Sunday, January 6, 2013

Follow The RFC!

About 40 minutes before our WebSocket presentation at BayThreat I decided to do the final dry run. The slide with stacktrace of crashed desktop Safari caught my attention and I re-checked if there is still a problem. While current OSX Safari was fixed and I removed the slide, I decided to navigate to that page using Safari on my iPhone running IOS6.

The result was quite surprising, since I thought Apple is using the same webkit engine for all platforms: Safari simply hanged, while minimizing and re-opening caused a crash. Chrome on IOS6 behaved in similar way, while Chrome on OSX was always handling that code properly. Trying it on friends' Galaxy something caused the entire UI of Android to behave funny.

For those who are curious what the code is doing: it does nothing but trying to open several thousand WebSocket connections to non-existing server.

RFC 6455 is quite clear on this:

"There MUST be no more than one connection in a CONNECTING state. If multiple connections to the same IP address are attempted simultaneously, the client MUST serialize them so that there is no more than one connection at a time running through the following steps."

Most likely, mobile versions of popular browsers are just not implementing this policy, causing to either drain the file descriptors pool, or random number generator, or the memory.

This isn't a big deal, I just decided to document this in my blog to see how long would it take to port the policy to the mobile versions. As of today, January 6, the problem still exists, and the web page with deadly javascript is right here .



  1. Thank you for sharing this! I remember my brother mentioning this and he was stressing over this issue. I am immediately going to share this with him even though I am currently at my job, giving interview transcription services but this seemed to be of great importance to him. Hope it helps him. Fingers Crossed!

  2. Thank you for bringing this to our attention! I recall my uncle addressing it, and he was concerned about it. Despite the fact that I am now at work, I am going to discuss this with him right away. I agree with my uncle and his advice. Thank you very much for your wonderful blog. These blogs provide me with useful information.
    Source: Web design company

  3. Find exclusive discounts code. Take up to 35% off Over Various Items Using vonhaus discount code Buy the Best Home & Kitchen Appliances with Vonhaus Discount Code. Be the first to save money now!

  4. Great job for publishing such a beneficial web site This is such a great resource that you are providing and you give it away for free. i was looking cheap dissertation writing services service. so meanwhile, i see your blog thanks for sharing this.

  5. I read this blog. This is very informative and helpful for us. The result was quite surprising, since I thought Apple was using the same WebKit engine for all platforms. Thanks for sharing  your great idea with us. Keep sharing more content with us. Now it's time to get Roofing Services in Paramus NJ for more information.


CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability

CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability   Date Published: 05-08-2014 Class: Design error Remotely Exploit...