are all important tasks today.
-
- Curl is a command line tool for doing all sorts of URL manipulations and
- transfers, but this particular document will focus on how to use it when
- doing HTTP requests for fun and profit. I'll assume that you know how to
- invoke 'curl --help' or 'curl --manual' to get basic information about it.
-
- Curl is not written to do everything for you. It makes the requests, it gets
- the data, it sends data and it retrieves the information. You probably need
- to glue everything together using some kind of script language or repeated
- manual invokes.
-
- 1.2 The HTTP Protocol
-
- HTTP is the protocol used to fetch data from web servers. It is a very simple
- protocol that is built upon TCP/IP. The protocol also allows information to
- get sent to the server from the client using a few different methods, as will
- be shown here.
-
- HTTP is plain ASCII text lines being sent by the client to a server to
- request a particular action, and then the server replies a few text lines
- before the actual requested content is sent to the client.
-
- The client, curl, sends a HTTP request. The request contains a method (like
- GET, POST, HEAD etc), a number of request headers and sometimes a request
- body. The HTTP server responds with a status line (indicating if things went
- well), response headers and most often also a response body. The "body" part
- is the plain data you requested, like the actual HTML or the image etc.
-
- 1.3 See the Protocol
-
- Using curl's option --verbose (-v as a short option) will display what kind
- of commands curl sends to the server, as well as a few other informational
- texts.
-
- --verbose is the single most useful option when it comes to debug or even
- understand the curl<->server interaction.
-
- Sometimes even --verbose is not enough. Then --trace and --trace-ascii offer
- even more details as they show EVERYTHING curl sends and receives. Use it
- like this:
-
- curl --trace-ascii debugdump.txt http://www.example.com/
-
- 1.4 See the Timing
-
- Many times you may wonder what exactly is taking all the time, or you just
- want to know the amount of milliseconds between two points in a
- transfer. For those, and other similar situations, the --trace-time option
- is what you need. It'll prepend the time to each trace output line:
-
- curl --trace-ascii d.txt --trace-time http://example.com/
-
- 1.5 See the Response
-
- By default curl sends the response to stdout. You need to redirect it
- somewhere to avoid that, most often that is done with -o or -O.
-
-2. URL
-
- 2.1 Spec
-
- The Uniform Resource Locator format is how you specify the address of a
- particular resource on the Internet. You know these, you've seen URLs like
- https://curl.haxx.se or https://yourbank.com a million times. RFC 3986 is the
- canonical spec. And yeah, the formal name is not URL, it is URI.
-
- 2.2 Host
-
- The host name is usually resolved using DNS or your /etc/hosts file to an IP
- address and that's what curl will communicate with. Alternatively you specify
- the IP address directly in the URL instead of a name.
-
- For development and other trying out situations, you can point to a different
- IP address for a host name than what would otherwise be used, by using curl's
- --resolve option:
-
- curl --resolve www.example.org:80:127.0.0.1 http://www.example.org/
-
- 2.3 Port number
-
- Each protocol curl supports operates on a default port number, be it over TCP
- or in some cases UDP. Normally you don't have to take that into
- consideration, but at times you run test servers on other ports or
- similar. Then you can specify the port number in the URL with a colon and a
- number immediately following the host name. Like when doing HTTP to port
- 1234:
-
- curl http://www.example.org:1234/
-
- The port number you specify in the URL is the number that the server uses to
- offer its services. Sometimes you may use a local proxy, and then you may
- need to specify that proxy's port number separately for what curl needs to
- connect to locally. Like when using a HTTP proxy on port 4321:
-
- curl --proxy http://proxy.example.org:4321 http://remote.example.org/
-
- 2.4 User name and password
-
- Some services are setup to require HTTP authentication and then you need to
- provide name and password which is then transferred to the remote site in
- various ways depending on the exact authentication protocol used.
-
- You can opt to either insert the user and password in the URL or you can
- provide them separately:
-
- curl http://user:password@example.org/
-
- or
-
- curl -u user:password http://example.org/
-
- You need to pay attention that this kind of HTTP authentication is not what
- is usually done and requested by user-oriented websites these days. They
- tend to use forms and cookies instead.
-
- 2.5 Path part
-
- The path part is just sent off to the server to request that it sends back
- the associated response. The path is what is to the right side of the slash
- that follows the host name and possibly port number.
-
-3. Fetch a page
-
- 3.1 GET
-
- The simplest and most common request/operation made using HTTP is to GET a
- URL. The URL could itself refer to a web page, an image or a file. The client
- issues a GET request to the server and receives the document it asked for.
- If you issue the command line
-
- curl https://curl.haxx.se
-
- you get a web page returned in your terminal window. The entire HTML document
- that that URL holds.
-
- All HTTP replies contain a set of response headers that are normally hidden,
- use curl's --include (-i) option to display them as well as the rest of the
- document.
-
- 3.2 HEAD
-
- You can ask the remote server for ONLY the headers by using the --head (-I)
- option which will make curl issue a HEAD request. In some special cases
- servers deny the HEAD method while others still work, which is a particular
- kind of annoyance.
-
- The HEAD method is defined and made so that the server returns the headers
- exactly the way it would do for a GET, but without a body. It means that you
- may see a Content-Length: in the response headers, but there must not be an
- actual body in the HEAD response.
-
- 3.3 Multiple URLs in a single command line
-
- A single curl command line may involve one or many URLs. The most common case
- is probably to just use one, but you can specify any amount of URLs. Yes
- any. No limits. You'll then get requests repeated over and over for all the
- given URLs.
-
- Example, send two GETs:
-
- curl http://url1.example.com http://url2.example.com
-
- If you use --data to POST to the URL, using multiple URLs means that you send
- that same POST to all the given URLs.
-
- Example, send two POSTs:
-
- curl --data name=curl http://url1.example.com http://url2.example.com
-
-
- 3.4 Multiple HTTP methods in a single command line
-
- Sometimes you need to operate on several URLs in a single command line and do
- different HTTP methods on each. For this, you'll enjoy the --next option. It
- is basically a separator that separates a bunch of options from the next. All
- the URLs before --next will get the same method and will get all the POST
- data merged into one.
-
- When curl reaches the --next on the command line, it'll sort of reset the
- method and the POST data and allow a new set.
