Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann <derhoermi@gmx.net> Sun, 10 October 2010 01:21 UTC

From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Scott Ferguson <ferg@caucho.com>
Date: Sun, 10 Oct 2010 03:22:44 +0200
Message-ID: <6o32b65n4kjrueo7e5fb1n9n3m2g7lfg5r@hive.bjoern.hoehrmann.de>
References: <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com> <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de> <4CB0915A.1030400@caucho.com> <at41b6tsldo70ddhkokv8laoie5m99p35s@hive.bjoern.hoehrmann.de> <4CB0A27D.9000307@caucho.com> <m2c1b6dkeesdbh66no4hdfn86mhkq1mfiv@hive.bjoern.hoehrmann.de> <4CB10E6D.8000706@caucho.com>
In-Reply-To: <4CB10E6D.8000706@caucho.com>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>

* Scott Ferguson wrote:
>To sum up, the following are required for the attack to work:
>
> 1. the attacker has an account on the same physical/virtual machine as the target server
> 2. the attacker has hijacked a browser inside the target's office IP 2.2.2.*
> 3. the target restricts access to the office IP 2.2.2.*
> 4. the target is too cheap to pay $11/month for a virtual instance for security
> 5. the ISP is too lazy to add <Limit WEBSOCKET>
> 6. the target has an open DELETE method with no authentication

Well, points 1, 5, and 6 are not quite correct. For 1, both hosts must
be behind the same IP address; how they achieve that is irrelevant. It's
perfectly possible to run them on mutually disconnected machines. For 5,
if the ISP blocks WEBSOCKET requests, that means none of the sites it is
hosting can do Websocket over port 80. If it allows it for some then the
protection is meaningless, as the WEBSOCKET request goes to the attacker
(and similarly on point 6, the DELETE request goes to the attacker). I
do not quite understand point 4, but I agree you need 2 and 3, where to
hijack a browser it is sufficient to trick someone on the office network
into opening a specific web page.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
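A defender's-eye model of points 2, 3 and 6 above, added here as an illustration and not code from the thread or from any hybi implementation: two virtual hosts share one IP, and the target vhost's only protection is a source-IP allow-list. The vhost name, the token store and the client addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model: one IP fronts several virtual hosts; only the Host
# header distinguishes the target from a co-hosted attacker site.
OFFICE_NET = ipaddress.ip_network("2.2.2.0/24")   # the "office IP 2.2.2.*" of the thread
TARGET_HOST = "target.example"                     # hypothetical vhost name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
VALID_TOKENS = {"s3cr3t-office-token"}             # constructed credential store


@dataclass
class Request:
    method: str
    host: str
    client_ip: str
    auth_token: Optional[str] = None
    upgrade: Optional[str] = None   # "websocket" marks a handshake request


def ip_only_policy(req: Request) -> bool:
    """The weak setting: any request from the office network may do anything."""
    if req.host != TARGET_HOST:
        return True                  # other vhosts on this IP are not ours to guard
    return ipaddress.ip_address(req.client_ip) in OFFICE_NET


def hardened_policy(req: Request) -> bool:
    """Network origin is a hint, not a credential: state-changing methods and
    WebSocket upgrades must carry an explicit per-request token."""
    if req.host != TARGET_HOST:
        return True
    if ipaddress.ip_address(req.client_ip) not in OFFICE_NET:
        return False                 # the IP restriction still applies
    if req.method in SAFE_METHODS and req.upgrade is None:
        return True                  # read-only traffic from the office is fine
    return req.auth_token in VALID_TOKENS


# Constructed scenario: a browser inside 2.2.2.* issues an unauthenticated
# DELETE against the target vhost (point 2 plus point 6).
HIJACKED_DELETE = Request("DELETE", TARGET_HOST, "2.2.2.17")
```

The IP-only policy accepts the unauthenticated DELETE because the request really does come from the office network; the hardened policy rejects it and only admits a DELETE that carries a valid token.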