Autobahn|Python Origin Header Manipulation
Posted on 26 July 2016
Observation: Autobahn|Python incorrectly checks the Origin header when the `allowedOrigins` option is set. This can allow a third-party origin to open legitimate WAMP WebSocket connections to an Autobahn|Python/Crossbar.io server from within another user's browser context.

Proof of Concept: The following will set

```
# The asyncio variant lives in autobahn.asyncio.websocket
from autobahn.twisted.websocket import WebSocketServerFactory

class OriginCheckServerFactory(WebSocketServerFactory):
    protocol = ...arbitrary entry here...

    def __init__(self, url):
        WebSocketServerFactory.__init__(self, url)
        # Only these origins are meant to be accepted
        self.setProtocolOptions(allowedOrigins=[u"127.0.0.1", u"*.example.com"])
```

Then the following connection request will result in a valid 101 Switching Protocols response:

```
GET /ws HTTP/1.1
Host: www.example.com
Sec-WebSocket-Version: 13
Origin: http://www.example.com.malicious.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: tXAxWFUqnhi86Ajj7dRY5g==
Connection: keep-alive, Upgrade
Upgrade: websocket
```

This is due to the wildcard2patterns function, which turns `u"*.example.com"` into `r".*.example.com"`. This regex pattern is then matched against the complete incoming Origin value (https://github.com/crossbario/autobahn-python/blob/1c86fefa733901247d6439af346d77cbb58a9bf4/autobahn/websocket/protocol.py#L2588). Because the dots are not escaped and nothing anchors the end of the pattern, `http://www.example.com.malicious.com` satisfies `.*.example.com` just as `http://www.example.com` does.

Remediation: This issue was fixed in Autobahn|Python 0.15.0 (https://autobahn-python.readthedocs.io/en/latest/changelog.html#id2).
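To make the failure mode concrete for anyone auditing their own origin checks, here is an added, self-contained reconstruction of the flaw next to a hardened check. This is illustrative code written for this page, not Autobahn|Python's own implementation: `origin_allowed_loose` assumes the described translation (`*` to `.*`, dots left unescaped) with a start-anchored `re.match` over the whole Origin string, while `origin_allowed_strict` escapes the pattern, anchors both ends, and compares only the host part of the parsed Origin. The allow-list and the origins tested are constructed to mirror the advisory.

```python
import re
from urllib.parse import urlsplit

# Allow-list constructed to mirror the advisory's setProtocolOptions call.
ALLOWED_ORIGINS = ["127.0.0.1", "*.example.com"]


def wildcard_to_regex_loose(wildcard):
    """Reconstruction of the flawed translation: '*' becomes '.*', '.' is left
    as a regex metacharacter, and the end of the string is not anchored."""
    return re.compile(wildcard.replace("*", ".*"))


def origin_allowed_loose(origin, allowed=ALLOWED_ORIGINS):
    """Flawed check (assumed behaviour): re.match anchors only at the start and
    runs over the complete Origin value, scheme included."""
    return any(wildcard_to_regex_loose(w).match(origin) is not None for w in allowed)


def wildcard_to_regex_strict(wildcard):
    """Hardened translation: escape every metacharacter, let '*' stand for a
    single DNS label only, and anchor both ends so nothing can be appended."""
    escaped = re.escape(wildcard).replace(r"\*", r"[^.]*")
    return re.compile(r"\A" + escaped + r"\Z")


def origin_allowed_strict(origin, allowed=ALLOWED_ORIGINS):
    """Hardened check: parse the Origin as a URL and compare the hostname only.
    Opaque origins such as 'null' have no hostname and are rejected."""
    host = urlsplit(origin).hostname
    if not host:
        return False
    return any(wildcard_to_regex_strict(w).match(host) is not None for w in allowed)


def compare(origins):
    """Run both checks over a list of Origin values; returns
    {origin: (loose_result, strict_result)} so differences are easy to spot."""
    return {o: (origin_allowed_loose(o), origin_allowed_strict(o)) for o in origins}


if __name__ == "__main__":
    # Constructed sample origins, including the one from the advisory's request.
    samples = [
        "http://www.example.com",
        "http://www.example.com:8080",
        "http://www.example.com.malicious.com",
        "http://127.0.0.1",
        "null",
    ]
    for origin, (loose, strict) in compare(samples).items():
        print(f"{origin:40s} loose={loose!s:5s} strict={strict!s:5s}")
```

The strict variant deliberately treats `*` as one label, in the same way a wildcard TLS certificate does, so `*.example.com` covers `www.example.com` but not `a.b.example.com` or the bare apex; widen `[^.]*` to `.*` if multi-label matching is the intended policy. Port and path are ignored because only the scheme-less host is compared; add the scheme to the allow-list entries if `http` versus `https` should be distinguished.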