Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Sat, 09 October 2010 15:58 UTC

Message-ID: <4CB0915A.1030400@caucho.com>
Date: Sat, 09 Oct 2010 08:59:22 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Bjoern Hoehrmann <derhoermi@gmx.net>
References: <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com> <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de>
In-Reply-To: <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 15:58:21 -0000

Bjoern Hoehrmann wrote:
> * Scott Ferguson wrote:
>   
>> And even if this were all possible, the browser could now ...
>>
>> ... wait for it ...
>>
>> ... make HTTP requests to a HTTP server using websockets instead of the 
>> browser's HTTP client.
>>     
>
> By now there are quite a number of handshake proposals floating around,
> but if a single response is sufficient to make the web browser consider
> the connection to have been upgraded to a Websocket connection, and the
> framing allows making frames that look like HTTP requests, and last I
> checked "DELETE..." was a properly formed frame (though that relied on
> the browser setting a flag that is currently reserved), then this setup
> would allow attackers to do things they currently cannot do, as browsers
> exercise considerable control over what requests a possibly malicious
> web site can trigger for an unrelated site.
>   

Your attacker's PHP script is perfectly capable of launching a 
non-browser attack against the target server. It's not true at all that 
an HTTP request is one of the "things they currently cannot do". Can you 
explain why the attacker doesn't just launch a trivial non-browser 
attack from the PHP script?

To clarify, the target has the following vulnerabilities:

  1. It has a DELETE method available to any non-browser client on the internet.
  2. It has no authentication for that DELETE.

This authentication issue, by the way, is why I want a place for 
authentication in the WebSocket handshake. Since servers do need to 
protect themselves against non-browser clients, and will provide 
non-browser services, they need the ability to defend themselves against 
any attacker on the web who opens a TCP socket.

-- Scott
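Both halves of the exchange above come down to two server-side checks at handshake time: the Origin check that preserves the browser's control over which sites may open a connection, and a credential that every client, browser or not, must present before the upgrade is granted. The following is an added illustration written for this archive page; it is not code from either author or from any hybi draft. It validates an upgrade request in that order and then derives the Sec-WebSocket-Accept value using the fixed GUID from the RFC 6455 handshake, which was standardised after this 2010 thread. The shared secret, the Origin allow-list, the `X-Auth-Token` header and the HMAC scheme behind it are assumptions chosen for the example, not part of any standard, and the sample request is constructed inline.

```python
import base64
import hashlib
import hmac

# Assumptions for this example only (not from the original thread or any RFC):
# a per-deployment secret shared with legitimate clients, an Origin allow-list,
# and a custom "X-Auth-Token" header carrying an HMAC over the client's
# Sec-WebSocket-Key. All three are illustrative choices.
SHARED_SECRET = b"example-shared-secret"          # constructed value
ALLOWED_ORIGINS = {"https://app.example.com"}     # constructed value

# Fixed GUID of the RFC 6455 handshake (standardised after this 2010 message).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers).

    Header names are lower-cased. Anything after the blank line is ignored:
    an upgrade request carries no body that the server should act on.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def expected_token(ws_key: str) -> str:
    """Credential a legitimate client derives from the shared secret (assumed scheme)."""
    return hmac.new(SHARED_SECRET, ws_key.encode("ascii"), hashlib.sha256).hexdigest()


def accept_key(ws_key: str) -> str:
    """Sec-WebSocket-Accept for a given Sec-WebSocket-Key, per RFC 6455."""
    digest = hashlib.sha1((ws_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(raw: bytes):
    """Return ("ok", accept_value) or ("refused", reason).

    Order: shape of the upgrade request, then the browser-side control
    (Origin), then the credential that every client must present.
    """
    try:
        method, _target, h = parse_request(raw)
    except ValueError:
        return ("refused", "malformed request line")
    if method != "GET":
        return ("refused", "upgrade must use GET")
    if h.get("upgrade", "").lower() != "websocket":
        return ("refused", "missing Upgrade: websocket")
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in connection_tokens:
        return ("refused", "missing Connection: Upgrade")
    ws_key = h.get("sec-websocket-key")
    if not ws_key:
        return ("refused", "missing Sec-WebSocket-Key")
    try:
        if len(base64.b64decode(ws_key, validate=True)) != 16:
            return ("refused", "Sec-WebSocket-Key is not a 16-byte nonce")
    except ValueError:
        return ("refused", "Sec-WebSocket-Key is not valid base64")
    # Browsers always send Origin; refuse any origin outside the allow-list.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return ("refused", f"origin not allowed: {origin}")
    # Every client, with or without an Origin, must present the credential.
    presented = h.get("x-auth-token", "")
    if not hmac.compare_digest(presented, expected_token(ws_key)):
        return ("refused", "missing or invalid authentication token")
    return ("ok", accept_key(ws_key))


def build_request(ws_key: str, origin, token) -> bytes:
    """Construct a sample upgrade request (test input, not a captured one)."""
    lines = ["GET /chat HTTP/1.1", "Host: app.example.com", "Upgrade: websocket",
             "Connection: Upgrade", f"Sec-WebSocket-Key: {ws_key}",
             "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    if token is not None:
        lines.append(f"X-Auth-Token: {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    key = "dGhlIHNhbXBsZSBub25jZQ=="   # the sample nonce from RFC 6455 section 1.3
    print(check_handshake(build_request(key, "https://app.example.com", expected_token(key))))
    print(check_handshake(build_request(key, "https://other.example", expected_token(key))))
    print(check_handshake(build_request(key, None, "not-the-token")))
```

The Origin check alone covers only the browser case Bjoern describes; the token check is what Scott's point requires, since a script that opens a raw TCP socket never sends an Origin at all. One further property that neither check provides, and that the "DELETE..." remark depends on, is that bytes arriving after a successful handshake must be handed to the application as opaque frame payloads and never fed back into the server's HTTP request parser.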