我发现了一个域名(网站和 API),它向每个 HTTP 响应添加了这样的 header :
XTVOpalL: Gtm; path=/; Max-Age=900
header 名称看起来是随机的。以下是其他几个示例:
XRQOJalT: LtZ; path=/; Max-Age=900
XYjOzalA: Ntx; path=/; Max-Age=900
XykOMalm: ytD; path=/; Max-Age=900
注意前导的 4 个空格。并与其他响应 header 进行比较:
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 May 2018 11:52:25 GMT
Server: Apache
Location: http://example.com/wp/
Content-Length: 229
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: visid_incap_993094=GuEL85vzTDKQUJ9jfphhgvma7VoAAAAAQUIPAAAAAACgWz3NlkG3smvkXeB6Ewyl; expires=Sun, 05 May 2019 08:21:45 GMT; path=/; Domain=.example.com
Set-Cookie: nlbi_993094=z0NWEcMl0wAVBr8CiwzebQAAAACu2KRRlrUCoWpyWKTrUAJF; path=/; Domain=.example.com
Set-Cookie: incap_ses_115_993094=/xoUXc5Kags3fAFBHpCYAfma7VoAAAAABT/i1XAh1J4D/02wGnXO9w==; path=/; Domain=.example.com
Set-Cookie: ___utmvmicuVtwf=peInjtBXhca; path=/; Max-Age=900
Set-Cookie: ___utmvaicuVtwf=wYxmyOU; path=/; Max-Age=900
Set-Cookie: ___utmvbicuVtwf=TZr
XYjOzalA: Ntx; path=/; Max-Age=900
X-Iinfo: 13-63374213-63374214 NNNN CT(222 -1 0) RT(1525521145044 0) q(0 0 2 0) r(5 5) U11
X-CDN: Incapsula
主要问题 - 此 header 有时是响应中的第一个 header 。反过来,这被认为是一个漏洞。
在我的例子中它看起来像这样:
HTTP/1.1 301 Moved Permanently
XYjOzalA: Ntx; path=/; Max-Age=900
Date: Sat, 05 May 2018 11:52:25 GMT
Server: Apache
Location: http://example.com/wp/
...
引用 HTTP 1.1 的 RFC https://www.rfc-editor.org/rfc/rfc7230#section-3
A sender MUST NOT send whitespace between the start-line and the first header field. ...
The presence of such whitespace in a request might be an attempt to trick a server into ignoring that field or processing the line after it as a new request, either of which might result in a security vulnerability if other implementations within the request chain interpret the same message differently. Likewise, the presence of such whitespace in a response might be ignored by some clients or cause others to cease parsing.
这会导致 node.js 在尝试解析这些 HTTP 响应时抛出错误。错误代码为 HPE_INVALID_HEADER_TOKEN,仅当 HTTP header 格式错误时才会抛出此错误。
问题:这是什么?谁在做?为什么?
最佳答案
“这是什么?”
这是服务器端的一个错误,因为它违反了 HTTP 协议(protocol)。
实际上,它是discussed在 2013 年的 HTTP 工作组中,因为“python 库中的错误”,我认为 conclusion通过 Julian Reschke是正确的:
It's not a legal field name, thus not a legal start of a header field line.
...
It's forbidden by the grammar, so it's invalid.
“谁在做?为什么?”
当开发人员生成随机 HTTP header 名称时,他/她无意中引入了这 4 个空白前导字符。
关于node.js - 随机名称 HTTP header 开头的四个空格字符,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56979862/