competition-request-normalization-smuggling


Competition Request Normalization Smuggling


Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when request interpretation changes between proxy, middleware, and backend parser layers.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start


  1. Map every parsing hop: client-facing proxy, gateway, app server, and downstream service.
  2. Record path normalization, header canonicalization, transfer framing, and host derivation at each hop.
  3. Capture one accepted baseline request and one differential request with minimal delta.
  4. Prove which hop interprets the request differently.
  5. Reproduce one minimal differential path that yields decisive behavior.

Workflow


1. Map Parse And Routing Boundaries


  • Record Host, forwarded headers, path decoding, slash collapsing, dot-segment handling, and case behavior.
  • Note Content-Length, Transfer-Encoding, chunk framing, and connection reuse behavior when relevant.
  • Keep edge parser and backend parser decisions side by side.

2. Prove Differential Interpretation


  • Build paired requests that differ in one canonicalization dimension only.
  • Capture proxy logs, backend logs, route match, and downstream request shape.
  • Show where route, auth scope, or body boundary diverges.
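A small harness for step 1 and step 2, added here as an illustration and not part of the skill or its references: each hop is recorded as the ordered normalization steps it applies, the same raw path is run through every hop, and the output shows which hop interprets it differently and the exact dimension delta between two hops. Hop names, step names and the sample path are constructed for the example; the step functions model one common behaviour each, not any specific proxy's rules.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

def resolve_dots(path: str) -> str:
    """Dot-segment removal ("." and "..") on a slash-delimited path."""
    out: list[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:  # never pop the leading empty segment that stands for "/"
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out)

# Normalization dimensions from the checklist. Step names are assumed; each
# function models one common behaviour, not any particular proxy's rules.
STEPS = {
    "decode": unquote,  # one round of percent-decoding
    "collapse_slashes": lambda p: re.sub(r"/{2,}", "/", p),
    "resolve_dots": resolve_dots,
    "lowercase": str.lower,
}

@dataclass(frozen=True)
class Hop:
    name: str
    steps: tuple[str, ...]  # ordered: decoding before dot removal differs from after
def interpret(hop: Hop, raw_path: str) -> str:
    """The path this hop actually matches routes and auth rules against."""
    p = raw_path
    for s in hop.steps:
        p = STEPS[s](p)
    return p
def differential(hops: list[Hop], raw_path: str) -> tuple[dict[str, str], list[str]]:
    """Per-hop interpretation and the hops that disagree with the first (edge) hop."""
    views = {h.name: interpret(h, raw_path) for h in hops}
    edge = views[hops[0].name]
    return views, [n for n, v in views.items() if v != edge]
def dimension_delta(a: Hop, b: Hop) -> dict:
    """Exact normalization delta: steps only one hop applies, plus ordering drift."""
    only_a = [s for s in a.steps if s not in b.steps]
    only_b = [s for s in b.steps if s not in a.steps]
    order_drift = [s for s in a.steps if s in b.steps] != [s for s in b.steps if s in a.steps]
    return {"only_" + a.name: only_a, "only_" + b.name: only_b, "order_drift": order_drift}

# Constructed sample: an edge that never percent-decodes beside an app server that does.
EDGE = Hop("edge", ("collapse_slashes", "resolve_dots"))
BACKEND = Hop("backend", ("decode", "resolve_dots", "lowercase"))
SAMPLE = "/public/%2e%2e/Reports//v1"
```

Running differential([EDGE, BACKEND], SAMPLE) shows the edge routing on /public/... while the backend sees /reports//v1, and dimension_delta names the decode and case steps as the delta to record; aligning those steps across hops is the fix this evidence supports.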

3. Reduce To Decisive Smuggling Chain


  • Compress to: crafted request -> parser differential across hops -> unintended routed request or hidden endpoint reach -> resulting effect.
  • State whether the root cause is path normalization drift, header ambiguity, transfer framing differential, or host-derivation confusion.
  • If the chain is primarily runtime routing without framing tricks, hand off to the runtime routing skill.

Read This Reference


  • Load references/request-normalization-smuggling.md for the parse-differential checklist and evidence packaging.

What To Preserve


  • Raw request pairs, hop-by-hop interpretation, and final routed target
  • Exact normalization or framing delta that flips behavior
  • One minimal replayable differential request path