-
- Perhaps this is best shown with a few examples. To send first a HEAD and then
- a GET:
-
- curl -I http://example.com --next http://example.com
-
- To first send a POST and then a GET:
-
- curl -d score=10 http://example.com/post.cgi --next http://example.com/results.html
-
-
-4. HTML forms
-
- 4.1 Forms explained
-
- Forms are the general way a website can present a HTML page with fields for
- the user to enter data in, and then press some kind of 'OK' or 'Submit'
- button to get that data sent to the server. The server then typically uses
- the posted data to decide how to act. Like using the entered words to search
- in a database, or to add the info in a bug tracking system, display the entered
- address on a map or using the info as a login-prompt verifying that the user
- is allowed to see what it is about to see.
-
- Of course there has to be some kind of program on the server end to receive
- the data you send. You cannot just invent something out of the air.
-
- 4.2 GET
-
- A GET-form uses the method GET, as specified in HTML like:
-
- <form method="GET" action="junk.cgi">
- <input type=text name="birthyear">
- <input type=submit name=press value="OK">
- </form>
-
- In your favorite browser, this form will appear with a text box to fill in
- and a press-button labeled "OK". If you fill in '1905' and press the OK
- button, your browser will then create a new URL to get for you. The URL will
- get "junk.cgi?birthyear=1905&press=OK" appended to the path part of the
- previous URL.
-
- If the original form was seen on the page "www.hotmail.com/when/birth.html",
- the second page you'll get will become
- "www.hotmail.com/when/junk.cgi?birthyear=1905&press=OK".
-
- Most search engines work this way.
-
- To make curl do the GET form post for you, just enter the expected created
- URL:
-
- curl "http://www.hotmail.com/when/junk.cgi?birthyear=1905&press=OK"
-
- 4.3 POST
-
- The GET method makes all input field names get displayed in the URL field of
- your browser. That's generally a good thing when you want to be able to
- bookmark that page with your given data, but it is an obvious disadvantage
- if you entered secret information in one of the fields or if there are a
- large amount of fields creating a very long and unreadable URL.
-
- The HTTP protocol then offers the POST method. This way the client sends the
- data separated from the URL and thus you won't see any of it in the URL
- address field.
-
- The form would look very similar to the previous one:
-
- <form method="POST" action="junk.cgi">
- <input type=text name="birthyear">
- <input type=submit name=press value=" OK ">
- </form>
-
- And to use curl to post this form with the same data filled in as before, we
- could do it like:
-
- curl --data "birthyear=1905&press=%20OK%20" \
- http://www.example.com/when.cgi
-
- This kind of POST will use the Content-Type
- application/x-www-form-urlencoded and is the most widely used POST kind.
-
- The data you send to the server MUST already be properly encoded, curl will
- not do that for you. For example, if you want the data to contain a space,
- you need to replace that space with %20 etc. Failing to comply with this
- will most likely cause your data to be received wrongly and messed up.
-
- Recent curl versions can in fact url-encode POST data for you, like this:
-
- curl --data-urlencode "name=I am Daniel" http://www.example.com
-
- If you repeat --data several times on the command line, curl will
- concatenate all the given data pieces - and put a '&' symbol between each
- data segment.
-
- 4.4 File Upload POST
-
- Back in late 1995 they defined an additional way to post data over HTTP. It
- is documented in the RFC 1867, why this method sometimes is referred to as
- RFC1867-posting.
-
- This method is mainly designed to better support file uploads. A form that
- allows a user to upload a file could be written like this in HTML:
-
- <form method="POST" enctype='multipart/form-data' action="upload.cgi">
- <input type=file name=upload>
- <input type=submit name=press value="OK">
- </form>
-
- This clearly shows that the Content-Type about to be sent is
- multipart/form-data.
-
- To post to a form like this with curl, you enter a command line like:
-
- curl --form upload=@localfilename --form press=OK [URL]
-
- 4.5 Hidden Fields
-
- A very common way for HTML based applications to pass state information
- between pages is to add hidden fields to the forms. Hidden fields are
- already filled in, they aren't displayed to the user and they get passed
- along just as all the other fields.
-
- A similar example form with one visible field, one hidden field and one
- submit button could look like:
-
- <form method="POST" action="foobar.cgi">
- <input type=text name="birthyear">
- <input type=hidden name="person" value="daniel">
- <input type=submit name="press" value="OK">
- </form>
-
- To POST this with curl, you won't have to think about if the fields are
- hidden or not. To curl they're all the same:
-
- curl --data "birthyear=1905&press=OK&person=daniel" [URL]
-
- 4.6 Figure Out What A POST Looks Like
-
- When you're about fill in a form and send to a server by using curl instead
- of a browser, you're of course very interested in sending a POST exactly the
- way your browser does.
-
- An easy way to get to see this, is to save the HTML page with the form on
- your local disk, modify the 'method' to a GET, and press the submit button
- (you could also change the action URL if you want to).
-
- You will then clearly see the data get appended to the URL, separated with a
- '?'-letter as GET forms are supposed to.
-
-5. HTTP upload
-
- 5.1 PUT
-
- Perhaps the best way to upload data to a HTTP server is to use PUT. Then
- again, this of course requires that someone put a program or script on the
- server end that knows how to receive a HTTP PUT stream.
-
- Put a file to a HTTP server with curl:
-
- curl --upload-file uploadfile http://www.example.com/receive.cgi
-
-6. HTTP Authentication
-
- 6.1 Basic Authentication
-
- HTTP Authentication is the ability to tell the server your username and
- password so that it can verify that you're allowed to do the request you're
- doing. The Basic authentication used in HTTP (which is the type curl uses by
- default) is *plain* *text* based, which means it sends username and password
- only slightly obfuscated, but still fully readable by anyone that sniffs on
- the network between you and the remote server.
-
- To tell curl to use a user and password for authentication:
-
- curl --user name:password http://www.example.com
-
- 6.2 Other Authentication
-
- The site might require a different authentication method (check the headers
- returned by the server), and then --ntlm, --digest, --negotiate or even
- --anyauth might be options that suit you.
-
- 6.3 Proxy Authentication
-
- Sometimes your HTTP access is only available through the use of a HTTP
- proxy. This seems to be especially common at various companies. A HTTP proxy
- may require its own user and password to allow the client to get through to
- the Internet. To specify those with curl, run something like:
-
- curl --proxy-user proxyuser:proxypassword curl.haxx.se
-
- If your proxy requires the authentication to be done using the NTLM method,
- use --proxy-ntlm, if it requires Digest use --proxy-digest.
