An attack on frontend-backend combinations that lets an attacker wedge into other users' requests

Details have been disclosed of a new attack technique against sites that use a frontend-backend model, for example those served through content delivery networks, load balancers or proxies. By sending specially crafted requests, the attack allows wedging into the content of other requests processed in the same stream between the frontend and the backend. The proposed method was successfully used to mount an attack that intercepted the authentication parameters of users of the PayPal service, which paid the researchers 40 thousand dollars under its program for reporting unpatched vulnerabilities. The attack also applies to sites that use the Akamai content delivery network.

The essence of the problem is that frontends and backends often provide different levels of support for the HTTP protocol, yet at the same time encapsulate requests from different users into one shared channel. To connect the frontend that receives requests with the backend that processes them, a long-lived TCP connection is established through which user requests are passed one after another in a chain, separated from each other by means of the HTTP protocol. To delimit requests, the headers "Content-Length" (which specifies the total size of the data in the request) and "Transfer-Encoding: chunked" (which allows data to be transmitted in parts, as blocks of varying size in the form "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0") can be used.

The problem arises if the frontend supports only "Content-Length" but ignores "Transfer-Encoding: chunked" (for example, the Akamai CDN behaved this way), or vice versa. If "Transfer-Encoding: chunked" is supported on both sides, quirks of the HTTP header parser implementations can be used for the attack (for example, when the frontend ignores lines such as "Transfer-Encoding: xchunked", "Transfer-Encoding: chunked ", "Transfer-Encoding:[tab]chunked", "X: X[\n]Transfer-Encoding: chunked", "Transfer-Encoding[\n]: chunked" or "Transfer-Encoding : chunked", while the backend processes them).

In this case, the attacker can send a request that contains both a "Content-Length" and a "Transfer-Encoding: chunked" header, where the size given in "Content-Length" does not match the size of the chunked chain, which is smaller than the actual value. If the frontend processes and forwards the request according to "Content-Length", while the backend waits for the body to complete according to "Transfer-Encoding: chunked", then the end of the data as determined by "Transfer-Encoding: chunked" is reached earlier, and the remaining tail of the attacker's request ends up at the beginning of the next request. In other words, the attacker can place arbitrary data at the start of another user's request that is forwarded next.


To find out whether the frontend-backend combination in use is affected, you can send a request of the following form through the frontend:

POST /about HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 4

1
Z
Q

The problem is present if the backend does not process the request immediately and instead waits for the terminating zero-size chunk of the chunked data to arrive. For a more thorough check, a special utility was prepared that also tests the possible ways of hiding the "Transfer-Encoding: chunked" header from the frontend.
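As an added illustration (not part of the article or of the research it reports), the Python below models the two framings the text describes, a frontend that honours Content-Length and a backend that honours Transfer-Encoding: chunked, applied to the probe above, and adds the check a frontend can apply to refuse ambiguous requests before they reach the shared backend connection. The request bytes are constructed samples; the header-obfuscation variants it rejects are the ones listed earlier in the article.

```python
# Constructed sample: the CL.TE probe from the article, as raw bytes on the wire.
PROBE = (b"POST /about HTTP/1.1\r\nHost: example.com\r\n"
         b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n"
         b"1\r\nZ\r\nQ\r\n")

def parse_head(raw):
    """Split a raw request into (request line, [(name, ':', value), ...], body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], [line.partition(b":") for line in lines[1:]], body

def _values(headers, wanted):
    return [v for name, _, v in headers if name.strip().lower() == wanted]

def frame_by_content_length(headers, stream):
    """Frontend view: body is exactly Content-Length bytes; the rest starts the next request."""
    n = int(next(iter(_values(headers, b"content-length")), b"0").strip())
    return stream[:n], stream[n:]

def frame_by_chunked(stream):
    """Backend view: consume {size}\r\n{block}\r\n chunks up to the zero-size chunk.
    Returns (body, leftover, complete); complete=False means the backend keeps waiting
    (the timeout the probe relies on). A non-hex size such as the probe's 'Q' raises ValueError."""
    body, pos = b"", 0
    while True:
        end = stream.find(b"\r\n", pos)
        if end < 0:
            return body, b"", False                # chunk-size line not finished yet
        size = int(stream[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:                              # terminating chunk, then an empty line
            if stream[pos:pos + 2] != b"\r\n":
                return body, b"", False
            return body, stream[pos + 2:], True    # leftover becomes the NEXT request's prefix
        if len(stream) < pos + size + 2:
            return body, b"", False                # chunk data or its CRLF still pending
        body += stream[pos:pos + size]
        pos += size + 2

def is_ambiguous(headers):
    """Frontend-side check: refuse any request whose framing two parsers could disagree on."""
    if any(b"\n" in name or b"\n" in v for name, _, v in headers):
        return True                                # bare LF hides a header from one parser
    if any(name != name.strip() for name, _, _ in headers):
        return True                                # "Transfer-Encoding : chunked" style
    cl, te = _values(headers, b"content-length"), _values(headers, b"transfer-encoding")
    if (cl and te) or len(cl) > 1:
        return True                                # both framings, or repeated Content-Length
    return any(v != b" chunked" for v in te)       # xchunked, "chunked ", tab, etc.
```

Run against the probe, the Content-Length framing hands the backend only "1\r\nZ", on which the chunked parser reports an incomplete body, which is exactly the hang the article uses as its detection signal.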

Carrying out a real attack depends on the capabilities of the targeted site. For example, when attacking the Trello web application, it was possible to substitute the beginning of a request (inserting data such as "PUT /1/members/1234... x=x&csrf=1234&username=testzzz&bio=cake") and thereby send a message that included a third-party user's original request together with the authentication cookie it contained. In an attack on saas-app.com it proved possible to substitute JavaScript code into the response by injecting it into one of the request parameters. In an attack on redhat.com, an internal handler was used to redirect to the attacker's site (a request of the form "POST /search?dest=../assets/idx?redir=//[email protected]/ HTTP/1.1").

Applying the method to content delivery networks makes it possible to substitute the requested host by replacing the "Host:" header. The attack can also be used to poison the contents of caches and to extract confidential data stored in the cache. The high point of the method was the attack on PayPal, which made it possible to intercept passwords sent by users during authentication (an iframe request was modified to execute JavaScript in the context of the paypal.com/us/gifts page, to which CSP (Content Security Policy) was not applied).

Interestingly, back in 2005 a fundamentally similar request-spoofing technique was proposed that allowed substituting data in caching proxies (Tomcat, squid, mod_proxy) or bypassing firewall blocking by placing several "GET" or "POST" requests in a single HTTP session.

Source: opennet.ru
