[Development] websockets (was RE: Qt 5.3 Feature freeze is coming quite soon...)
Konrad Rosenbaum
konrad at silmor.de
Mon Jan 27 11:12:19 CET 2014
On Sunday, Sunday 26 January 2014 at 23:46, Richard Moore wrote:
> The aim of the masking is to prevent request splitting and smuggling
> attacks when going through proxies. It prevents an application from
> being to trick proxies into beginning a new request that does
> something different to the one intended.
>
> https://www.owasp.org/index.php/HTTP_Request_Smuggling
Thanks for the link, this is an interesting attack on faulty proxies.
Masking does not solve this attack completely. Only for browsers (in which
case the "application" cannot control the mask) and scripts that don't have
much time to mount their attack. 32 bits is not exactly a big obstacle, even
if they consist of good random (however they are a big enough obstacle if the
attacker does not control hundreds or thousands of browsers for a long enough
time to attack the same target). And there remain enough attack surfaces
outside websockets...
As far as I can see all request smuggling attacks rely on the attacker being
able to inject Content-Length headers to confuse the proxy. I've read only the
first 3 chapters of the RFC yet, but as far as I can see a Content-Length
header should not be generated at all in a Websocket handshake (if we receive
one: ignore the data and complain loudly with qWarning, if we receive more
than one: panic and close the TCP connection immediately).
Are the following assumptions correct?
1) Websockets in Qt use different TCP connections than normal HTTP connections
(QNAM for clients, and whatever is used as a HTTP server equivalent)
2) The Websocket implementation does not allow to manipulate/inject headers
during handshake, esp. Content-Length (setting some pre-defined headers, like
cookies and Sec-Websocket-Protocol is fine if the values are sanitized -
remove newlines!)
3) the client side implementation always uses a fresh TCP connection and the
CONNECT method (not GET) when faced with a proxy - even broken proxies should
not care about content after CONNECT is successful
4) the first data packets are queued until the handshake is complete and only
transmitted after a successful handshake
In that case we do not need to worry about "secure masking". If not, we may
have to rethink the design and/or strong random (if we also care about
corporations using outdated and broken proxies)...
Konrad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20140127/d34d0c4c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.qt-project.org/pipermail/development/attachments/20140127/d34d0c4c/attachment.sig>
More information about the Development
mailing list