Re: [hybi] Handshake was: The WebSocket protocol issues.

Greg Wilkins <gregw@webtide.com> Sat, 09 October 2010 00:36 UTC

In-Reply-To: <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com> <AANLkTinYhW9MnnM3tkbCWziePyM7mFUEteKhw5OGp-eS@mail.gmail.com> <AANLkTi=_ejOCNiM49VW5q05=H7-M0jzAvXvGaKM1b7mX@mail.gmail.com> <AANLkTimyJj+Jxz1Q6fLrQ8iosGkD+0shUh3=td+jX_Do@mail.gmail.com> <4CA772A1.2090808@caucho.com> <AANLkTi=nLixtxMEd4B58Zp5FRbquNX2C_=7gCf9BGGQs@mail.gmail.com> <4CABCBFA.6020100@caucho.com> <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com>
Date: Sat, 09 Oct 2010 11:37:50 +1100
Message-ID: <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Adam Barth <ietf@adambarth.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>

On 9 October 2010 10:03, Adam Barth <ietf@adambarth.com> wrote:
> This is a virtual hosting environment.  That's what I meant when I
> said "consider, for example, a virtual hosting environment in which
> the attacker can place PHP scripts on the server."  The attacker has
> access to one virtual host on the server but does not own the entire
> server.
>
> Concretely, consider http://www.adambarth.com/.  My web site is a
> virtual host on a physical server in a 1and1 datacenter.  I'm
> perfectly capable of placing a PHP script on my virtual host.  If the
> PHP script is able to complete the web socket handshake, then I can
> open a WebSocket connection to www.adambarth.com on port 80 from the
> user's browser.  Once the WebSocket handshake completes, I can now
> talk directly to the 1and1 server over more-or-less a raw socket,
> which means I can spoof further HTTP requests and potentially attack
> other virtual hosts that happen to be on the same physical machine,
> which is bad news bears.

Adam,

the key phrase in this description is "Once the WebSocket handshake completes".
That just glosses over several defences:

 + It is not certain that the HTTP server will allow a PHP script to generate a 101 response.
 + The HTTP server will not allow the PHP script to generate a WS ping frame (or the unframed bytes of the current draft).
 + The HTTP server will not accept the pong response as a valid HTTP request. This will almost certainly result in a 400 Bad Request and the connection being closed.

Currently there is no attack vector to get past these defences, other
than to assume that the server is already vulnerable to significant
attacks without the need to use a WS client.

Even if the handshake could complete (which it couldn't), the server
does not have a more-or-less raw socket.  It has a WS socket, and
only WS frames can be sent.  I am dubious that a valid WebSocket
frame could be a meaningful HTTP request.

However, I do believe that this is a very good exercise that we should
do: examine whether it is possible to form a WS frame that looks like a
GET/POST/PUT etc. request.  We should also test how common servers
treat characters such as would be expected in a WS header.  There may
be some tweaks we can make to the framing (e.g. setting RSV bits to 1)
that will further reduce the possibility of WS frames looking like
HTTP requests.

I will try to find some time to do this analysis next week.

regards
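The exercise proposed in the message above, checking whether a serialized WebSocket frame could ever be read as an HTTP request-line (and, by the same check, whether a pong frame would be accepted as a valid HTTP request), as an added example that is not part of the original thread. The frame layout assumed here is a first octet of FIN, three RSV bits and a 4-bit opcode, followed by a length octet with 16- and 64-bit extensions and no masking, i.e. the layout later standardized in RFC 6455; the exact framing of the October 2010 draft is not reproduced from the message, and the sample payload is constructed.

```python
"""Can a serialized WebSocket frame be mistaken for an HTTP/1.1 request?

Added example for the hybi discussion above.  The frame layout
(FIN | RSV1-3 | opcode, then a 7-bit length with 16/64-bit extensions,
no masking) is an assumption of this file, not a quote from the draft.
"""
import re

# Opcodes under the assumed layout.
OP_CONT, OP_TEXT, OP_BINARY, OP_CLOSE, OP_PING, OP_PONG = 0x0, 0x1, 0x2, 0x8, 0x9, 0xA


def encode_frame(opcode: int, payload: bytes, fin: bool = True, rsv: int = 0) -> bytes:
    """Serialize one unmasked frame: FIN|RSV1-3|opcode octet, length, payload."""
    if not 0 <= opcode <= 0xF or not 0 <= rsv <= 0x7:
        raise ValueError("opcode must fit in 4 bits, rsv in 3 bits")
    head = bytes([(0x80 if fin else 0x00) | (rsv << 4) | opcode])
    n = len(payload)
    if n < 126:
        length = bytes([n])
    elif n < 0x10000:
        length = bytes([126]) + n.to_bytes(2, "big")
    else:
        length = bytes([127]) + n.to_bytes(8, "big")
    return head + length + payload


# Strict RFC 7230 request-line: method SP request-target SP HTTP-version CRLF
# method = 1*tchar, request-target = 1*VCHAR, HTTP-version = "HTTP/" DIGIT "." DIGIT
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
REQUEST_LINE = re.compile(
    rb"^(" + TCHAR.encode() + rb"+) ([\x21-\x7e]+) (HTTP/[0-9]\.[0-9])\r\n"
)


def parse_request_line(data: bytes):
    """Return (method, target, version) if data begins with a valid
    request-line, otherwise None."""
    m = REQUEST_LINE.match(data)
    if m is None:
        return None
    return tuple(part.decode("ascii") for part in m.groups())


def first_octet_is_tchar(data: bytes) -> bool:
    """A method token can only start with a tchar; if the first octet of a
    frame is outside that alphabet no request-line parser can accept it."""
    return len(data) > 0 and re.fullmatch(TCHAR, chr(data[0])) is not None


# Constructed sample payload: a well-formed HTTP request, so that the
# verdict below is decided by the framing and not by the payload.
SAMPLE_HTTP_PAYLOAD = b"GET /other-vhost HTTP/1.1\r\nHost: vhost.example\r\n\r\n"


def survey(payload: bytes = SAMPLE_HTTP_PAYLOAD) -> dict:
    """Run the request-line check over every final frame type (text, binary,
    close, ping, pong) with every RSV setting.  Maps (opcode, rsv) to the
    parsed request-line or None."""
    results = {}
    for opcode in (OP_TEXT, OP_BINARY, OP_CLOSE, OP_PING, OP_PONG):
        for rsv in range(8):
            frame = encode_frame(opcode, payload, fin=True, rsv=rsv)
            results[(opcode, rsv)] = parse_request_line(frame)
    return results


if __name__ == "__main__":
    # The bare payload is a request; the same bytes inside any frame are not.
    print("payload alone:", parse_request_line(SAMPLE_HTTP_PAYLOAD))
    for (opcode, rsv), verdict in survey().items():
        print(f"opcode={opcode:#03x} rsv={rsv:03b} first_octet="
              f"{encode_frame(opcode, b'', True, rsv)[0]:#04x} -> "
              f"{'HTTP request' if verdict else 'not a request-line'}")
```

Because a final frame always has its high bit set, the first octet can never be a token character, so the verdict is the same for every RSV setting: under this layout the RSV tweak changes nothing about the first octet. The grammar used here is the strict one; the second thing the message proposes, testing how lenient real servers are with leading non-ASCII or unexpected characters before the method, needs a test against each server, and the survey should then be widened to every FIN/RSV/opcode combination that server is willing to accept rather than only the final frames checked here. RFC 6455 later required client-to-server frames to be masked with a per-frame random key, so a conforming server rejects unmasked frames like the ones built here before any such parsing question arises.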