
Autobahn|Python Insecure allowedOrigins validation >= 0.14.1

Autobahn|Python incorrectly checks the Origin header when the 'allowedOrigins' 
option is set. This can allow a third party's page, loaded in another user's 
browser, to open WAMP WebSocket connections to an Autobahn|Python/Crossbar.io 
server and issue otherwise legitimate requests from within that browser's context.

Proof of Concept:
The following will set
class OriginCheckServerFactory(WebSocketServerFactory):
    protocol = ...arbitrary entry here...

    def __init__(self, url):
        WebSocketServerFactory.__init__(self, url)

Then the following connection request will result in a valid 101 Switching 
Protocols response, i.e. the handshake is accepted despite the foreign origin:

GET /ws HTTP/1.1
Host: www.example.com
Sec-WebSocket-Version: 13
Origin: http://www.example.com.malicious.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: tXAxWFUqnhi86Ajj7dRY5g==
Connection: keep-alive, Upgrade
Upgrade: websocket

This is due to the wildcard2patterns function, which turns `u"*.example.com"` 
into `r".*\.example\.com"`. This regex pattern is then matched against the 
complete incoming origin. Because the pattern is not anchored at the end, the 
match already succeeds on the prefix `http://www.example.com`, and the trailing 
`.malicious.com` is never examined.
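
The following is an added example, not Autobahn's own code: a constructed 
re-implementation of the wildcard-to-regex conversion described above, once 
without an end anchor (the flawed behaviour) and once with `$` appended, run 
over a few constructed Origin values. The function names `wildcard_to_regex`, 
`origin_allowed` and `check_origins` are assumptions for this example only.

```python
import re

# Constructed sample origins. Only the first two should be accepted for the
# allowed pattern "*.example.com"; the third is the advisory's bypass shape.
SAMPLE_ORIGINS = [
    "http://www.example.com",
    "http://app.example.com",
    "http://www.example.com.malicious.com",
    "http://malicious.com",
]


def wildcard_to_regex(pattern, anchored):
    """Turn a wildcard pattern such as "*.example.com" into a regex.

    '*' becomes '.*'; every other character is escaped literally. With
    anchored=False the result is ".*\\.example\\.com", the unanchored form
    the advisory describes. With anchored=True a '$' is appended so the
    whole origin string must be consumed by the pattern.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return escaped + "$" if anchored else escaped


def origin_allowed(origin, allowed_patterns, anchored):
    """Return True if the origin matches any allowed wildcard pattern.

    re.match anchors at the start only, so without the trailing '$' any
    origin that merely *begins* with something ending in ".example.com"
    is accepted.
    """
    return any(
        re.match(wildcard_to_regex(p, anchored), origin) is not None
        for p in allowed_patterns
    )


def check_origins(origins, allowed_patterns, anchored):
    """Map each origin to the accept/reject decision for inspection."""
    return {o: origin_allowed(o, allowed_patterns, anchored) for o in origins}


if __name__ == "__main__":
    allowed = ["*.example.com"]
    print("unanchored:", check_origins(SAMPLE_ORIGINS, allowed, anchored=False))
    print("anchored:  ", check_origins(SAMPLE_ORIGINS, allowed, anchored=True))
```

Anchoring fixes the specific bypass shown in the advisory, but an origin check 
that only looks at the host part of the string is still incomplete: the scheme 
and port are part of the origin, so a robust check parses the Origin value and 
compares scheme, host and port separately rather than relying on a single regex.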

This issue was fixed in Autobahn|Python 0.15.0.