2016 Oct 20, 4:09 2014 May 22, 9:25
The
DOM location interface exposes the HTML document's URI parsed into its properties. However, it is
ancient and has problems that bug me but otherwise rarely show up in the real world. Complaining about mostly theoretical issues is why blogging exists, so here goes:
- The location object's search, hash, and protocol properties are all misnomers that lead to confusion about the correct terms:
- The 'search' property returns the URI's query property. The query property isn't limited to containing search terms.
- The 'hash' property returns the URI's fragment property. This one is just named after its delimiter. It should be called the fragment.
- The 'protocol' property returns the URI's scheme property. A URI's scheme isn't necessarily a protocol. The http URI scheme of course uses the HTTP protocol, but the https URI scheme is
the HTTP protocol over SSL/TLS - there is no HTTPS protocol. Similarly for something like mailto - there is no mailto wire protocol.
- The 'hash' and 'search' location properties both return null in the case that their corresponding URI property doesn't exist or if its the
empty string. A URI with no query property and a URI with an empty string query property that are otherwise the same, are not equal URIs and are allowed by HTTP to return different content.
Similarly for the fragment. Unless the specific URI scheme defines otherwise, an empty query or hash isn't the same as no query or
hash.
But like complaining about
the number of minutes in an hour none of this can ever change without huge compat issues on the web.
Accordingly I can only give my thanks to Anne van Kesteren and the awesome work on the
URL standard moving towards a more sane (but still working
practically within the constraints of compat) location object and URI parsing in the browser.
2014 May 21, 2:06
URI Design & Ownership - On the issues with and alternatives to requiring well known filenames and extensions in URIs. You must love the draft’s URI.
technical uri 2014 Apr 14, 7:22
tp://tools.ietf.org/html/draft-wkumari-not-a-draft-00
humor technical ietf atlanteans 2013 Feb 20, 2:48
Web Security Framework: Problem Statement and Requirements
technical rfc security web html 2012 Dec 7, 2:07
Level 8 of the Stripe CTF is a password server that returns success: true if and only if the password provided matches the password stored directly via
a RESTful API and optionally indirectly via a callback URI. The solution is side channel attack like a timing attack but with ports instead of time.
(I found this in my drafts folder and had intended to post a while ago.)
Code
def nextServerCallback(self, data):
parsed_data = json.loads(data)
# Chunk was wrong!
if not parsed_data['success']:
# Defend against timing attacks
remaining_time = self.expectedRemainingTime()
self.log_info('Going to wait %s seconds before responding' %
remaining_time)
reactor.callLater(remaining_time, self.sendResult, False)
return
self.checkNext()
Issue
The password server breaks the target password into four pieces and stores each on a different server. When a password request is sent to the main server it makes requests to the sub-servers
for each part of the password request. It does this in series and if any part fails, then it stops midway through. Password requests may also be made with corresponding URI callbacks and after the
server decides on the password makes an HTTP request on the provided URI callbacks saying if the password was success: true or false.
A timing attack looks at how long it took for a password to be rejected and longer times could mean a longer prefix of the password was correct allowing for a directed brute force attack. Timing
attacks are prevented in this case by code on the password server that attempts to wait the same amount of time, even if the first sub-server responds with false. However, the server uses
sequential outgoing port numbers shared between the requests to the sub-servers and the callback URIs. Accordingly, we can examine the port numbers on our callback URIs to direct a brute force
attack.
If the password provided is totally incorrect then the password server will contact one sub-server and then your callback URI. So if you see the remote server's port number go up by two when
requesting your callback URI, you know the password is totally incorrect. If by three then you know the first fourth of the password is correct and the rest is incorrect. If by four then two
fourths of the password is correct. If by five then four sub-servers were contacted so you need to rely on the actual content of the callback URI request of 'success: true' or 'false' since you
can't tell from the port change if the password was totally correct or not.
The trick in the real world is false positives. The port numbers are sequential over the system, so if the password server is the only thing making outgoing requests then its port numbers will also
be sequential, however other things on the system can interrupt this. This means that the password server could contact three sub-servers and normally you'd see the port number increase by four,
but really it could increase by four or more because of other things running on the system. To counteract this I ran in cycles: brute forcing the first fourth of the password and removing any entry
that gets a two port increase and keeping all others. Eventually I could remove all but the correct first fourth of the password. And so on for the next parts of the password.
