Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Sat, 09 October 2010 00:43 UTC

In-Reply-To: <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 08 Oct 2010 17:43:51 -0700
Message-ID: <AANLkTingLtQ7q=5jVBe4xZTdNoXbA3N-N8+TJ+yeON-K@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>

On Fri, Oct 8, 2010 at 5:37 PM, Greg Wilkins <gregw@webtide.com> wrote:
> On 9 October 2010 10:03, Adam Barth <ietf@adambarth.com> wrote:
>> This is a virtual hosting environment.  That's what I meant when I
>> said "consider, for example, a virtual hosting environment in which
>> the attacker can place PHP scripts on the server."  The attacker has
>> access to one virtual host on the server but does not own the entire
>> server.
>>
>> Concretely, consider http://www.adambarth.com/.  My web site is a
>> virtual host on a physical server in a 1and1 datacenter.  I'm
>> perfectly capable of placing a PHP script on my virtual host.  If the
>> PHP script is able to complete the web socket handshake, then I can
>> open a WebSocket connection to www.adambarth.com on port 80 from the
>> user's browser.  Once the WebSocket handshake completes, I can now
>> talk directly to the 1and1 server over more-or-less a raw socket,
>> which means I can spoof further HTTP requests and potentially attack
>> other virtual hosts that happen to be on the same physical machine,
>> which is bad news bears.
>
> The key phrase in this description is "Once the WebSocket handshake completes".
> That just glosses over several defences:
>
>  + It is not certain that the HTTP server will allow a PHP script to
> generate a 101 response.

I don't know why you think it's so hard to set the response status.
There's a PHP function that does exactly that:

http://php.net/manual/en/function.http-send-status.php

According to the documentation, it can set any status between 100 and 599.  Etc.

Anyway, we have a handshake that nukes these vulnerabilities from
orbit.  We should just use that instead of crossing our fingers and
hoping for the best.

Adam