Fwd: How much attacker-controlled plaintext does the client send?


Adam Rice

Mar 15, 2021, 11:41:35 AM
to QUIC Prototype Protocol Discussion group
I'm trying to understand the risks of the NAT Slipstreaming attack in the context of UDP-only protocols, in particular the Amanda protocol on port 10080.

Assuming an attacker-controlled page and server, could something like "CONNECT DATA 32877 MESG 32880 INDEX 32883\n" be sent in plaintext over HTTP/3 by Chrome? It has to be in a single packet for the attack to work, but extra garbage will be ignored.

Ian Swett

Mar 15, 2021, 11:50:50 AM
to QUIC Prototype Protocol Discussion group
The best possibility is a server-chosen connection ID of that string, which would be used by the client in packets sent after the client Initial.

It's probably worth reading the Request Forgery section in QUIC Transport: https://tools.ietf.org/html/draft-ietf-quic-transport-34#section-21.5

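To make the mechanism Ian points at concrete, here is an added example (not code from the thread, Chromium or any QUIC implementation) written from the checking side: it shows that a server-chosen connection ID is copied verbatim into the Destination Connection ID field of every later short-header packet the client sends, that QUIC version 1 caps connection IDs at 20 bytes (RFC 9000, section 17.2), so the 42-byte Amanda command line from the question cannot travel whole inside one connection ID, and a simple heuristic a client or inspecting middlebox could apply to peer-offered connection IDs that look like printable protocol text. The datagram bytes, the sample command and the thresholds are constructed for the example.

```python
"""Checks on peer-chosen QUIC v1 connection IDs (added example, constructed data)."""

# RFC 9000, section 17.2: connection IDs in QUIC version 1 are at most 20 bytes.
MAX_CID_LEN = 20

# The string from the question, used here only as sample input to measure and flag.
SAMPLE_COMMAND = b"CONNECT DATA 32877 MESG 32880 INDEX 32883\n"


def fits_in_one_cid(candidate: bytes) -> bool:
    """True if the bytes could legally be carried as a single QUIC v1 connection ID."""
    return 0 <= len(candidate) <= MAX_CID_LEN


def looks_like_text(cid: bytes, min_len: int = 8) -> bool:
    """Heuristic: a connection ID of at least min_len bytes consisting only of
    printable ASCII (or newline) is suspicious; randomly generated IDs almost
    never satisfy this. min_len is an assumed tuning knob, not a protocol value."""
    if len(cid) < min_len:
        return False
    return all(0x20 <= b < 0x7F or b == 0x0A for b in cid)


def assess_offered_cid(cid: bytes) -> dict:
    """Decision a client could make when the peer offers a new connection ID."""
    too_long = not fits_in_one_cid(cid)
    texty = looks_like_text(cid)
    return {
        "length": len(cid),
        "too_long": too_long,
        "looks_like_text": texty,
        # Length violations are protocol errors; text-like IDs are merely flagged.
        "accept": not too_long and not texty,
    }


def extract_dcid(datagram: bytes, cid_len: int) -> bytes:
    """Pull the Destination Connection ID out of a QUIC v1 short-header (1-RTT) packet.

    RFC 9000, section 17.3: the header form bit (0x80) is 0 for short headers and the
    DCID immediately follows the first byte. Its length is not encoded in the packet,
    so the receiver must already know the length it uses (cid_len here).
    """
    if not datagram or datagram[0] & 0x80:
        raise ValueError("not a short-header packet")
    if len(datagram) < 1 + cid_len:
        raise ValueError("datagram too short for the expected DCID length")
    return datagram[1 : 1 + cid_len]


def build_demo_short_header(dcid: bytes) -> bytes:
    """Constructed 1-RTT packet skeleton: first byte with the fixed bit set and form bit
    clear, then the DCID, a 2-byte packet number and filler standing in for the protected
    payload. Only the layout matters for this example; no encryption is performed."""
    return bytes([0x41]) + dcid + b"\x00\x01" + b"\x00" * 8


if __name__ == "__main__":
    print(assess_offered_cid(SAMPLE_COMMAND))          # too long: 42 > 20
    print(assess_offered_cid(SAMPLE_COMMAND[:16]))     # legal length, but flagged as text
    random_cid = bytes.fromhex("8f3a10c2d4e67b09")
    print(assess_offered_cid(random_cid))              # accepted
    pkt = build_demo_short_header(random_cid)
    print(extract_dcid(pkt, len(random_cid)) == random_cid)  # DCID echoed verbatim
```

The length check is the hard stop here: a version 1 client must reject an offered ID longer than 20 bytes as a protocol error, which is why the full command line above cannot be delivered in one connection ID. The text heuristic is an assumed, tunable defensive signal for the shorter fragments that do fit.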