I wrote my app to brute force this in Python. This was my first time writing Python code so it is not pretty.
brute-force password python side-channel technical web 2012 Jan 27, 7:29
IETF draft on the contents of the User Agent HTTP header.
technical ietf http user-agent http-header 2011 Dec 4, 3:00
“The syntax for allowed Top-Level Domain (TLD) labels in the Domain Name System (DNS) is not clearly applicable to the encoding of Internationalised Domain Names (IDNs) as TLDs. This document
provides a concise specification of TLD label syntax based on existing syntax documentation, extended minimally to accommodate IDNs.” Still irritated about arbitrary TLDs.
technical syntax dns tld idn 2011 Jun 21, 1:22"This document defines the concept of an "origin", which is often used
as the scope of authority or privilege by user agents. Typically,
user agents isolate content retrieved from different origins to
prevent malicious web site operators from interfering with the
operation of benign web sites. In addition to outlining the
principles that underly the origin concept, this document defines how
to determine the origin of a URI, how to serialize an origin into a
string, and an HTTP header, named "Origin", that indicates which
origins are associated with an HTTP request."
ietf reference technical web browser user-agent webbrowser origin 2011 May 22, 10:44Links to the IETF draft document of and describes the perf benefits of SSL False Start.
security google browser web webbrowser https performance ssl tls technical 2011 Apr 27, 3:12Prescriptive spec on URI parsing. "This document contains a precise specification of how browsers process URLs. The behavior specified in this document might or might not match any particular
browser, but browsers might be well-served by adopting the behavior defined herein."
technical rfc reference uri 2011 Apr 17, 12:51"Web-based protocols often require the discovery of host policy or metadata, where "host" is not a single resource but the entity controlling the collection of resources identified by Uniform
Resource Identifiers (URI) with a common URI host [RFC3986]."
host rfc reference metadata technical 2011 Apr 6, 3:52Humorous quote from the doc: "While we readily agree that the naming of IPv6 address parts is not the most pressing concern the Internet is facing today, a common nomenclature is important for
efficient communication."
humor technical ipv6 name documentation ietf rfc 2010 Dec 15, 10:02The OAuth 2 spec still in progress.
specification reference ietf spec oauth technical 2010 Oct 4, 2:05Proposed 428 HTTP error code for hijacking proxies to indicate to the client the user needs to login to the network etc. Glad to see this one's finally happening.
http http-status captive-portal hijack proxy authentication technical rfc reference 2010 Sep 27, 3:08Adam Barth's URI API draft starts to appear in webkit: "One of the things Adam Barth is currently working on is an URL API. Citing it, the API can be used for constructing, parsing and resolving URLs
through scripting, easening up tasks like getting and setting parameters. Today the first part landed in WebKit, which added the “origin” property."
webkit adam-barth uri url api javascript dom html html5 browser webbrowser technical 2010 Jun 20, 1:18Protocol for doing distributed commenting and implemented by Google Buzz! "This document defines a lightweight, robust, and secure protocol for sending unsolicited notifications — especially comments
and responses on syndicated feed content — to specified endpoints; along with rules to enable resulting content to itself be syndicated robustly and securely."
comment blog atom rss google buzz salmon reference specification protocol syndication technical 2010 Jun 20, 1:16"This document specifies relation types for Web links, and defines a registry for them. It also defines the use of such links in HTTP headers with the Link header-field."
html http rest url uri meta reference technical link ietf 2010 Apr 21, 6:47"After years of secrecy (and the occasional leak), a draft of the Anti-Counterfeiting Trade Agreement (ACTA) treaty has finally been released by negotiators. We've delved deep into the treaty,
highlighting its numerous problems. Indeed, there's a lot not to like about the treaty: Internet disconnections, anticircumvention prohibitions, and even the ability for rightsholders to get
injunctions if they can show infringement is imminent."
arstechnica acta privacy internet todo government politics piracy technical 2010 Mar 3, 6:15Finally giving the javascript URI scheme its own IETF doc.
javascript ietf url uri scheme reference technical