[Development] websockets (was RE: Qt 5.3 Feature freeze is coming quite soon...)

Richard Moore rich at kde.org
Sun Jan 26 23:46:28 CET 2014


On 26 January 2014 19:23, Kurt Pattyn <pattyn.kurt at gmail.com> wrote:
>> 2. When sending data from client to server (not the other way)
>> The client generates a 32-bit random number.
>> This random number is stored in plain text in the header of each frame.
>> The data is XOR-ed with that 32-bit random number.
>>
>> The server takes the 32-bit random number from the header and XORs it
>> with the payload to get to the original data.
>>
>> I really fail to see what the intention is of this mechanism. I really
>> fail to see what could make this communication ‘secure’.

The aim of the masking is to prevent request splitting and smuggling
attacks when going through proxies. It prevents an application from
being able to trick proxies into beginning a new request that does
something different to the one intended.

https://www.owasp.org/index.php/HTTP_Request_Smuggling

Cheers

Rich.


