Hello, Khabrovites! Ahead of the start of the next cohort of the "Web Application Security" course, we have prepared another useful translation for you.
What is CRLF?
Carriage return (CR, ASCII 13, \r) and line feed (LF, ASCII 10, \n) are the characters that mark the end of a line. In HTTP messages, and in the HTML they carry, the end of a line is marked by the pair carriage return + line feed, known as CRLF.
A CRLF injection occurs when an attacker manages to insert a CRLF sequence into an application, most commonly through an HTTP parameter or the URL. CRLF is the line terminator defined by HTTP/1.1 and is used by web servers such as Apache, Microsoft IIS and others.
What is a CRLF injection?
In a CRLF injection the attacker inserts the carriage return and line feed characters, which have a reserved meaning, into user-controlled input where the application does not expect them. Because the application treats the sequence as a line terminator, the attacker gains control over what appears on the following line. The most common use of CRLF injection is HTTP response splitting (HTTP Response Splitting).
CRLF injection in web applications
In a web application the impact of a CRLF injection depends on what the application does with the injected line: it can range from information disclosure to code execution, which makes it a web application security vulnerability in its own right. CRLF injection can have serious consequences even though it is not listed as a separate item in the OWASP Top 10. One example is the manipulation of log files viewed in an admin panel, shown below.
CRLF injection in log files
Consider a log file in an admin panel whose entries have the format IP, time, requested path, for example:
123.123.123.123 - 08:15 - /index.php?page=home
If an attacker can inject CRLF characters into the HTTP request, they can change how the entry appears in the log. Suppose the page request is turned into the following:
/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
%0d and %0a are the URL-encoded forms of CR and LF. After the application writes the request to the log and displays it, the entries look like this:
IP — time – path
123.123.123.123 - 08:15 - /index.php?page=home&
127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
By exploiting a CRLF injection, the attacker can fake entries in the log file to disguise their own actions. The attacker is, in effect, hijacking the log file. Imagine that the attacker knows the administrator's password and has executed the restrictedaction parameter, which only an administrator may use.
If the administrator notices that an unknown IP address used restrictedaction, they will realise that something is wrong. But since the forged entry now shows the command coming from localhost (that is, presumably from someone with access to the server, such as an administrator or a script running there), it does not look suspicious.
Note that everything in the query after %0d%0a is handled by the server as a single parameter. The & before restrictedaction then introduces another parameter, which the server parses as usual. So the request is effectively the same as:
/index.php?page=home&restrictedaction=edit
HTTP Response Splitting
The headers and body of an HTTP response are separated by CRLF characters, so an attacker can try to inject them. The sequence CRLFCRLF tells the browser that the headers have ended and the body begins. That lets the attacker write data into the response body, where the HTML code lives. This can lead to cross-site scripting.
HTTP Response Splitting leading to XSS
Imagine an application that sets a custom header, for example:
X-Your-Name: Bob
The value of the header is taken from a GET parameter named «name». If the value is not URL-encoded and is reflected directly in the response header, the attacker can insert the CRLFCRLF combination described above to tell the browser that the body begins. They can then insert data such as an XSS payload, for example:
?name=Bob%0d%0a%0d%0a<script>alert(document.domain)</script>
This displays an alert window in the context of the attacked domain.
HTTP header injection
By exploiting a CRLF injection, an attacker can also insert HTTP headers that defeat browser security mechanisms such as the XSS filter or the same-origin policy. This can give the attacker access to sensitive data such as CSRF tokens. They can also set cookies, which can be used to log the victim in to the attacker's account or to exploit otherwise unexploitable cross-site scripting (XSS) vulnerabilities.
HTTP header injection and CORS
Using HTTP header injection, an attacker may be able to set CORS (Cross Origin Resource Sharing) headers, allowing JavaScript from a malicious domain to access the page as if it were on the same origin, bypassing the SOP (Same Origin Policy).
Impact of CRLF injection
The impact of a CRLF injection varies and includes everything from the consequences of XSS to information disclosure. It can also disable security restrictions in the victim's browser such as the XSS filter and the Same Origin Policy, leaving the victim open to further attacks.
Preventing CRLF/HTTP header injection in web applications
The best defense is not to use user input directly in response headers. If that is not possible, always use a function that encodes the CR and LF characters. It is also advisable to update your programming language or framework to a version that does not allow CR and LF to be injected through functions that set HTTP headers.
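As an added example (not code from the original article), the reflected-header bug and the log-forging example above are shown side by side with the mitigation from this section, in Python: the vulnerable response builder splits at the attacker's CRLFCRLF, the hardened one rejects CR/LF in header values, and the log writer encodes them so a forged entry stays on one line. The header name X-Your-Name, the log format and the two payloads are the article's; the function names and the parsing helper are my own.

```python
import re
from urllib.parse import unquote

# Constructed inputs: the two payloads from the article, URL-decoded the way
# a web server decodes them before handing them to the application.
XSS_NAME = unquote("Bob%0d%0a%0d%0a<script>alert(document.domain)</script>")
LOG_PAGE = unquote("home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit")

CR_OR_LF = re.compile(r"[\r\n]")


def build_response_vulnerable(name: str) -> bytes:
    """Reflects the GET parameter into X-Your-Name without any filtering (the bug)."""
    head = f"HTTP/1.1 200 OK\r\nX-Your-Name: {name}\r\nContent-Type: text/html\r\n\r\n"
    return (head + "<html>hello</html>").encode()


def safe_header_value(value: str) -> str:
    """Hardened form: a header value may never contain a bare CR or LF, so reject it."""
    if CR_OR_LF.search(value):
        raise ValueError("CR/LF not allowed in an HTTP header value")
    return value


def build_response_hardened(name: str) -> bytes:
    """Same response, but the reflected value passes through safe_header_value first."""
    head = f"HTTP/1.1 200 OK\r\nX-Your-Name: {safe_header_value(name)}\r\nContent-Type: text/html\r\n\r\n"
    return (head + "<html>hello</html>").encode()


def split_response(raw: bytes) -> tuple[list[str], str]:
    """Parse like a browser: the first CRLFCRLF ends the headers, the rest is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode().split("\r\n"), body.decode()


def encode_log_field(value: str) -> str:
    """Encode CR and LF so a forged entry cannot start a new line in the log."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


def log_entry(ip: str, time: str, path: str) -> str:
    """One line per request in the article's 'IP - time - path' format."""
    return f"{ip} - {time} - {encode_log_field(path)}"


if __name__ == "__main__":
    headers, body = split_response(build_response_vulnerable(XSS_NAME))
    print("vulnerable response: headers =", headers, "| body starts with", body[:8])
    print(log_entry("123.123.123.123", "08:15", "/index.php?page=" + LOG_PAGE))
```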