-
- If you use any one of these user+password options but leave out the password
- part, curl will prompt for the password interactively.
-
- 6.4 Hiding credentials
-
- Do note that when a program is run, its parameters might be possible to see
- when listing the running processes of the system. Thus, other users may be
- able to watch your passwords if you pass them as plain command line
- options. There are ways to circumvent this.
-
- It is worth noting that while this is how HTTP Authentication works, very
- many websites will not use this concept when they provide logins etc. See
- the Web Login chapter further below for more details on that.
-
-7. More HTTP Headers
-
- 7.1 Referer
-
- A HTTP request may include a 'referer' field (yes it is misspelled), which
- can be used to tell from which URL the client got to this particular
- resource. Some programs/scripts check the referer field of requests to verify
- that this wasn't arriving from an external site or an unknown page. While
- this is a stupid way to check something so easily forged, many scripts still
- do it. Using curl, you can put anything you want in the referer-field and
- thus more easily be able to fool the server into serving your request.
-
- Use curl to set the referer field with:
-
- curl --referer http://www.example.come http://www.example.com
-
- 7.2 User Agent
-
- Very similar to the referer field, all HTTP requests may set the User-Agent
- field. It names what user agent (client) that is being used. Many
- applications use this information to decide how to display pages. Silly web
- programmers try to make different pages for users of different browsers to
- make them look the best possible for their particular browsers. They usually
- also do different kinds of javascript, vbscript etc.
-
- At times, you will see that getting a page with curl will not return the same
- page that you see when getting the page with your browser. Then you know it
- is time to set the User Agent field to fool the server into thinking you're
- one of those browsers.
-
- To make curl look like Internet Explorer 5 on a Windows 2000 box:
-
- curl --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" [URL]
-
- Or why not look like you're using Netscape 4.73 on an old Linux box:
-
- curl --user-agent "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" [URL]
-
-8. Redirects
-
- 8.1 Location header
-
- When a resource is requested from a server, the reply from the server may
- include a hint about where the browser should go next to find this page, or a
- new page keeping newly generated output. The header that tells the browser
- to redirect is Location:.
-
- Curl does not follow Location: headers by default, but will simply display
- such pages in the same manner it displays all HTTP replies. It does however
- feature an option that will make it attempt to follow the Location: pointers.
-
- To tell curl to follow a Location:
-
- curl --location http://www.example.com
-
- If you use curl to POST to a site that immediately redirects you to another
- page, you can safely use --location (-L) and --data/--form together. Curl will
- only use POST in the first request, and then revert to GET in the following
- operations.
-
- 8.2 Other redirects
-
- Browser typically support at least two other ways of redirects that curl
- doesn't: first the html may contain a meta refresh tag that asks the browser
- to load a specific URL after a set number of seconds, or it may use
- javascript to do it.
-
-9. Cookies
-
- 9.1 Cookie Basics
-
- The way the web browsers do "client side state control" is by using
- cookies. Cookies are just names with associated contents. The cookies are
- sent to the client by the server. The server tells the client for what path
- and host name it wants the cookie sent back, and it also sends an expiration
- date and a few more properties.
-
- When a client communicates with a server with a name and path as previously
- specified in a received cookie, the client sends back the cookies and their
- contents to the server, unless of course they are expired.
-
- Many applications and servers use this method to connect a series of requests
- into a single logical session. To be able to use curl in such occasions, we
- must be able to record and send back cookies the way the web application
- expects them. The same way browsers deal with them.
-
- 9.2 Cookie options
-
- The simplest way to send a few cookies to the server when getting a page with
- curl is to add them on the command line like:
-
- curl --cookie "name=Daniel" http://www.example.com
-
- Cookies are sent as common HTTP headers. This is practical as it allows curl
- to record cookies simply by recording headers. Record cookies with curl by
- using the --dump-header (-D) option like:
-
- curl --dump-header headers_and_cookies http://www.example.com
-
- (Take note that the --cookie-jar option described below is a better way to
- store cookies.)
-
- Curl has a full blown cookie parsing engine built-in that comes in use if you
- want to reconnect to a server and use cookies that were stored from a
- previous connection (or hand-crafted manually to fool the server into
- believing you had a previous connection). To use previously stored cookies,
- you run curl like:
-
- curl --cookie stored_cookies_in_file http://www.example.com
-
- Curl's "cookie engine" gets enabled when you use the --cookie option. If you
- only want curl to understand received cookies, use --cookie with a file that
- doesn't exist. Example, if you want to let curl understand cookies from a
- page and follow a location (and thus possibly send back cookies it received),
- you can invoke it like:
-
- curl --cookie nada --location http://www.example.com
-
- Curl has the ability to read and write cookie files that use the same file
- format that Netscape and Mozilla once used. It is a convenient way to share
- cookies between scripts or invokes. The --cookie (-b) switch automatically
- detects if a given file is such a cookie file and parses it, and by using the
- --cookie-jar (-c) option you'll make curl write a new cookie file at the end
- of an operation:
-
- curl --cookie cookies.txt --cookie-jar newcookies.txt \
- http://www.example.com
-
-10. HTTPS
-
- 10.1 HTTPS is HTTP secure
-
- There are a few ways to do secure HTTP transfers. By far the most common
- protocol for doing this is what is generally known as HTTPS, HTTP over
- SSL. SSL encrypts all the data that is sent and received over the network and
- thus makes it harder for attackers to spy on sensitive information.
-
- SSL (or TLS as the latest version of the standard is called) offers a
- truckload of advanced features to allow all those encryptions and key
- infrastructure mechanisms encrypted HTTP requires.
-
- Curl supports encrypted fetches when built to use a TLS library and it can be
- built to use one out of a fairly large set of libraries - "curl -V" will show
- which one your curl was built to use (if any!). To get a page from a HTTPS
- server, simply run curl like:
-
- curl https://secure.example.com
-
- 10.2 Certificates
-
- In the HTTPS world, you use certificates to validate that you are the one
- you claim to be, as an addition to normal passwords. Curl supports client-
- side certificates. All certificates are locked with a pass phrase, which you
- need to enter before the certificate can be used by curl. The pass phrase
- can be specified on the command line or if not, entered interactively when
- curl queries for it. Use a certificate with curl on a HTTPS server like:
-
- curl --cert mycert.pem https://secure.example.com
-
- curl also tries to verify that the server is who it claims to be, by
- verifying the server's certificate against a locally stored CA cert
- bundle. Failing the verification will cause curl to deny the connection. You
- must then use --insecure (-k) in case you want to tell curl to ignore that
- the server can't be verified.
