Autobahn fuzzingserver/client through a firewall

#1

Hi,

I am trying to test a firewall's websocket support using AutobahnTestSuite/0.5.2-0.5.8. I have set up the Autobahn Fuzzing client/server on either side of the firewall like so:

+----------+        +---------------+        +----------+
| Autobahn |        |               |        | Autobahn |
| Fuzzing  |------->| HTTP Firewall |------->| Fuzzing  |
| Client   |        |               |        | Server   |
+----------+        +---------------+        +----------+

Note: all 3 are housed on the same Machine.

With this setup, I am facing a few issues:

  1. Why can’t I run my Autobahn Fuzzing server on a port different from the one the client connects to? When I configure the client to talk to the firewall, my tests fail with this validation error:
    " port **** in HTTP Host header **** does not match server listening port ****"

Due to some constraints, I will have to run all 3 on the same M/c. I would like to know the reason behind this validation and if there is a way to work around this without actually commenting out the code snippet?

Regards,
Megha


#2

To bypass firewalls I tested one thing on a server and it worked:

  • I added a virtual IP on the main interface

  • I limited Apache to listen on the main IP address

  • and opened Autobahn on the secondary IP address, port 80 too.

So both services are hosted on the same machine on TCP port 80.

They can talk together internally.

One thing to fix though: to use port 80 the Autobahn script must be launched by root, but just after the server runs we go back to a standard user (swap to euid 500 with a Python instruction).

Maybe it can help you with your issue.

F

On Thu, Nov 15, 2012 at 11:31 AM, Megs megha...@gmail.com wrote:
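The setup François describes above, as an added example that is not code from the thread or from Autobahn: a small Python script that binds a listener to one specific local address on port 80 (so Apache on the primary address and the fuzzing server on the virtual address can both own TCP port 80) and then gives up root immediately after the privileged bind(). The address 192.0.2.10 and the uid/gid 500 are placeholders, and the post's "swap to euid 500" is replaced with a permanent setuid/setgid drop for the reason given in the comments.

```python
# Added example (not from the thread or from Autobahn): the two steps
# behind the multi-IP setup above, as a stand-alone script.
#   1. bind the listening socket to ONE address on port 80, so another
#      service (Apache on the primary address) can own port 80 as well;
#   2. drop root permanently right after the bind, since only bind() on
#      a port below 1024 needs the privilege.
# 192.0.2.10 (the "secondary" virtual IP) and uid/gid 500 are assumed
# placeholder values, not taken from a real host.

import os
import socket
from typing import Tuple


def bind_listener(ip: str, port: int, backlog: int = 16) -> socket.socket:
    """Create a TCP listener bound to exactly one local address.

    Binding to a specific IP instead of 0.0.0.0 is what lets Apache
    (bound to the primary IP) and this server (bound to the secondary,
    virtual IP) both listen on the same TCP port on the same machine.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((ip, port))
    sock.listen(backlog)
    return sock


def running_as_root() -> bool:
    return os.geteuid() == 0


def drop_privileges(uid: int, gid: int) -> bool:
    """Permanently give up root after the privileged bind() is done.

    Uses setgid()/setuid() rather than seteuid(): seteuid() leaves the
    saved set-user-ID at 0, so a compromised process could call
    seteuid(0) and get root back. setuid() from root rewrites real,
    effective and saved uid at once, which is irreversible.
    Returns True if privileges were dropped, False if there was nothing
    to drop (process is not root).
    """
    if not running_as_root():
        return False
    os.setgroups([])      # shed supplementary groups while still root
    os.setgid(gid)        # group first: setgid() fails once we are non-root
    os.setuid(uid)
    # Verify the drop is real: regaining root must now be impossible.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: setuid(0) still succeeds")


def start_server(ip: str, port: int, uid: int, gid: int) -> Tuple[socket.socket, bool]:
    """Order matters: bind() while still root, then drop, then serve."""
    sock = bind_listener(ip, port)
    dropped = drop_privileges(uid, gid)
    return sock, dropped


if __name__ == "__main__":
    # Secondary (virtual) IP and uid/gid are assumed values; needs root
    # only for the bind() on port 80.
    listener, dropped = start_server("192.0.2.10", 80, uid=500, gid=500)
    print("listening on %s:%d, privileges dropped: %s"
          % (listener.getsockname() + (dropped,)))
    listener.close()
```

The bind-then-drop order is the whole point: the socket stays open and usable after setuid(), but nothing the server does afterwards runs as root. On Linux the root phase can be avoided entirely by granting the interpreter cap_net_bind_service (setcap) or by launching through authbind, so the process never holds uid 0 at all.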

#3

Thank you!

For now, I’ve configured my firewall to overwrite the host header to satisfy the fuzzing server. With that it works.

I am still curious to know the reason behind this validation …

On Thursday, 15 November 2012 17:20:04 UTC+5:30, Rigaudie François wrote:

#4

On 15.11.2012 11:31, Megs wrote:

> 1. Why can't I run my Autobahn Fuzzing server on a port different from
> the one the client connects to? When I configure the client to talk to
> the firewall, my tests fail with this validation error:
>   " port **** in HTTP Host header **** does not match server listening
> port ****"
>
> Due to some constraints, I will have to run all 3 on the same M/c. I
> would like to know the reason behind this validation and if there is a
> way to work around this without actually commenting out the code snippet?

The validation is done in accordance with the RFC6455 spec:

a) the request must contain a Host header
b) when the WS server is running on a non-standard port (other than 80/443), that port must be contained in the Host header
c) check that the Host header port matches the listening port

There is an option to override the "externally visible port" exactly
for situations like yours:

https://github.com/tavendo/AutobahnPython/blob/8851bf76310afc1f0321753f5a980150dc69e29f/autobahn/autobahn/websocket.py#L2985

This option is, however, not configurable (i.e. not wired up) for wstest, which of course would be desirable.

You may file a bug on Github for "autobahntestsuite" =>

make externally visible port configurable

- Tobias
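The three checks Tobias lists, and the override he points to, as an added example: this is my own code, not Autobahn's, whose handshake check is only paraphrased here. It runs Megha's layout (client dials the firewall on 9001, firewall forwards to the fuzzing server on 9002) through the check three times: as in #1 (rejected), with the firewall rewriting the Host header as in #3 (accepted), and with the server told its externally visible port as in #4 (accepted). It goes a little beyond the thread by also rejecting a duplicated Host header and accepting bracketed IPv6 literals. The function names are mine; `externalPort` as the name of Autobahn's factory option is from memory, not from the thread; the host names are constructed.

```python
# Added example (not Autobahn's own code, which is only paraphrased): the
# RFC 6455 Host-header checks behind the error in the thread, plus the
# "externally visible port" override. Names (validate_host_header,
# parse_host_header) are my own; in Autobahn of that era the override was
# the server factory's externalPort setting, quoted from memory.

from typing import List, Optional, Tuple


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host[:port]' into (host, port); port is None if absent.

    Raises ValueError for syntactically bad values.
    """
    value = value.strip()
    if not value:
        raise ValueError("empty Host header")
    if value.startswith("["):                   # IPv6 literal, e.g. [::1]:9001
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[:end + 1], value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port_str = rest[1:]
    elif ":" in value:
        host, port_str = value.rsplit(":", 1)
    else:
        return value, None
    if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
        raise ValueError("invalid port %r" % port_str)
    return host, int(port_str)


def validate_host_header(headers: List[Tuple[str, str]],
                         listening_port: int,
                         is_secure: bool = False,
                         external_port: Optional[int] = None) -> Tuple[bool, str]:
    """Return (True, host) on success or (False, reason) on failure.

    a) the Host header must be present (and only once);
    b) a missing port means the default for the scheme: 80 for ws://,
       443 for wss://, so a server on a non-standard port rejects it;
    c) the port must equal the port the server listens on, or, when the
       server sits behind a firewall/proxy, the port clients actually
       connect to (external_port), which is the override from the thread.
    """
    values = [v for (k, v) in headers if k.lower() == "host"]
    if not values:
        return False, "HTTP Host header missing in opening handshake request"
    if len(values) > 1:
        return False, "HTTP Host header appears more than once"
    raw = values[0]
    try:
        host, port = parse_host_header(raw)
    except ValueError as exc:
        return False, "bad HTTP Host header %r: %s" % (raw, exc)
    if port is None:
        port = 443 if is_secure else 80
    expected = listening_port if external_port is None else external_port
    if port != expected:
        return False, ("port %d in HTTP Host header %r does not match "
                       "server listening port %d" % (port, raw, expected))
    return True, host


# Constructed handshake headers for the layout in the thread: the client
# dials the firewall on 9001, the firewall forwards to the server on 9002.
CLIENT_HEADERS = [("Upgrade", "websocket"), ("Host", "fw.example.test:9001")]


def thread_scenarios() -> dict:
    """The three outcomes discussed in the thread, keyed by name."""
    return {
        # #1: server listens on 9002, Host still says 9001 -> rejected
        "mismatch": validate_host_header(CLIENT_HEADERS, listening_port=9002),
        # #3: firewall rewrites Host to the server's real port -> accepted
        "host_rewritten": validate_host_header(
            [("Upgrade", "websocket"), ("Host", "fw.example.test:9002")],
            listening_port=9002),
        # #4: server told its externally visible port is 9001 -> accepted
        "external_port": validate_host_header(
            CLIENT_HEADERS, listening_port=9002, external_port=9001),
    }


if __name__ == "__main__":
    for name, (ok, detail) in thread_scenarios().items():
        print("%-15s %s  %s" % (name, "OK " if ok else "ERR", detail))
```

The #3 workaround (rewriting Host at the firewall) and the #4 override (telling the server its external port) make the same check pass by different routes; the override is the cleaner one for a test rig, because the client's handshake reaches the server unmodified and the fuzzing results describe the firewall rather than the firewall plus a header rewrite.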

#5

Exactly what I was looking for. I’ll look it up and file a bug. Thank you !

On Thursday, 15 November 2012 22:49:57 UTC+5:30, Tobias Oberstein wrote: