IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann <derhoermi@gmx.net> Sat, 09 October 2010 20:32 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2CCC43A692B for <hybi@core3.amsl.com>; Sat, 9 Oct 2010 13:32:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.526
X-Spam-Level:
X-Spam-Status: No, score=-2.526 tagged_above=-999 required=5 tests=[AWL=-0.527, BAYES_00=-2.599, J_CHICKENPOX_17=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L21OrJVNPwoP for <hybi@core3.amsl.com>; Sat, 9 Oct 2010 13:32:03 -0700 (PDT)
Received: from mail.gmx.net (mailout-de.gmx.net [213.165.64.23]) by core3.amsl.com (Postfix) with SMTP id F3C373A6929 for <hybi@ietf.org>; Sat, 9 Oct 2010 13:32:02 -0700 (PDT)
Received: (qmail invoked by alias); 09 Oct 2010 20:33:09 -0000
Received: from dslb-094-223-184-138.pools.arcor-ip.net (EHLO hive) [94.223.184.138] by mail.gmx.net (mp015) with SMTP; 09 Oct 2010 22:33:09 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX1/WW9oP6PbWh5bw2WNBeAQiV4VNa/SvR678Ft9OPr Q/J3Zys1nresQM
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Scott Ferguson <ferg@caucho.com>
Date: Sat, 09 Oct 2010 22:33:05 +0200
Message-ID: <m2c1b6dkeesdbh66no4hdfn86mhkq1mfiv@hive.bjoern.hoehrmann.de>
References: <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com> <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de> <4CB0915A.1030400@caucho.com> <at41b6tsldo70ddhkokv8laoie5m99p35s@hive.bjoern.hoehrmann.de> <4CB0A27D.9000307@caucho.com>
In-Reply-To: <4CB0A27D.9000307@caucho.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 20:32:05 -0000

* Scott Ferguson wrote:
>IP restrictions aren't practical because clients access sites from a 
>variety of devices including mobile access points. A $2 a month server 
>on a shared virtual host certainly isn't doing authentication using IP 
>identification.
>
>You're now claiming:
>
>  1. DELETE public to the world
>  2. No credential-based authentication
>  3. Strong IP authentication which forbids the local host, but allows 
>arbitrary browser IPs.

The scenario is: there is a web server 1.2.3.4 that supports a.example
and b.example. The attacker controls a.example, and b.example e.g. does
not allow requests coming from anywhere but a certain IP address range.
A small business for instance may be hosting a collaboration platform on
a shared server, but the platform can only be accessed from their office
network. The platform may require additional authentication, but trying
to overcome those can be part of an attack. The Websocket frames just
need to look like HTTP so the server does not close the connection. The
exchange could go like this:

(Websocket handshake)
  C: WEBSOCKET ... HTTP/1.1
  C: Host: a.example
  C: ...

(Websocket handshake)
  S: HTTP/1.1 101 Switching Protocols
  S: ...

(First Websocket frame(s) just happen to look like HTTP)
  C: DELETE / HTTP/1.1
  C: Host: a.example
  C: Content-Length: ...
  C: ...

(Whatever response the attacker feels like sending)
  S: ...

(Websocket traffic, starting from a point chosen by the attacker)
  C: WHATEVER /anywhere HTTP/1.1
  C: Host: b.example
  C: ...

By choosing the Content-Length in the HTTP-spoofing first Websocket
frame carefully, what goes to b.example can come from the free-form
Websocket payload. The attacker just needs to make sure the browser
keeps the "Websocket" connection open and the HTTP server keeps the
"HTTP" connection open, at least long enough to do something meaning-
ful; the attacker can then re-establish the connection as needed.

Right now, to take the example above, if an attacker tricks someone
in the office network to visit a.example, the options for attacks on
b.example are rather limited, for instance, only a few method verbs
are available, the browser will send a Referer header, he can't read
out the responses, and so on. If the above works, the attacker has
more options.

Obviously there are a number of ways to make this kind of attack hard
or even impossible, I just wanted it to be clear that an attacker is
not able to simply use XMLHttpRequest or something similar instead and
do all the same things.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

v2.23.0 | Report a Bug | By Email