-
- More about server certificate verification and ca cert bundles can be read
- in the SSLCERTS document, available online here:
-
- https://curl.haxx.se/docs/sslcerts.html
-
- At times you may end up with your own CA cert store and then you can tell
- curl to use that to verify the server's certificate:
-
- curl --cacert ca-bundle.pem https://example.com/
-
-
-11. Custom Request Elements
-
-11.1 Modify method and headers
-
- Doing fancy stuff, you may need to add or change elements of a single curl
- request.
-
- For example, you can change the POST request to a PROPFIND and send the data
- as "Content-Type: text/xml" (instead of the default Content-Type) like this:
-
- curl --data "<xml>" --header "Content-Type: text/xml" \
- --request PROPFIND url.com
-
- You can delete a default header by providing one without content. Like you
- can ruin the request by chopping off the Host: header:
-
- curl --header "Host:" http://www.example.com
-
- You can add headers the same way. Your server may want a "Destination:"
- header, and you can add it:
-
- curl --header "Destination: http://nowhere" http://example.com
-
- 11.2 More on changed methods
-
- It should be noted that curl selects which methods to use on its own
- depending on what action to ask for. -d will do POST, -I will do HEAD and so
- on. If you use the --request / -X option you can change the method keyword
- curl selects, but you will not modify curl's behavior. This means that if you
- for example use -d "data" to do a POST, you can modify the method to a
- PROPFIND with -X and curl will still think it sends a POST. You can change
- the normal GET to a POST method by simply adding -X POST in a command line
- like:
-
- curl -X POST http://example.org/
-
- ... but curl will still think and act as if it sent a GET so it won't send any
- request body etc.
-
-
-12. Web Login
-
- 12.1 Some login tricks
-
- While not strictly just HTTP related, it still causes a lot of people problems
- so here's the executive run-down of how the vast majority of all login forms
- work and how to login to them using curl.
-
- It can also be noted that to do this properly in an automated fashion, you
- will most certainly need to script things and do multiple curl invokes etc.
-
- First, servers mostly use cookies to track the logged-in status of the
- client, so you will need to capture the cookies you receive in the
- responses. Then, many sites also set a special cookie on the login page (to
- make sure you got there through their login page) so you should make a habit
- of first getting the login-form page to capture the cookies set there.
-
- Some web-based login systems feature various amounts of javascript, and
- sometimes they use such code to set or modify cookie contents. Possibly they
- do that to prevent programmed logins, like this manual describes how to...
- Anyway, if reading the code isn't enough to let you repeat the behavior
- manually, capturing the HTTP requests done by your browsers and analyzing the
- sent cookies is usually a working method to work out how to shortcut the
- javascript need.
-
- In the actual <form> tag for the login, lots of sites fill-in random/session
- or otherwise secretly generated hidden tags and you may need to first capture
- the HTML code for the login form and extract all the hidden fields to be able
- to do a proper login POST. Remember that the contents need to be URL encoded
- when sent in a normal POST.
-
-13. Debug
-
- 13.1 Some debug tricks
-
- Many times when you run curl on a site, you'll notice that the site doesn't
- seem to respond the same way to your curl requests as it does to your
- browser's.
-
- Then you need to start making your curl requests more similar to your
- browser's requests:
-
- * Use the --trace-ascii option to store fully detailed logs of the requests
- for easier analyzing and better understanding
-
- * Make sure you check for and use cookies when needed (both reading with
- --cookie and writing with --cookie-jar)
-
- * Set user-agent to one like a recent popular browser does
-
- * Set referer like it is set by the browser
-
- * If you use POST, make sure you send all the fields and in the same order as
- the browser does it.
-
- A very good helper to make sure you do this right, is the LiveHTTPHeader tool
- that lets you view all headers you send and receive with Mozilla/Firefox
- (even when using HTTPS). Chrome features similar functionality out of the box
- among the developer's tools.
-
- A more raw approach is to capture the HTTP traffic on the network with tools
- such as ethereal or tcpdump and check what headers that were sent and
- received by the browser. (HTTPS makes this technique inefficient.)
-
-14. References
-
- 14.1 Standards
-
- RFC 7230 is a must to read if you want in-depth understanding of the HTTP
- protocol
-
- RFC 3986 explains the URL syntax
-
- RFC 1867 defines the HTTP post upload format
-
- RFC 6525 defines how HTTP cookies work
-
- 14.2 Sites
-
- https://curl.haxx.se is the home of the curl project
diff --git a/docs/TheArtOfHttpScripting.md b/docs/TheArtOfHttpScripting.md
new file mode 100644
index 000000000..8de00f0a9
--- /dev/null
+++ b/docs/TheArtOfHttpScripting.md
@@ -0,0 +1,692 @@
+# The Art Of Scripting HTTP Requests Using Curl
+
+## Background
+
+ This document assumes that you're familiar with HTML and general networking.
+
+ The increasing amount of applications moving to the web has made "HTTP
+ Scripting" more frequently requested and wanted. To be able to automatically
+ extract information from the web, to fake users, to post or upload data to
+ web servers are all important tasks today.
+
+ Curl is a command line tool for doing all sorts of URL manipulations and
+ transfers, but this particular document will focus on how to use it when
+ doing HTTP requests for fun and profit. I willl assume that you know how to
+ invoke `curl --help` or `curl --manual` to get basic information about it.
+
+ Curl is not written to do everything for you. It makes the requests, it gets
+ the data, it sends data and it retrieves the information. You probably need
+ to glue everything together using some kind of script language or repeated
+ manual invokes.
+
+## The HTTP Protocol
+
+ HTTP is the protocol used to fetch data from web servers. It is a very simple
+ protocol that is built upon TCP/IP. The protocol also allows information to
+ get sent to the server from the client using a few different methods, as will
+ be shown here.
