Re: [hybi] Shipping WebSockets

Bjoern Hoehrmann <derhoermi@gmx.net> Thu, 16 December 2010 09:48 UTC

From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Gabriel Montenegro <gmonte@microsoft.com>
Date: Thu, 16 Dec 2010 10:50:12 +0100
Message-ID: <u0njg6p6gab1iontt8j1i8e0h4tncnu5u8@hive.bjoern.hoehrmann.de>
References: <B0B3789C-1D3C-4A4E-B37F-8F43FFC7D905@mnot.net> <AANLkTi=Z8Hcp7FBDumgMPH4YmQ1=yqOPwAxD095yzLBt@mail.gmail.com> <AANLkTik6etgMy7jDhWtg+xqhoMzsJy-4U-xveue2gD32@mail.gmail.com>, <AANLkTimw5bHL+GwkMhPC5DwLUJZzeSvfURQQy-XSJxpi@mail.gmail.com> <F16F4A8A-CFBD-44C1-B4A2-EC209E793AF7@mimectl>
In-Reply-To: <F16F4A8A-CFBD-44C1-B4A2-EC209E793AF7@mimectl>
Cc: "hybi@ietf.org HTTP" <hybi@ietf.org>
Subject: Re: [hybi] Shipping WebSockets

* Gabriel Montenegro wrote:
>FYI, we have submitted a draft that's essentially the handshake that Greg proposed a while back.
>We'd like to use it as a basis for further iteration.
>
>http://tools.ietf.org/html/draft-montenegro-hybi-upgrade-hello-handshake

This seems broken to me if you make three assumptions: implementations
don't stop normal HTTP processing if they see a 101 (that's the working
assumption that makes us discuss handshakes at all); it's fairly common
for servers to send response bodies when they are not supposed to, e.g.
in response to HEAD requests, so implementations treat unexpected bodies
as part of the response to the previous request; implementations do only
very limited input validation, for instance, when looking for a method,
they just skip to the next white space octet.

With these assumptions it would seem the server->client hello would be
treated as response body and the client->server hello as request method.
Since what follows the unknown request method is essentially controlled
by the attacker, that amounts to a normal HTTP request. I am sure each
of these flaws can be found in deployed software; their combination plus
additional behavior that makes them exploitable (you also need, say,
persistent connections) is probably rare, but unless I am misreading the
document, this seems insufficient if you care a lot about this problem.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
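As an added illustration of the third assumption in the mail above (this is example code, not from the mail or from the draft it discusses): a request-line parser that merely skips to the next whitespace octet accepts a constructed, non-HTTP "hello" blob as the method and then honours the attacker-shaped remainder as an ordinary request, whereas a parser that enforces the RFC 7230 token grammar rejects the line outright. The hello bytes are a made-up sample, not the draft's actual wire format.

```python
import re

# RFC 7230 request-line: method SP request-target SP HTTP-version CRLF.
# A method is a "token": one or more tchar, i.e. no whitespace, no control
# octets and no non-ASCII bytes. The request-target is restricted here to
# visible ASCII, which is what every real target is made of.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(
    rb"\A(?P<method>" + TOKEN + rb") "         # method, exactly one SP after it
    rb"(?P<target>[!-~]+) "                    # request-target, visible ASCII
    rb"HTTP/(?P<version>[0-9]\.[0-9])\r\n\Z"   # HTTP-version and CRLF, nothing else
)

# Constructed sample: a binary hello blob followed by an attacker-shaped
# request tail. bytes.split() only breaks on ASCII whitespace, so the NUL and
# high-bit octets survive inside the "method".
HELLO_AS_REQUEST_LINE = b"\x00\x9fHELLO\x00 /admin HTTP/1.1\r\n"


def lax_request_line(line: bytes):
    """Lax parsing as described in the mail: call everything before the first
    whitespace the method and validate nothing about its octets."""
    parts = line.strip().split(None, 2)
    if len(parts) != 3:
        return None
    return {"method": parts[0], "target": parts[1], "version": parts[2]}


def strict_request_line(line: bytes):
    """Strict parsing: anything that is not a well-formed request-line is
    rejected instead of being coerced into a request."""
    m = REQUEST_LINE.match(line)
    if m is None:
        return None
    return {"method": m.group("method"),
            "target": m.group("target"),
            "version": m.group("version")}


if __name__ == "__main__":
    for line in (b"GET /index.html HTTP/1.1\r\n", HELLO_AS_REQUEST_LINE):
        print("lax   :", lax_request_line(line))
        print("strict:", strict_request_line(line))
```

The lax parser hands the hello line to the rest of the server as a request for `/admin`; the strict one returns `None` and the connection can be closed.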