CRLF Injection and HTTP Response Splitting

Hello, Khabrovites! In anticipation of the start of classes in the next group of the "Web Application Security" course, we have prepared another useful translation for you.








What is CRLF?



When a browser sends a request to a web server, the server answers with a response that contains both the HTTP headers and the actual page content. The HTTP headers and the HTML body (the page content) are separated by a specific combination of special characters: a carriage return (CR, byte 0x0D) followed by a line feed (LF, byte 0x0A). This pair is known as CRLF.



The web server uses CRLF to understand where one HTTP header ends and the next one begins. CRLF can also tell a web application or a user that a new line begins in a file or in a block of text. CRLF is part of the HTTP/1.1 message format, so it is used by every kind of web server, including Apache, Microsoft IIS and all others.





What is CRLF injection?



In a CRLF injection attack the attacker inserts carriage return and line feed characters into user input to trick the server, the web application or the user into thinking that one object has ended and another one has started. CRLF sequences are not malicious characters in themselves, but they can be used with malicious intent, for example for HTTP Response Splitting.



CRLF injection in web applications



In web applications a CRLF injection can have serious consequences, depending on what the application does with individual data items. The impact ranges from information disclosure to code execution, a direct web application security vulnerability. CRLF injection is a real threat to web application security even though it has never appeared in the OWASP Top 10 as a category of its own. For example, it can be used to manipulate the log files shown in an admin panel, as the example below shows.



An example of CRLF injection in a log file



Imagine a log file in an admin panel whose entries follow the pattern IP - Time - Visited path, for example:



123.123.123.123 - 08:15 - /index.php?page=home


If an attacker can inject CRLF characters into the HTTP request, he can alter the output stream and forge log entries. He can turn the request into something like this:



/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit


%0d and %0a are the URL-encoded forms of CR and LF. Once the attacker has inserted these characters and the application displays the log, the entries look like this:



IP - Time - Visited path



123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit


By exploiting a CRLF injection the attacker can forge entries in the log file to hide his own malicious actions. He is literally doing page hijacking and modifying the response. Imagine a scenario in which the attacker has obtained the admin password and used the restrictedaction parameter, which only an administrator may use.



The problem is that an administrator who notices that an unknown IP address used the restrictedaction parameter would realise that something is wrong. But because the forged entry makes it look as if the command came from localhost (and therefore probably from someone with access to the server, such as an administrator), it does not look suspicious.



The whole part of the query starting with %0d%0a is handled by the server as a single parameter. After it comes another &, followed by the restrictedaction parameter, which the server parses as a separate parameter. Effectively this is the same request as:



/index.php?page=home&restrictedaction=edit
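The forgery above, together with the two countermeasures the text implies (a log writer that encodes control characters, and a check on incoming requests), as an added Python example that is not part of the original article. The log writer, the log parser, the detection check and the sample request are constructed here for illustration; the log format and the payload are the ones shown above, with spaces percent-encoded so the path survives an HTTP request line.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample data: the admin panel's log line fields from the text.
SAMPLE_IP = "123.123.123.123"
SAMPLE_TIME = "08:15"
# The attacker's request path from the text, with spaces %20-encoded so that
# it survives the HTTP request line (a raw space would end the path).
ATTACK_PATH = (
    "/index.php?page=home&%0d%0a127.0.0.1%20-%2008:15%20-%20"
    "/index.php?page=home&restrictedaction=edit"
)

LOG_LINE = re.compile(r"^(\S+) - (\S+) - (.*)$")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_query(raw_path: str) -> dict:
    """What the server's query parser actually sees: the %0d%0a part becomes
    the name of one odd parameter, and restrictedaction=edit is parsed normally."""
    return parse_qs(urlsplit(raw_path).query)


def log_entry_vulnerable(ip: str, time: str, raw_path: str) -> str:
    """Writes the decoded path as-is. The CR LF inside it ends the line early,
    so the rest of the path is written as a second, forged entry."""
    return f"{ip} - {time} - {unquote(raw_path)}\n"


def log_entry_hardened(ip: str, time: str, raw_path: str) -> str:
    """Percent-encodes CR, LF and every other control character after decoding,
    so that one request always produces exactly one log line."""
    path = CONTROL_CHARS.sub(lambda m: "%%%02X" % ord(m.group()), unquote(raw_path))
    return f"{ip} - {time} - {path}\n"


def parse_log(text: str) -> list:
    """Reads the log the way the admin panel (or an analyst) would: one entry per line."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def has_crlf(raw_path: str) -> bool:
    """Detection check for incoming requests: flag any path that decodes to
    something containing CR or LF (one level of URL decoding, as the server does)."""
    decoded = unquote(raw_path)
    return "\r" in decoded or "\n" in decoded


if __name__ == "__main__":
    print(parse_query(ATTACK_PATH))
    print("vulnerable log:")
    for row in parse_log(log_entry_vulnerable(SAMPLE_IP, SAMPLE_TIME, ATTACK_PATH)):
        print("  ", row)
    print("hardened log:")
    for row in parse_log(log_entry_hardened(SAMPLE_IP, SAMPLE_TIME, ATTACK_PATH)):
        print("  ", row)
    print("flagged:", has_crlf(ATTACK_PATH))
```

The vulnerable writer yields two rows, the second attributed to 127.0.0.1; the hardened writer yields a single row whose path still contains the literal text %0D%0A, so the attempt remains visible to the administrator instead of being silently dropped.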


HTTP Response Splitting





Since the headers of an HTTP response and its body are separated by CRLF characters, an attacker can try to inject them. The combination CRLFCRLF tells the browser that the headers have ended and the body begins. That means the attacker can now write data into the response body, where the HTML code lives. This can lead to a cross-site scripting (XSS) vulnerability.



An example of HTTP Response Splitting leading to XSS



Imagine an application that sets a custom header, for example:



X-Your-Name: Bob


The header value is taken from a GET parameter called "name". If no URL encoding is applied and the value is reflected directly into the response header, an attacker can insert the CRLFCRLF combination mentioned above to tell the browser that the response body begins. He can then insert data, such as an XSS payload, that is rendered on the page:



?name=Bob%0d%0a%0d%0a<script>alert(document.domain)</script>


The above displays an alert box in the context of the attacked domain.



HTTP header injection





By exploiting a CRLF injection, an attacker can also insert HTTP headers that defeat security mechanisms such as a browser's XSS filter or the same-origin policy. This allows the attacker to obtain sensitive information such as CSRF tokens. He can also set cookies, which can be exploited by logging the victim into the attacker's account or by exploiting otherwise unexploitable cross-site scripting (XSS) vulnerabilities.



HTTP header injection for extracting sensitive data



Another very dangerous consequence of HTTP header injection is that the attacker can inject CORS (Cross Origin Resource Sharing) headers. This allows JavaScript from another origin to interact with the application, which by design is normally forbidden by the SOP (Same Origin Policy), and so to read sensitive data from it.
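The three injections described in the HTTP Response Splitting and header injection sections above (body injection for XSS, Set-Cookie injection and CORS header injection), as an added Python example that is not part of the original article. The vulnerable response builder is a constructed stand-in for a page that copies the "name" parameter into the X-Your-Name header; the parser uses the standard library's http.client.parse_headers, which stops at the first empty line exactly as a browser does. The XSS payload is the one from the text; the cookie and CORS payloads and the host name attacker.example are constructed here.

```python
import io
from http.client import parse_headers
from urllib.parse import unquote

# Constructed body the page intends to send after its headers.
INTENDED_BODY = "<html><body>Welcome</body></html>"

# Payloads, URL-encoded as they would appear in ?name=...
XSS_PAYLOAD = "Bob%0d%0a%0d%0a<script>alert(document.domain)</script>"  # from the text
COOKIE_PAYLOAD = "Bob%0d%0aSet-Cookie:%20session=attacker-controlled"  # constructed
CORS_PAYLOAD = "Bob%0d%0aAccess-Control-Allow-Origin:%20https://attacker.example"  # constructed


def vulnerable_response(name_param: str) -> bytes:
    """Stand-in for the vulnerable page: the URL-decoded 'name' parameter is
    copied into the X-Your-Name header with no encoding at all."""
    name = unquote(name_param)
    raw = "HTTP/1.1 200 OK\r\n"
    raw += "Content-Type: text/html; charset=utf-8\r\n"
    raw += f"X-Your-Name: {name}\r\n"   # a CR LF inside 'name' ends this header early
    raw += "\r\n" + INTENDED_BODY       # the empty line that is supposed to start the body
    return raw.encode("latin-1")


def as_browser_sees_it(raw: bytes):
    """Splits a raw response the way an HTTP client does: status line, then
    header lines up to the first empty line, then everything else is the body."""
    fp = io.BytesIO(raw)
    status = fp.readline().decode("latin-1").rstrip("\r\n")
    msg = parse_headers(fp)             # stdlib header parser, stops at the empty line
    headers = dict(msg.items())
    body = fp.read().decode("latin-1")
    return status, headers, body


if __name__ == "__main__":
    cases = [("xss", XSS_PAYLOAD), ("cookie", COOKIE_PAYLOAD), ("cors", CORS_PAYLOAD)]
    for label, payload in cases:
        status, headers, body = as_browser_sees_it(vulnerable_response(payload))
        print(label, status)
        for k, v in headers.items():
            print("   ", k + ":", v)
        print("    body starts with:", body[:45])
```

In the XSS case the parsed header set ends at "X-Your-Name: Bob" and the body now begins with the script, ahead of the page's real content. In the other two cases the body is untouched, but the header set has gained a Set-Cookie or Access-Control-Allow-Origin line that the application never set, which is exactly the header injection the text describes.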



Impacts of CRLF injection vulnerabilities



The impact of CRLF injection varies and ranges from everything XSS can do to information disclosure. It can also disable certain security restrictions in the victim's browser, such as XSS filters and the Same Origin Policy, leaving the victim exposed to further attacks.



How to prevent CRLF / HTTP header injection in web applications



The best prevention technique is not to use user input directly in response headers. If that is not possible, always use a function that encodes the CRLF special characters. Another good practice is to update your programming language to a version that does not allow CR and LF to be injected through the functions that set HTTP headers; most current runtimes already refuse such values (PHP's header() has rejected values containing a newline since version 5.1.2). Validate the header name as well as the value whenever either comes from user input, and remember that a bare LF or bare CR must be treated the same way as the full CRLF pair.
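The two strategies from the prevention section, refusing the value outright or encoding its control characters, as an added Python example that is not part of the original article. The function names, the header-name check (RFC 7230 token characters) and the policies are constructed here and are not any framework's API.

```python
import re

# RFC 7230 token characters: the only characters allowed in a header name.
HEADER_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# CR, LF and all other ASCII control characters, which must never reach a header line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjection(ValueError):
    """Raised when untrusted data would add a header or end the header block."""


def header_value_strict(value: str) -> str:
    """Policy 1 (preferred): refuse the value if it contains any control
    character. This is what runtimes that do not allow CR and LF in
    header-setting functions do, and it keeps the attempt visible in error logs."""
    if CONTROL_CHARS.search(value):
        raise HeaderInjection("control character in header value")
    return value


def header_value_encoded(value: str) -> str:
    """Policy 2: percent-encode control characters so the value can no longer
    terminate a header line. A CR LF becomes the harmless text %0D%0A."""
    return CONTROL_CHARS.sub(lambda m: "%%%02X" % ord(m.group()), value)


def render_header(name: str, value: str, policy=header_value_strict) -> str:
    """Renders one header line. The name is validated too: an attacker who
    controls the name could otherwise smuggle CR LF through it."""
    if not HEADER_NAME.fullmatch(name):
        raise HeaderInjection("invalid header name")
    line = f"{name}: {policy(value)}\r\n"
    # Invariant both policies must preserve: exactly one line comes out.
    assert line.count("\r") == 1 and line.count("\n") == 1
    return line


def is_rejected(value: str) -> bool:
    """True if the strict policy refuses the value for the X-Your-Name header."""
    try:
        render_header("X-Your-Name", value)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    # Decoded form of the XSS payload from the text.
    payload = "Bob\r\n\r\n<script>alert(document.domain)</script>"
    print(repr(render_header("X-Your-Name", "Bob")))
    print("strict policy rejects payload:", is_rejected(payload))
    print(repr(render_header("X-Your-Name", payload, policy=header_value_encoded)))
```

Prefer the strict policy: a CR or LF in a header value is never legitimate input, and rejecting it produces an error you can alert on, whereas encoding silently turns the attack into odd-looking but harmless text.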
