+
+ HTTP is plain ASCII text lines being sent by the client to a server to
+ request a particular action, and then the server replies a few text lines
+ before the actual requested content is sent to the client.
+
+ The client, curl, sends a HTTP request. The request contains a method (like
+ GET, POST, HEAD etc), a number of request headers and sometimes a request
+ body. The HTTP server responds with a status line (indicating if things went
+ well), response headers and most often also a response body. The "body" part
+ is the plain data you requested, like the actual HTML or the image etc.
+
+## See the Protocol
+
+ Using curl's option [`--verbose`](https://curl.haxx.se/docs/manpage.html#-v)
+ (`-v` as a short option) will display what kind of commands curl sends to the
+ server, as well as a few other informational texts.
+
+ `--verbose` is the single most useful option when it comes to debug or even
+ understand the curl<->server interaction.
+
+ Sometimes even `--verbose` is not enough. Then
+ [`--trace`](https://curl.haxx.se/docs/manpage.html#-trace) and
+ [`--trace-ascii`]((https://curl.haxx.se/docs/manpage.html#--trace-ascii)
+ offer even more details as they show **everything** curl sends and
+ receives. Use it like this:
+
+ curl --trace-ascii debugdump.txt http://www.example.com/
+
+## See the Timing
+
+ Many times you may wonder what exactly is taking all the time, or you just
+ want to know the amount of milliseconds between two points in a transfer. For
+ those, and other similar situations, the
+ [`--trace-time`]((https://curl.haxx.se/docs/manpage.html#--trace-time) option
+ is what you need. It'll prepend the time to each trace output line:
+
+ curl --trace-ascii d.txt --trace-time http://example.com/
+
+## See the Response
+
+ By default curl sends the response to stdout. You need to redirect it
+ somewhere to avoid that, most often that is done with ` -o` or `-O`.
+
+# URL
+
+## Spec
+
+ The Uniform Resource Locator format is how you specify the address of a
+ particular resource on the Internet. You know these, you've seen URLs like
+ https://curl.haxx.se or https://yourbank.com a million times. RFC 3986 is the
+ canonical spec. And yeah, the formal name is not URL, it is URI.
+
+## Host
+
+ The host name is usually resolved using DNS or your /etc/hosts file to an IP
+ address and that's what curl will communicate with. Alternatively you specify
+ the IP address directly in the URL instead of a name.
+
+ For development and other trying out situations, you can point to a different
+ IP address for a host name than what would otherwise be used, by using curl's
+ [`--resolve`](https://curl.haxx.se/docs/manpage.html#--resolve) option:
+
+ curl --resolve www.example.org:80:127.0.0.1 http://www.example.org/
+
+## Port number
+
+ Each protocol curl supports operates on a default port number, be it over TCP
+ or in some cases UDP. Normally you don't have to take that into
+ consideration, but at times you run test servers on other ports or
+ similar. Then you can specify the port number in the URL with a colon and a
+ number immediately following the host name. Like when doing HTTP to port
+ 1234:
+
+ curl http://www.example.org:1234/
+
+ The port number you specify in the URL is the number that the server uses to
+ offer its services. Sometimes you may use a local proxy, and then you may
+ need to specify that proxy's port number separately for what curl needs to
+ connect to locally. Like when using a HTTP proxy on port 4321:
+
+ curl --proxy http://proxy.example.org:4321 http://remote.example.org/
+
+## User name and password
+
+ Some services are setup to require HTTP authentication and then you need to
+ provide name and password which is then transferred to the remote site in
+ various ways depending on the exact authentication protocol used.
+
+ You can opt to either insert the user and password in the URL or you can
+ provide them separately:
+
+ curl http://user:password@example.org/
+
+ or
+
+ curl -u user:password http://example.org/
+
+ You need to pay attention that this kind of HTTP authentication is not what
+ is usually done and requested by user-oriented websites these days. They tend
+ to use forms and cookies instead.
+
+## Path part
+
+ The path part is just sent off to the server to request that it sends back
+ the associated response. The path is what is to the right side of the slash
+ that follows the host name and possibly port number.
+
+# Fetch a page
+
+## GET
+
+ The simplest and most common request/operation made using HTTP is to GET a
+ URL. The URL could itself refer to a web page, an image or a file. The client
+ issues a GET request to the server and receives the document it asked for.
+ If you issue the command line
+
+ curl https://curl.haxx.se
+
+ you get a web page returned in your terminal window. The entire HTML document
+ that that URL holds.
+
+ All HTTP replies contain a set of response headers that are normally hidden,
+ use curl's [`--include`](https://curl.haxx.se/docs/manpage.html#-i) (`-i`)
+ option to display them as well as the rest of the document.
+
+## HEAD
+
+ You can ask the remote server for ONLY the headers by using the
+ [`--head`](https://curl.haxx.se/docs/manpage.html#-I) (`-I`) option which
+ will make curl issue a HEAD request. In some special cases servers deny the
+ HEAD method while others still work, which is a particular kind of annoyance.
+
+ The HEAD method is defined and made so that the server returns the headers
+ exactly the way it would do for a GET, but without a body. It means that you
+ may see a `Content-Length:` in the response headers, but there must not be an
+ actual body in the HEAD response.
+
+## Multiple URLs in a single command line
+
+ A single curl command line may involve one or many URLs. The most common case
+ is probably to just use one, but you can specify any amount of URLs. Yes
+ any. No limits. You'll then get requests repeated over and over for all the
+ given URLs.
+
+ Example, send two GETs:
+
+ curl http://url1.example.com http://url2.example.com
+
+ If you use [`--data`](https://curl.haxx.se/docs/manpage.html#-d) to POST to
+ the URL, using multiple URLs means that you send that same POST to all the
+ given URLs.
+
+ Example, send two POSTs:
+
+ curl --data name=curl http://url1.example.com http://url2.example.com
+
+
+## Multiple HTTP methods in a single command line
+
+ Sometimes you need to operate on several URLs in a single command line and do
+ different HTTP methods on each. For this, you'll enjoy the
+ [`--next`](https://curl.haxx.se/docs/manpage.html#-:) option. It is basically
+ a separator that separates a bunch of options from the next. All the URLs
+ before `--next` will get the same method and will get all the POST data
+ merged into one.
+
+ When curl reaches the `--next` on the command line, it'll sort of reset the
+ method and the POST data and allow a new set.
