Websocket why masking




















Nobody has proved that this could actually happen, but the fact that it could happen was reason enough for browser vendors to get twitchy, so masking was added to remove the possibility of it being used as an attack. The idea is that the API-level code generating the WebSocket frame selects a masking key and masks the data supplied by the application code, so the application code cannot in any meaningful way dictate the data that ends up passing through the potentially broken intermediaries and therefore can't cause trouble.

Since the masking key is in the frame, intermediaries can be written to understand and unmask the data to perform some form of clever inspection if they want to.

Designed by committee and looks like a camel.

You can argue whether that's pandering to stupid proxies and I think it is, but that's the reason.

Is masking really necessary when sending from Websocket client

However, the masking key is still known to such services (it is sent on a per frame basis at the beginning of each frame). Am I wrong to assume that such services can still use the key to unmask, alter, and then re-mask the contents before passing the frame to the next point?

Remember that all arrays in Lua begin with 1, not 0.

In this function we start decoding right after the 4 byte key, so we set i in the for loop to 7. To make sure this aligns properly we just subtract 7 from i. After that we XOR each byte with the appropriate key byte and store the results in an array. Once the array is complete we need to convert it back to a string to make things easier to search with.
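The unmasking step described above, as an added example in Python (not code from the original post, whose Lua function is not reproduced on this page). It goes beyond the fixed start offset by also handling frames with extended length fields, where the masking key sits further into the frame. Function names are assumptions, and the sample frame is the masked "Hello" text frame given in RFC 6455 section 5.7.

```python
# Added example: function and constant names are illustrative assumptions.
# Sample input: masked single-frame text message from RFC 6455 section 5.7.
RFC_SAMPLE = bytes.fromhex("818537fa213d7f9f4d5158")

def xor_mask(data: bytes, key: bytes) -> bytes:
    """XOR byte i with key[i % 4]; the same call masks and unmasks."""
    if len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def parse_frame(frame: bytes) -> dict:
    """Parse one WebSocket frame and return its unmasked payload."""
    if len(frame) < 2:
        raise ValueError("truncated header")
    fin = bool(frame[0] & 0x80)
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)      # MASK bit, set on client-to-server frames
    length = frame[1] & 0x7F
    offset = 2
    if length in (126, 127):            # extended 16-bit or 64-bit payload length
        width = 2 if length == 126 else 8
        if len(frame) < offset + width:
            raise ValueError("truncated extended length")
        length = int.from_bytes(frame[offset:offset + width], "big")
        offset += width
    key = b""
    if masked:                          # 4-byte key sits right before the payload
        key = frame[offset:offset + 4]
        if len(key) != 4:
            raise ValueError("truncated masking key")
        offset += 4
    payload = frame[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        payload = xor_mask(payload, key)
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "key": key, "payload": payload}

if __name__ == "__main__":
    print(parse_frame(RFC_SAMPLE))
```

For short frames the payload begins at 0-based offset 6, which is the index 7 used in the 1-based Lua description above.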

Figure 1: masked Websockets data
Figure 2: unmasked Websockets data
Figure 3: Websockets decoded by Wireshark

The formula for both encoding and decoding the data is the same.


