A new type of HTTP Request Smuggling attack has been presented

In web systems where the frontend accepts connections over HTTP/2 and forwards them to the backend over HTTP/1.1, a new variant of the "HTTP Request Smuggling" attack has been revealed. By sending specially crafted client requests, it allows an attacker to split the content of requests from other users that are processed in the same stream between the frontend and the backend.

The attack can be used to inject malicious JavaScript code into a session with a legitimate site, bypass access restriction systems and intercept authentication parameters.

The author of the research demonstrated that it is possible to attack the systems of Netflix, Verizon, Bitbucket, Netlify CDN and Atlassian, and received $56,000 in vulnerability reward programs. The problem was also confirmed in F5 Networks products.

The problem partially affects mod_proxy in the Apache http server (CVE-2021-33193), with a fix expected in version 2.4.49 (the developers were notified of the problem in early May and had 3 months to fix it). In nginx, the ability to specify the "Content-Length" and "Transfer-Encoding" headers at the same time was blocked in the previous release (1.21.1).

The operating principle of the new method for splitting requests in the traffic is similar to the vulnerability discovered by the same researcher two years ago, which, however, was limited to frontends that accept requests over HTTP/1.1.

The classic "HTTP Request Smuggling" attack was based on the fact that the frontend and backend interpret the use of the HTTP headers "Content-Length" (which determines the total size of the data in the request) and "Transfer-Encoding: chunked" (which allows data to be transmitted in chunks) differently.

For example, if the frontend only supports "Content-Length" but ignores "Transfer-Encoding: chunked", an attacker can send a request containing both the "Content-Length" and "Transfer-Encoding: chunked" headers, where the size given in "Content-Length" does not match the size of the chunked body. In this case, the frontend will process and forward the request according to "Content-Length", while the backend will wait for the block to finish based on "Transfer-Encoding: chunked".

Unlike the text-based HTTP/1.1 protocol, which is parsed line by line, HTTP/2 is a binary protocol and handles data blocks of a predetermined size. However, HTTP/2 uses pseudo-headers that correspond to the usual HTTP headers. When it talks to the backend using the HTTP/1.1 protocol, the frontend translates these pseudo-headers into the equivalent HTTP/1.1 headers. The problem is that the backend makes its decisions about parsing the stream based on the HTTP headers set by the frontend, without knowing the parameters of the original request.

Even in the form of pseudo-headers, the "content-length" and "transfer-encoding" values can be transmitted, although they are not used in HTTP/2, because the size of all the data is determined in a separate field. However, when an HTTP/2 request is converted to HTTP/1.1, these headers pass through and can confuse the backend.

There are two main attack variants, H2.TE and H2.CL, in which the backend is tricked with an incorrect transfer-encoding or content-length value that does not match the actual size of the request body received by the frontend over the HTTP/2 protocol.

As an example of the H2.CL attack, an incorrect size is specified in the content-length pseudo-header when sending an HTTP/2 request to Netflix. This request leads to the addition of an equivalent Content-Length HTTP header when the backend is accessed over HTTP/1.1, but since the size in Content-Length is smaller than the actual one, part of the data in the queue is processed as the beginning of the next request.
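The defensive counterpart to the H2.TE and H2.CL cases described above is a downgrade step that never lets a client-supplied framing value reach the HTTP/1.1 backend. The following is an added illustration, not code from the research or from any of the products named in the article; it assumes the HTTP/2 layer has already assembled the full body and passes the pseudo-headers as a dict with the hypothetical names `:method`, `:path` and `:authority`.

```python
from typing import Mapping, Optional

class FramingError(ValueError):
    """The HTTP/2 request would have ambiguous framing once rewritten as HTTP/1.1."""

# Connection-specific fields that HTTP/2 forbids; a downgrading proxy must reject
# the request rather than copy them into the HTTP/1.1 stream (the H2.TE case).
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}

def downgrade_h2_to_h1(pseudo: Mapping[str, str],
                       headers: Mapping[str, str], body: bytes) -> bytes:
    """Serialise an HTTP/2 request as HTTP/1.1, taking the framing from the real body.

    pseudo  -- the ':method', ':path' and ':authority' pseudo-headers (assumed names)
    headers -- regular header fields as received from the client
    body    -- the complete DATA-frame payload already assembled by the HTTP/2 layer
    """
    hdrs = {name.lower(): value for name, value in headers.items()}
    for name in hdrs:
        if name in CONNECTION_SPECIFIC:
            raise FramingError(f"connection-specific header in HTTP/2 request: {name}")
    # H2.CL case: a client-supplied content-length must equal the body the proxy framed.
    declared = hdrs.pop("content-length", None)
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        raise FramingError(f"content-length {declared!r} != body of {len(body)} bytes")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"Host: {pseudo[':authority']}"]
    lines += [f"{name}: {value}" for name, value in hdrs.items()]
    # Always emit the length the proxy itself measured, so frontend and backend agree.
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body

def downgrade_error(pseudo, headers, body) -> Optional[str]:
    """Return the reason a request was rejected, or None if it downgraded cleanly."""
    try:
        downgrade_h2_to_h1(pseudo, headers, body)
    except FramingError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    pseudo = {":method": "POST", ":path": "/account", ":authority": "example.test"}
    print(downgrade_h2_to_h1(pseudo, {"Content-Type": "text/plain"}, b"name=x").decode())
    print(downgrade_error(pseudo, {"content-length": "4"}, b"abcdefgh"))
    print(downgrade_error(pseudo, {"transfer-encoding": "chunked"}, b""))
```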

The attack tools have already been added to the Burp toolkit and are available as the Turbo Intruder extension. Web proxies, load balancers, web accelerators, content delivery systems and other configurations in which requests are forwarded in a frontend-backend scheme can be affected.

Source: https://portswigger.net