+
+ Perhaps this is best shown with a few examples. To send first a HEAD and then
+ a GET:
+
+ curl -I http://example.com --next http://example.com
+
+ To first send a POST and then a GET:
+
+ curl -d score=10 http://example.com/post.cgi --next http://example.com/results.html
+
+# HTML forms
+
+## Forms explained
+
+ Forms are the general way a website can present a HTML page with fields for
+ the user to enter data in, and then press some kind of 'OK' or 'Submit'
+ button to get that data sent to the server. The server then typically uses
+ the posted data to decide how to act. Like using the entered words to search
+ in a database, or to add the info in a bug tracking system, display the
+ entered address on a map or using the info as a login-prompt verifying that
+ the user is allowed to see what it is about to see.
+
+ Of course there has to be some kind of program on the server end to receive
+ the data you send. You cannot just invent something out of the air.
+
+## GET
+
+ A GET-form uses the method GET, as specified in HTML like:
+
+ <form method="GET" action="junk.cgi">
+ <input type=text name="birthyear">
+ <input type=submit name=press value="OK">
+ </form>
+
+ In your favorite browser, this form will appear with a text box to fill in
+ and a press-button labeled "OK". If you fill in '1905' and press the OK
+ button, your browser will then create a new URL to get for you. The URL will
+ get `junk.cgi?birthyear=1905&press=OK` appended to the path part of the
+ previous URL.
+
+ If the original form was seen on the page `www.example.com/when/birth.html`,
+ the second page you'll get will become
+ `www.example.com/when/junk.cgi?birthyear=1905&press=OK`.
+
+ Most search engines work this way.
+
+ To make curl do the GET form post for you, just enter the expected created
+ URL:
+
+ curl "http://www.example.com/when/junk.cgi?birthyear=1905&press=OK"
+
+## POST
+
+ The GET method makes all input field names get displayed in the URL field of
+ your browser. That's generally a good thing when you want to be able to
+ bookmark that page with your given data, but it is an obvious disadvantage if
+ you entered secret information in one of the fields or if there are a large
+ amount of fields creating a very long and unreadable URL.
+
+ The HTTP protocol then offers the POST method. This way the client sends the
+ data separated from the URL and thus you won't see any of it in the URL
+ address field.
+
+ The form would look very similar to the previous one:
+
+ <form method="POST" action="junk.cgi">
+ <input type=text name="birthyear">
+ <input type=submit name=press value=" OK ">
+ </form>
+
+ And to use curl to post this form with the same data filled in as before, we
+ could do it like:
+
+ curl --data "birthyear=1905&press=%20OK%20" http://www.example.com/when.cgi
+
+ This kind of POST will use the Content-Type
+ `application/x-www-form-urlencoded' and is the most widely used POST kind.
+
+ The data you send to the server MUST already be properly encoded, curl will
+ not do that for you. For example, if you want the data to contain a space,
+ you need to replace that space with %20 etc. Failing to comply with this will
+ most likely cause your data to be received wrongly and messed up.
+
+ Recent curl versions can in fact url-encode POST data for you, like this:
+
+ curl --data-urlencode "name=I am Daniel" http://www.example.com
+
+ If you repeat `--data` several times on the command line, curl will
+ concatenate all the given data pieces - and put a `&` symbol between each
+ data segment.
+
+## File Upload POST
+
+ Back in late 1995 they defined an additional way to post data over HTTP. It
+ is documented in the RFC 1867, why this method sometimes is referred to as
+ RFC1867-posting.
+
+ This method is mainly designed to better support file uploads. A form that
+ allows a user to upload a file could be written like this in HTML:
+
+ <form method="POST" enctype='multipart/form-data' action="upload.cgi">
+ <input type=file name=upload>
+ <input type=submit name=press value="OK">
+ </form>
+
+ This clearly shows that the Content-Type about to be sent is
+ `multipart/form-data`.
+
+ To post to a form like this with curl, you enter a command line like:
+
+ curl --form upload=@localfilename --form press=OK [URL]
+
+## Hidden Fields
+
+ A very common way for HTML based applications to pass state information
+ between pages is to add hidden fields to the forms. Hidden fields are already
+ filled in, they aren't displayed to the user and they get passed along just
+ as all the other fields.
+
+ A similar example form with one visible field, one hidden field and one
+ submit button could look like:
+
+ <form method="POST" action="foobar.cgi">
+ <input type=text name="birthyear">
+ <input type=hidden name="person" value="daniel">
+ <input type=submit name="press" value="OK">
+ </form>
+
+ To POST this with curl, you won't have to think about if the fields are
+ hidden or not. To curl they're all the same:
+
+ curl --data "birthyear=1905&press=OK&person=daniel" [URL]
+
+## Figure Out What A POST Looks Like
+
+ When you're about fill in a form and send to a server by using curl instead
+ of a browser, you're of course very interested in sending a POST exactly the
+ way your browser does.
+
+ An easy way to get to see this, is to save the HTML page with the form on
+ your local disk, modify the 'method' to a GET, and press the submit button
+ (you could also change the action URL if you want to).
+
+ You will then clearly see the data get appended to the URL, separated with a
+ `?`-letter as GET forms are supposed to.
+
+# HTTP upload
+
+## PUT
+
+ Perhaps the best way to upload data to a HTTP server is to use PUT. Then
+ again, this of course requires that someone put a program or script on the
+ server end that knows how to receive a HTTP PUT stream.
+
+ Put a file to a HTTP server with curl:
+
+ curl --upload-file uploadfile http://www.example.com/receive.cgi
+
+# HTTP Authentication
+
+## Basic Authentication
+
+ HTTP Authentication is the ability to tell the server your username and
+ password so that it can verify that you're allowed to do the request you're
+ doing. The Basic authentication used in HTTP (which is the type curl uses by
+ default) is **plain text** based, which means it sends username and password
+ only slightly obfuscated, but still fully readable by anyone that sniffs on
+ the network between you and the remote server.
+
+ To tell curl to use a user and password for authentication:
+
+ curl --user name:password http://www.example.com
+
+## Other Authentication
+
+ The site might require a different authentication method (check the headers
+ returned by the server), and then
+ [`--ntlm`](https://curl.haxx.se/docs/manpage.html#--ntlm),
+ [`--digest`](https://curl.haxx.se/docs/manpage.html#--digest),
+ [`--negotiate`](https://curl.haxx.se/docs/manpage.html#--negotiate) or even
+ [`--anyauth`](https://curl.haxx.se/docs/manpage.html#--anyauth) might be
+ options that suit you.
