A new variant of the HTTP Request Smuggling attack has been discovered

Web systems in which the front end accepts connections over HTTP/2 and forwards them to the back end over HTTP/1.1 have been found exposed to a new variant of the "HTTP Request Smuggling" attack. By sending specially crafted client requests, it allows an attacker to wedge into the contents of other users' requests that are processed in the same stream between the front end and the back end.

The attack can be used to inject malicious JavaScript code into a session with a legitimate website, to circumvent access-restriction systems and authentication parameters.

The author of the research demonstrated the possibility of attacking Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian systems, and received $56,000 in bug bounty programs for identifying the vulnerabilities. The problem was also confirmed in F5 Networks products.

The problem partially affects mod_proxy in the Apache http server (CVE-2021-33193), with a fix expected in version 2.4.49 (the developers were notified of the problem in early May and were given 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers at the same time was blocked in the previous release (1.21.1).

The principle behind the new method of wedging requests into traffic is similar to the vulnerability identified by the same researcher two years ago, but that one was limited to handlers that accept requests over HTTP/1.1.

The classic "HTTP Request Smuggling" attack relies on the fact that front ends and back ends interpret the HTTP headers "Content-Length" (which specifies the total size of the data in the request) and "Transfer-Encoding: chunked" (which allows the data to be transferred in chunks) differently...

For example, if the front end supports "Content-Length" but ignores "Transfer-Encoding: chunked", an attacker can send a request containing both the "Content-Length" and "Transfer-Encoding: chunked" headers, with a size in "Content-Length" that does not match the size of the chunked body. In that case the front end processes and forwards the request according to "Content-Length", while the back end waits for the block to complete according to "Transfer-Encoding: chunked".

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol that handles blocks of data of a predetermined size. HTTP/2 does, however, use pseudo-headers that correspond to ordinary HTTP headers. When talking to the back end over HTTP/1.1, the front end translates these pseudo-headers into equivalent HTTP/1.1 headers. The problem is that the back end makes its decisions about parsing the stream based on the HTTP headers set by the front end, without knowing the parameters of the original request.

Even in pseudo-header form, "content-length" and "transfer-encoding" values can be transmitted, although they are not used in HTTP/2, since the size of all data is determined in a separate field. However, when an HTTP/2 request is converted to HTTP/1.1, these headers are passed through and can confuse the back end.

There are two main attack variants: H2.TE and H2.CL, in which the back end is confused by an incorrect transfer-encoding or content-length value that does not match the actual size of the request body received by the front end over HTTP/2.

As an example of an H2.CL attack, an incorrect size was specified in the content-length pseudo-header when submitting an HTTP/2 request to Netflix. This request caused an equivalent Content-Length HTTP header to be added when the back end was accessed over HTTP/1.1, but since the size in Content-Length was smaller than the actual one, part of the data in the queue was processed as the beginning of the next request.

Attack tooling has already been added to the Burp toolkit and is available as the Turbo Intruder extension. Web proxies, load balancers, web accelerators, content delivery systems and other setups in which requests are forwarded in a front-end/back-end arrangement may be affected by the problem.

Source: https://portswigger.net

