HTTP Request Smuggling(HTTP Desync Attack) ์ทจ์•ฝ์ 

๊ฐœ์š” HTTP Request Smuggling์€ Watchfire์— ์˜ํ•ด 2005๋…„์— ์ฒ˜์Œ ๋“ฑ์žฅํ•˜์—ฌ ์ˆ˜๋ฉด ์†์— ์ˆจ์–ด ์žˆ๋‹ค๊ฐ€ 2019๋…„ DEFCON๊ณผ BlackHat์—์„œ ํ•ด๋‹น ์ทจ์•ฝ์ ์˜ ์„ ์ด์šฉํ•œ ์ƒˆ๋กœ์šด ๋ฒกํ„ฐ์™€ ์œ„ํ—˜๋„๋ฅผ ๊ฒ€์ฆํ•˜๋ฉด์„œ ์ธ์ง€๋„๊ฐ€ ๋†’์•„์ง„ ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค. ํ•ด๋‹น ์ทจ์•ฝ์ ์ด ์ด์Šˆ๊ฐ€ ๋˜๋Š” ํ•ด์ธ 2019๋…„์— PAYPAL ๊ธฐ์—…์—์„œ๋Š” ํ•ด๋‹น ์ทจ์•ฝ์ ์— ๋…ธ์ถœ๋œ๊ฒƒ์„ ๋ฒ„๊ทธ ๋ฐ”์šดํ‹ฐ ํ”„๋กœ๊ทธ๋žจ์„ ํ†ตํ•ด ์ œ๋ณด๋ฐ›์•˜๊ณ  ํฌ์ƒ๊ธˆ์œผ๋กœ ์ด 20.000 ๋‹ฌ๋Ÿฌ๋ฅผ ์ง€๊ธ‰ํ•œ ์‚ฌ๋ก€๊ฐ€ ์กด์žฌํ•ฉ๋‹ˆ๋‹ค. Http Request Smuggling์€ ํ”„๋ก ํŠธ ์™€ ๋ฐฑ์—”๋“œ๊ฐ€ Http ์š”์ฒญ์˜ ๊ฒฝ๊ณ„๋ฅผ ๋‹ค๋ฅด๊ฒŒ ํ•ด์„ํ•˜๊ณ  RFC7230์„ ๋”ฐ๋ฅด์ง€ ์•Š๋Š” ๋‹ค์–‘ํ•œ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ์‚ฌ์šฉ์œผ๋กœ ์ธํ•ด ๋ฐœ์ƒํ•ฉ๋‹ˆ๋‹ค. ์—ฌ๊ธฐ์„œ ํ”„๋ก ํŠธ์˜ ์—ญํ• ์€ LB(Load Balancer) ๋‚˜ RP(Reverse Prox..
WEB
1