Re: [hybi] Handshake was: The WebSocket protocol issues.

[Willy Tarreau <w@1wt.eu>]

On Wed, Sep 29, 2010 at 09:47:37AM -0700, Maciej Stachowiak wrote:
> 
> On Sep 29, 2010, at 3:28 AM, Greg Wilkins wrote:
> 
> > On 29 September 2010 18:56, Maciej Stachowiak <mjs@apple.com> wrote:
> >> The raw HTTP request can include a body, which is sent immediately, rather
> >> than waiting for the remainder of the handshake. The body can include
> >> content framed as WS protocol messages. A WebSocket client will wait until
> >> the handshake is complete. So yes, the possibility of attempting an HTTP
> >> connection to a WebSocket server does create additional attack surface.
> > 
> > But how is the HTTP header going to be skipped by the WS server in
> > order for it to find these encapsulated WS messages?
> > 
> > Both a HTTP server and a WS server will consume all of any HTTP
> > request sent to it, so content will not be mistaken as new messages.
> > 
> > It is not sufficient just to send WS frames over the wire.  You have
> > to explain how they are
> > going to be sent so that a server will actually read them and
> > interpret them WS messages.
> 
> The idea is that you make an HTTP request with a header that looks close enough to the WS handshake to fool the server, followed by what appear to be WS messages in the body.

Except that you have the Upgrade header which requires a 101 in
response. A normal HTTP server will either :
  - ignore the Upgarde and return a classical code (200, 404, 403, ...)
  - consider the Upgrade header and either return 101 because it matches
    the protocol it supports (WebSocket) or return an error code because
    it does not support the WS protocol.

Regards,
Willy