+
+## Proxy Authentication
+
+ Sometimes your HTTP access is only available through the use of a HTTP
+ proxy. This seems to be especially common at various companies. A HTTP proxy
+ may require its own user and password to allow the client to get through to
+ the Internet. To specify those with curl, run something like:
+
+ curl --proxy-user proxyuser:proxypassword curl.haxx.se
+
+ If your proxy requires the authentication to be done using the NTLM method,
+ use [`--proxy-ntlm`](https://curl.haxx.se/docs/manpage.html#--proxy-ntlm), if
+ it requires Digest use
+ [`--proxy-digest`](https://curl.haxx.se/docs/manpage.html#--proxy-digest).
+
+ If you use any one of these user+password options but leave out the password
+ part, curl will prompt for the password interactively.
+
+## Hiding credentials
+
+ Do note that when a program is run, its parameters might be possible to see
+ when listing the running processes of the system. Thus, other users may be
+ able to watch your passwords if you pass them as plain command line
+ options. There are ways to circumvent this.
+
+ It is worth noting that while this is how HTTP Authentication works, very
+ many websites will not use this concept when they provide logins etc. See the
+ Web Login chapter further below for more details on that.
+
+# More HTTP Headers
+
+## Referer
+
+ A HTTP request may include a 'referer' field (yes it is misspelled), which
+ can be used to tell from which URL the client got to this particular
+ resource. Some programs/scripts check the referer field of requests to verify
+ that this wasn't arriving from an external site or an unknown page. While
+ this is a stupid way to check something so easily forged, many scripts still
+ do it. Using curl, you can put anything you want in the referer-field and
+ thus more easily be able to fool the server into serving your request.
+
+ Use curl to set the referer field with:
+
+ curl --referer http://www.example.come http://www.example.com
+
+## User Agent
+
+ Very similar to the referer field, all HTTP requests may set the User-Agent
+ field. It names what user agent (client) that is being used. Many
+ applications use this information to decide how to display pages. Silly web
+ programmers try to make different pages for users of different browsers to
+ make them look the best possible for their particular browsers. They usually
+ also do different kinds of javascript, vbscript etc.
+
+ At times, you will see that getting a page with curl will not return the same
+ page that you see when getting the page with your browser. Then you know it
+ is time to set the User Agent field to fool the server into thinking you're
+ one of those browsers.
+
+ To make curl look like Internet Explorer 5 on a Windows 2000 box:
+
+ curl --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" [URL]
+
+ Or why not look like you're using Netscape 4.73 on an old Linux box:
+
+ curl --user-agent "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" [URL]
+
+## Redirects
+
+## Location header
+
+ When a resource is requested from a server, the reply from the server may
+ include a hint about where the browser should go next to find this page, or a
+ new page keeping newly generated output. The header that tells the browser to
+ redirect is `Location:`.
+
+ Curl does not follow `Location:` headers by default, but will simply display
+ such pages in the same manner it displays all HTTP replies. It does however
+ feature an option that will make it attempt to follow the `Location:`
+ pointers.
+
+ To tell curl to follow a Location:
+
+ curl --location http://www.example.com
+
+ If you use curl to POST to a site that immediately redirects you to another
+ page, you can safely use
+ [`--location`](https://curl.haxx.se/docs/manpage.html#-L) (`-L`) and
+ `--data`/`--form` together. curl will only use POST in the first request, and
+ then revert to GET in the following operations.
+
+## Other redirects
+
+ Browser typically support at least two other ways of redirects that curl
+ doesn't: first the html may contain a meta refresh tag that asks the browser
+ to load a specific URL after a set number of seconds, or it may use
+ javascript to do it.
+
+# Cookies
+
+## Cookie Basics
+
+ The way the web browsers do "client side state control" is by using
+ cookies. Cookies are just names with associated contents. The cookies are
+ sent to the client by the server. The server tells the client for what path
+ and host name it wants the cookie sent back, and it also sends an expiration
+ date and a few more properties.
+
+ When a client communicates with a server with a name and path as previously
+ specified in a received cookie, the client sends back the cookies and their
+ contents to the server, unless of course they are expired.
+
+ Many applications and servers use this method to connect a series of requests
+ into a single logical session. To be able to use curl in such occasions, we
+ must be able to record and send back cookies the way the web application
+ expects them. The same way browsers deal with them.
+
+## Cookie options
+
+ The simplest way to send a few cookies to the server when getting a page with
+ curl is to add them on the command line like:
+
+ curl --cookie "name=Daniel" http://www.example.com
+
+ Cookies are sent as common HTTP headers. This is practical as it allows curl
+ to record cookies simply by recording headers. Record cookies with curl by
+ using the [`--dump-header`](https://curl.haxx.se/docs/manpage.html#-D) (`-D`)
+ option like:
+
+ curl --dump-header headers_and_cookies http://www.example.com
+
+ (Take note that the
+ [`--cookie-jar`](https://curl.haxx.se/docs/manpage.html#-c) option described
+ below is a better way to store cookies.)
+
+ Curl has a full blown cookie parsing engine built-in that comes in use if you
+ want to reconnect to a server and use cookies that were stored from a
+ previous connection (or hand-crafted manually to fool the server into
+ believing you had a previous connection). To use previously stored cookies,
+ you run curl like:
+
+ curl --cookie stored_cookies_in_file http://www.example.com
+
+ Curl's "cookie engine" gets enabled when you use the
+ [`--cookie`](https://curl.haxx.se/docs/manpage.html#-b) option. If you only
+ want curl to understand received cookies, use `--cookie` with a file that
+ doesn't exist. Example, if you want to let curl understand cookies from a
+ page and follow a location (and thus possibly send back cookies it received),
+ you can invoke it like:
+
+ curl --cookie nada --location http://www.example.com
+
+ Curl has the ability to read and write cookie files that use the same file
+ format that Netscape and Mozilla once used. It is a convenient way to share
+ cookies between scripts or invokes. The `--cookie` (`-b`) switch
+ automatically detects if a given file is such a cookie file and parses it,
+ and by using the `--cookie-jar` (`-c`) option you'll make curl write a new
+ cookie file at the end of an operation:
+
+ curl --cookie cookies.txt --cookie-jar newcookies.txt \
+ http://www.example.com
+
+# HTTPS
+
+## HTTPS is HTTP secure
+
+ There are a few ways to do secure HTTP transfers. By far the most common
+ protocol for doing this is what is generally known as HTTPS, HTTP over
+ SSL. SSL encrypts all the data that is sent and received over the network and
+ thus makes it harder for attackers to spy on sensitive information.
