A new variant of the HTTP request smuggling attack has been discovered

Web applications in which the front end accepts connections over HTTP/2 and forwards them to the back end over HTTP/1.1 have been found to be exposed to a new variant of the "HTTP Request Smuggling" attack. By sending specially crafted client requests, it allows an attacker to wedge data into the content of other users' requests that are processed over the same stream between the front end and the back end.

The attack can be used to inject malicious JavaScript code into a session with a legitimate site, to bypass access control systems and to intercept authentication parameters.

The author of the research demonstrated that it is possible to attack Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian systems, and received $56,000 through vulnerability reward programs. The problem was also confirmed in F5 Networks products.

The problem partially affects mod_proxy in the Apache HTTP server (CVE-2021-33193); fixes are expected in version 2.4.49 (the developers were notified of the problem in early May and were given 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers at the same time was blocked in the previous release (1.21.1).

The operating principle of the new method of wedging requests into traffic is similar to the vulnerability discovered by the same researcher two years ago, but that one was limited to handlers that accept requests over HTTP/1.1.

The classic "HTTP request smuggling" attack was based on the fact that the front end and the back end interpreted the HTTP headers "Content-Length" (which specifies the total size of the data in the request) and "Transfer-Encoding: chunked" (which allows the data to be transferred in chunks) differently.

For example, if the front end supports only "Content-Length" but ignores "Transfer-Encoding: chunked", an attacker can send a request that contains both the "Content-Length" and the "Transfer-Encoding: chunked" headers, but in which the size in "Content-Length" does not match the size of the chunked body. In this case, the front end will process and forward the request according to "Content-Length", while the back end will wait for the block to be completed based on "Transfer-Encoding: chunked".

Unlike the text-based HTTP/1.1 protocol, which is parsed at the line level, HTTP/2 is a binary protocol and operates on data blocks of a predetermined size. However, HTTP/2 uses pseudo-headers that correspond to the regular HTTP headers. When communicating with the back end over the HTTP/1.1 protocol, the front end translates these pseudo-headers into the equivalent HTTP/1.1 headers. The problem is that the back end makes its decisions about parsing the stream based on the HTTP headers set by the front end, without knowing the parameters of the original request.

Even in pseudo-header form, the "content-length" and "transfer-encoding" values can be transmitted, although they are not used in HTTP/2, since the size of all the data is determined by a separate field. However, when an HTTP/2 request is converted to HTTP/1.1, these headers pass through and can confuse the back end.

There are two main attack methods, H2.TE and H2.CL, in which the back end is misled by an incorrect transfer-encoding or content-length value that does not match the actual size of the request body received by the front end over the HTTP/2 protocol.

As an example of an H2.CL attack, an incorrect size is specified in the content-length pseudo-header when sending an HTTP/2 request to Netflix. This request leads to the addition of the equivalent Content-Length HTTP header when the back end is accessed over HTTP/1.1, but since the size in Content-Length is smaller than the actual one, part of the data in the queue is processed as the beginning of the next request.
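To make the H2.CL mechanism above concrete, here is an added toy model (not code from the research or from any real proxy): a simulated HTTP/1.1 back-end parser, a front end that copies the client's content-length pseudo-header through verbatim, and a hardened front end that derives Content-Length from the DATA frames it actually received, as RFC 9113 requires. The request data and host name are constructed for the example.

```python
# Toy model of the H2.CL desync described above: an HTTP/2 front end forwards
# to an HTTP/1.1 back end. Everything here is constructed for illustration.

def split_http1_requests(stream: bytes) -> list:
    """Split raw HTTP/1.1 bytes into (head, body) pairs the way a back end
    does: body length comes from Content-Length alone (chunked not modelled)."""
    requests, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        head, length = stream[pos:end], 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body_start = end + 4
        requests.append((head, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests

def forward_naive(method: str, path: str, headers: dict, frames: list) -> bytes:
    """Vulnerable front end: copies the client's content-length pseudo-header
    into the HTTP/1.1 request verbatim, ignoring how much DATA it received."""
    head = f"{method} {path} HTTP/1.1\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode() + b"\r\n" + b"".join(frames)

def forward_hardened(method: str, path: str, headers: dict, frames: list) -> bytes:
    """Hardened front end: Content-Length is derived from the DATA frames
    actually received, a disagreeing client value is rejected (RFC 9113
    section 8.1.1), and Transfer-Encoding is never passed through."""
    body = b"".join(frames)
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError("content-length disagrees with DATA frame length")
    head = f"{method} {path} HTTP/1.1\r\ncontent-length: {len(body)}\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in headers.items()
        if k not in ("content-length", "transfer-encoding"))
    return head.encode() + b"\r\n" + body

# Constructed HTTP/2 request: the client declares 4 body bytes, but its DATA
# frames carry those 4 bytes followed by a complete second HTTP/1.1 request.
H2_HEADERS = {"content-length": "4", "host": "example.test"}
H2_FRAMES = [b"abcd", b"GET /second HTTP/1.1\r\nhost: example.test\r\n\r\n"]

def back_end_view(forwarder) -> list:
    """What the HTTP/1.1 back end parses from the forwarded byte stream."""
    return split_http1_requests(forwarder("POST", "/", H2_HEADERS, H2_FRAMES))
```

With the naive front end the back end sees two requests where the client sent one; the hardened front end refuses the request because the declared length and the received DATA disagree.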

Attack tools have already been added to the Burp toolkit and are available as the Turbo Intruder extension. Web proxies, load balancers, web accelerators, content delivery systems and other configurations in which requests are redirected in a front end to back end scheme are susceptible to this problem.

Source: https://portswigger.net
