IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Mon, 11 October 2010 17:52 UTC

Return-Path: <ferg@caucho.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3FEBC3A6B56 for <hybi@core3.amsl.com>; Mon, 11 Oct 2010 10:52:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.21
X-Spam-Level:
X-Spam-Status: No, score=-2.21 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eqv76-tAoJoR for <hybi@core3.amsl.com>; Mon, 11 Oct 2010 10:52:21 -0700 (PDT)
Received: from smtp112.biz.mail.sp1.yahoo.com (smtp112.biz.mail.sp1.yahoo.com [69.147.92.225]) by core3.amsl.com (Postfix) with SMTP id 476953A6B52 for <hybi@ietf.org>; Mon, 11 Oct 2010 10:52:21 -0700 (PDT)
Received: (qmail 40350 invoked from network); 11 Oct 2010 17:53:33 -0000
Received: from [192.168.1.11] (ferg@66.92.8.203 with plain) by smtp112.biz.mail.sp1.yahoo.com with SMTP; 11 Oct 2010 10:53:33 -0700 PDT
X-Yahoo-SMTP: L1_TBRiswBB5.MuzAo8Yf89wczFo0A2C
X-YMail-OSG: kkTJCb8VM1moREb6RDzDwcn8_ZmxCuB7yC.TWJkApL_qbBS MRomWJtqejXLJ6LF00kx5vrDaTKt6hsHrjrdSfQv0WRq52WWy9zSDG1NOMve FUgd1bLRZujXt6arXvGXocldYNQxTk2Bhi3jbRpl4Tk33yH1mrAi9xsqlhcN GsLD9KmV..jqFlaikx2Kxpf7wS4sHttvK74LQCFjYg4ZBEHTvScADo67SrLZ 6QxVMfRICdUxOpOinu_1ySwoj0grbI6Ro8SlSb6Weqahy0DKw_VIFCsVjd0l GTET7pMoPagX3K_YHODdI
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4CB34F1D.1@caucho.com>
Date: Mon, 11 Oct 2010 10:53:33 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Bjoern Hoehrmann <derhoermi@gmx.net>
References: <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com> <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de> <4CB0915A.1030400@caucho.com> <at41b6tsldo70ddhkokv8laoie5m99p35s@hive.bjoern.hoehrmann.de> <4CB0A27D.9000307@caucho.com> <m2c1b6dkeesdbh66no4hdfn86mhkq1mfiv@hive.bjoern.hoehrmann.de> <4CB10E6D.8000706@caucho.com> <6o32b65n4kjrueo7e5fb1n9n3m2g7lfg5r@hive.bjoern.hoehrmann.de> <4CB341CC.90300@caucho.com> <iah6b6526sush1hv7e982lu4003r455i4e@hive.bjoern.hoehrmann.de>
In-Reply-To: <iah6b6526sush1hv7e982lu4003r455i4e@hive.bjoern.hoehrmann.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Oct 2010 17:52:22 -0000

Bjoern Hoehrmann wrote:
> * Scott Ferguson wrote:
>   
>> The target is pre-compromised because it has an open DELETE (point #6) 
>> and the target is pre-compromised because it's on the same machine as 
>> the attacker (point #1).
>>     
>
> You are misunderstanding the example trace I gave. The DELETE is sent to
> the attacker, not the target. The server 1.2.3.4 needs to think that the
> client is still talking HTTP, and if the first thing it sees is "ħ<" or
> something like that, it might respond with an error message and close
> the connection. "DELETE..." in US-ASCII looks like a Websocket text
> frame and like HTTP, so I am using that as an example. If the attacker
> manages to create the initial frames such that the web server keeps the
> connection open, then he can send pretty much arbitrary HTTP requests to
> the target server.
>   

The "DELETE" represents the HTTP request that a normal browser cannot 
produce but the WebSocket request supposedly can.

The point is, a server cannot rely on browser restrictions to protect 
their HTTP site. It must defend itself against arbitrary clients which 
are perfectly capable of sending arbitrary, perfectly valid requests.

The attempt to avoid that server-side responsibility by using an IP 
restriction to a foreign site (the office) is not any kind of real defense.

-- Scott

v2.23.0 | Report a Bug | By Email