A new variant of the HTTP Request Smuggling attack has been discovered

Web systems in which the front end accepts connections over HTTP/2 and forwards them to the back end over HTTP/1.1 have been found to be exposed to a new variant of the "HTTP Request Smuggling" attack, which, by sending specially crafted client requests, allows an attacker to wedge content into the requests of other users that are processed in the same stream between the front end and the back end.

The attack can be used to inject malicious JavaScript code into a session with a legitimate site, bypass access control systems, and extract authentication parameters.

The author of the study demonstrated the possibility of attacking the systems of Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian, and received $56,000 through vulnerability bounty programs. The problem was also confirmed in F5 Networks products.

The problem affects mod_proxy in the Apache HTTP server (CVE-2021-33193); fixes are expected in version 2.4.49 (the developers were notified of the problem in early May and were given three months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers at the same time was already blocked in a previous version (3).

The principle behind the new method of wedging requests into traffic is similar to the vulnerability discovered by the same researcher two years ago, which was limited to front ends that accept requests over HTTP/1.1.

The classic "HTTP Request Smuggling" attack was based on the fact that the front end and the back end interpret the HTTP headers "Content-Length" (which states the total size of the data in the request) and "Transfer-Encoding: chunked" (which allows the data to be sent in chunks) differently...

For example, if the front end supports only "Content-Length" and ignores "Transfer-Encoding: chunked", an attacker can send a request carrying both the "Content-Length" and "Transfer-Encoding: chunked" headers, where the size given in "Content-Length" does not match the size of the chunked body. In that case, the front end processes and forwards the request according to "Content-Length", while the back end waits for the body to complete according to "Transfer-Encoding: chunked".

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol and handles blocks of data of a predetermined size. HTTP/2 does, however, use pseudo-headers that correspond to the regular HTTP headers. When it talks to the back end over HTTP/1.1, the front end translates these pseudo-headers into the equivalent HTTP/1.1 headers. The problem is that the back end makes its decisions about how to parse the stream based on the HTTP headers set by the front end, without knowing the parameters of the original request.

Even in pseudo-header form, "content-length" and "transfer-encoding" values can be transmitted, although they are not used in HTTP/2, because the size of all the data is determined in a separate field. However, when an HTTP/2 request is converted to HTTP/1.1, these headers pass through and can confuse the back end.

There are two main attack variants, H2.TE and H2.CL, in which the back end is misled by an incorrect transfer encoding or by a content-length value that does not match the actual size of the request body the front end received over HTTP/2.

As an example of an H2.CL attack, an incorrect size is specified in the content-length pseudo-header when an HTTP/2 request is sent to Netflix. This request causes a matching HTTP Content-Length header to be added when the back end is accessed over HTTP/1.1, but because the size in Content-Length is smaller than the real one, the remaining data in the stream is processed as the beginning of the next request.
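As an added example (not code from the article or from PortSwigger), the following Python sketch shows the front-end-side normalisation that closes both variants described above: when a front end downgrades an HTTP/2 request to HTTP/1.1 it must derive Content-Length from the bytes it actually received and refuse any client-supplied transfer-encoding or mismatched content-length. The function names, the `example.test` host and the sample body are assumptions.

```python
from typing import Dict, List, Tuple

class SmugglingAttempt(ValueError):
    """Raised when client-supplied framing cannot be trusted."""

def downgrade_h2_to_h11(pseudo: Dict[str, str],
                        headers: List[Tuple[str, str]],
                        body: bytes) -> bytes:
    """Build an HTTP/1.1 request from a received HTTP/2 request.
    `pseudo` holds :method/:path/:authority; `body` is the reassembled
    DATA-frame payload, so len(body) is the authoritative body size."""
    out_headers = []
    for name, value in headers:
        lname = name.lower()
        if lname == "transfer-encoding":
            # HTTP/2 has no chunked encoding; forwarding this header would
            # let the back end re-frame the body (the H2.TE variant).
            raise SmugglingAttempt(f"transfer-encoding not allowed: {value!r}")
        if lname == "content-length":
            # Only accept a content-length that matches the real body size
            # (the H2.CL variant relies on a mismatch here).
            if not value.isdigit() or int(value) != len(body):
                raise SmugglingAttempt(
                    f"content-length {value!r} != actual body size {len(body)}")
            continue  # regenerated below from len(body)
        out_headers.append((lname, value))
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"host: {pseudo[':authority']}"]
    lines += [f"{n}: {v}" for n, v in out_headers]
    # Framing is always derived from the bytes actually received.
    lines.append(f"content-length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body

def rejects(pseudo, headers, body) -> bool:
    """True if the downgrade refuses to forward the request."""
    try:
        downgrade_h2_to_h11(pseudo, headers, body)
        return False
    except SmugglingAttempt:
        return True

# Constructed sample request (not taken from the article).
SAMPLE_PSEUDO = {":method": "POST", ":path": "/login",
                 ":authority": "example.test"}
SAMPLE_BODY = b"user=alice&pw=secret"  # 20 bytes
```

A real proxy would apply the same rule to every hop that changes protocol version; the point is that framing is never copied from the client.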

Attack tooling has already been added to the Burp toolkit and is available as the Turbo Intruder extension. Web proxies, load balancers, web accelerators, content delivery systems and other setups in which requests are relayed in a front end / back end scheme are susceptible to the problem.

Source: https://portswigger.net
