Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Tue, 12 October 2010 00:04 UTC

Message-ID: <4CB3A632.4070103@caucho.com>
Date: Mon, 11 Oct 2010 17:05:06 -0700
From: Scott Ferguson <ferg@caucho.com>
To: Adam Barth <ietf@adambarth.com>
In-Reply-To: <AANLkTinJM9fK2p2-kp5-PaNsWGA9EiJgxFbOXwC0hE+v@mail.gmail.com>
Cc: hybi <hybi@ietf.org>, Bjoern Hoehrmann <derhoermi@gmx.net>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth wrote:
> On Mon, Oct 11, 2010 at 9:56 AM, Scott Ferguson <ferg@caucho.com> wrote:
>   
>> You didn't address point #6, the open DELETE.
>>
>> The target is pre-compromised because it has an open DELETE (point #6) and
>> the target is pre-compromised because it's on the same machine as the
>> attacker (point #1).
>>
>> You're requiring a pre-compromised target to make this attack work.
>>     
>
> I'm not sure what pre-compromised means.  I'm not sure that I'd run my
> servers in this configuration, but that doesn't mean lots of other
> people don't.
>   

1. Your target has an open vulnerability ("DELETE") to non-browser clients
2. Your attacker is running an arbitrary program on the same machine as 
the target.
3. Your attacker has control over the target's web server.

That target server is already under the control of the attacker. Adding 
a browser attack to that scenario is superfluous.

-- Scott