+
+ SSL (or TLS as the latest version of the standard is called) offers a
+ truckload of advanced features to allow all those encryptions and key
+ infrastructure mechanisms encrypted HTTP requires.
+
+ Curl supports encrypted fetches when built to use a TLS library and it can be
+ built to use one out of a fairly large set of libraries - `curl -V` will show
+ which one your curl was built to use (if any!). To get a page from a HTTPS
+ server, simply run curl like:
+
+ curl https://secure.example.com
+
+## Certificates
+
+ In the HTTPS world, you use certificates to validate that you are the one
+ you claim to be, as an addition to normal passwords. Curl supports client-
+ side certificates. All certificates are locked with a pass phrase, which you
+ need to enter before the certificate can be used by curl. The pass phrase
+ can be specified on the command line or if not, entered interactively when
+ curl queries for it. Use a certificate with curl on a HTTPS server like:
+
+ curl --cert mycert.pem https://secure.example.com
+
+ curl also tries to verify that the server is who it claims to be, by
+ verifying the server's certificate against a locally stored CA cert
+ bundle. Failing the verification will cause curl to deny the connection. You
+ must then use [`--insecure`](https://curl.haxx.se/docs/manpage.html#-k)
+ (`-k`) in case you want to tell curl to ignore that the server can't be
+ verified.
+
+ More about server certificate verification and ca cert bundles can be read in
+ the [SSLCERTS document](https://curl.haxx.se/docs/sslcerts.html).
+
+ At times you may end up with your own CA cert store and then you can tell
+ curl to use that to verify the server's certificate:
+
+ curl --cacert ca-bundle.pem https://example.com/
+
+# Custom Request Elements
+
+## Modify method and headers
+
+ Doing fancy stuff, you may need to add or change elements of a single curl
+ request.
+
+ For example, you can change the POST request to a PROPFIND and send the data
+ as `Content-Type: text/xml` (instead of the default Content-Type) like this:
+
+ curl --data "<xml>" --header "Content-Type: text/xml" \
+ --request PROPFIND example.com
+
+ You can delete a default header by providing one without content. Like you
+ can ruin the request by chopping off the Host: header:
+
+ curl --header "Host:" http://www.example.com
+
+ You can add headers the same way. Your server may want a `Destination:`
+ header, and you can add it:
+
+ curl --header "Destination: http://nowhere" http://example.com
+
+## More on changed methods
+
+ It should be noted that curl selects which methods to use on its own
+ depending on what action to ask for. `-d` will do POST, `-I` will do HEAD and
+ so on. If you use the
+ [`--request`](https://curl.haxx.se/docs/manpage.html#-X) / `-X` option you
+ can change the method keyword curl selects, but you will not modify curl's
+ behavior. This means that if you for example use -d "data" to do a POST, you
+ can modify the method to a `PROPFIND` with `-X` and curl will still think it
+ sends a POST . You can change the normal GET to a POST method by simply
+ adding `-X POST` in a command line like:
+
+ curl -X POST http://example.org/
+
+ ... but curl will still think and act as if it sent a GET so it won't send
+ any request body etc.
+
+# Web Login
+
+## Some login tricks
+
+ While not strictly just HTTP related, it still causes a lot of people
+ problems so here's the executive run-down of how the vast majority of all
+ login forms work and how to login to them using curl.
+
+ It can also be noted that to do this properly in an automated fashion, you
+ will most certainly need to script things and do multiple curl invokes etc.
+
+ First, servers mostly use cookies to track the logged-in status of the
+ client, so you will need to capture the cookies you receive in the
+ responses. Then, many sites also set a special cookie on the login page (to
+ make sure you got there through their login page) so you should make a habit
+ of first getting the login-form page to capture the cookies set there.
+
+ Some web-based login systems feature various amounts of javascript, and
+ sometimes they use such code to set or modify cookie contents. Possibly they
+ do that to prevent programmed logins, like this manual describes how to...
+ Anyway, if reading the code isn't enough to let you repeat the behavior
+ manually, capturing the HTTP requests done by your browsers and analyzing the
+ sent cookies is usually a working method to work out how to shortcut the
+ javascript need.
+
+ In the actual `<form>` tag for the login, lots of sites fill-in
+ random/session or otherwise secretly generated hidden tags and you may need
+ to first capture the HTML code for the login form and extract all the hidden
+ fields to be able to do a proper login POST. Remember that the contents need
+ to be URL encoded when sent in a normal POST.
+
+# Debug
+
+## Some debug tricks
+
+ Many times when you run curl on a site, you'll notice that the site doesn't
+ seem to respond the same way to your curl requests as it does to your
+ browser's.
+
+ Then you need to start making your curl requests more similar to your
+ browser's requests:
+
+ - Use the `--trace-ascii` option to store fully detailed logs of the requests
+ for easier analyzing and better understanding
+
+ - Make sure you check for and use cookies when needed (both reading with
+ `--cookie` and writing with `--cookie-jar`)
+
+ - Set user-agent (with [`-A`](https://curl.haxx.se/docs/manpage.html#-A)) to
+ one like a recent popular browser does
+
+ - Set referer (with [`-E`](https://curl.haxx.se/docs/manpage.html#-E)) like
+ it is set by the browser
+
+ - If you use POST, make sure you send all the fields and in the same order as
+ the browser does it.
+
+## Check what the browsers do
+
+ A very good helper to make sure you do this right, is the web browsers'
+ developers tools that let you view all headers you send and receive (even
+ when using HTTPS).
+
+ A more raw approach is to capture the HTTP traffic on the network with tools
+ such as Wireshark or tcpdump and check what headers that were sent and
+ received by the browser. (HTTPS forces you to use `SSLKEYLOGFILE` to do
+ that.)