An attack on front-end/back-end systems that allows interfering with third-party requests

Details have been disclosed of a new attack on sites that use a front-end/back-end scheme, such as those served through content delivery networks, load balancers or proxies. By sending specially crafted requests, the attack allows an attacker to wedge into the contents of other requests processed over the same connection between the front end and the back end. The proposed method was successfully used to organise an attack that made it possible to bypass the authentication boundaries of PayPal users, for which the researchers were paid about 40 thousand dollars under a program for reporting unfixed vulnerabilities. The attack also affects sites that use the Akamai content delivery network.

The problem is that the front end and the back end often provide different levels of support for the HTTP protocol, while at the same time multiplexing requests from different users over a shared channel. To link the front end, which receives requests, with the back end, which processes them, a long-lived TCP connection is established over which user requests are passed along one after another, separated by means of the HTTP protocol itself. To delimit requests, the headers "Content-Length" (which states the total size of the request body) and "Transfer-Encoding: chunked" (which allows the body to be sent in parts, as blocks of varying size in the format "{size}\r\n{block}\r\n{size}\r\n{block}\r\n0") can be used.

The problem arises if the front end supports only "Content-Length" but ignores "Transfer-Encoding: chunked" (for example, the Akamai CDN did this), or the other way round. If "Transfer-Encoding: chunked" is supported on both sides, implementation quirks of the HTTP header parsers can be used for an attack (for example, when the front end ignores lines such as "Transfer-Encoding: xchunked", "Transfer-Encoding : chunked", "Transfer-Encoding:[tab]chunked", "X: X[\n]Transfer-Encoding: chunked" or "Transfer-Encoding[\n]: chunked", but the back end processes them successfully).

In that case the attacker can send a request containing both the "Content-Length" and the "Transfer-Encoding: chunked" headers, where the size given in "Content-Length" does not match the size of the chunked sequence and is smaller than the actual value. If the front end processes and forwards the request according to "Content-Length", while the back end waits for the chunked sequence to complete according to "Transfer-Encoding: chunked", then the end of the data as determined by "Transfer-Encoding: chunked" is found earlier, and the remaining tail of the attacker's request ends up at the beginning of the next request. In other words, the attacker is able to prepend arbitrary data to the beginning of someone else's request that is forwarded next.


To determine whether the front-end/back-end combination in use is affected, a request of the following form can be sent to the front end:

POST /about HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 4

1
Z
Q

The problem exists if the back end does not process the request immediately but waits for the arrival of the final zero-size chunk. For a complete check, a special utility was prepared that also tests the possible ways of hiding the "Transfer-Encoding: chunked" header from the front end.
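The following is an added example, not code from the article or from the researchers' utility, showing how a front end can detect the framing ambiguity described above: it parses a raw HTTP/1.1 request, applies the rule from RFC 7230 §3.3.3 that a message carrying both "Content-Length" and "Transfer-Encoding" is to be treated as a likely smuggling attempt, flags the non-canonical "Transfer-Encoding" spellings listed earlier, and reports how many bytes the Content-Length rule would leave over versus whether the chunked rule would still be waiting, which is exactly the state the probe request above puts a vulnerable back end into. The function and variable names (`audit`, `frame_by_chunked`, `PROBE`, and so on) and all sample requests are constructed for this illustration.

```python
import re

CRLF = b"\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header lines, body bytes).
    Header lines are kept verbatim so that whitespace and bare-LF tricks stay visible."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("request head not terminated by an empty line")
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], lines[1:], body


def classify_headers(header_lines):
    """Return (content_length values, chunked flag, suspicious lines).
    A line counts as Transfer-Encoding related if the token appears anywhere in it,
    including inside another header's value (the "X: X[\\n]Transfer-Encoding" trick)
    or on a line with no colon at all (the "Transfer-Encoding[\\n]: chunked" trick)."""
    content_lengths, te_chunked, suspicious = [], False, []
    for line in header_lines:
        name, colon, value = line.partition(":")
        well_formed = bool(colon) and name != "" and name == name.strip(" \t") and "\n" not in line
        if well_formed and name.lower() == "content-length":
            content_lengths.append(value.strip(" \t"))
        # Only the canonical spelling is accepted; OWS (space/tab) around the value is legal.
        canonical_te = (well_formed and name.lower() == "transfer-encoding"
                        and value.strip(" \t").lower() == "chunked")
        if canonical_te:
            te_chunked = True
        elif "transfer-encoding" in line.lower() or not well_formed:
            suspicious.append(line)
    return content_lengths, te_chunked, suspicious


def frame_by_content_length(body: bytes, length: int):
    """Return (message body, leftover bytes) as a Content-Length parser sees it,
    or None if the body has not fully arrived yet."""
    if len(body) < length:
        return None
    return body[:length], body[length:]


def frame_by_chunked(body: bytes):
    """Strict chunked decoder: returns (decoded body, leftover bytes), returns None while
    the terminating zero-size chunk has not arrived (a parser would keep waiting), and
    raises ValueError on a malformed chunk. Trailers are not accepted in this example."""
    decoded, pos = bytearray(), 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            return None                                   # size line incomplete
        size_field = body[pos:end].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError(f"bad chunk size line {body[pos:end]!r}")
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            tail = body[pos:pos + 2]
            if len(tail) < 2:
                return None                               # final empty line not yet here
            if tail != CRLF:
                raise ValueError("last chunk not followed by an empty line")
            return bytes(decoded), body[pos + 2:]
        if len(body) < pos + size + 2:
            return None                                   # chunk data incomplete
        if body[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk data not followed by CRLF")
        decoded += body[pos:pos + size]
        pos += size + 2


def audit(raw: bytes) -> dict:
    """Apply the strict front-end rules and show how the two framing rules disagree."""
    request_line, header_lines, body = parse_request(raw)
    cls, te_chunked, suspicious = classify_headers(header_lines)
    report = {"request": request_line, "reasons": [], "cl_leftover": None, "te_state": None}
    if suspicious:
        report["reasons"].append(f"non-canonical or malformed header lines: {suspicious}")
    if len(cls) > 1 or any(not v.isdigit() for v in cls):
        report["reasons"].append(f"invalid or duplicated Content-Length: {cls}")
    if cls and (te_chunked or suspicious):
        report["reasons"].append("both Content-Length and Transfer-Encoding present")
    if len(cls) == 1 and cls[0].isdigit():
        framed = frame_by_content_length(body, int(cls[0]))
        report["cl_leftover"] = None if framed is None else len(framed[1])
    if te_chunked or suspicious:
        try:
            framed = frame_by_chunked(body)
            report["te_state"] = "waiting" if framed is None else "complete"
        except ValueError as exc:
            report["te_state"] = f"malformed ({exc})"
    report["verdict"] = "reject" if report["reasons"] else "accept"
    return report


# Constructed sample requests: the probe from the article, a clean request, and an
# obfuscated Transfer-Encoding spelling.
PROBE = (b"POST /about HTTP/1.1\r\nHost: example.com\r\n"
         b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n1\r\nZ\r\nQ")
CLEAN = b"POST /about HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\n\r\nhello"
OBFUSCATED = (b"POST /about HTTP/1.1\r\nHost: example.com\r\n"
              b"Transfer-Encoding : chunked\r\nContent-Length: 4\r\n\r\n1\r\nZ\r\nQ")

if __name__ == "__main__":
    for sample in (PROBE, CLEAN, OBFUSCATED):
        print(audit(sample))
```

For the probe request the report shows a Content-Length parser finishing with 3 leftover bytes while the chunked parser is still "waiting" for the zero-size chunk: the two sides disagree on where the message ends, so the request is rejected outright rather than forwarded. A tab after the colon ("Transfer-Encoding:[tab]chunked") is legal optional whitespace and is therefore recognised as chunked, and the request is still rejected because it also carries "Content-Length".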

Carrying out a real attack depends on the capabilities of the targeted site. For example, when attacking the Trello web application, it was possible to substitute the beginning of a request (injecting data of the form "PUT /1/members/1234... x=x&csrf=1234&username=testzzz&bio=cake") and thereby submit a message that included a third-party user's original request together with the authentication cookie it contained. In the attack on saas-app.com, it turned out to be possible to inject JavaScript code into the response by substituting it into one of the request parameters. In the attack on redhat.com, an internal handler was used to redirect to the attacker's site (a request of the form "POST /search?dest=../assets/idx?redir=//[email protected]/ HTTP/1.1").

Applying the method to content delivery networks made it possible to simply swap the requested site by substituting the "Host:" header. The attack can also be used to poison the contents of caching systems and to extract confidential data stored in the cache. The culmination of the method was an attack on PayPal that made it possible to intercept the passwords users submitted during authentication (the iframe request was altered so that JavaScript executed in the context of the paypal.com/us/gifts page, to which CSP (Content Security Policy) was not applied).

Interestingly, back in 2005 a request-splitting technique that is essentially similar was proposed: it allowed data to be substituted in caching proxies (Tomcat, squid, mod_proxy) or firewalls to be bypassed by specifying several "GET" or "POST" requests within a single HTTP session.

Source: opennet.ru
