The root of the problem is that the frontend and the backend often support the HTTP protocol to different degrees, yet at the same time they multiplex requests from different users onto a shared channel. To connect the frontend that receives requests with the backend that processes them, a long-lived TCP connection is established, over which user requests are transmitted one after another, delimited by means of the HTTP protocol. To separate requests, the headers "Content-Length" (which specifies the total size of the data in the request) and "
The problem arises when the frontend honours "Content-Length" but ignores "Transfer-Encoding: chunked" (the Akamai CDN, for example, did this), or vice versa. If "Transfer-Encoding: chunked" is supported by both sides, peculiarities of the HTTP header parsers can be used for the attack (for example, when the frontend ignores lines such as "Transfer-Encoding: xchunked", "Transfer-Encoding: chunked ", "Transfer-Encoding:[tab]chunked", "X: X[\n]Transfer-Encoding: chunked", "Transfer-Encoding[\n]: chunked" or "Transfer-Encoding: chunked", while the backend processes them successfully).
In that case, an attacker can send a request carrying both "Content-Length" and "Transfer-Encoding: chunked", where the size given in "Content-Length" does not match the size of the chunked data and is smaller than the real value. If the frontend forwards the request according to "Content-Length" while the backend waits for the chunked body to complete according to "Transfer-Encoding: chunked", the backend determines the end of the data from "Transfer-Encoding: chunked" earlier, and the remaining tail of the attacker's request ends up at the beginning of the next request on the connection. In other words, the attacker can prepend arbitrary data to the start of another user's request that is forwarded next.
To check whether a given frontend-backend combination is affected, a request like the following can be sent through the frontend:
POST /game HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 4

1
Z
Q
The problem is present if the backend does not process the request immediately but instead waits for the final terminating block of the chunked data to arrive. For a more complete check
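A strict gateway-side check for the ambiguities described above (both framing headers in one request, malformed or obfuscated Transfer-Encoding lines, the probe request itself), written from the defender's side. This is an added example, not code from the original article or from any product named in it; the header grammar follows RFC 7230, and the sample requests are constructed here.

```python
import re

# RFC 7230 header-field grammar: token ":" OWS value OWS. A space before the
# colon or a non-token byte in the name deliberately does not match.
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"compress", b"identity"}

def audit_request_head(raw: bytes) -> dict:
    """Strict-gateway view of a raw HTTP/1.1 request head: the body framing a
    conforming parser applies, plus every reason the framing is ambiguous.
    Any problem means the request should be rejected, not forwarded."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    problems = [] if sep else ["head not terminated by CRLF CRLF"]
    te, cl = [], []
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        if b"\n" in line or b"\r" in line:      # bare LF/CR hides a 2nd header
            problems.append("bare CR/LF inside header line: %r" % line)
        elif line[:1] in (b" ", b"\t"):         # obs-fold: deprecated, reject
            problems.append("obsolete line folding: %r" % line)
        elif not (m := HEADER_LINE.match(line)):  # e.g. "Transfer-Encoding : chunked"
            problems.append("malformed header line: %r" % line)
        elif m.group(1).lower() == b"transfer-encoding":
            te.append(m.group(2))
        elif m.group(1).lower() == b"content-length":
            cl.append(m.group(2))
    if te and cl:   # RFC 7230 3.3.3: TE wins, but this is the smuggling signature
        problems.append("both Transfer-Encoding and Content-Length present")
    framing = "chunked" if te else "content-length" if cl else "none"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            problems.append("chunked is not the final transfer coding")
        problems += ["unknown transfer coding: %r" % c
                     for c in codings if c not in KNOWN_CODINGS]  # e.g. xchunked
    elif len(set(cl)) > 1 or (cl and not cl[0].isdigit()):
        problems.append("conflicting or non-numeric Content-Length: %r" % cl)
    return {"framing": framing, "problems": problems}

def should_forward(raw: bytes) -> bool:
    """Gateway policy: forward only requests whose body framing is unambiguous."""
    return not audit_request_head(raw)["problems"]

# Constructed samples: the article's probe, an obfuscated TE header, a clean request.
PROBE = (b"POST /game HTTP/1.1\r\nHost: example.com\r\n"
         b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n1\r\nZ\r\nQ")
OBFUSCATED = b"POST /game HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding : chunked\r\n\r\n"
CLEAN = b"POST /game HTTP/1.1\r\nHost: example.com\r\nContent-Length: 4\r\n\r\nabcd"
```

Rejecting every request with a non-empty problem list at the frontend removes the frontend/backend disagreement the attack depends on, regardless of which header the backend would have honoured.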
Carrying out a real attack depends on the capabilities of the targeted site. For example, when attacking the Trello web application it was possible to substitute the beginning of a request (data of the form "PUT /1/members/1234... x=x&csrf=1234&username=testzzz&bio=cake") and send a message that included a third-party user's original request together with the cookie it contained. Against saas-app.com it became possible to substitute JavaScript code into the response by placing it in one of the request parameters. For the attack on redhat.com, an internal handler was used to redirect to the attacker's site (a request of the form "POST /search?dest=../assets/idx?redir=//[email protected]/ HTTP/1.1").
Applying the method to content delivery networks made it possible to simply replace the requested site by substituting the "Host:" header. The attack can also be used to poison the contents of caching systems and to extract confidential data stored in the cache. The high point of the method was an attack on PayPal that allowed interception of the passwords users submitted during authentication (the iframe request was modified to execute JavaScript in the context of the page paypal.com/us/gifts, to which CSP (Content Security Policy) was not applied).
Interestingly, in 2005 there was
source: budenet.ru