Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann <derhoermi@gmx.net> Mon, 11 October 2010 17:18 UTC

From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Scott Ferguson <ferg@caucho.com>
Date: Mon, 11 Oct 2010 19:20:02 +0200
Message-ID: <iah6b6526sush1hv7e982lu4003r455i4e@hive.bjoern.hoehrmann.de>
References: <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com> <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de> <4CB0915A.1030400@caucho.com> <at41b6tsldo70ddhkokv8laoie5m99p35s@hive.bjoern.hoehrmann.de> <4CB0A27D.9000307@caucho.com> <m2c1b6dkeesdbh66no4hdfn86mhkq1mfiv@hive.bjoern.hoehrmann.de> <4CB10E6D.8000706@caucho.com> <6o32b65n4kjrueo7e5fb1n9n3m2g7lfg5r@hive.bjoern.hoehrmann.de> <4CB341CC.90300@caucho.com>
In-Reply-To: <4CB341CC.90300@caucho.com>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
List-Id: Server-Initiated HTTP <hybi.ietf.org>

* Scott Ferguson wrote:
>The target is pre-compromised because it has an open DELETE (point #6) 
>and the target is pre-compromised because it's on the same machine as 
>the attacker (point #1).

You are misunderstanding the example trace I gave. The DELETE is sent to
the attacker, not the target. The server 1.2.3.4 needs to think that the
client is still talking HTTP, and if the first thing it sees is "ħ<" or
something like that, it might respond with an error message and close
the connection. "DELETE..." in US-ASCII looks like a Websocket text
frame and like HTTP, so I am using that as an example. If the attacker
manages to create the initial frames such that the web server keeps the
connection open, then he can send pretty much arbitrary HTTP requests to
the target server.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
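The cross-protocol trick the message describes, worked through as an added illustration that is not part of the original thread: a WebSocket text frame whose payload is US-ASCII "DELETE ..." is built in the draft-hixie-76 framing under discussion (0x00, payload, 0xFF), and the resulting wire bytes are fed to two toy models of an HTTP server, a strict one that errors out and closes on anything that is not a request line, and a lenient one that resynchronises on the first thing shaped like a request line. The same payload is then framed as an RFC 6455 client-to-server frame; RFC 6455 was published in 2011, after this message, and its mandatory client masking XORs the payload with a key the browser picks, so the script no longer controls the bytes on the wire. The request, its path, the two parsers and the `demo()` helper are constructed for this example; 1.2.3.4 and DELETE are taken from the e-mail, and the fixed mask key is the one from the RFC 6455 example so the output is reproducible.

```python
import re
from typing import Optional, Tuple

# Constructed sample request (the path is an assumption; DELETE and 1.2.3.4
# are the values used in the e-mail).
CONSTRUCTED_REQUEST = b"DELETE /admin/item HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n"

# Masking key from the RFC 6455 section 5.7 example, used only so the output
# is reproducible; a real client draws a fresh random key for every frame.
EXAMPLE_MASK = b"\x37\xfa\x21\x3d"


def hixie76_text_frame(payload: bytes) -> bytes:
    """Text frame in the draft-hixie-76 framing the thread discusses:
    a 0x00 byte, the UTF-8 payload verbatim, a 0xFF terminator."""
    if b"\xff" in payload:
        raise ValueError("0xFF cannot appear inside a hixie-76 text frame")
    return b"\x00" + payload + b"\xff"


def rfc6455_text_frame(payload: bytes, mask: Optional[bytes]) -> bytes:
    """RFC 6455 text frame (FIN=1, opcode 1). With a 4-byte mask the payload
    is XORed with the key before it reaches the wire (client-to-server
    direction); mask=None gives the unmasked form used server-to-client."""
    head = bytearray([0x81])
    n = len(payload)
    mask_bit = 0x80 if mask else 0x00
    if n < 126:
        head.append(mask_bit | n)
    elif n < 1 << 16:
        head.append(mask_bit | 126)
        head += n.to_bytes(2, "big")
    else:
        head.append(mask_bit | 127)
        head += n.to_bytes(8, "big")
    if mask is None:
        return bytes(head) + payload
    if len(mask) != 4:
        raise ValueError("masking key must be 4 bytes")
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes(head) + mask + masked


REQUEST_LINE = rb"([A-Z]{3,7}) (/[^ \r\n]*) HTTP/1\.[01]\r\n"


def strict_request_line(wire: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Toy strict HTTP server: the request line must come first, after at
    most a couple of empty lines (RFC 7230 section 3.5). Anything else is an
    error and the connection is closed, which is the outcome the e-mail says
    the attacker has to avoid."""
    m = re.match(rb"(?:\r\n){0,2}" + REQUEST_LINE, wire)
    return (m.group(1), m.group(2)) if m else None


def lenient_find_request(wire: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Toy tolerant HTTP server: skips leading junk until it sees something
    shaped like a request line (a simplification; real servers vary)."""
    m = re.search(REQUEST_LINE, wire)
    return (m.group(1), m.group(2)) if m else None


def demo() -> dict:
    """Frame the constructed request three ways and run both parsers."""
    hixie = hixie76_text_frame(CONSTRUCTED_REQUEST)
    unmasked = rfc6455_text_frame(CONSTRUCTED_REQUEST, None)
    masked = rfc6455_text_frame(CONSTRUCTED_REQUEST, EXAMPLE_MASK)
    return {
        # leading 0x00 is not a request line: strict server closes
        "hixie_strict": strict_request_line(hixie),
        # but a lenient server finds the DELETE inside the frame
        "hixie_lenient": lenient_find_request(hixie),
        # unmasked RFC 6455 framing leaks the request the same way
        "unmasked_lenient": lenient_find_request(unmasked),
        # masked framing: no parser finds a request in the wire bytes
        "masked_strict": strict_request_line(masked),
        "masked_lenient": lenient_find_request(masked),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the example key, every fourth payload byte is XORed with 0xFA and so lands above 0x7F, which is why neither parser can find a request line; with a key the attacker can predict or choose, the XOR can be pre-compensated, so the protection rests on the browser, not the page script, picking a fresh unpredictable key per frame.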