Re: [hybi] Handshake was: The WebSocket protocol issues.

[Scott Ferguson <ferg@caucho.com>]

Bjoern Hoehrmann wrote:
> * Scott Ferguson wrote:
>   
>> IP restrictions aren't practical because clients access sites from a 
>> variety of devices including mobile access points. A $2 a month server 
>> on a shared virtual host certainly isn't doing authentication using IP 
>> identification.
>>
>> You're now claiming:
>>
>>  1. DELETE public to the world
>>  2. No credential-based authentication
>>  3. Strong IP authentication which forbids the local host, but allows 
>> arbitrary browser IPs.
>>     
>
> The scenario is: there is a web server 1.2.3.4 that supports a.example
> and b.example. The attacker controls a.example, and b.example e.g. does
> not allow requests coming from anywhere but a certain IP address range.
> A small business for instance may be hosting a collaboration platform on
> a shared server, but the platform can only be accessed from their office
> network.

Then only browsers inside the target's office network are potential 
hijacked browsers.

To sum up, the following are required for the attack to work:

 1. the attacker has an account on the same physical/virtual machine as 
the target server
 2. the attacker has hijacked a browser inside the target's office IP 
2.2.2.*
 3. the target restricts access to the office IP 2.2.2.*
 4. the target is too cheap to pay $11/month for a virtual instance for 
security
 5. the ISP is too lazy to add <Limit WEBSOCKET>
 6. the target has an open DELETE method with no authentication
 
-- Scott