IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Fri, 08 October 2010 22:06 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 60ED33A6966 for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 15:06:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.986
X-Spam-Level:
X-Spam-Status: No, score=-1.986 tagged_above=-999 required=5 tests=[AWL=-0.009, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wTgN50dpgpeI for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 15:06:00 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id 6ECB73A693C for <hybi@ietf.org>; Fri, 8 Oct 2010 15:06:00 -0700 (PDT)
Received: by ywa6 with SMTP id 6so583239ywa.31 for <hybi@ietf.org>; Fri, 08 Oct 2010 15:07:05 -0700 (PDT)
Received: by 10.236.95.175 with SMTP id p35mr6454917yhf.40.1286575625861; Fri, 08 Oct 2010 15:07:05 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id 61sm2749768yhl.13.2010.10.08.15.07.04 (version=SSLv3 cipher=RC4-MD5); Fri, 08 Oct 2010 15:07:05 -0700 (PDT)
Received: by iwn10 with SMTP id 10so1643212iwn.31 for <hybi@ietf.org>; Fri, 08 Oct 2010 15:07:03 -0700 (PDT)
Received: by 10.231.14.72 with SMTP id f8mr2789696iba.171.1286575623626; Fri, 08 Oct 2010 15:07:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.149.20 with HTTP; Fri, 8 Oct 2010 15:06:33 -0700 (PDT)
In-Reply-To: <4CAF9589.1060007@caucho.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com> <AANLkTinYhW9MnnM3tkbCWziePyM7mFUEteKhw5OGp-eS@mail.gmail.com> <AANLkTi=_ejOCNiM49VW5q05=H7-M0jzAvXvGaKM1b7mX@mail.gmail.com> <AANLkTimyJj+Jxz1Q6fLrQ8iosGkD+0shUh3=td+jX_Do@mail.gmail.com> <4CA772A1.2090808@caucho.com> <AANLkTi=nLixtxMEd4B58Zp5FRbquNX2C_=7gCf9BGGQs@mail.gmail.com> <4CABCBFA.6020100@caucho.com> <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 08 Oct 2010 15:06:33 -0700
Message-ID: <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Oct 2010 22:06:01 -0000

On Fri, Oct 8, 2010 at 3:04 PM, Scott Ferguson <ferg@caucho.com> wrote:
> Scott Ferguson wrote:
>> Adam Barth wrote:
>>> Consider, for example, a virtual hosting environment in which the
>>> attacker can place PHP scripts on the server....  Now, the attacker can
>>> complete the WebSocket handshake
>>> because the PHP script can compute the HMAC and send the appropriate
>>> response header.
>>
>> Proposed attack: Attack server S with the help of DNS (or hosted HTTP
>> server.)
>>
>> You need to demonstrate a sequence of connections to make that attack work
>> (without using a WebServer proxy or time travel). For discussion, I've
>> granted you syntax, but you must still demonstrate your sequence of
>> connections and propagation of the c-nonce and H to complete the attack.
>
> You still need to demonstrate a sequence of connections to make this attack
> work because your attack appears impossible to complete using TCP as
> currently described.
>
> At very minimum, you need to describe how the WebSocket connection from the
> hijacked browser connects to both the HTTP (or DNS) server that computes the
> hash, and to the target server S to complete the attack.

The DNS server is the target server.

Adam

v2.23.0 | Report a Bug | By Email