W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: consensus on :query ?

From: Willy Tarreau <w@1wt.eu>
Date: Tue, 22 Jul 2014 07:53:53 +0200
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Roberto Peon <grmocg@gmail.com>, Adrien de Croy <adrien@qbik.com>, Martin Thomson <martin.thomson@gmail.com>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140722055353.GA30395@1wt.eu>
On Tue, Jul 22, 2014 at 05:40:46AM +0000, Poul-Henning Kamp wrote:
> In message <CAP+FsNcaxeEhEpQCAteQUZGn03OXTv=MR8xz9nLZVDSU9nf8iA@mail.gmail.com>
> , Roberto Peon writes:
> 
> >If the path contains:
> >/foo/RANDOM_NUMBER/bar
> >
> >and the query contains:
> >q=foo&user=SOME_SECRET_ID
> >
> >Then guessing:
> >/foo/RANDOM_NUMBER/bar?q=foo&user=SOME_SECRET_ID
> >
> >is far, far FAR more difficult than guessing:
> >  q=foo&user=SOME_SECRET_ID
> >alone or
> >  /foo/RANDOM_NUMBER/bar
> >alone.
> 
> Only if you have an oracle to tell you that you got a hit.
> 
> Could you outline exactly how this attack would work ?

You can for example share the same proxy as the victim, send requests
with your guesses there and observe the size of data on the encrypted
communication with the server to determine whether the proxy detected
the same path+query as the previous request and managed to reference
an indexed entry or had to send a literal.

Sometimes you can also control a page the victim displays, and reference
objects belonging to the site you want to steal the credentials for.
Using frames you can have the victim think he/she's on the correct site
and enter credentials (which are only sent to the real site), and in
another frame or using image links you can try to guess the contents
again by forging requests and observing the size on the link.

Regards,
Willy
Received on Tuesday, 22 July 2014 05:57:41 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:09 UTC